CERT mailing list archives
AR18-337C: MAR-10158513.r1.v1 – SamSam3
From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Mon, 03 Dec 2018 17:23:24 -0600
U.S. Department of Homeland Security
US-CERT National Cyber Awareness System

AR18-337C: MAR-10158513.r1.v1 SamSam3
[ https://www.us-cert.gov/ncas/analysis-reports/AR18-337C ]
12/03/2018 12:15 PM EST
Original release date: December 03, 2018

Description

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

14 files were submitted for analysis. These files are designed to encrypt a victim's system files for a ransom payment.

For a downloadable copy of IOCs, see:
* MAR-10158513.r1.v1.stix [ https://www.us-cert.gov/sites/default/files/publications/MAR-10158513.r1.v1.stix.xml ]

Submitted Files (17)
Domains (10)

Findings

0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac

Tags: dropper, ransomware, trojan

Details
Name: samsam.exe
Size: 218624 bytes
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: a14ea969014b1145382ffcd508d10156
SHA1: ff6aa732320d21697024994944cf66f7c553c9cd
SHA256: 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac
SHA512: 73f28bed4ee700e15d1c0eb9871e37bdda77e3ef3c14b63a1597b9628e7407dc31f8382e0ec52c8c65f68c00a4f321f5971359f865eb35b35dc62e9f5e8e7be1
ssdeep: 3072:ZVdp01i6vcHV1LI5FLV0pZeZKfOJizjrBnNtRg+ur199J+n9fCbP:Za1i6UHVyLV0poZa1jrD099on9
Entropy: 6.249245

Antivirus
Ahnlab: Trojan/Win32.Samas
Antiy: Trojan/Win32.SGeneric
Avira: TR/Ransom.lhumd
BitDefender: Generic.Ransom.SamSam.12451789
ClamAV: Win.Trojan.Samas-1
Cyren: W32/Trojan.MPPP-7951
ESET: MSIL/Filecoder.AR trojan
Emsisoft: Generic.Ransom.SamSam.12451789 (B)
Ikarus: Trojan-Ransom.SamSam
K7: Trojan ( 700000121 )
McAfee: Ransomware-SAMAS!A14EA969014B
Microsoft Security Essentials: Ransom:MSIL/Samas.A
NANOAV: Trojan.Win32.Ransom.eamswz
Quick Heal: Trojan.Inject.TL3
Sophos: Troj/RansmSam-A
Symantec: Trojan.Gen.2
Systweak: malware.gen-r
TrendMicro: Ransom_CRYPSAM.B
TrendMicro House Call: Ransom_CRYPSAM.B
Vir.IT eXplorer: Trojan.Win32.MSIL9.BGXA
VirusBlokAda: Trojan-Ransom.MSIL.Samas
Zillya!: Dropper.Agent.Win32.229787

Yara Rules
No matches found.

ssdeep Matches
97  036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050

PE Metadata
Compile Date: 2016-01-05 19:14:43-05:00
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Company Name: Microsoft
File Description: MicrosoftSAM
Internal Name: samsam.exe
Legal Copyright: Copyright © 2014
Original Filename: samsam.exe
Product Name: MicrosoftSAM
Product Version: 2.4.8.4

PE Sections
MD5                               Name    Raw Size  Entropy
37c3e95eb9901183e02df0ba1de6caf2  header  512       2.774592
7a556f246357051b2d82ea445571ddbb  .text   216064    6.270810
d0b581056989efaa1de31a61a8f4a9ec  .rsrc   1536      4.110334
06441ad348b483e2458a535949e809cf  .reloc  512       0.101910

Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET

Relationships
0f2c5c3949... Connected_To union83939k.wordpress.com
0f2c5c3949... Dropped 6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21
0f2c5c3949... Dropped 32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f
0f2c5c3949... Dropped 97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95

Description

This file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware.
It contains two embedded 32-bit Windows executables in its resource section:

--Begin resource--
"samsam.del.exe"     ==> del.exe (SDelete), designed to securely delete files
"samsam.selfdel.exe" ==> selfdel.exe, designed to delete the SamSam ransomware from the victim's system
--End resource--

It installs the embedded files into the following directory:

--Begin files installed--
%Currentdirectory%\del.exe
%Currentdirectory%\Selfdel.exe
--End files installed--

This file is designed to accept an input text file as the command-line argument. The input text file contains an RSA public key in the following format:

--Begin RSA public key--
"<RSAKeyValue><Modulus>Base64 encoded RSA public key</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
--End RSA public key--

The input text file was not available for analysis.

Displayed below is the code snippet designed to accept an input text file as the command-line argument:

--Begin command line argument--
private static void Main(string[] args)
{
    if (args.Length != 1)
    {
        return;
    }
    if (!string.IsNullOrEmpty(args[0]))
    {
        Program.publickey = File.ReadAllText(args[0]);
    }
    Program.create_from_resource();
--End command line argument--

It searches the drives installed on the victim system for files with the following file extensions:

--Begin file extensions--
"xls",".xlsx",".pdf",".doc",".docx",".ppt",".pptx",".txt",".dwg",".bak",".bkf",".pst",".dbx",".zip",".rar",".mdb",".asp",".aspx",".html",".htm",".dbf",".3dm",".3ds",".3fr",".jar",".3g2",".xml",".png",".tif",".3gp",".java",".jpe",".jpeg",".jpg",".jsp",".php",".3pr",".7z",".ab4",".accdb",".accde",".accdr",".accdt",".ach",".kbx",".acr",".act",".adb",".ads",".agdl",".ai",".ait",".al",".apj",".arw",".asf",".asm",".asx",".avi",".awg",".back",".backup",".backupdb",".pbl",".bank",".bay",".bdb",".bgt",".bik",".bkp",".blend",".bpw",".c",".cdf",".cdr",".cdr3",".cdr4",".cdr5",".cdr6",".cdrw",".cdx",".ce1",".ce2",".cer",".cfp",".cgm",".cib",".class",".cls",".cmt",".cpi",".cpp",".cr2",".craw",".crt",".crw",".phtml",".php5",".cs",".csh",".csl",".tib",".csv",".dac",".db",".db3",".db-journal",".dc2",".dcr",".dcs",".ddd",".ddoc",".ddrw",".dds",".der",".des",".design",".dgc",".djvu",".dng",".dot",".docm",".dotm",".dotx",".drf",".drw",".dtd",".dxb",".dxf",".dxg",".eml",".eps",".erbsql",".erf",".exf",".fdb",".ffd",".fff",".fh",".fmb",".fhd",".fla",".flac",".flv",".fpx",".fxg",".gray",".grey",".gry",".h",".hbk",".hpp",".ibank",".ibd",".ibz",".idx",".iif",".iiq",".incpas",".indd",".kc2",".kdbx",".kdc",".key",".kpdx",".lua",".m",".m4v",".max",".mdc",".mdf",".mef",".mfw",".mmw",".moneywell",".mos",".mov",".mp3",".mp4",".mpg",".mrw",".msg",".myd",".nd",".ndd",".nef",".nk2",".nop",".nrw",".ns2",".ns3",".ns4",".nsd",".nsf",".nsg",".nsh",".nwb",".nx2",".nxl",".nyf",".oab",".obj",".odb",".odc",".odf",".odg",".odm",".odp",".ods",".odt",".oil",".orf",".ost",".otg",".oth",".otp",".ots",".ott",".p12",".p7b",".p7c",".pab",".pages",".pas",".pat",".pcd",".pct",".pdb",".pdd",".pef",".pem",".pfx",".pl",".plc",".pot",".potm",".potx",".ppam",".pps",".ppsm",".ppsx",".pptm",".prf",".ps",".psafe3",".psd",".pspimage",".ptx",".py",".qba",".qbb",".qbm",".qbr",".qbw",".qbx",".qby",".r3d",".raf",".rat",".raw",".rdb",".rm",".rtf",".rw2",".rwl",".rwz",".s3db",".sas7bdat",".say",".sd0",".sda",".sdf",".sldm",".sldx",".sql",".sqlite",".sqlite3",".sqlitedb",".sr2",".srf",".srt",".srw",".st4",".st5",".st6",".st7",".st8",".std",".sti",".stw",".stx",".svg",".swf",".sxc",".sxd",".sxg",".sxi",".sxi",".sxm",".sxw",".tex",".tga",".thm",".tlg",".vob",".war",".wallet",".wav",".wb2",".wmv",".wpd",".wps",".x11",".x3f",".xis",".xla",".xlam",".xlk",".xlm",".xlr",".xlsb",".xlsm",".xlt",".xltm",".xltx",".xlw",".ycbcra",".yuv"
--End file extensions--

The malware avoids encrypting files in the "Windows", "Reference Assemblies\Microsoft", and "Recycle.Bin" folders. Displayed below is the code snippet used to skip those folders:

--Begin code--
if (path != Program.sysdir + "Windows" && !path.Contains("Reference Assemblies\Microsoft") && !path.Contains("Recycle.Bin"))
--End code--

It randomly generates the following keys for each target file:

--Begin randomly generated keys--
AES key (16 bytes)
AES IV (16 bytes)
Signature key (64 bytes), used as the key for the SHA-256 HMAC calculation
--End randomly generated keys--

Displayed below is the code snippet for generating the unique keys for a target file:

--Begin key generation--
public static string Encrypt(string plainFilePath, string encryptedFilePath, string manifestFilePath, string rsaKey)
{
    byte[] signatureKey = encc.GenerateRandom(64);   ==> HMAC key
    byte[] key = encc.GenerateRandom(16);            ==> Rijndael key
    byte[] iv = encc.GenerateRandom(16);             ==> Rijndael IV
    encc.EncryptFile(plainFilePath, encryptedFilePath, key, iv, signatureKey, rsaKey);
    return null;
--End key generation--

It reads the target file into memory and encrypts it using AES in CBC mode with the generated key and IV. The encrypted data is written to a newly created file that has the same name as the original file plus an ".encryptedRSA" extension. The ransomware then calculates a SHA-256 HMAC over the encrypted file data. The generated keys are encrypted with the RSA public key read from the key file.

The malware Base64 encodes the following values and prepends them, in XML format, to the beginning of the encrypted file:

--Begin Base64 encoded data--
AES key, encrypted with the RSA public key
AES IV, encrypted with the RSA public key
SHA-256 HMAC of the encrypted file data
HMAC key, encrypted with the RSA public key
--End Base64 encoded data--

Displayed below is the code used to RSA encrypt and Base64 encode the data prepended to each encrypted file:

--Begin encrypting and encoding--
byte[] inArray = encc.CalculateSignature(encryptedFilePath, signatureKey);
string text = Convert.ToBase64String(encc.RSAEncryptBytes(key, rsaKey));
string text2 = Convert.ToBase64String(encc.RSAEncryptBytes(iv, rsaKey));
string text3 = Convert.ToBase64String(inArray);
string text4 = Convert.ToBase64String(encc.RSAEncryptBytes(signatureKey, rsaKey));
string str = string.Concat(new object[]
{
    "<MtAeSKeYForFile>", encc.sn,
    "<Key>", text,                             ==> Base64 encoded AES key, encrypted with RSA public key with OAEP padding
    "</Key>", encc.sn,
    "<IV>", text2,                             ==> Base64 encoded AES IV, encrypted with RSA public key with OAEP padding
    "</IV>", encc.sn,
    "<Value>", text3,                          ==> Base64 encoded SHA-256 HMAC of the encrypted file data
    "</Value>", encc.sn,
    "<EncryptedKey>", text4,                   ==> Base64 encoded HMAC key, encrypted with RSA public key with OAEP padding
    "</EncryptedKey>", encc.sn,
    "<OriginalFileLength>", fileInfo.Length,   ==> The length of the original file
    "</OriginalFileLength>", encc.sn,
    "</MtAeSKeYForFile>"
});
--End encrypting and encoding--

Following the encryption of the victim's files, the ransomware executes "selfdel.exe" to delete itself from the system and installs the ransom note "HELP_DECRYPT_YOUR_FILES.html" on the victim's system.
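The manifest layout above (RSA-encrypted AES key, IV and HMAC key, the HMAC value and the original length, each Base64 encoded inside <MtAeSKeYForFile>) is enough for a responder to inventory and sanity-check .encryptedRSA files without any key material. The parser below is an added example, not code from this report or from the malware; it assumes the manifest is stored as the clear XML text that the string.Concat call builds, that encc.sn is a line separator, that the ciphertext starts directly after the closing tag, and that the CBC mode used PKCS#7 padding (the .NET default).

```python
import base64
import re
from dataclasses import dataclass, field

MAGIC = b"<MtAeSKeYForFile>"   # first bytes of every SamSam .encryptedRSA file
END_TAG = b"</MtAeSKeYForFile>"
AES_BLOCK = 16                 # AES-CBC block size
HMAC_SHA256_LEN = 32           # size of the <Value> field once Base64 decoded


@dataclass
class SamSamManifest:
    enc_aes_key: bytes         # <Key>: AES key, RSA-OAEP encrypted (opaque without the private key)
    enc_aes_iv: bytes          # <IV>: AES IV, RSA-OAEP encrypted
    hmac_of_ciphertext: bytes  # <Value>: SHA-256 HMAC over the encrypted file data
    enc_hmac_key: bytes        # <EncryptedKey>: 64-byte HMAC key, RSA-OAEP encrypted
    original_length: int       # <OriginalFileLength>: size of the plaintext file
    ciphertext_length: int     # bytes that follow </MtAeSKeYForFile>
    warnings: list = field(default_factory=list)


def _element(manifest: bytes, tag: str) -> bytes:
    """Return the text between <tag> and </tag>, tolerating encc.sn separators around it."""
    t = tag.encode()
    m = re.search(rb"<" + t + rb">\s*(.*?)\s*</" + t + rb">", manifest, re.S)
    if m is None:
        raise ValueError(f"manifest has no <{tag}> element")
    return m.group(1)


def is_samsam_encrypted(data: bytes) -> bool:
    """Cheap triage check: the file starts with the manifest's opening tag."""
    return data.startswith(MAGIC)


def parse_encrypted_rsa(data: bytes) -> SamSamManifest:
    """Split an .encryptedRSA file into manifest fields and ciphertext, then run structural checks.
    Assumption: the ciphertext starts right after the closing tag; adjust the slice if a real
    sample shows a separator there."""
    if not is_samsam_encrypted(data):
        raise ValueError("not a SamSam .encryptedRSA file: <MtAeSKeYForFile> header missing")
    end = data.find(END_TAG)
    if end < 0:
        raise ValueError("closing </MtAeSKeYForFile> not found: truncated manifest")
    manifest, ciphertext = data[:end + len(END_TAG)], data[end + len(END_TAG):]

    def decode(tag: str) -> bytes:
        return base64.b64decode(_element(manifest, tag), validate=True)

    m = SamSamManifest(
        enc_aes_key=decode("Key"),
        enc_aes_iv=decode("IV"),
        hmac_of_ciphertext=decode("Value"),
        enc_hmac_key=decode("EncryptedKey"),
        original_length=int(_element(manifest, "OriginalFileLength").decode("ascii")),
        ciphertext_length=len(ciphertext),
    )
    if len(m.hmac_of_ciphertext) != HMAC_SHA256_LEN:
        m.warnings.append(f"<Value> decodes to {len(m.hmac_of_ciphertext)} bytes, expected {HMAC_SHA256_LEN}")
    if len({len(m.enc_aes_key), len(m.enc_aes_iv), len(m.enc_hmac_key)}) != 1:
        m.warnings.append("RSA-encrypted fields differ in length; one RSA modulus gives equal sizes")
    # CBC with PKCS#7 padding (assumed; the .NET default) always writes one extra block,
    # so a genuine file's ciphertext length is fixed by <OriginalFileLength>.
    expected = (m.original_length // AES_BLOCK + 1) * AES_BLOCK
    if m.original_length < 0 or m.ciphertext_length != expected:
        m.warnings.append(f"ciphertext is {m.ciphertext_length} bytes, expected {expected} "
                          f"for a {m.original_length}-byte original: truncated or altered file")
    return m


def build_constructed_sample(original_length: int = 100) -> bytes:
    """Constructed test input, not a real sample: the encrypted fields are placeholder bytes
    sized like RSA-2048 OAEP output, and the ciphertext is filler of the length CBC would produce."""
    sn = b"\r\n"                  # assumed value of encc.sn (a line separator)
    rsa_blob = bytes(range(256))  # 256 bytes = one RSA-2048 ciphertext
    manifest = sn.join([
        MAGIC,
        b"<Key>" + base64.b64encode(rsa_blob) + b"</Key>",
        b"<IV>" + base64.b64encode(rsa_blob) + b"</IV>",
        b"<Value>" + base64.b64encode(bytes(HMAC_SHA256_LEN)) + b"</Value>",
        b"<EncryptedKey>" + base64.b64encode(rsa_blob) + b"</EncryptedKey>",
        b"<OriginalFileLength>" + str(original_length).encode() + b"</OriginalFileLength>",
        END_TAG,
    ])
    return manifest + b"\xaa" * ((original_length // AES_BLOCK + 1) * AES_BLOCK)
```

The checks are structural only: the HMAC key is RSA-encrypted, so the <Value> field cannot be verified without the operator's private key.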
Displayed below is the embedded blog and Bitcoin address for the ransom note:

--Begin blog and Bitcoin address--
Blog address: "http[:]//union83939k.wordpress.com"
Bitcoin address: 19CbDoaZDLTzkkT1uQrMPM42AUvfQN4Kds
--End blog and Bitcoin address--

7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044

Tags: ransomware, trojan

Details
Name: samsam.exe
Size: 218112 bytes
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 14721036e16587594ad950d4f2db5f27
SHA1: ed1797c282f0817d2ad8f878f8dd50ab062501ac
SHA256: 7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044
SHA512: 4d9e75850713f0bf6892fca8d74f462a5b2c0ccec2ed089fd830b8babcce7aedbd3bcb56e25c81cb6bf285bba9111ef89913d0c665593b2ba8da5f57d9505d32
ssdeep: 3072:gUOsdp01i6vcHV1LI5FLV0pZeZKfOJizjrBnNtRg+ur199JWbk9f7b1v:gzL1i6UHVyLV0poZa1jrD099Qbk9V
Entropy: 6.248108

Antivirus
Ahnlab: Trojan/Win32.Samas
Antiy: Trojan[Ransom]/MSIL.Samas
Avira: TR/Ransom.lhumd
BitDefender: Generic.Ransom.SamSam.B120689A
Cyren: W32/Trojan.HBQK-8340
ESET: a variant of MSIL/Filecoder.AR trojan
Emsisoft: Generic.Ransom.SamSam.B120689A (B)
Ikarus: Trojan-Ransom.SamSam
K7: Trojan ( 700000121 )
McAfee: Ransomware-SAMAS!14721036E165
Microsoft Security Essentials: Ransom:MSIL/Samas.A
NANOAV: Trojan.Win32.Samas.eajeha
Quick Heal: Trojan.Inject.TL3
Sophos: Troj/RansmSam-A
Symantec: Ransom.SamSam!gen1
Systweak: trojan-spy.filecryptor
TrendMicro: Ransom_.2933F726
TrendMicro House Call: Ransom_.2933F726
Vir.IT eXplorer: Trojan.Win32.Atros3.CWX
VirusBlokAda: Trojan-Ransom.MSIL.Samas
Zillya!: Trojan.Filecoder.Win32.2108

Yara Rules
No matches found.

ssdeep Matches
No matches found.

Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET

Relationships
7aa585e6fd... Dropped 6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21
7aa585e6fd... Dropped 32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f
7aa585e6fd... Dropped 97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95
7aa585e6fd... Connected_To union83939k.wordpress.com

Description

This file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware.

It contains two embedded 32-bit Windows executables in its resource section:

--Begin resource--
"samsam.del.exe"     ==> del.exe (SDelete), designed to securely delete files
"samsam.selfdel.exe" ==> selfdel.exe, designed to delete the SamSam ransomware from the victim's system
--End resource--

It installs the embedded files into the following directory:

--Begin files installed--
%Currentdirectory%\del.exe
%Currentdirectory%\Selfdel.exe
--End files installed--

This file is designed to accept an input text file as the command-line argument. The input text file contains an RSA public key in the following format:

--Begin RSA public key--
"<RSAKeyValue><Modulus>Base64 encoded RSA public key</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
--End RSA public key--

The input text file was not available for analysis.

Displayed below is the code snippet designed to accept an input text file as the command-line argument:

--Begin command line argument--
private static void Main(string[] args)
{
    if (args.Length != 1)
    {
        return;
    }
    if (!string.IsNullOrEmpty(args[0]))
    {
        Program.publickey = File.ReadAllText(args[0]);
    }
    Program.create_from_resource();
--End command line argument--

It searches the drives installed on the victim system for files with the following file extensions:

--Begin file extensions--
"xls",".xlsx",".pdf",".doc",".docx",".ppt",".pptx",".txt",".dwg",".bak",".bkf",".pst",".dbx",".zip",".rar",".mdb",".asp",".aspx",".html",".htm",".dbf",".3dm",".3ds",".3fr",".jar",".3g2",".xml",".png",".tif",".3gp",".java",".jpe",".jpeg",".jpg",".jsp",".php",".3pr",".7z",".ab4",".accdb",".accde",".accdr",".accdt",".ach",".kbx",".acr",".act",".adb",".ads",".agdl",".ai",".ait",".al",".apj",".arw",".asf",".asm",".asx",".avi",".awg",".back",".backup",".backupdb",".pbl",".bank",".bay",".bdb",".bgt",".bik",".bkp",".blend",".bpw",".c",".cdf",".cdr",".cdr3",".cdr4",".cdr5",".cdr6",".cdrw",".cdx",".ce1",".ce2",".cer",".cfp",".cgm",".cib",".class",".cls",".cmt",".cpi",".cpp",".cr2",".craw",".crt",".crw",".phtml",".php5",".cs",".csh",".csl",".tib",".csv",".dac",".db",".db3",".db-journal",".dc2",".dcr",".dcs",".ddd",".ddoc",".ddrw",".dds",".der",".des",".design",".dgc",".djvu",".dng",".dot",".docm",".dotm",".dotx",".drf",".drw",".dtd",".dxb",".dxf",".dxg",".eml",".eps",".erbsql",".erf",".exf",".fdb",".ffd",".fff",".fh",".fmb",".fhd",".fla",".flac",".flv",".fpx",".fxg",".gray",".grey",".gry",".h",".hbk",".hpp",".ibank",".ibd",".ibz",".idx",".iif",".iiq",".incpas",".indd",".kc2",".kdbx",".kdc",".key",".kpdx",".lua",".m",".m4v",".max",".mdc",".mdf",".mef",".mfw",".mmw",".moneywell",".mos",".mov",".mp3",".mp4",".mpg",".mrw",".msg",".myd",".nd",".ndd",".nef",".nk2",".nop",".nrw",".ns2",".ns3",".ns4",".nsd",".nsf",".nsg",".nsh",".nwb",".nx2",".nxl",".nyf",".oab",".obj",".odb",".odc",".odf",".odg",".odm",".odp",".ods",".odt",".oil",".orf",".ost",".otg",".oth",".otp",".ots",".ott",".p12",".p7b",".p7c",".pab",".pages",".pas",".pat",".pcd",".pct",".pdb",".pdd",".pef",".pem",".pfx",".pl",".plc",".pot",".potm",".potx",".ppam",".pps",".ppsm",".ppsx",".pptm",".prf",".ps",".psafe3",".psd",".pspimage",".ptx",".py",".qba",".qbb",".qbm",".qbr",".qbw",".qbx",".qby",".r3d",".raf",".rat",".raw",".rdb",".rm",".rtf",".rw2",".rwl",".rwz",".s3db",".sas7bdat",".say",".sd0",".sda",".sdf",".sldm",".sldx",".sql",".sqlite",".sqlite3",".sqlitedb",".sr2",".srf",".srt",".srw",".st4",".st5",".st6",".st7",".st8",".std",".sti",".stw",".stx",".svg",".swf",".sxc",".sxd",".sxg",".sxi",".sxi",".sxm",".sxw",".tex",".tga",".thm",".tlg",".vob",".war",".wallet",".wav",".wb2",".wmv",".wpd",".wps",".x11",".x3f",".xis",".xla",".xlam",".xlk",".xlm",".xlr",".xlsb",".xlsm",".xlt",".xltm",".xltx",".xlw",".ycbcra",".yuv"
--End file extensions--

The malware avoids encrypting files in the "Windows", "Reference Assemblies\Microsoft", and "Recycle.Bin" folders. Displayed below is the code snippet used to skip those folders:

--Begin code--
if (path != Program.sysdir + "Windows" && !path.Contains("Reference Assemblies\Microsoft") && !path.Contains("Recycle.Bin"))
--End code--

It randomly generates the following keys for each target file:

--Begin randomly generated keys--
AES key (16 bytes)
AES IV (16 bytes)
Signature key (64 bytes), used as the key for the SHA-256 HMAC calculation
--End randomly generated keys--

Displayed below is the code snippet for generating the unique keys for a target file:

--Begin key generation--
public static string Encrypt(string plainFilePath, string encryptedFilePath, string manifestFilePath, string rsaKey)
{
    byte[] signatureKey = encc.GenerateRandom(64);   ==> HMAC key
    byte[] key = encc.GenerateRandom(16);            ==> Rijndael key
    byte[] iv = encc.GenerateRandom(16);             ==> Rijndael IV
    encc.EncryptFile(plainFilePath, encryptedFilePath, key, iv, signatureKey, rsaKey);
    return null;
--End key generation--

It reads the target file into memory and encrypts it using AES in CBC mode with the generated key and IV. The encrypted data is written to a newly created file that has the same name as the original file plus an ".encryptedRSA" extension. The ransomware then calculates a SHA-256 HMAC over the encrypted file data. The generated keys are encrypted with the RSA public key read from the key file.

The malware Base64 encodes the following values and prepends them, in XML format, to the beginning of the encrypted file:

--Begin Base64 encoded data--
AES key, encrypted with the RSA public key
AES IV, encrypted with the RSA public key
SHA-256 HMAC of the encrypted file data
HMAC key, encrypted with the RSA public key
--End Base64 encoded data--

Displayed below is the code used to RSA encrypt and Base64 encode the data prepended to each encrypted file:

--Begin encrypting and encoding--
byte[] inArray = encc.CalculateSignature(encryptedFilePath, signatureKey);
string text = Convert.ToBase64String(encc.RSAEncryptBytes(key, rsaKey));
string text2 = Convert.ToBase64String(encc.RSAEncryptBytes(iv, rsaKey));
string text3 = Convert.ToBase64String(inArray);
string text4 = Convert.ToBase64String(encc.RSAEncryptBytes(signatureKey, rsaKey));
string str = string.Concat(new object[]
{
    "<MtAeSKeYForFile>", encc.sn,
    "<Key>", text,                             ==> Base64 encoded AES key, encrypted with RSA public key with OAEP padding
    "</Key>", encc.sn,
    "<IV>", text2,                             ==> Base64 encoded AES IV, encrypted with RSA public key with OAEP padding
    "</IV>", encc.sn,
    "<Value>", text3,                          ==> Base64 encoded SHA-256 HMAC of the encrypted file data
    "</Value>", encc.sn,
    "<EncryptedKey>", text4,                   ==> Base64 encoded HMAC key, encrypted with RSA public key with OAEP padding
    "</EncryptedKey>", encc.sn,
    "<OriginalFileLength>", fileInfo.Length,   ==> The length of the original file
    "</OriginalFileLength>", encc.sn,
    "</MtAeSKeYForFile>"
});
--End encrypting and encoding--

Following the encryption of the victim's files, the ransomware executes "selfdel.exe" to delete itself from the system and installs the ransom note "HELP_DECRYPT_YOUR_FILES.html" on the victim's system.

Displayed below is the embedded blog and Bitcoin address for the ransom note:

--Begin blog and Bitcoin address--
Blog address: "http://union83939k.wordpress.com"
Bitcoin address: 19CbDoaZDLTzkkT1uQrMPM42AUvfQN4Kds
--End blog and Bitcoin address--

union83939k.wordpress.com

URLs
* http://union83939k.wordpress.com
Relationships
union83939k.wordpress.com Connected_From 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac
union83939k.wordpress.com Connected_From 7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044

036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050

Tags: dropper, ransomware, trojan

Details
Name: samsam.exe
Size: 218624 bytes
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: fe998080463665412b65850828bce41f
SHA1: 203bb8ec1da6b237a092bab71fa090849c7db9bd
SHA256: 036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050
SHA512: 9ade6edde3f063fc935f53366ffc9cb6cf7e17691d22fd2fe107d779da3b61eaed006ef7679b456bc16aca8b686d035f09aaf42bf06fa62b872e0a89046994eb
ssdeep: 3072:bVdp01i6vcHV1LI5FLV0pZeZKfOJizjrBnNtRg+ur199J+n9fCbM:ba1i6UHVyLV0poZa1jrD099on9
Entropy: 6.249304

Antivirus
Ahnlab: Trojan/Win32.Samas
Antiy: Trojan/Win32.SGeneric
Avira: TR/Ransom.lhumd
BitDefender: Generic.Ransom.SamSam.CDB17A36
ClamAV: Win.Trojan.Samas-1
Cyren: W32/SamSam.D.gen!Eldorado
ESET: MSIL/Filecoder.AR trojan
Emsisoft: Generic.Ransom.SamSam.CDB17A36 (B)
Ikarus: Trojan-Ransom.SamSam
K7: Trojan ( 700000121 )
McAfee: Ransomware-SAMAS!FE9980804636
Microsoft Security Essentials: Ransom:MSIL/Samas.A
NANOAV: Trojan.Win32.Ransom.eamenb
NetGate: Trojan.Win32.Malware
Quick Heal: Trojan.Inject.TL3
Sophos: Troj/RansmSam-A
Symantec: Ransom.SamSam!gen1
Systweak: malware.gen-r
TrendMicro: Ransom_.2933F726
TrendMicro House Call: Ransom_.2933F726
Vir.IT eXplorer: Trojan.Win32.MSIL9.BGXA
VirusBlokAda: Trojan-Ransom.MSIL.Samas
Zillya!: Dropper.Agent.Win32.229787

Yara Rules
No matches found.

ssdeep Matches
97  0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac

Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET

Relationships
036071786d... Dropped 6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21
036071786d... Dropped 32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f
036071786d... Dropped 97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95
036071786d... Connected_To keytwocode.wordpress.com

Description

This file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware.

It contains two embedded 32-bit Windows executables in its resource section:

--Begin resource--
"samsam.del.exe"     ==> del.exe (SDelete), designed to securely delete files
"samsam.selfdel.exe" ==> selfdel.exe, designed to delete the SamSam ransomware from the victim's system
--End resource--

It installs the embedded files into the following directory:

--Begin files installed--
%Currentdirectory%\del.exe
%Currentdirectory%\Selfdel.exe
--End files installed--

This file is designed to accept an input text file as the command-line argument. The input text file contains an RSA public key in the following format:

--Begin RSA public

Revisions
* December 3, 2018: Initial version

________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy & Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () ncas us-cert gov to your address book.

OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ http://www.us-cert.gov/related-resources ]

STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ]