CERT mailing list archives

AR18-337B: MAR-10166283.r1.v1 – SamSam2


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Mon, 03 Dec 2018 17:21:31 -0600

U.S. Department of Homeland Security US-CERT

 

National Cyber Awareness System: AR18-337B: MAR-10166283.r1.v1 – SamSam2 [ 
https://www.us-cert.gov/ncas/analysis-reports/AR18-337B ] 12/03/2018 12:12 PM EST 
Original release date: December 03, 2018

Description

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not 
provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial 
product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries 
minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. 
Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information 
on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

These files are related to SamSam ransomware. SamSam is a variety of ransomware based on the .NET framework.

For a downloadable copy of IOCs, see:


  * MAR-10166283.r1.v1.stix [ https://www.us-cert.gov/sites/default/files/publications/MAR-10166283.r1.v1.stix.xml ]

Submitted Files (6)

2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9 (winnetuse.exe)

427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d (ss2.exe)

594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c (ss2.stubbin)

a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb (SORRY-FOR-FILES.html)

bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0 (g04inst.bat)

da9c2ecc88e092e3b8c13c6d1a71b968aa6f705eb5966370f21e306c26cd4fb5 (sdgasfse.dll)

Domains (1)

jcmi5n4c3mvgtyt5.onion

Findings

594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c

Tags

obfuscated, ransomware, trojan

Details

Name: ss2.stubbin
Size: 278032 bytes
Type: data
MD5: 9202651c295369eb01cc7a10cd59adff
SHA1: ff2f511009b2813af9d12c6103206828560869db
SHA256: 594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c
SHA512: 547efea0c2407d1e2949e84fe107820a1efaab2eaddeaf60ceb8f23b53d635b7c86ceadb1e19c07432e51a3609d02f12aca99cb5e23b5d324febb67994f83a9c
ssdeep: 6144:gXNGATWMK0AlJgQpQXFvr0Cn8wyrQ4EeGiEb53fSEnetKA:gjDoWiUFe+NPSEnQH
Entropy: 7.999190

Antivirus

Ahnlab: BinImage/Obfuscated
Antiy: GrayWare/Win32.Presenoker
Cyren: Trojan.FTIO-1
McAfee: Ransomware-SAMAS
Sophos: Troj/Samas-G
TrendMicro: Ransom_.67284F17
TrendMicro House Call: Ransom_.67284F17

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

594b9b42a2... Contains 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d 

Description

This file is an encrypted data file with a ".stubbin" extension. It contains the AES-encrypted SamSam ransomware ss2.exe 
(1afc39b101a64c61b763fdf07fde1d55).

427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d

Tags

dropper, ransomware, trojan

Details

Name: ss2.exe
Size: 278016 bytes
Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 1afc39b101a64c61b763fdf07fde1d55
SHA1: 89fe55d2669e6c995b9a0d9ed5d5aa404d20713b
SHA256: 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
SHA512: 35b066679ce733b0de20b79cb7570570164eb695307cbb96173bd7c4485b62a42e5b67caab8b9373e45b9cd9abe72ab0eb78960256420144b9f609c3734320f0
ssdeep: 1536:VLDPjQejqUjWMuX/28KIGsA/Nu4vlIXa5CjZwEclPcx6KtCNvmuxOfgQBAMyOk3t:V3Mexh8KIXAV9vOX6mz6ylgr
Entropy: 4.757791

Antivirus

Avira: TR/Dropper.MSIL.Gen
BitDefender: Generic.Ransom.SamSam.82D17683
ClamAV: Win.Ransomware.Samsam-6425958-0
ESET: a variant of MSIL/Filecoder.Samas.B trojan
Emsisoft: Generic.Ransom.SamSam.82D17683 (B)
Ikarus: Trojan-Ransom.Samas
McAfee: Trojan-FNEY!1AFC39B101A6
Sophos: Troj/Samas-L
Symantec: Ransom.SamSam

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

427091e188... Contained_Within 594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c
427091e188... Downloaded a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb

Description

This file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. 
This file is a variant of SamSam ransomware.

The ransomware accepts the following three arguments during runtime:

--Begin arguments--
"nonpenetrable"
"6"
"0.8"
--End arguments--

When executed, it searches for a key file with a ".keyxml" extension in the %CurrentDirectory% and, if the file is 
present, loads it. The key file contains an RSA public key in the following format:

--Begin RSA public key--
"<RSAKeyValue><Modulus>Base64 encoded RSA public key</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
--End RSA public key--

The key file was not available for analysis.

The ransomware searches for files to encrypt on all drives installed on the victim's system. The malware avoids 
encrypting files with the following extensions and files in the following folders:

--Begin files--
"desktop.ini"
"g04inst.bat"
"ntuser.dat"
"search-ms"
".search-ms"
".exe"
".msi"
".lnk"
".wim"
".scf"
"microsoft\windows"
"appdata"
".ini"
".sys"
".dll"
--End files--

It randomly generates the following keys for encrypting the target files:

--Begin randomly generated keys--
AES key (16 bytes)
AES IV (16 bytes)
Signature key (64 bytes) for SHA256 HMAC key calculation
--End randomly generated keys--

Displayed below is the code snippet for generating unique keys for each target file.

--Begin key generation--
public static string myff1(string plainFilePath, string encryptedFilePath, string manifestFilePath, string rsaKey)
{
    byte[] signatureKey = encc.GenerateRandom(64); // HMAC key
    byte[] key = encc.GenerateRandom(16);          // Rijndael key
    byte[] iv = encc.GenerateRandom(16);           // Rijndael IV
    encc.EncryptFile(plainFilePath, encryptedFilePath, key, iv, signatureKey, rsaKey);
    return null;
}
--End key generation--

The malware reads the target file into memory and encrypts it using an AES algorithm in CBC mode by using the generated 
AES key. The encrypted data from the original file is stored into a newly created file. The newly created file has the 
same name as the original file, but with a ".weapologize" extension. The ransomware calculates a SHA-256 HMAC of the 
encrypted data of the file. The generated keys are encrypted using the RSA public key from the key file. The malware 
Base64 encodes and prepends the following data in XML format at the beginning of the encrypted file:

--Begin Base64-encoded data--
AES key, encrypted with RSA public key
AES IV, encrypted with RSA public key
SHA-256 HMAC of the encrypted file data
HMAC key, encrypted with RSA public key
--End Base64-encoded data--

Displayed below is the code used to RSA encrypt and Base64 encode data prepended at the beginning of each encrypted 
file:

--Begin encrypting and encoding--
string text = Convert.ToBase64String(encc.RSAEncryptBytes(key, rsaKey));
string text2 = Convert.ToBase64String(encc.RSAEncryptBytes(iv, rsaKey));
string text3 = Convert.ToBase64String(encc.RSAEncryptBytes(signatureKey, rsaKey));
byte[] bytesFromString = encc.GetBytesFromString(string.Concat(new object[]
{
"<AAAAAAAAAAAAAAAAAAAAA>",
encc.nnnlllll,
"<AAA>",
text,
"</AAA>",
encc.nnnlllll,
"<AA>",
text2,
"</AA>",
encc.nnnlllll,
"<AAAAA>xPN1oBWSqfQgInnB6ydF204jiHN/uqljySnn1fkhqUk=</AAAAA>",
encc.nnnlllll,
"<AAAAAAAAAAAA>",
text3,
"</AAAAAAAAAAAA>",
encc.nnnlllll,
"<AAAAAAAAAAAAAAAAAA>",
fileInfo.Length,
"</AAAAAAAAAAAAAAAAAA>",
encc.nnnlllll,
"</AAAAAAAAAAAAAAAAAAAAA>"
}));
--End encrypting and encoding--
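
For incident response, the prepended header described above can be parsed to check that a ".weapologize" file is structurally intact before any recovery attempt. The Python parser below is an added example, not code from the report or from the malware. The field order follows the snippet above; the byte encoding produced by GetBytesFromString, the value of encc.nnnlllll (treated here as a line separator), the padding behaviour and every sample value are assumptions.

```python
import base64
import re
from dataclasses import dataclass, field

MAX_HEADER = 16384  # assumption: the header fits in the first 16 KiB
FIELD_RE = re.compile(r"<(A+)>([^<]*)</\1>")
# Order in which the report's snippet concatenates the fields.
ROLES = ("aes_key_rsa", "aes_iv_rsa", "hmac_sha256", "hmac_key_rsa", "orig_len")

@dataclass
class Header:
    encoding: str
    payload_offset: int          # byte offset where the AES-CBC ciphertext starts
    values: dict
    issues: list = field(default_factory=list)

def parse_header(data: bytes) -> Header:
    # Assumption: GetBytesFromString emits single-byte text or UTF-16LE.
    width = 2 if data[1:2] == b"\x00" else 1
    encoding = "utf-16-le" if width == 2 else "latin-1"
    text = data[:MAX_HEADER].decode(encoding, errors="replace")
    outer = re.match(r"<(A+)>", text)
    if outer is None:
        raise ValueError("no A-tag header at offset 0")
    close = "</" + outer.group(1) + ">"
    end = text.find(close)
    if end < 0:
        raise ValueError("outer tag is not closed")
    fields = FIELD_RE.findall(text[outer.end():end])
    if len(fields) != len(ROLES):
        raise ValueError(f"expected {len(ROLES)} fields, found {len(fields)}")
    values = {}
    for role, (_tag, raw) in zip(ROLES, fields):
        values[role] = int(raw) if role == "orig_len" else base64.b64decode(raw, validate=True)
    hdr = Header(encoding, (end + len(close)) * width, values)
    payload_len = len(data) - hdr.payload_offset
    # RSA ciphertext is always modulus-sized, so all three blobs must match.
    if len({len(values[r]) for r in ROLES if r.endswith("_rsa")}) != 1:
        hdr.issues.append("RSA blobs differ in length")
    if len(values["hmac_sha256"]) != 32:
        hdr.issues.append("HMAC is not 32 bytes")
    if payload_len % 16:
        hdr.issues.append("payload is not a whole number of AES blocks")
    # Assumption: padding adds at most one 16-byte block to the plaintext.
    if not values["orig_len"] <= payload_len <= values["orig_len"] + 16:
        hdr.issues.append("payload length disagrees with recorded file length")
    return hdr

def build_sample(wide: bool = False, payload_len: int = 112) -> bytes:
    """Constructed input: A-only tags modelled on the snippet, stand-in values."""
    blob = base64.b64encode(bytes(range(256))).decode()  # stand-in RSA ciphertext
    mac = base64.b64encode(bytes(32)).decode()           # stand-in HMAC
    outer, hkey, length = "A" * 21, "A" * 12, "A" * 18
    text = "\r\n".join([                                  # CRLF separator is assumed
        f"<{outer}>", f"<AAA>{blob}</AAA>", f"<AA>{blob}</AA>",
        f"<AAAAA>{mac}</AAAAA>", f"<{hkey}>{blob}</{hkey}>",
        f"<{length}>100</{length}>", f"</{outer}>"])
    return text.encode("utf-16-le" if wide else "ascii") + bytes(payload_len)
```

The HMAC cannot be verified without the RSA private key, because the HMAC key is stored only in RSA-encrypted form; the parser checks structure and lengths only.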

Following encryption, the original files are deleted and the ransomware note contents are DES encrypted and Base64 
encoded in the malware. Displayed below is the hard-coded DES key and the IV used to decrypt the contents of the 
ransomware note.

--Begin DES key and IV--
DES KEY: 61 58 62 32 75 79 34 7A (aXb2uy4z)    
IV: 0C 15 2B 11 39 23 43 1B
--End DES key and IV--

It installs the ransomware note "SORRY-FOR-FILES.html" on the victim system. Next, the malware kills any open process 
whose file name contains "sql".

a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb

Details

Name: SORRY-FOR-FILES.html
Size: 3547 bytes
Type: HTML document, ASCII text, with very long lines, with no line terminators
MD5: 074e52525d5ec2b2af8675477180b5f0
SHA1: 631e5f4b9a3ba6855dd93dbdccb416337560491d
SHA256: a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb
SHA512: 16d5cab293ffe44a8bfe247fc8f60167741d4a44cb12542b378cf26b689abcff95065ab44e4725b2ab3e85295925faa695bce1159d06211c1bf971d437398414
ssdeep: 96:2RPS2X4/vpRMdu4JW4Qy06pZu42yNSSa/kZLCXWQJxZEzQx:GulKuwscsR5
Entropy: 4.871033

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Process         PID     PPID
lsass.exe       468     (384)
iexplore.exe    2628    (2332)
explorer.exe    1412    (1368)

Relationships

a660cc6155... Downloaded_By 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
a660cc6155... Contains jcmi5n4c3mvgtyt5.onion

Description

This file is the ransom note displayed to the victim. The note contains the ransom payment information and 
instructions for obtaining the RSA private key to recover encrypted files. Displayed below are the embedded blog and 
Bitcoin addresses in the ransomware note:

--Begin blog and Bitcoin addresses--
blog address: "http://jcmi5n4c3mvgtyt5.onion/";
Bitcoin address: "1HbJu2kL4xDNK1L9YUDkJnqh3yiC119YM2"
--End blog and Bitcoin addresses--

Screenshots
Figure 1 - Screenshot of the ransom note


2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9

Tags

ransomware, trojan

Details

Name: winnetuse.exe
Size: 239104 bytes
Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 5b168ad87a0de81c443656cc144df29a
SHA1: c3cf36abda1463dbe81dc7a7283c6a089c922071
SHA256: 2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9
SHA512: 853eec13cba76de73361f1fb1e18d11ce3c1b9496f5e093d3050283643f569b659a5931b2092d8302cc8cfbfb69e4a6241461eed4c8931879818c4280af025cf
ssdeep: 1536:YM84wQNIdSpfYy1wDcCxqwDcCxqwDcCxqwDcCxqwDcCxqwDcCxWAAPtR8XKvfOxx:R2dHD3DD3DD3DD3DD3DD3v
Entropy: 5.041215

Antivirus

Ahnlab: Trojan/Win32.Occamy
Antiy: Trojan/Win32.TSGeneric
BitDefender: Gen:Variant.Razy.275811
ClamAV: Win.Ransomware.Samsam-6482587-0
Cyren: W32/Trojan.KJIQ-4456
ESET: a variant of MSIL/Runner.J trojan
Emsisoft: Gen:Variant.Razy.275811 (B)
Ikarus: Trojan.SuspectCRC
K7: Riskware ( 0040eff71 )
McAfee: RDN/Generic.dx
Microsoft Security Essentials: Ransom:MSIL/Samas.D
NANOAV: Trojan.Win32.Crypt.falsxr
NetGate: Trojan.Win32.Malware
Quick Heal: Trojan.YakbeexMSIL.ZZ4
Sophos: Mal/Kryptik-BV
Symantec: Trojan Horse
TrendMicro: TROJ_FR.5CBB1CDE
TrendMicro House Call: TROJ_FR.5CBB1CDE
Zillya!: Trojan.Crypt.Win32.42586

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Packers/Compilers/Cryptors

Microsoft Visual C# v7.0 / Basic .NET 

Relationships

2b06d2abc8... Related_To bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0 

Description

This file is a 32-bit Windows .NET compiled executable designed to search for and load the encrypted data file 
ss2.stubbin (9202651c295369eb01cc7a10cd59adff) on the victim's system. If ss2.stubbin exists, it uses the Rijndael 
algorithm in the Class Library file ClassLibrary1.dll to decrypt the data file. Winnetuse.exe deletes the encrypted 
data file after decryption.

bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0

Tags

trojan

Details

Name: g04inst.bat
Size: 267 bytes
Type: ASCII text, with CRLF line terminators
MD5: 62e21431e87e8a21cf06319da7438f11
SHA1: a4708853f4a7e4e242a236a433e9b5e8593f1090
SHA256: bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0
SHA512: f2f60c6eb6d96c025a34eb58e175866e15a806f9ec805793676cc60ede00dbfd55b9ade816c6148235e4fc34c4c412d91ae873d324032f1dbd17b09a7a539233
ssdeep: 6:JF1ZzANc4PgXsoFDVlAVyXHI+CIwZALICLA9X/1y/W:L1Jsc4PSJFDyyXo+Bb0L/1gW
Entropy: 4.884702

Antivirus

McAfee: BAT/Starter.h
Microsoft Security Essentials: Ransom:BAT/Samas
Sophos: Troj/RansRun-A
Symantec: Trojan.Malscript

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

bc53f513df... Related_To 2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9 

Description

This file is a batch file designed to execute winnetuse.exe (5b168ad87a0de81c443656cc144df29a) with predefined 
arguments. Displayed below are the arguments:

--Begin arguments--
Format: %myrunner% %password% %path% %totalprice% %priceperhost%
Sample: winnetuse.exe nvWvlIHNSzASiWhnMWCR nonpenetrable 6 0.8
--End arguments--

da9c2ecc88e092e3b8c13c6d1a71b968aa6f705eb5966370f21e306c26cd4fb5

Tags

ransomware, trojan

Details

Name: sdgasfse.dll
Size: 5632 bytes
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: f702153b68628eff973abb2912af0d22
SHA1: 138c3aae51e67db0c4134affae428fe91c0d1686
SHA256: da9c2ecc88e092e3b8c13c6d1a71b968aa6f705eb5966370f21e306c26cd4fb5
SHA512: 7b5c3a6dcc30225874b70e9aa5df803d7796322e5c6654b0ace265b95b0134035384e113112a7a17b09e24dbceb71a22867424cfc1c660ec2ebb605583980dcd
ssdeep: 48:6/mWW45Rekl3tpEE4ln0LT8wVMM4W8i02+KU4AeyuNew0cxdn5Mla5GQ6bwN8ah:gBv3Z8we5i0/4Ae+2gMrG
Entropy: 3.968484

Antivirus

Ahnlab: Trojan/Win32.Samas
Antiy: Trojan/Win32.AGeneric
Avira: TR/Ransom.hlwsr
BitDefender: Trojan.GenericKD.30548303
ClamAV: Win.Ransomware.Samsam-6482588-0
Cyren: W32/Trojan.USJT-3730
ESET: a variant of MSIL/Runner.N trojan
Emsisoft: Trojan.GenericKD.30548303 (B)
Ikarus: Ransom.MSIL.Samas
K7: Riskware ( 0040eff71 )
McAfee: RDN/Generic.dx
Microsoft Security Essentials: Ransom:MSIL/Samas.D
NANOAV: Trojan.Win32.Ransom.ffqmxt
Sophos: Troj/Samas-F
Symantec: Ransom.SamSam
Systweak: trojan-spy.samas
TrendMicro: TROJ_SAMAS.B
TrendMicro House Call: TROJ_SAMAS.B
Zillya!: Trojan.GenericKD.Win32.128339

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date: 2018-03-06 11:43:39-05:00
Import Hash: dae02f32a21e03ce65412f6e56942daa
Company Name: jkg kdjfhg dfkgdjf k,hh k
File Description: skudfkjg sjdfbsk hfkusdh fkjh
Internal Name: sdgasfse.dll
Legal Copyright: hdf kjdfhgfk dhfkjhkh
Original Filename: sdgasfse.dll
Product Name: kh vkjhd dfgk ghdfkjhkj
Product Version: 9.7.1.2

PE Sections

MD5                                 Name      Raw Size    Entropy
b85b73ffa6d2bc4679ee6ece174a93b1    header    512         2.535489
12fe3b15c663fe9ed9480c352f9bded3    .text     3072        5.048626
9cf5eb0ba3d939001e41a98351a45be5    .rsrc     1536        2.577418
8ef9498de2781e9f674c2727ab3546c6    .reloc    512         0.081539

Description

This file is a .NET Class Library module designed for decrypting the encrypted data file with the ".stubbin" extension 
using the Rijndael encryption algorithm. Displayed below are the key and the initialization vector used for decryption.

--Begin key--
rijndael.Key = hdfgkhioiugyfyghdseertdfygu ==> 7E 7C C0 90 0A E8 7C 3B F1 38 6C 9E 7E 89 B8 29 10 76 C1 E4 FF 6C A3 F8 
42 2B 9F 8C 83 7F AC FE
rijndael.IV = ghtrfdfdewsdfgtyhgjgghfdg ==> F1 38 6C 9E 7E 89 B8 29 C3 93 32 02 C5 A0 08 10
--End key--

jcmi5n4c3mvgtyt5.onion

URLs

  * http://jcmi5n4c3mvgtyt5.onion/

Relationships

jcmi5n4c3mvgtyt5.onion Contained_Within a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb 

Description

The domain was identified in the ransom note.

Relationship Summary

594b9b42a2... Contains 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
427091e188... Contained_Within 594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c
427091e188... Downloaded a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb
a660cc6155... Downloaded_By 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
a660cc6155... Contains jcmi5n4c3mvgtyt5.onion
2b06d2abc8... Related_To bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0
bc53f513df... Related_To 2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9
jcmi5n4c3mvgtyt5.onion Contained_Within a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb

Recommendations

NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the 
security posture of their organization's systems. Any configuration changes should be reviewed by system owners and 
administrators prior to implementation to avoid unwanted impacts.


  * Maintain up-to-date antivirus signatures and engines. 
  * Keep operating system patches up-to-date. 
  * Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory 
authentication. 
  * Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the 
local administrators group unless required. 
  * Enforce a strong password policy and implement regular password changes. 
  * Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be 
known. 
  * Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests. 
  * Disable unnecessary services on agency workstations and servers. 
  * Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the 
extension matches the file header). 
  * Monitor users' web browsing habits; restrict access to sites with unfavorable content. 
  * Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.). 
  * Scan all software downloaded from the Internet prior to executing. 
  * Maintain situational awareness of the latest threats and implement appropriate ACLs. 

Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, 
*Guide to Malware Incident Prevention & Handling for Desktops and Laptops.*

Contact Information

  * 1-888-282-0870 
  * NCCICCustomerService () us-cert gov (UNCLASS) 
  * us-cert () dhs sgov gov (SIPRNET) 
  * us-cert () dhs ic gov (JWICS) 

NCCIC continuously strives to improve its products and services. You can help by answering a very short series of 
questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

*What is a MIFR?* A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis 
in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To 
request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

*What is a MAR?* A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware 
analysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide 
information regarding the level of desired analysis.

*Can I edit this document?* This document is not to be edited in any way by recipients. All comments or questions 
related to this document should be directed to the NCCIC at 1-888-282-0870 or soc () us-cert gov.

*Can I submit malware to NCCIC?* Malware samples can be submitted via three methods:


  * Web: https://malware.us-cert.gov [ https://malware.us-cert.gov/ ] 
  * E-Mail: submit () malware us-cert gov 
  * FTP: ftp.malware.us-cert.gov (anonymous) 

NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, 
software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at 
www.us-cert.gov [ http://www.us-cert.gov/ ].

 

Revisions

  * December 3, 2018: Initial version 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 
