CERT mailing list archives
AR18-337D: MAR-10164494.r1.v1 – SamSam4
From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Mon, 03 Dec 2018 17:29:48 -0600
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System: AR18-337D: MAR-10164494.r1.v1 SamSam4
https://www.us-cert.gov/ncas/analysis-reports/AR18-337D
11/29/2018 08:00 PM EST
Original release date: November 29, 2018 | Last revised: December 03, 2018

Description

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

Three artifacts were submitted for analysis.
For a downloadable copy of IOCs, see: MAR-10164494.r1.v1.stix [ https://www.us-cert.gov/sites/default/files/publications/MAR-10164494.r1.v1.stix.xml ]

Submitted Files (3)

* 738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86 (mswinupdate.exe)
* 9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12 (ClassLibrary1.dll)
* bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58 (g04inst.bat)

Findings

9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12

Tags: downloader, ransomware, trojan

Details
  Name: ClassLibrary1.dll
  Size: 5120 bytes
  Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  MD5: 76bd79f774ae892fd6a30b6463050a91
  SHA1: 4d7a60bd1fb3677a553f26d95430c107c8485129
  SHA256: 9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12
  SHA512: 67e0046db0b565a1ac1862bbd536016c3ea984f8fceadaa31b4c99e7a8b434b170d5badbb10c2c25e264b17bbf2f97576f252e7ef74279b3b845b1553cef9829
  ssdeep: 48:6DhamfhRd4tvDo4Xbgj/aarU3LT88VMM8UX8i02+KfANbU7gjBRd1trWO8lGO+3L:m+5DoAbgfU88Spi0oANbsgjMPYp3XII
  Entropy: 4.004964

Antivirus
  Ahnlab: Trojan/Win32.Black
  Antiy: Trojan/Win32.AGeneric
  BitDefender: Trojan.GenericKD.30369417
  ClamAV: Win.Trojan.Agent-6538241-0
  Cyren: W32/Trojan.URRI-3517
  ESET: a variant of MSIL/Runner.N trojan
  Emsisoft: Trojan.GenericKD.30369417 (B)
  Ikarus: Ransom.MSIL.Samas
  K7: Riskware ( 0040eff71 )
  McAfee: Ransomware-GJY!76BD79F774AE
  Microsoft Security Essentials: Ransom:MSIL/Samas.D
  NANOAV: Trojan.Win32.Runner.ffvfbl
  Sophos: Troj/Samas-F
  Symantec: Trojan.Gen.2
  Systweak: trojan.downloader
  TrendMicro: TROJ_STUBDCRYP.A
  TrendMicro House Call: TROJ_STUBDCRYP.A

Yara Rules
  No matches found.

ssdeep Matches
  No matches found.
PE Metadata
  Compile Date: 2018-01-28 06:09:15-05:00
  Import Hash: dae02f32a21e03ce65412f6e56942daa
  File Description: ClassLibrary1
  Internal Name: ClassLibrary1.dll
  Legal Copyright: Copyright 2018
  Original Filename: ClassLibrary1.dll
  Product Name: ClassLibrary1
  Product Version: 1.0.0.0

PE Sections
  MD5                               Name    Raw Size  Entropy
  34943f18fd2a99cc3f5cabe43b4765f8  header  512       2.547920
  06219fe6e30e15dce12688ca2b434890  .text   3072      4.856670
  11b58fc9ac45168b871cc50399b7c86c  .rsrc   1024      2.888335
  ec45a535f38fb6dc4ac4ed7cbf63b754  .reloc  512       0.081539

Description

This file is a .NET Class Library module designed to decrypt the encrypted data file with a ".stubbin" extension using the Rijndael encryption algorithm. Displayed below are the encryption key and the initialization vector used for decryption.

--Begin encryption information--
rijndael.Key = hdfgkhioiugyfyghdseertdfygu
rijndael.IV = ghtrfdfdewsdfgtyhgjgghfdg
--End encryption information--

738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86

Tags: ransomware, trojan

Details
  Name: mswinupdate.exe
  Size: 6144 bytes
  Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
  MD5: b96620d8a08fa436ea22ef480dd883ce
  SHA1: a1ab74d2f06a542e77ea2c6d641aae4ed163a2da
  SHA256: 738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86
  SHA512: 2a9f4ebb025c8e7b4e074d301477656ffad66318da5ea35ddc8363c17f4bdbf501778539133261adbb9f441066a1e2b79240306ad1877f5ef17009c8f05ff4a6
  ssdeep: 48:6ZMMEikGAgS7zfMFmZUX7OLbqMMou6ZVqsPIUlf41cjGPRMfNFrbvZiJY527qnfF:/ikGAgS7b0807M+And6c6mBiJYPezNt
  Entropy: 4.238961

Antivirus
  Ahnlab: Trojan/Win32.Samas
  Antiy: Trojan[Ransom]/MSIL.Samas
  Avira: TR/Samas.qybuh
  BitDefender: Trojan.GenericKD.30367991
  Cyren: W32/Trojan.VYAP-2611
  ESET: a variant of MSIL/Runner.N trojan
  Emsisoft: Trojan.GenericKD.30367991 (B)
  Ikarus: Ransom.MSIL.Samas
  K7: Riskware ( 0040eff71 )
  McAfee: Ransomware-GJX!B96620D8A08F
  Microsoft Security Essentials: Ransom:MSIL/Samas
  NANOAV: Trojan.Win32.Generic.eymsce
  NetGate: Malware.Generic
  Sophos: Mal/Kryptik-BV
  Symantec: Trojan.Gen.2
  Systweak: malware.shuriken
  TrendMicro: TROJ_RUNNER.GBB
  TrendMicro House Call: TROJ_RUNNER.GBB
  Zillya!: Trojan.Samas.Win32.32

Yara Rules
  No matches found.

ssdeep Matches
  No matches found.

PE Metadata
  Compile Date: 2018-01-28 06:09:17-05:00
  Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
  Company Name: oiauoyqtfhqiwur578q26trgqiwue ffh iufiuqwytf 78wt8
  File Description: dkhjkasyfafa udfiu asd fuiysfd fiusdfh oiafiuay
  Internal Name: rock2.exe
  Legal Copyright: iusy ergy8wej udg uy
  Original Filename: rock2.exe
  Product Name: 98y4798t qiy er998ergg iuery 8 o8uieyfui qewhfiuoyafibuwy ey7fq iuyi
  Product Version: 76.7.99.12

PE Sections
  MD5                               Name    Raw Size  Entropy
  7f1dc4bd716bc037dea251c4dff12cdd  header  512       2.538579
  c8076584486a2745281e4945da9b8b13  .text   3072      4.946272
  1efe88aa4756d059ec1d3b49e342de5d  .rsrc   2048      3.917395
  7048daac38c935b38e086adcd8035d2a  .reloc  512       0.081539

Packers/Compilers/Cryptors
  Microsoft Visual C# v7.0 / Basic .NET

Description

This file is a PE32 .NET executable designed to search for, and load, an encrypted data file with a ".stubbin" extension on the victim's system. If the file exists, it uses the Rijndael algorithm in the Class Library file (ClassLibrary1.dll) to decrypt the data file. After decryption, the file deletes the encrypted data file. The encrypted file with a ".stubbin" extension was not available for analysis.
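A defender-side triage script that checks a directory for the three indicators this report gives: the submitted files' SHA256 values, the ".stubbin" payload extension the loader looks for, and the hard-coded Rijndael key and IV strings of ClassLibrary1.dll. This is an added example, not part of the MAR; it assumes the key and IV are stored in the DLL as plain string literals (so the UTF-16LE form .NET uses is also checked) and runs against constructed sample files, not the real artifacts.

```python
import hashlib
import os
import tempfile

# SHA256 values of the three submitted files, taken from this report.
KNOWN_SHA256 = {
    "738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86": "mswinupdate.exe",
    "9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12": "ClassLibrary1.dll",
    "bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58": "g04inst.bat",
}
# Rijndael key and IV reported for ClassLibrary1.dll, used as a content
# fingerprint (assumption: the DLL stores them as plain string literals).
EMBEDDED_STRINGS = ["hdfgkhioiugyfyghdseertdfygu", "ghtrfdfdewsdfgtyhgjgghfdg"]
PAYLOAD_EXT = ".stubbin"  # extension of the encrypted data file the loader wants

def scan_file(path):
    """Return the indicator tags that fire for one file (empty list = no hit)."""
    with open(path, "rb") as f:
        data = f.read()
    tags = []
    known = KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())
    if known:
        tags.append("sha256:" + known)
    if path.lower().endswith(PAYLOAD_EXT):
        tags.append("ext:" + PAYLOAD_EXT)
    for s in EMBEDDED_STRINGS:
        # .NET keeps string literals as UTF-16LE in the #US heap, so an
        # ASCII-only search would miss them; check both encodings.
        if s.encode("ascii") in data or s.encode("utf-16-le") in data:
            tags.append("string:" + s)
    return tags

def scan_tree(root):
    # Walk a directory tree; map each file name that has hits to its tags.
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            tags = scan_file(os.path.join(dirpath, name))
            if tags:
                hits[name] = tags
    return hits

def build_sample_dir():
    """Write constructed, harmless sample files to a temp dir for a demo run."""
    root = tempfile.mkdtemp(prefix="mar10164494-demo-")
    with open(os.path.join(root, "fake.dll"), "wb") as f:
        f.write(b"MZ" + EMBEDDED_STRINGS[0].encode("utf-16-le"))
    with open(os.path.join(root, "data.stubbin"), "wb") as f:
        f.write(bytes(range(64)))  # placeholder payload, not real ciphertext
    return root
```

Run `scan_tree(build_sample_dir())` to see the tags fire on the constructed files; point `scan_tree` at a real host directory to use it as a first-pass sweep.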
bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58

Tags: ransomware, trojan

Details
  Name: g04inst.bat
  Size: 276 bytes
  Type: ASCII text, with CRLF line terminators
  MD5: 02c19bbf8e19bb69fc7870ec872d355e
  SHA1: cc76586ef94122329e825c78aad2ecb9ac064343
  SHA256: bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58
  SHA512: 283681b5b8e78440bf474c8e50504e6e82f25bd3f6240d5e70600e43fc9fd609a78ee7b837c9b68aa25ed13f2ee735f360a18e614ded15e11bb62043cd028c99
  ssdeep: 6:JF1ZzA+QragXsoNLYjClAVyXHI+CIwZALICLA9XEUXR/JgW:L1J4aSJF+dyXo+Bb0LEUhyW
  Entropy: 4.962735

Antivirus
  McAfee: BAT/Starter.h
  Microsoft Security Essentials: Ransom:BAT/Samas
  Sophos: Troj/RansRun-A
  Symantec: Trojan.Malscript

Yara Rules
  No matches found.

ssdeep Matches
  No matches found.

Description

This file is a batch file designed to execute mswinupdate.exe with predefined arguments. Displayed below are the arguments:

--Begin arguments--
Format: %myrunner% %password% %path% %totalprice% %priceperhost%
Sample: mswinupdate.exe <password> juxtapositional 5 0.8
--End arguments--

Recommendations

NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

* Maintain up-to-date antivirus signatures and engines.
* Keep operating system patches up-to-date.
* Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
* Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
* Enforce a strong password policy and implement regular password changes.
* Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
* Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
* Disable unnecessary services on agency workstations and servers.
* Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
* Monitor users' web browsing habits; restrict access to sites with unfavorable content.
* Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
* Scan all software downloaded from the Internet prior to executing.
* Maintain situational awareness of the latest threats and implement appropriate ACLs.

Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, *Guide to Malware Incident Prevention & Handling for Desktops and Laptops.*

Contact Information

* 1-888-282-0870
* NCCICCustomerService () us-cert gov (UNCLASS)
* us-cert () dhs sgov gov (SIPRNET)
* us-cert () dhs ic gov (JWICS)

NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

*What is a MIFR?* A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

*What is a MAR?* A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering.
To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

*Can I edit this document?* This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the NCCIC at 1-888-282-0870 or soc () us-cert gov.

*Can I submit malware to NCCIC?* Malware samples can be submitted via three methods:

* Web: https://malware.us-cert.gov [ https://malware.us-cert.gov/ ]
* E-Mail: submit () malware us-cert gov
* FTP: ftp.malware.us-cert.gov (anonymous)

NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov [ http://www.us-cert.gov/ ].

Revisions

* December 3, 2018: Initial version

________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy & Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () ncas us-cert gov to your address book.