The Cyphort lab found an infected website that misleads visitors into downloading a toolkit and installs ransomware.

Source: Internet
Author: User

On March 9, 2016, the Cyphort lab found an infected website (keng94.com) that redirects visitors to download a toolkit which ultimately installs ransomware. The website redirects users to rg.foldersasap.com, whose pages host malicious Flash files and binaries.

Behavioral Analysis

The binary is encrypted in transit over the network, then decrypted and written to the %temp% folder. It is a new kind of trojan downloader, and we noticed that it references the string "FA" several times, which prompted us to look at this particular malware more closely:

ItsMeFA

"version_fa"

fa 155

It adds an autostart value to the Registry and copies itself to the Start menu's Startup folder so that it runs at every boot. It then creates the file C:\Users\Public\Music\Microsoft\Windows\Manifest\torrc, which is a Tor configuration file. This configuration starts a Tor hidden service, which we can see listening on port 1060:

After creating the torrc file, it will ".

This file is actually an executable disguised as an MP3. It is launched with the following command line:

C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe -f torrc

Running Tor generally creates the following files:

As a hidden service, Tor generates an onion address on the machine (for example, 43zri2d6x2rruezl.onion) and writes it to the "hostname" file. The malware uses this Tor hidden service to download the final payload. Hidden services let attackers conceal their malicious network activity inside the Tor network. Within a few minutes the following window covers the entire screen and the computer becomes unusable:
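As an added illustration (this is not Cyphort's code or any file from the malware), the following Python script parses a torrc for the HiddenServiceDir and HiddenServicePort directives that define a hidden service and validates the onion name Tor writes to the hostname file in that directory. The torrc text and hostname below are constructed samples modelled on what the article describes (the Manifest directory, port 1060, a 16-character v2 onion name); the directive names are real torrc keywords, but the exact contents of the malware's torrc are not given on the page.

```python
"""Triage helper for a malware-dropped Tor hidden-service configuration.

Added example, not Cyphort's code: parses a torrc for the directives that
declare a hidden service and validates the onion hostname Tor writes to the
service directory. SAMPLE_TORRC and SAMPLE_HOSTNAME are constructed samples
modelled on the artifacts described in the article (port 1060, a 16-char
v2 onion name); the directive keywords are real torrc syntax.
"""
import re
from typing import Dict, List, Optional

# v2 onion names (the 2016-era format in the article) are 16 base32 chars;
# v3 names used by current Tor are 56. Both are accepted here.
ONION_RE = re.compile(r"^([a-z2-7]{16}|[a-z2-7]{56})\.onion$")

# Constructed sample torrc, shaped like the one the dropper writes.
SAMPLE_TORRC = r"""
# torrc written by the dropper (constructed sample, paths assumed)
DataDirectory C:\Users\Public\Music\Microsoft\Windows\Manifest\data
SocksPort 9050
HiddenServiceDir C:\Users\Public\Music\Microsoft\Windows\Manifest\hs
HiddenServicePort 1060 127.0.0.1:1060
"""

# Constructed content of the "hostname" file inside HiddenServiceDir.
SAMPLE_HOSTNAME = "43zri2d6x2rruezl.onion\n"


def parse_torrc(text: str) -> List[Dict[str, object]]:
    """Return one record per hidden service declared in a torrc.

    Tor attaches each HiddenServicePort line to the most recent
    HiddenServiceDir, so the parser keeps that grouping.
    """
    services: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        key = keyword.lower()
        if key == "hiddenservicedir":
            current = {"dir": value.strip(), "ports": []}
            services.append(current)
        elif key == "hiddenserviceport" and current is not None:
            # "<virtual port> [<target>]"; target defaults to 127.0.0.1:<port>
            parts = value.split()
            vport = int(parts[0])
            target = parts[1] if len(parts) > 1 else f"127.0.0.1:{vport}"
            current["ports"].append((vport, target))
    return services


def onion_address(hostname_file: str) -> Optional[str]:
    """Validate and return the onion name from a hidden service's hostname file."""
    name = hostname_file.strip().lower()
    return name if ONION_RE.match(name) else None


def triage(torrc_text: str, hostname_text: str) -> Dict[str, object]:
    """Summarise the hidden-service indicators an analyst would extract."""
    services = parse_torrc(torrc_text)
    return {
        "service_count": len(services),
        "ports": sorted({p for s in services for p, _ in s["ports"]}),
        "onion": onion_address(hostname_text),
        "dirs": [s["dir"] for s in services],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_TORRC, SAMPLE_HOSTNAME))
```

On a live case the same functions would be pointed at the torrc and the hostname file recovered from the HiddenServiceDir; the onion name and the virtual port are the two indicators worth recording, since the onion name is what the payload download and any later C&C traffic are addressed to.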

Because it locks our system, we considered booting into safe mode to investigate, but for some reason that did not work. We therefore decided to analyze it offline and examine a memory image with Volatility.

Using Volatility to find the malware

We took a memory dump and ran the pstree command. It shows that sd_app.exe is spawned by the final process and in turn spawns another instance of tor. This is probably the culprit that downloads the app and locks our screen.

Then we look up the process ID and run the cmdline command to confirm the full path of the file:

We dumped the relevant files to disk and found that the following files had been added:

The .bat file shown in the figure uses bcdedit to disable the Advanced Boot Options menu, which is why we could not boot into safe mode.
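As an added example (not part of the Cyphort analysis), here is how the lineage check above can be scripted over saved Volatility 2 pstree and cmdline plugin output, so that every tor instance started with "-f torrc" is reported together with its parent process and its full ancestry. The plugin output below is constructed and only modelled on the Volatility 2 text layout; the process names other than tor.exe and sd_app.exe (downloader.exe, iexplore.exe), the pids, offsets, paths and timestamps are placeholders, not values from the page.

```python
"""Triage Volatility 2 pstree/cmdline output for the Tor process lineage.

Added example, not Cyphort's code. The article found sd_app.exe to be the
parent of a second tor instance with the pstree and cmdline plugins; this
script performs that lookup over saved plugin output. SAMPLE_PSTREE and
SAMPLE_CMDLINE are constructed; downloader.exe, iexplore.exe, the pids,
offsets and timestamps are placeholders.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str


# Constructed pstree output: leading dots show depth, then offset:name pid ppid.
SAMPLE_PSTREE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x84a1b030:explorer.exe                             1532   1488     24    612 2016-03-09 10:01:13 UTC+0000
. 0x85b3c8e0:iexplore.exe                            2204   1532     18    410 2016-03-09 10:02:40 UTC+0000
.. 0x85c0d7a8:downloader.exe                         2640   2204      3     61 2016-03-09 10:03:02 UTC+0000
... 0x85d12e30:tor.exe                               2712   2640      6     98 2016-03-09 10:03:05 UTC+0000
... 0x85d44b10:sd_app.exe                            2856   2640      4     77 2016-03-09 10:05:51 UTC+0000
.... 0x85e01c20:tor.exe                              2900   2856      6     95 2016-03-09 10:05:53 UTC+0000
"""

# Constructed cmdline output in the plugin's "name pid: N / Command line : ..." layout.
SAMPLE_CMDLINE = """\
************************************************************************
downloader.exe pid:   2640
Command line : C:\\Users\\analyst\\AppData\\Local\\Temp\\downloader.exe
************************************************************************
tor.exe pid:   2712
Command line : C:\\Users\\Public\\Music\\Microsoft\\Windows\\Manifest\\tor.exe -f torrc
************************************************************************
sd_app.exe pid:   2856
Command line : C:\\Users\\Public\\Music\\Microsoft\\Windows\\Manifest\\sd_app.exe
************************************************************************
tor.exe pid:   2900
Command line : C:\\Users\\Public\\Music\\Microsoft\\Windows\\Manifest\\tor.exe -f torrc
"""

PSTREE_RE = re.compile(r"^\.*\s*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)")
CMDLINE_RE = re.compile(r"^(\S+) pid:\s+(\d+)\s*\nCommand line : (.*)$", re.MULTILINE)


def parse_pstree(text: str) -> Dict[int, Proc]:
    """Map pid -> Proc from pstree output; header and separator lines are skipped."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = PSTREE_RE.match(line)
        if m:
            procs[int(m.group(2))] = Proc(int(m.group(2)), int(m.group(3)), m.group(1))
    return procs


def parse_cmdline(text: str) -> Dict[int, str]:
    """Map pid -> full command line from cmdline plugin output."""
    return {int(pid): cmd.strip() for _, pid, cmd in CMDLINE_RE.findall(text)}


def lineage(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Walk PPid links up to the root and return the names, root first."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # guard against pid reuse forming a cycle
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return list(reversed(chain))


def tor_launchers(procs: Dict[int, Proc], cmdlines: Dict[int, str]) -> List[Dict[str, object]]:
    """Report every process running tor with a config file, with its parent and ancestry."""
    hits: List[Dict[str, object]] = []
    for pid, cmd in sorted(cmdlines.items()):
        low = cmd.lower()
        if "tor.exe" in low and "-f torrc" in low:
            parent: Optional[str] = None
            if pid in procs and procs[pid].ppid in procs:
                parent = procs[procs[pid].ppid].name
            hits.append({"pid": pid, "parent": parent, "chain": lineage(procs, pid), "cmd": cmd})
    return hits


if __name__ == "__main__":
    for hit in tor_launchers(parse_pstree(SAMPLE_PSTREE), parse_cmdline(SAMPLE_CMDLINE)):
        print(hit["pid"], "parent:", hit["parent"], "chain:", " > ".join(hit["chain"]))
```

Matching on the command line rather than on the process name matters here: the article shows the tor binary arriving disguised as an MP3, so a renamed copy would still be caught by the "-f torrc" argument, while a lineage that ends in sd_app.exe is what separates the screen locker's own tor instance from the downloader's.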

In the wild

Using VirusTotal, we found four similar samples. The first of them appeared on February 1, 2016, with a very low detection rate. These files are also signed, but the certificate is invalid. The metadata suggests the files may come from Russia or Ukraine:

The sd_app variant is also signed, and two of the files are still undetected:

We also found that the uploaded files contain debug prints in the code and were uploaded from Ukraine. This suggests the authors use VirusTotal to check whether their malware is caught by heuristic detection. The first variant uploaded was 0.01a-154d:

WIN32-VS-x32-RELEASE-Feb  1 2016-15:33:48 v.0.01a-154d

The version we obtained is 0.02a-155, which indicates the malware is under continuing development.

Conclusion

New ransomware families have been appearing in the wild for some time, probably because of the success of CryptoLocker, CryptoWall, Locky and others. At the same time, rescue discs can remove screen-locking ransomware, so it no longer generates value for its operators. This newly discovered malware is nevertheless a step forward for ransomware: it communicates with its C&C server through Tor, which makes the attackers' malicious network activity harder to trace. In addition, while it locks your computer it creates a Tor hidden service on it, so the attackers could use your system to handle bitcoin payments or for other malicious activity. Other researchers have already observed ransomware spam campaigns making use of Tor hidden services. We believe this malware is still at an early stage of development and that these small-scale infections are only tests.

IOCs

Trojan downloader hashes (MD5):

5ed449fc2385896f8616e5cd7bee3f31

3a00058ccaee78805f539f2f6a259e92

d183ed4609e6ad7b00250c50a963db5d

6af38533fc8621128e943488a6f189ed

fb016a14ef1384ec78a284636631ab17

Lock screen hashes (MD5):

29e71b864ac46bd3e2c216cce0403114

639c62bcae61054a229ed3c79a109cc4

092b9e87bd75384df188feb2c4e402a2

e8231d2b7a04a5826a78b2908a1dd393

Mutex names:

ItsMeFA

ItsMeSD
