SAGE 2.2 Ransomware from Good Man Gate

IOCs:

  • 86.106.93.230 – datsonsdaughter.com – Good Man gate
  • 109.234.37.212 – see.letsown.com – RIG EK
  • 34.207.223.86 – mbfce24rgn65bx3g.2kzm0f.com – POST requests to C2
  • 34.207.223.86 – 7gie6ffnkrjykggd.2kzm0f.com – SAGE Decryption site
  • 34.207.223.86 – 7gie6ffnkrjykggd.6t4u2p.net – SAGE Decryption site
  • 34.207.223.86 – 7gie6ffnkrjykggd.jpo2z1.net – SAGE Decryption site
  • Tor Browser – 7gie6ffnkrjykggd.onion/login/[personal key]

Traffic:

Traffic 1

Traffic 2

Hashes:

SHA256: d5ee007a06cc4b8c0100ed4950a4350c0e8e4ad17fe5417de2c2231f48a6021f
File name: RIG EK Flash Exploit.swf

SHA256: 7c2bb48d35bf04bd4cee636d30ca096e194b741f68bced750310fe8a58eda54f
File name: o32.tmp

SHA256: 01fd9a6245c93f25ec2202d06bb40dbdcb5a3c1a0e5fb3db54c4d6253f9f7f4c
File name: udxmr3hn.exe

Hybrid-Analysis Report
https://www.hybrid-analysis.com/sample/01fd9a6245c93f25ec2202d06bb40dbdcb5a3c1a0e5fb3db54c4d6253f9f7f4c?environmentId=100

Infection Chain:

This infection started off with me visiting a Good Man gate. For those of you who don’t know what that is, you can read more about it HERE. The gate domain for this infection chain was datsonsdaughter[.]com. It contained an iframe that redirected the host to a RIG EK landing page at see.letsown.com.

Good man

Image of Good Man gate containing iframe

You can tell from the traffic that the gate domain kept refreshing over and over again. This caused repeated GET requests for the gate, the landing page, the Flash exploit, and the SAGE ransomware payload. Eventually I had to close IE to stop the page from refreshing.

Once on the landing page, we see o32.tmp dropped and executed in %Temp%:

Downloader

The script downloads the payload, which is dropped and executed in %Temp%:

Temp

The payload is copied to AppData:

AppData

Processes:

process tree

  • Schedules a task via schtasks.exe to be executed at a specific time and date
  • Deletes volume snapshots via the vssadmin.exe delete shadows /all /quiet command (often used by ransomware)
  • Disables startup repair
  • Tries to suppress failures during boot (often used to hide system changes)
  • Executes a VBScript via process wscript.exe with commandline “%Temp%\f1.vbs”
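As an added example (not code from the original post), the behaviours in the list above expressed as detection rules over constructed process-creation events of the kind a Sysmon Event ID 1 or EDR feed would supply. The bcdedit command lines for the "disables startup repair" and "suppress failures during boot" items are an assumption, since the post only names the behaviour; the parent process name udxmr3hn.exe is taken from the hashes section.

```python
import re
from collections import namedtuple

# One process-creation event: image, full command line, parent image.
Event = namedtuple("Event", "image cmdline parent")

# Rules derived from the sandbox observations above. The two bcdedit
# patterns are an ASSUMPTION about how startup repair is disabled and
# boot failures are suppressed; the post does not show the command line.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)),
    ("startup_repair_disabled",
     re.compile(r"bcdedit(\.exe)?\s+.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failure_suppressed",
     re.compile(r"bcdedit(\.exe)?\s+.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("scheduled_task_created",
     re.compile(r"schtasks(\.exe)?\s+.*/create\b", re.I)),
    ("script_from_temp",
     re.compile(r"wscript(\.exe)?\s+.*\\temp\\[^\s\"]+\.vbs\b", re.I)),
]

# Constructed sample events, not captured data; paths are placeholders.
SAMPLE_EVENTS = [
    Event("cmd.exe", "cmd.exe /c vssadmin.exe delete shadows /all /quiet", "udxmr3hn.exe"),
    Event("bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled No", "udxmr3hn.exe"),
    Event("bcdedit.exe", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", "udxmr3hn.exe"),
    Event("schtasks.exe", 'schtasks.exe /create /tn "Updater" /tr "C:\\Users\\user\\AppData\\Roaming\\udxmr3hn.exe" /sc once /st 12:00', "udxmr3hn.exe"),
    Event("wscript.exe", 'wscript.exe "C:\\Users\\user\\AppData\\Local\\Temp\\f1.vbs"', "udxmr3hn.exe"),
    Event("vssadmin.exe", "vssadmin.exe list shadows", "cmd.exe"),  # benign admin activity
]

def match_rules(event):
    """Names of every rule whose pattern matches the event's command line."""
    return [name for name, rx in RULES if rx.search(event.cmdline)]

def triage(events, threshold=2):
    """Group hits by parent process and keep parents that trip at least
    `threshold` distinct rules; a single hit alone is often legitimate."""
    hits = {}
    for ev in events:
        for name in match_rules(ev):
            hits.setdefault(ev.parent, set()).add(name)
    return {p: sorted(n) for p, n in hits.items() if len(n) >= threshold}

if __name__ == "__main__":
    for parent, names in triage(SAMPLE_EVENTS).items():
        print(f"{parent}: {', '.join(names)}")
```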

The malware created .bat files in %Temp%. Each file has similar instructions:

bat file

bat file 2

runs shell commands

The Desktop background is changed to the ransom note via a .bmp image found in %Temp%:

Desktop SAGE ransomware

Encrypted files have a .sage extension appended. The ransomware also gives them a lock icon to signify that the file is encrypted:

Encrypted files

Trying to open an encrypted file prompts the user with some instructions:

File is encrypted

The ransom notes are called !HELP_SOS.hta. Users are pointed to three different domains hosted on various TLDs, plus an optional .onion address for users who need to go through the Tor Browser/network.

Below are some images of the user login page and the decrypter page:

I’m attaching the .bmp image used on the Desktop and the .hta ransom note below:

Artifacts.zip

Sorry for the late post on this infection. I was sick most of the week. Until next time!
