“IMG_” Malspam Delivers GlobeImposter Ransomware

I received this malspam sample on Saturday from a friend, so it’s already a couple days old. While this is ancient in malspam years I felt like writing up something since I haven’t done a malspam post in quite some time.

The subject lines of both malspam samples I received started with “IMG_”, and neither message had anything in the body. Below are images of the malspam samples:

Both samples came from Gmail accounts and carried .zip attachments. Each .zip holds a single .js file, which ends up in %TEMP% when the attachment is opened:

[Image: opening the attachment]

Both .js files were GlobeImposter downloaders, so executing them generated GET requests for payloads hosted on various domains. I successfully received a payload, even though my samples were days old.

Below is an image of the GET request:

[Image: GET request for the payload]

As you can see from the GET request, the User-Agent string is “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)”, which identifies Internet Explorer 6 on Windows 2000. The downloader hard-codes this string rather than inheriting it from an installed browser, which makes it a handy network indicator; looking through the .js file shows the User-Agent being set:

[Image: User-Agent being set in the .js file, decoded and annotated by my friend IRDivision]

You can also see how the script builds the GET requests for the payloads and the domains it tries:

[Image: payload domains in the decoded .js]

In my sample, I ended up getting the payload from adelaidemotorshow[.]com[.]au/hg65fyJHG, with the backup location being trombositting[.]org/af/hg65fyJHG.
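The hard-coded User-Agent and the two URI tokens (hg65fyJHG and JKhbj6g7) that every payload location shares make the download stage straightforward to hunt for in proxy logs. The following is an added example, not code from the original post or from the malware: a small Python scanner that applies the post's indicators (the User-Agent, the two tokens, and the serv1[.]xyz counter.php callback described later in the post) to constructed proxy log lines. The log layout, client IPs and timestamps are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the post: the downloader's hard-coded User-Agent, the two
# URI tokens shared by every payload location in the paste, and the ransom-note
# callback host and path.
DOWNLOADER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
PAYLOAD_TOKENS = {"hg65fyJHG", "JKhbj6g7"}
CALLBACK_HOST = "serv1.xyz"
CALLBACK_PATH = "/counter.php"

# Assumed proxy log layout (constructed for this example, not a real product's format):
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the requests described in the post.
SAMPLE_LOG = [
    '2017-08-08T14:02:11Z 10.0.0.15 GET http://adelaidemotorshow.com.au/hg65fyJHG??XXSkRjf=XXSkRjf 200 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '2017-08-08T14:02:13Z 10.0.0.23 GET http://trombositting.org/af/hg65fyJHG 404 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '2017-08-08T14:05:40Z 10.0.0.15 GET http://serv1.xyz/counter.php?nu=105&fb=726 200 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '2017-08-08T14:06:02Z 10.0.0.42 GET http://www.example.com/index.html 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2017-08-08T14:07:15Z 10.0.0.23 GET http://www.example.com/legacy 200 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
]


def classify(line):
    """Return (client, verdict, detail) for a line that matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])          # the stray "??" in the real request lands in .query
    host = url.hostname or ""
    last_segment = url.path.rsplit("/", 1)[-1]
    legacy_ua = m["ua"] == DOWNLOADER_UA
    if legacy_ua and last_segment in PAYLOAD_TOKENS:
        return (m["client"], "globeimposter_payload_fetch", host)
    if host == CALLBACK_HOST and url.path == CALLBACK_PATH:
        # fb= carries the same number the ransomware appends as the file extension,
        # so the callback also tells you which variant hit the host.
        ext = parse_qs(url.query).get("fb", ["?"])[0]
        return (m["client"], "ransom_note_opened", "." + ext)
    if legacy_ua:
        # IE6 on Windows 2000 is not a browser anyone runs any more; the UA alone is
        # worth a look even when the path is not one of the known tokens.
        return (m["client"], "legacy_ua_anomaly", host)
    return None


def scan(lines):
    """Group every verdict by client IP so one host's download and callback line up."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result:
            client, verdict, detail = result
            hits.setdefault(client, []).append((verdict, detail))
    return hits


if __name__ == "__main__":
    for client, verdicts in scan(SAMPLE_LOG).items():
        for verdict, detail in verdicts:
            print(f"{client}\t{verdict}\t{detail}")
```

Matching on the last path segment rather than the full URL is deliberate: the backup location in the post (trombositting[.]org/af/hg65fyJHG) carries the token under a subdirectory, and the paste shows the same two tokens across twenty unrelated hosts, so the token is the stable part and the domain is not.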

More locations were posted in a very helpful paste by @Racco42, which can also be seen below:

3sat[.]fr/JKhbj6g7
apositive[.]be/hg65fyJHG
autoecole-jeanpierre[.]com/JKhbj6g7
camefe[.]com[.]mx/JKhbj6g7
cipemiliaromagna[.]cateterismo[.]it/hg65fyJHG
clubvive[.]net/JKhbj6g7
diesel-pickup-oil-site[.]com/hg65fyJHG
eubieartmedia[.]com/hg65fyJHG
greenerlivingca[.]com/JKhbj6g7
harristeavn[.]com/hg65fyJHG
homeownersinsurance[.]ca/JKhbj6g7
inducars[.]be/hg65fyJHG
irenefalsone[.]com/JKhbj6g7
lepair-be[.]com/JKhbj6g7
llallagua[.]ch/JKhbj6g7
peluqueriacaninaencordoba[.]com/JKhbj6g7
promultis[.]it/hg65fyJHG
saunaesofmansatis[.]net/JKhbj6g7
searchlightcare[.]com/JKhbj6g7
telesolutionsconsultants[.]com/hg65fyJHG
themeastralgratuit[.]com/JKhbj6g7

Another Twitter user also posted a paste of download locations being distributed on 8/8/17.

The payload is saved in %TEMP% as XXSkRjf2.exe and executed:

[Image: payload written to %TEMP% and run]

Below are the folder and file-extension exclusion lists (the directories and extensions the ransomware skips), taken from a very detailed blog post by Fortinet.

Folder exclusion list (44 in total):

Windows, Microsoft, Microsoft Help, Windows App Certification Kit, Windows Defender, ESET, COMODO, Windows NT, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Temp, NVIDIA Corporation, Microsoft.NET, Internet Explorer, Kaspersky Lab, McAfee, Avira, spytech software, sysconfig, Avast, Dr.Web, Symantec, Symantec_Client_Security, system volume information, AVG, Microsoft Shared, Common Files, Outlook Express, Movie Maker, Chrome, Mozilla Firefox, Opera, YandexBrowser, ntldr, Wsus, ProgramData.

Extension exclusion list (170 in total):

.$er, .4db, .4dd, .4d, .4mp, .abs, .abx, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .adn, .adp, .aft, .ahd, .alf, .ask, .awdb, .azz, .bdb, .bib, .bnd, .bok, .btr, .cdb, .cdb, .cdb, .ckp, .clkw, .cma, .crd, .daconnections, .dacpac, .dad, .dadiagrams, .daf, .daschema, .db, .db-shm, .db-wa, .db2, .db3, .dbc, .dbf, .dbf, .dbk, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .dd, .df1, .dmo, .dnc, .dp1, .dqy, .dsk, .dsn, .dta, .dtsx, .dx, .eco, .ecx, .edb, .emd, .eq, .fcd, .fdb, .fic, .fid, .fi, .fm5, .fmp, .fmp12, .fmps, .fo, .fp3, .fp4, .fp5, .fp7, .fpt, .fzb, .fzv, .gdb, .gwi, .hdb, .his, .ib, .idc, .ihx, .itdb, .itw, .jtx, .kdb, .lgc, .maq, .mdb, .mdbhtm, .mdf, .mdn, .mdt, .mrg, .mud, .mwb, .myd, .ndf, .ns2, .ns3, .ns4, .nsf, .nv2, .nyf, .oce, .odb, .oqy, .ora, .orx, .owc, .owg, .oyx, .p96, .p97, .pan, .pdb, .pdm, .phm, .pnz, .pth, .pwa, .qpx, .qry, .qvd, .rctd, .rdb, .rpd, .rsd, .sbf, .sdb, .sdf, .spq, .sqb, .sq, .sqlite, .sqlite3, .sqlitedb, .str, .tcx, .tdt, .te, .teacher, .tmd, .trm, .udb, .usr, .v12, .vdb, .vpd, .wdb, .wmdb, .xdb, .xld, .xlgc, .zdb, .zdc

It copies itself to %PUBLIC% and establishes persistence by creating the following RunOnce value in the registry:

[Image: registry value]
Key: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE; Value name: CertificatesCheck; Data: %PUBLIC%\XXSkRjf2.exe

Note that Windows deletes a RunOnce value as soon as it has been executed, so on a machine that has already been rebooted the value may be gone while the copy in %PUBLIC% is still present; check for both.

Like other ransomware variants, it also runs “vssadmin.exe Delete Shadows /All /Quiet” to delete the Volume Shadow Copies, which removes the previous-versions route to recovering files. You can read an article written by Lawrence Abrams, owner and editor in chief of BleepingComputer.com, on why everyone should disable vssadmin.exe.

It accomplishes this via a batch file:

[Image: batch file]

Process tree:

[Image: process tree]
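The host-side behaviour above (the payload launched by the script host from %TEMP%, a RunOnce value whose data points at %PUBLIC%, and vssadmin deleting shadow copies from a batch file) maps directly onto process-creation and registry telemetry. As an added example, not code from the post, here is a Python triage routine run over constructed Sysmon-style events (event ID 1 process creation, event ID 13 registry value set). The field names, user name, SID and batch file name are assumptions for the example; Sysmon reports HKCU keys under HKU\<SID>, which is why the sample target paths look that way rather than starting with HKCU.

```python
import re

# Heuristics drawn from the behaviour described in the post: a script host launching
# an executable from a user-writable path, an autorun value pointing at %PUBLIC% or a
# Temp directory, and vssadmin being used to delete shadow copies.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE_RE = re.compile(
    r"^(?:C:\\Users\\Public\\|C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\|C:\\Windows\\Temp\\)",
    re.IGNORECASE,
)
AUTORUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.IGNORECASE)
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

# Constructed Sysmon-style events (assumed field names); the SID, user name and batch
# file name are placeholders, the image names and value name come from the post.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
EVENTS = [
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\XXSkRjf2.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\XXSkRjf2.exe"},
    {"id": 13, "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck",
     "details": r"C:\Users\Public\XXSkRjf2.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\XXSkRjf2.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\tmp1.bat"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 1, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
    {"id": 13, "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def evaluate(event):
    """Return the list of alert names a single event raises (empty for benign events)."""
    alerts = []
    if event["id"] == 1:
        image = event.get("image", "")
        parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
        if SHADOW_DELETE_RE.search(event.get("cmdline", "")):
            alerts.append("shadow_copy_deletion")
        if parent in SCRIPT_HOSTS and USER_WRITABLE_RE.match(image):
            alerts.append("script_host_launched_exe_from_user_writable_path")
    elif event["id"] == 13:
        m = AUTORUN_VALUE_RE.search(event.get("target_object", ""))
        data = event.get("details", "").lstrip('"')   # tolerate quoted image paths
        if m and USER_WRITABLE_RE.match(data):
            alerts.append("autorun_points_to_user_writable_path:" + m["name"])
    return alerts


def triage(events):
    """Return (event_index, alert) pairs for the whole event stream, in order."""
    return [(i, alert) for i, ev in enumerate(events) for alert in evaluate(ev)]


def looks_like_ransomware(findings):
    """Shadow-copy deletion plus persistence from a user-writable path is the combination worth paging on."""
    names = {alert for _, alert in findings}
    return "shadow_copy_deletion" in names and any(a.startswith("autorun_points_to_") for a in names)


if __name__ == "__main__":
    findings = triage(EVENTS)
    for index, alert in findings:
        print(f"event[{index}]\t{alert}")
    print("ransomware-like chain:", looks_like_ransomware(findings))
```

The OneDrive Run value in the sample stream is there on purpose: it lives under AppData\Local like plenty of legitimate per-user software, so the autorun rule keys on %PUBLIC% and the Temp directories specifically rather than on "anything under the user profile", which would drown the CertificatesCheck hit in noise.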

After infection, an HTML ransom note called RECOVER-FILES-726.html is dropped on the Desktop and in every folder containing encrypted files. Encrypted files have the .726 extension appended, the same number that appears in the note's filename.

Below is an image of the ransom note, which contains instructions for decrypting your files as well as links to the decryptor sites:

[Image: ransom note]

Opening the ransom note also generates a GET request to serv1[.]xyz/counter.php?nu=105&fb=726 (the fb parameter carries the same 726 used as the file extension), which returns the victim's external IP address:

[Image: IP check request]

Below are images of the decryptor and “help desk” pages:

[Image: decryptor page]
[Image: decryptor page 2]
[Image: Tor page]
[Image: submit a ticket]

They are charging 0.31 bitcoins to decrypt files. I always recommend that people NOT pay ransoms. Instead, look for free decryptors that are released by organizations or by people in the InfoSec community. If there isn’t a free decryptor available then I suggest keeping your encrypted files until (hopefully) one is released.

Network Traffic
  • 203.87.96.65 – adelaidemotorshow.com.au – GET /hg65fyJHG??XXSkRjf=XXSkRjf
  • 198.23.241.227 – serv1.xyz – GET /counter.php?nu=105&fb=726
  • n224ezvhg4sgyamb.onion.link/efwdaq.php
  • n224ezvhg4sgyamb.onion.link/sup.php
  • n224ezvhg4sgyamb.onion
Hashes

SHA256: dc4a4ccb21190a7d73a0aacd7cb72391c07c999bdb6372ff2c603cdc780048f3
File name: IMG_1391.js

SHA256: af1b82ff61d13d045664bfe3b760736c1243b71f97b851473bbaaa58c0686f75
File name: IMG_6580.js

SHA256: 9e95f90c8bdd43f2ba0ec4a48ea56270d688e99d17a1b8a03a79807d2745515e
File name: XXSkRjf2.exe
Hybrid-Analysis Report

Downloads and Paste

Malicious Artifacts from GlobeImposter Malspam 080817.zip
Password is “infected”

Paste of the decoded and commented .js file —> https://pastebin.com/rDZMzK4J (thanks again, IRDivision!)

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
