I received this malspam sample on Saturday from a friend, so it’s already a couple of days old. While that is ancient in malspam years, I felt like writing something up since I haven’t done a malspam post in quite some time.
The subject line of the malspam samples that I received all started with “IMG_” and neither of them contained anything in the body. Below are some images of the malspam samples:
Both samples came from Gmail accounts and had attached .zip files. Opening the .zip file shows a .js file, found in %TEMP%:
Both .js files were GlobeImposter downloaders, so executing them generated GET requests for payloads hosted on various domains. I successfully received a payload, even though my samples were days old.
Below is the image of the GET request:
As you can see from the GET request, the user-agent string is “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)”, which identifies as Internet Explorer 6 on Windows 2000. Looking through the .js file shows where the user-agent is set:
You can also see how the script fetches the payloads with GET:
In my sample, I ended up getting the payload from adelaidemotorshow[.]com[.]au/hg65fyJHG, with the backup location being trombositting[.]org/af/hg65fyJHG.
The payload is named XXSkRjf2.exe, saved in %TEMP%, and run:
Below are the folder and file extension exclusion lists, which I found in a very detailed blog post by Fortinet.
Folder exclusion list (44 in total):
Windows, Microsoft, Microsoft Help, Windows App Certification Kit, Windows Defender, ESET, COMODO, Windows NT, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Temp, NVIDIA Corporation, Microsoft.NET, Internet Explorer, Kaspersky Lab, McAfee, Avira, spytech software, sysconfig, Avast, Dr.Web, Symantec, Symantec_Client_Security, system volume information, AVG, Microsoft Shared, Common Files, Outlook Express, Movie Maker, Chrome, Mozilla Firefox, Opera, YandexBrowser, ntldr, Wsus, ProgramData.
Extension exclusion list (170 in total):
.$er, .4db, .4dd, .4d, .4mp, .abs, .abx, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .adn, .adp, .aft, .ahd, .alf, .ask, .awdb, .azz, .bdb, .bib, .bnd, .bok, .btr, .cdb, .cdb, .cdb, .ckp, .clkw, .cma, .crd, .daconnections, .dacpac, .dad, .dadiagrams, .daf, .daschema, .db, .db-shm, .db-wa, .db2, .db3, .dbc, .dbf, .dbf, .dbk, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .dd, .df1, .dmo, .dnc, .dp1, .dqy, .dsk, .dsn, .dta, .dtsx, .dx, .eco, .ecx, .edb, .emd, .eq, .fcd, .fdb, .fic, .fid, .fi, .fm5, .fmp, .fmp12, .fmps, .fo, .fp3, .fp4, .fp5, .fp7, .fpt, .fzb, .fzv, .gdb, .gwi, .hdb, .his, .ib, .idc, .ihx, .itdb, .itw, .jtx, .kdb, .lgc, .maq, .mdb, .mdbhtm, .mdf, .mdn, .mdt, .mrg, .mud, .mwb, .myd, .ndf, .ns2, .ns3, .ns4, .nsf, .nv2, .nyf, .oce, .odb, .oqy, .ora, .orx, .owc, .owg, .oyx, .p96, .p97, .pan, .pdb, .pdm, .phm, .pnz, .pth, .pwa, .qpx, .qry, .qvd, .rctd, .rdb, .rpd, .rsd, .sbf, .sdb, .sdf, .spq, .sqb, .sq, .sqlite, .sqlite3, .sqlitedb, .str, .tcx, .tdt, .te, .teacher, .tmd, .trm, .udb, .usr, .v12, .vdb, .vpd, .wdb, .wmdb, .xdb, .xld, .xlgc, .zdb, .zdc
It copies itself to %PUBLIC% and sets itself to run automatically at logon by creating the following registry value:
Like other ransomware variants, it also runs “vssadmin.exe Delete Shadows /All /Quiet” to delete the volume shadow copies. You can read an article by Lawrence Abrams, owner and editor in chief of BleepingComputer.com, on why everyone should disable vssadmin.exe.
It accomplishes this task via a batch file:
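As an added example (not code from the original post), here are two simple detections for behaviours described above: the downloader's fixed IE6/Windows 2000 user-agent combined with the double-“?” payload URI shape from the GET request, and the vssadmin shadow-copy deletion run from the batch file. The tab-separated log formats and the sample lines are constructed for this example, not a real product's schema, and the URI check matches the general `/<path>??<name>=<name>` shape rather than only this sample's `XXSkRjf`.

```python
import re
from typing import Dict, List

# User-agent hard-coded in the downloader (IE6 on Windows 2000); rare today.
DOWNLOADER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
# Payload request shape from the capture: '/<path>??<name>=<name>'.
# The name part is per-sample, so match the shape rather than 'XXSkRjf'.
PAYLOAD_URI_RE = re.compile(r"^/\S+?\?\?(\w+)=\1$")
# Shadow-copy deletion as issued by the batch file.
VSSADMIN_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

# Constructed sample logs (not real traffic).
# Proxy lines: client<TAB>host<TAB>"METHOD path"<TAB>user-agent
PROXY_LOG = [
    "10.0.0.5\tadelaidemotorshow.com.au\tGET /hg65fyJHG??XXSkRjf=XXSkRjf\t" + DOWNLOADER_UA,
    "10.0.0.5\tserv1.xyz\tGET /counter.php?nu=105&fb=726\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "10.0.0.9\texample.com\tGET /index.html\t" + DOWNLOADER_UA,  # legacy browser, no payload URI
]
# Process-creation lines: host<TAB>parent image<TAB>command line
PROC_LOG = [
    "WS01\tcmd.exe\tvssadmin.exe Delete Shadows /All /Quiet",
    "WS01\tcmd.exe\tvssadmin.exe list shadows",  # benign enumeration
]


def find_downloader_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests carrying the downloader UA AND the payload URI shape.
    Requiring both keeps a lone legacy browser from firing the rule."""
    hits = []
    for line in lines:
        client, host, request, ua = line.split("\t", 3)
        method, _, path = request.partition(" ")
        if ua == DOWNLOADER_UA and method == "GET" and PAYLOAD_URI_RE.match(path):
            hits.append({"client": client, "host": host, "path": path})
    return hits


def find_shadow_copy_deletion(lines: List[str]) -> List[Dict[str, str]]:
    """Flag vssadmin shadow deletions; 'list shadows' does not match."""
    hits = []
    for line in lines:
        host, parent, cmdline = line.split("\t", 2)
        if VSSADMIN_RE.search(cmdline):
            hits.append({"host": host, "parent": parent, "cmdline": cmdline})
    return hits


if __name__ == "__main__":
    for hit in find_downloader_requests(PROXY_LOG) + find_shadow_copy_deletion(PROC_LOG):
        print("ALERT", hit)
```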
After infection, an .HTML ransom note called RECOVER-FILES-726.html is dropped on the Desktop and in folders containing encrypted files:
Encrypted files have the .726 extension appended to their names.
Below is an image of the ransom note, which contains instructions for how to decrypt your files, as well as links to the decryptor sites:
Opening the ransom note also generates a GET request to serv1[.]xyz/counter.php?nu=105&fb=726, which returns your external IP address:
Below are images of the decryptor and “help desk” pages:
They are charging 0.31 bitcoins to decrypt files. I always recommend that people NOT pay ransoms. Instead, look for free decryptors that are released by organizations or by people in the InfoSec community. If there isn’t a free decryptor available then I suggest keeping your encrypted files until (hopefully) one is released.
- 126.96.36.199 – adelaidemotorshow.com.au – GET /hg65fyJHG??XXSkRjf=XXSkRjf
- 188.8.131.52 – serv1.xyz – GET /counter.php?nu=105&fb=726
File name: IMG_1391.js
File name: IMG_6580.js
File name: XXSkRjf2.exe
Downloads and Paste
Malicious Artifacts from GlobeImposter Malspam 080817.zip
Password is “infected”
Paste of the decoded and commented .js file —> https://pastebin.com/rDZMzK4J (thanks again, IRDivision!)
Until next time!