NotificationThis report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see https://ift.tt/1qJcHPA. SummaryDescription14 files were submitted for analysis. These files are designed to encrypt a victim's system files for a ransom payment. For a downloadable copy of IOCs, see: Submitted Files (17)036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050 (samsam.exe) 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac (samsam.exe) 32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f (selfdel.exe) 45e00fe90c8aa8578fce2b305840e368d62578c77e352974da6b8f8bc895d75b (samsam.exe) 553967d05b83364c6954d2b55b8cfc2ea3808a17c268b2eee49090e71976ba29 (553967d05b83364c6954d2b55b8cfc...) 58ef87523184d5df3ed1568397cea65b3f44df06c73eadeb5d90faebe4390e3e (samsam.exe) 6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21 (HELP_DECRYPT_YOUR_FILES.html) 6bc2aa391b8ef260e79b99409e44011874630c2631e4487e82b76e5cb0a49307 (samsam.exe) 7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044 (samsam.exe) 89b4abb78970cd524dd887053d5bcd982534558efdf25c83f96e13b56b4ee805 (samsam.exe) 939efdc272e8636fd63c1b58c2eec94cf10299cd2de30c329bd5378b6bbbd1c8 (samsam.exe) 946dd4c4f3c78e7e4819a712c7fd6497722a3d616d33e3306a556a9dc99656f4 (samsam.exe) 979692a34201f9fc1e1c44654dc8074a82000946deedfdf6b8985827da992868 (samsam.exe) 97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95 (del.exe) a763ed678a52f77a7b75d55010124a8fccf1628eb4f7a815c6d635034227177e (samsam.exe) e682ac6b874e0a6cfc5ff88798315b2cb822d165a7e6f72a5eb74e6da451e155 (samsam.exe) ffef0f1c2df157e9c2ee65a12d5b7b0f1301c4da22e7e7f3eac6b03c6487a626 (samsam.exe) Domains (10)anonyme.com evilsecure9.wordpress.com followsec7.wordpress.com key88secu7.wordpress.com keytwocode.wordpress.com lordsecure4u.wordpress.com payforsecure7.wordpress.com secangel7d.wordpress.com union83939k.wordpress.com zeushelpu.wordpress.com Findings0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfacTagsdropperransomwaretrojan Details| Name | samsam.exe |
|---|
| Size | 218624 bytes |
|---|
| Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
|---|
| MD5 | a14ea969014b1145382ffcd508d10156 |
|---|
| SHA1 | ff6aa732320d21697024994944cf66f7c553c9cd |
|---|
| SHA256 | 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac |
|---|
| SHA512 | 73f28bed4ee700e15d1c0eb9871e37bdda77e3ef3c14b63a1597b9628e7407dc31f8382e0ec52c8c65f68c00a4f321f5971359f865eb35b35dc62e9f5e8e7be1 |
|---|
| ssdeep | 3072:ZVdp01i6vcHV1LI5FLV0pZeZKfOJizjrBnNtRg+ur199J+n9fCbP:Za1i6UHVyLV0poZa1jrD099on9 |
|---|
| Entropy | 6.249245 |
|---|
Antivirus| Ahnlab | Trojan/Win32.Samas |
|---|
| Antiy | Trojan/Win32.SGeneric |
|---|
| Avira | TR/Ransom.lhumd |
|---|
| BitDefender | Generic.Ransom.SamSam.12451789 |
|---|
| ClamAV | Win.Trojan.Samas-1 |
|---|
| Cyren | W32/Trojan.MPPP-7951 |
|---|
| ESET | MSIL/Filecoder.AR trojan |
|---|
| Emsisoft | Generic.Ransom.SamSam.12451789 (B) |
|---|
| Ikarus | Trojan-Ransom.SamSam |
|---|
| K7 | Trojan ( 700000121 ) |
|---|
| McAfee | Ransomware-SAMAS!A14EA969014B |
|---|
| Microsoft Security Essentials | Ransom:MSIL/Samas.A |
|---|
| NANOAV | Trojan.Win32.Ransom.eamswz |
|---|
| Quick Heal | Trojan.Inject.TL3 |
|---|
| Sophos | Troj/RansmSam-A |
|---|
| Symantec | Trojan.Gen.2 |
|---|
| Systweak | malware.gen-r |
|---|
| TrendMicro | Ransom_CRYPSAM.B |
|---|
| TrendMicro House Call | Ransom_CRYPSAM.B |
|---|
| Vir.IT eXplorer | Trojan.Win32.MSIL9.BGXA |
|---|
| VirusBlokAda | Trojan-Ransom.MSIL.Samas |
|---|
| Zillya! | Dropper.Agent.Win32.229787 |
|---|
Yara RulesNo matches found. ssdeep Matches| 97 | 036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050 |
|---|
PE Metadata| Compile Date | 2016-01-05 19:14:43-05:00 |
|---|
| Import Hash | f34d5f2d4577ed6d9ceec516c1f5a744 |
|---|
| Company Name | Microsoft |
|---|
| File Description | MicrosoftSAM |
|---|
| Internal Name | samsam.exe |
|---|
| Legal Copyright | Copyright \xa9 2014 |
|---|
| Original Filename | samsam.exe |
|---|
| Product Name | MicrosoftSAM |
|---|
| Product Version | 2.4.8.4 |
|---|
PE Sections| MD5 | Name | Raw Size | Entropy |
|---|
| 37c3e95eb9901183e02df0ba1de6caf2 | header | 512 | 2.774592 | | 7a556f246357051b2d82ea445571ddbb | .text | 216064 | 6.270810 | | d0b581056989efaa1de31a61a8f4a9ec | .rsrc | 1536 | 4.110334 | | 06441ad348b483e2458a535949e809cf | .reloc | 512 | 0.101910 |
Packers/Compilers/Cryptors| Microsoft Visual C# v7.0 / Basic .NET |
Relationships| 0f2c5c3949... | Connected_To | union83939k.wordpress.com | | 0f2c5c3949... | Dropped | 6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21 | | 0f2c5c3949... | Dropped | 32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f | | 0f2c5c3949... | Dropped | 97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95 |
DescriptionThis file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware. It contains two embedded 32-bit Windows executables in its resource section:
--Begin resource--
"samsam.del.exe" ==> del.exe (SDelete) designed to securely delete files
"samsam.selfdel.exe" ==> selfdel.exe designed to delete the SamSam ransomware from the victim’s system
--End resource--
It installs the embedded files into the following directory:
--Begin files installed--
%Currentdirectory%\del.exe
%Currentdirectory%\Selfdel.exe
--End files installed--
This file is designed to accept an input text file as the command line argument. The input text file contains an RSA public key in the following format:
--Begin RSA public key--
"Base64 encoded RSA public keyAQAB"
--End RSA public key--
The input text file was not available for analysis.
Displayed below is the code snippet designed to accept an input text file as the command-line argument:
--Begin command line argument--
private static void Main(string[] args)
{
if (args.Length != 1)
{
return;
}
if (!string.IsNullOrEmpty(args[0]))
{
Program.publickey = File.ReadAllText(args[0]);
}
Program.create_from_resource();
--End command line argument--
It searches the drives installed on the victim system for files with the following file extensions:
--Begin file extensions--
"xls",".xlsx",".pdf",".doc",".docx",".ppt",".pptx",".txt",".dwg",".bak",".bkf",".pst",".dbx",".zip",".rar",".mdb",".asp",".aspx",".html",".htm",".dbf",".3dm",".3ds",".3fr",".jar",".3g2",".xml",".png",".tif",".3gp",".java",".jpe",".jpeg",".jpg",".jsp",".php",".3pr",".7z",".ab4",".accdb",".accde",".accdr",".accdt",".ach",".kbx",".acr",".act",".adb",".ads",".agdl",".ai",".ait",".al",".apj",".arw",".asf",".asm",".asx",".avi",".awg",".back",".backup",".backupdb",".pbl",".bank",".bay",".bdb",".bgt",".bik",".bkp",".blend",".bpw",".c",".cdf",".cdr",".cdr3",".cdr4",".cdr5",".cdr6",".cdrw",".cdx",".ce1",".ce2",".cer",".cfp",".cgm",".cib",".class",".cls",".cmt",".cpi",".cpp",".cr2",".craw",".crt",".crw",".phtml",".php5",".cs",".csh",".csl",".tib",".csv",".dac",".db",".db3",".db-journal",".dc2",".dcr",".dcs",".ddd",".ddoc",".ddrw",".dds",".der",".des",".design",".dgc",".djvu",".dng",".dot",".docm",".dotm",".dotx",".drf",".drw",".dtd",".dxb",".dxf",".dxg",".eml",".eps",".erbsql",".erf",".exf",".fdb",".ffd",".fff",".fh",".fmb",".fhd",".fla",".flac",".flv",".fpx",".fxg",".gray",".grey",".gry",".h",".hbk",".hpp",".ibank",".ibd",".ibz",".idx",".iif",".iiq",".incpas",".indd",".kc2",".kdbx",".kdc",".key",".kpdx",".lua",".m",".m4v",".max",".mdc",".mdf",".mef",".mfw",".mmw",".moneywell",".mos",".mov",".mp3",".mp4",".mpg",".mrw",".msg",".myd",".nd",".ndd",".nef",".nk2",".nop",".nrw",".ns2",".ns3",".ns4",".nsd",".nsf",".nsg",".nsh",".nwb",".nx2",".nxl",".nyf",".oab",".obj",".odb",".odc",".odf",".odg",".odm",".odp",".ods",".odt",".oil",".orf",".ost",".otg",".oth",".otp",".ots",".ott",".p12",".p7b",".p7c",".pab",".pages",".pas",".pat",".pcd",".pct",".pdb",".pdd",".pef",".pem",".pfx",".pl",".plc",".pot",".potm",".potx",".ppam",".pps",".ppsm",".ppsx",".pptm",".prf",".ps",".psafe3",".psd",".pspimage",".ptx",".py",".qba",".qbb",".qbm",".qbr",".qbw",".qbx",".qby",".r3d",".raf",".rat",".raw",".rdb",".rm",".rtf",".rw2",".rwl",".rwz",".s3db",".sas7bdat",".say",".sd0",".sda",".sdf",".sldm",".sldx",".sql",".sqlite",".sqlite3",".sqlitedb",".sr2",".srf",".srt",".srw",".st4",".st5",".st6",".st7",".st8",".std",".sti",".stw",".stx",".svg",".swf",".sxc",".sxd",".sxg",".sxi",".sxi",".sxm",".sxw",".tex",".tga",".thm",".tlg",".vob",".war",".wallet",".wav",".wb2",".wmv",".wpd",".wps",".x11",".x3f",".xis",".xla",".xlam",".xlk",".xlm",".xlr",".xlsb",".xlsm",".xlt",".xltm",".xltx",".xlw",".ycbcra",".yuv"
--End file extensions--
The malware avoids encrypting files in the "Windows", "Reference Assemblies\\Microsoft", and "Recycle.bin" folders:
Displayed below is the code snippet used to avoid encrypting files in the folders:
--Begin code--
if (path != Program.sysdir + "Windows" && !path.Contains("Reference Assemblies\\Microsoft") && !path.Contains("Recycle.Bin"))
--End code--
It randomly generates the following keys for encrypting the target files:
--Begin randomly generates keys--
AES key (16 bytes)
AES IV (16 bytes)
Signature key (64 bytes) for SHA256 HMAC key calculation
--End randomly generates keys--
Displayed below is the code snippet for generating the unique keys for a target file:
--Begin key generation--
public static string Encrypt(string plainFilePath, string encryptedFilePath, string manifestFilePath, string rsaKey)
{
byte[] signatureKey = encc.GenerateRandom(64); ===> HMAC key
byte[] key = encc.GenerateRandom(16); ==> Rijndael key
byte[] iv = encc.GenerateRandom(16); ==> Rijndael IV
encc.EncryptFile(plainFilePath, encryptedFilePath, key, iv, signatureKey, rsaKey);
return null;
--End key generation--
It reads the target file into memory and encrypts it using an AES algorithm in CBC mode with the generated AES keys. The encrypted data from the original file is stored into a newly created file. This file has the same name as the original file, but has an ".encryptedRSA" extension. The ransomware calculates a SHA-256 HMAC of the encrypted data of the file.
The generated keys are encrypted using the RSA public key from the key file. The malware Base64 encodes and prepends the following data in XML format at the beginning of the encrypted file:
--Begin Base64 encodes data--
AES key, encrypted with RSA public key
AES IV, encrypted with RSA public key
SHA-256H MAC of the encrypted file data
HMAC key, encrypted with RSA public key
--End Base64 encodes data--
Displayed below is the code used to RSA encrypt and Base64 encode the data prepended at the beginning of each encrypted file.
--Begin encrypting and encoding--
byte[] inArray = encc.CalculateSignature(encryptedFilePath, signatureKey);
string text = Convert.ToBase64String(encc.RSAEncryptBytes(key, rsaKey));
string text2 = Convert.ToBase64String(encc.RSAEncryptBytes(iv, rsaKey));
string text3 = Convert.ToBase64String(inArray);
string text4 = Convert.ToBase64String(encc.RSAEncryptBytes(signatureKey, rsaKey));
string str = string.Concat(new object[]
{
"",
encc.sn,
"",
text, ==> Base64 encoded AES key, encrypted with RSA public key with OAEP padding
"",
encc.sn,
"",
text2, ==> Base64 encoded AES IV, encrypted with RSA public key with OAEP padding
"",
encc.sn,
"",
text3, ==> Base64 encoded SHA-256 HMAC of the encrypted file data
"",
encc.sn,
"",
text4, ==> Base64 encoded HMAC key, encrypted with RSA public key with OAEP padding
"",
encc.sn,
"",
fileInfo.Length, ==> The length of the original file
"",
encc.sn,
""
});
--End encrypting and encoding--
Following the encryption of the victim’s files, the ransomware executes "selfdel.exe" to delete itself from the system and installs the ransomware note "HELP_DECRYPT_YOUR_FILES.html” onto the victim’s system.
Displayed below is the embedded blog and Bitcoin address for the ransomware note:
--Begin blog and Bitcoin address--
Blog address: "http[:]//union83939k.wordpress.com"
Bitcoin address: 19CbDoaZDLTzkkT1uQrMPM42AUvfQN4Kds
--End blog and Bitcoin address-- 7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044Tagsransomwaretrojan Details| Name | samsam.exe |
|---|
| Size | 218112 bytes |
|---|
| Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
|---|
| MD5 | 14721036e16587594ad950d4f2db5f27 |
|---|
| SHA1 | ed1797c282f0817d2ad8f878f8dd50ab062501ac |
|---|
| SHA256 | 7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044 |
|---|
| SHA512 | 4d9e75850713f0bf6892fca8d74f462a5b2c0ccec2ed089fd830b8babcce7aedbd3bcb56e25c81cb6bf285bba9111ef89913d0c665593b2ba8da5f57d9505d32 |
|---|
| ssdeep | 3072:gUOsdp01i6vcHV1LI5FLV0pZeZKfOJizjrBnNtRg+ur199JWbk9f7b1v:gzL1i6UHVyLV0poZa1jrD099Qbk9V |
|---|
| Entropy | 6.248108 |
|---|
Antivirus| Ahnlab | Trojan/Win32.Samas |
|---|
| Antiy | Trojan[Ransom]/MSIL.Samas |
|---|
| Avira | TR/Ransom.lhumd |
|---|
| BitDefender | Generic.Ransom.SamSam.B120689A |
|---|
| Cyren | W32/Trojan.HBQK-8340 |
|---|
| ESET | a variant of MSIL/Filecoder.AR trojan |
|---|
| Emsisoft | Generic.Ransom.SamSam.B120689A (B) |
|---|
| Ikarus | Trojan-Ransom.SamSam |
|---|
| K7 | Trojan ( 700000121 ) |
|---|
| McAfee | Ransomware-SAMAS!14721036E165 |
|---|
| Microsoft Security Essentials | Ransom:MSIL/Samas.A |
|---|
| NANOAV | Trojan.Win32.Samas.eajeha |
|---|
| Quick Heal | Trojan.Inject.TL3 |
|---|
| Sophos | Troj/RansmSam-A |
|---|
| Symantec | Ransom.SamSam!gen1 |
|---|
| Systweak | trojan-spy.filecryptor |
|---|
| TrendMicro | Ransom_.2933F726 |
|---|
| TrendMicro House Call | Ransom_.2933F726 |
|---|
| Vir.IT eXplorer | Trojan.Win32.Atros3.CWX |
|---|
| VirusBlokAda | Trojan-Ransom.MSIL.Samas |
|---|
| Zillya! | Trojan.Filecoder.Win32.2108 |
|---|
Yara RulesNo matches found. ssdeep MatchesNo matches found. Packers/Compilers/Cryptors| Microsoft Visual C# v7.0 / Basic .NET |
Relationships| 7aa585e6fd... | Dropped | 6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21 | | 7aa585e6fd... | Dropped | 32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f | | 7aa585e6fd... | Dropped | 97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95 | | 7aa585e6fd... | Connected_To | union83939k.wordpress.com |
DescriptionThis file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware. It contains two embedded 32-bit Windows executables in its resource section:
--Begin resource--
"samsam.del.exe" ==> del.exe (SDelete) designed to securely delete files
"samsam.selfdel.exe" ==> selfdel.exe designed to delete the SamSam ransomware from the victim’s system
--End resource--
It installs the embedded files into the following directory:
--Begin files installed--
%Currentdirectory%\del.exe
%Currentdirectory%\Selfdel.exe
--End files installed--
This file is designed to accept an input text file as the command line argument. The input text file contains an RSA public key in the following format:
--Begin RSA public key--
"Base64 encoded RSA public keyAQAB"
--End RSA public key--
The input text file was not available for analysis.
Displayed below is the code snippet designed to accept an input text file as the command-line argument:
--Begin command line argument--
private static void Main(string[] args)
{
if (args.Length != 1)
{
return;
}
if (!string.IsNullOrEmpty(args[0]))
{
Program.publickey = File.ReadAllText(args[0]);
}
Program.create_from_resource();
--End command line argument--
It searches the drives installed on the victim system for files with the following file extensions:
--Begin file extensions--
"xls",".xlsx",".pdf",".doc",".docx",".ppt",".pptx",".txt",".dwg",".bak",".bkf",".pst",".dbx",".zip",".rar",".mdb",".asp",".aspx",".html",".htm",".dbf",".3dm",".3ds",".3fr",".jar",".3g2",".xml",".png",".tif",".3gp",".java",".jpe",".jpeg",".jpg",".jsp",".php",".3pr",".7z",".ab4",".accdb",".accde",".accdr",".accdt",".ach",".kbx",".acr",".act",".adb",".ads",".agdl",".ai",".ait",".al",".apj",".arw",".asf",".asm",".asx",".avi",".awg",".back",".backup",".backupdb",".pbl",".bank",".bay",".bdb",".bgt",".bik",".bkp",".blend",".bpw",".c",".cdf",".cdr",".cdr3",".cdr4",".cdr5",".cdr6",".cdrw",".cdx",".ce1",".ce2",".cer",".cfp",".cgm",".cib",".class",".cls",".cmt",".cpi",".cpp",".cr2",".craw",".crt",".crw",".phtml",".php5",".cs",".csh",".csl",".tib",".csv",".dac",".db",".db3",".db-journal",".dc2",".dcr",".dcs",".ddd",".ddoc",".ddrw",".dds",".der",".des",".design",".dgc",".djvu",".dng",".dot",".docm",".dotm",".dotx",".drf",".drw",".dtd",".dxb",".dxf",".dxg",".eml",".eps",".erbsql",".erf",".exf",".fdb",".ffd",".fff",".fh",".fmb",".fhd",".fla",".flac",".flv",".fpx",".fxg",".gray",".grey",".gry",".h",".hbk",".hpp",".ibank",".ibd",".ibz",".idx",".iif",".iiq",".incpas",".indd",".kc2",".kdbx",".kdc",".key",".kpdx",".lua",".m",".m4v",".max",".mdc",".mdf",".mef",".mfw",".mmw",".moneywell",".mos",".mov",".mp3",".mp4",".mpg",".mrw",".msg",".myd",".nd",".ndd",".nef",".nk2",".nop",".nrw",".ns2",".ns3",".ns4",".nsd",".nsf",".nsg",".nsh",".nwb",".nx2",".nxl",".nyf",".oab",".obj",".odb",".odc",".odf",".odg",".odm",".odp",".ods",".odt",".oil",".orf",".ost",".otg",".oth",".otp",".ots",".ott",".p12",".p7b",".p7c",".pab",".pages",".pas",".pat",".pcd",".pct",".pdb",".pdd",".pef",".pem",".pfx",".pl",".plc",".pot",".potm",".potx",".ppam",".pps",".ppsm",".ppsx",".pptm",".prf",".ps",".psafe3",".psd",".pspimage",".ptx",".py",".qba",".qbb",".qbm",".qbr",".qbw",".qbx",".qby",".r3d",".raf",".rat",".raw",".rdb",".rm",".rtf",".rw2",".rwl",".rwz",".s3db",".sas7bdat",".say",".sd0",".sda",".sdf",".sldm",".sldx",".sql",".sqlite",".sqlite3",".sqlitedb",".sr2",".srf",".srt",".srw",".st4",".st5",".st6",".st7",".st8",".std",".sti",".stw",".stx",".svg",".swf",".sxc",".sxd",".sxg",".sxi",".sxi",".sxm",".sxw",".tex",".tga",".thm",".tlg",".vob",".war",".wallet",".wav",".wb2",".wmv",".wpd",".wps",".x11",".x3f",".xis",".xla",".xlam",".xlk",".xlm",".xlr",".xlsb",".xlsm",".xlt",".xltm",".xltx",".xlw",".ycbcra",".yuv"
--End file extensions--
The malware avoids encrypting files in the "Windows", "Reference Assemblies\\Microsoft", and "Recycle.bin" folders:
Displayed below is the code snippet used to avoid encrypting files in the folders:
--Begin code--
if (path != Program.sysdir + "Windows" && !path.Contains("Reference Assemblies\\Microsoft") && !path.Contains("Recycle.Bin"))
--End code--
It randomly generates the following keys for encrypting the target files:
--Begin randomly generates keys--
AES key (16 bytes)
AES IV (16 bytes)
Signature key (64 bytes) for SHA256 HMAC key calculation
--End randomly generates keys--
Displayed below is the code snippet for generating the unique keys for a target file:
--Begin key generation--
public static string Encrypt(string plainFilePath, string encryptedFilePath, string manifestFilePath, string rsaKey)
{
byte[] signatureKey = encc.GenerateRandom(64); ===> HMAC key
byte[] key = encc.GenerateRandom(16); ==> Rijndael key
byte[] iv = encc.GenerateRandom(16); ==> Rijndael IV
encc.EncryptFile(plainFilePath, encryptedFilePath, key, iv, signatureKey, rsaKey);
return null;
--End key generation--
It reads the target file into memory and encrypts it using an AES algorithm in CBC mode with the generated AES keys. The encrypted data from the original file is stored into a newly created file. This file has the same name as the original file, but has an ".encryptedRSA" extension. The ransomware calculates a SHA-256 HMAC of the encrypted data of the file.
The generated keys are encrypted using the RSA public key from the key file. The malware Base64 encodes and prepends the following data in XML format at the beginning of the encrypted file:
--Begin Base64 encodes data--
AES key, encrypted with RSA public key
AES IV, encrypted with RSA public key
SHA-256H MAC of the encrypted file data
HMAC key, encrypted with RSA public key
--End Base64 encodes data--
Displayed below is the code used to RSA encrypt and Base64 encode the data prepended at the beginning of each encrypted file.
--Begin encrypting and encoding--
byte[] inArray = encc.CalculateSignature(encryptedFilePath, signatureKey);
string text = Convert.ToBase64String(encc.RSAEncryptBytes(key, rsaKey));
string text2 = Convert.ToBase64String(encc.RSAEncryptBytes(iv, rsaKey));
string text3 = Convert.ToBase64String(inArray);
string text4 = Convert.ToBase64String(encc.RSAEncryptBytes(signatureKey, rsaKey));
string str = string.Concat(new object[]
{
"",
encc.sn,
"",
text, ==> Base64 encoded AES key, encrypted with RSA public key with OAEP padding
"",
encc.sn,
"",
text2, ==> Base64 encoded AES IV, encrypted with RSA public key with OAEP padding
"",
encc.sn,
"",
text3, ==> Base64 encoded SHA-256 HMAC of the encrypted file data
"",
encc.sn,
"",
text4, ==> Base64 encoded HMAC key, encrypted with RSA public key with OAEP padding
"",
encc.sn,
"",
fileInfo.Length, ==> The length of the original file
"",
encc.sn,
""
});
--End encrypting and encoding--
Following the encryption of the victim’s files, the ransomware executes "selfdel.exe" to delete itself from the system and installs the ransomware note "HELP_DECRYPT_YOUR_FILES.html” onto the victim’s system.
Displayed below is the embedded blog and Bitcoin address for the ransomware note:
--Begin blog and Bitcoin address--
blog address: "https://ift.tt/2SqhEMO"
Bitcoin address: 19CbDoaZDLTzkkT1uQrMPM42AUvfQN4Kds
--End blog and Bitcoin address-- union83939k.wordpress.comURLsWhoisDomain Name: WORDPRESS.COM
Registry Domain ID: 21242797_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: https://ift.tt/xpfLn7
Updated Date: 2017-01-12T22:53:10Z
Creation Date: 2000-03-03T12:13:23Z
Registry Expiry Date: 2020-03-03T12:13:23Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://ift.tt/1STXx5R
Domain Status: clientTransferProhibited https://ift.tt/1HOMKoX
Domain Status: clientUpdateProhibited https://ift.tt/1YtTel4
Domain Status: serverDeleteProhibited https://ift.tt/1JKWtJi
Domain Status: serverTransferProhibited https://ift.tt/1DDIp8k
Domain Status: serverUpdateProhibited https://ift.tt/1JKWtJg
Name Server: NS1.WORDPRESS.COM
Name Server: NS2.WORDPRESS.COM
Name Server: NS3.WORDPRESS.COM
Name Server: NS4.WORDPRESS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://ift.tt/2gVBMqH
>>> Last update of whois database: 2018-03-27T18:16:17Z <<<
NetRange: 192.0.64.0 - 192.0.127.255
CIDR: 192.0.64.0/18
NetName: AUTOMATTIC
NetHandle: NET-192-0-64-0-1
Parent: NET192 (NET-192-0-0-0-0)
NetType: Direct Assignment
OriginAS: AS2635
Organization: Automattic, Inc (AUTOM-93)
RegDate: 2012-11-20
Updated: 2012-11-20
Ref: https://ift.tt/2Qa7dAE
OrgName: Automattic, Inc
OrgId: AUTOM-93
Address: 60 29th Street #343
City: San Francisco
StateProv: CA
PostalCode: 94110
Country: US
RegDate: 2011-10-05
Updated: 2013-11-01
Ref: https://ift.tt/2SslLZ4
OrgAbuseHandle: ABUSE3970-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-877-273-8550
OrgAbuseEmail: abuse@automattic.com
OrgAbuseRef: https://ift.tt/2rjZ6CE
OrgTechHandle: NOC12276-ARIN
OrgTechName: NOC
OrgTechPhone: +1-877-273-8550
OrgTechEmail: ipadmin@automattic.com
OrgTechRef: https://ift.tt/2SrIJ2d
OrgNOCHandle: NOC12276-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-877-273-8550
OrgNOCEmail: ipadmin@automattic.com
OrgNOCRef: https://ift.tt/2SrIJ2d Relationships| union83939k.wordpress.com | Connected_From | 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac | | union83939k.wordpress.com | Connected_From | 7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044 |
036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050Tagsdropperransomwaretrojan Details| Name | samsam.exe |
|---|
| Size | 218624 bytes |
|---|
| Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
|---|
| MD5 | fe998080463665412b65850828bce41f |
|---|
| SHA1 | 203bb8ec1da6b237a092bab71fa090849c7db9bd |
|---|
| SHA256 | 036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050 |
|---|
| SHA512 | 9ade6edde3f063fc935f53366ffc9cb6cf7e17691d22fd2fe107d779da3b61eaed006ef7679b456bc16aca8b686d035f09aaf42bf06fa62b872e0a89046994eb |
|---|
| ssdeep | 3072:bVdp01i6vcHV1LI5FLV0pZeZKfOJizjrBnNtRg+ur199J+n9fCbM:ba1i6UHVyLV0poZa1jrD099on9 |
|---|
| Entropy | 6.249304 |
|---|
Antivirus| Ahnlab | Trojan/Win32.Samas |
|---|
| Antiy | Trojan/Win32.SGeneric |
|---|
| Avira | TR/Ransom.lhumd |
|---|
| BitDefender | Generic.Ransom.SamSam.CDB17A36 |
|---|
| ClamAV | Win.Trojan.Samas-1 |
|---|
| Cyren | W32/SamSam.D.gen!Eldorado |
|---|
| ESET | MSIL/Filecoder.AR trojan |
|---|
| Emsisoft | Generic.Ransom.SamSam.CDB17A36 (B) |
|---|
| Ikarus | Trojan-Ransom.SamSam |
|---|
| K7 | Trojan ( 700000121 ) |
|---|
| McAfee | Ransomware-SAMAS!FE9980804636 |
|---|
| Microsoft Security Essentials | Ransom:MSIL/Samas.A |
|---|
| NANOAV | Trojan.Win32.Ransom.eamenb |
|---|
| NetGate | Trojan.Win32.Malware |
|---|
| Quick Heal | Trojan.Inject.TL3 |
|---|
| Sophos | Troj/RansmSam-A |
|---|
| Symantec | Ransom.SamSam!gen1 |
|---|
| Systweak | malware.gen-r |
|---|
| TrendMicro | Ransom_.2933F726 |
|---|
| TrendMicro House Call | Ransom_.2933F726 |
|---|
| Vir.IT eXplorer | Trojan.Win32.MSIL9.BGXA |
|---|
| VirusBlokAda | Trojan-Ransom.MSIL.Samas |
|---|
| Zillya! | Dropper.Agent.Win32.229787 |
|---|
Yara RulesNo matches found. ssdeep Matches| 97 | 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac |
|---|
Packers/Compilers/Cryptors| Microsoft Visual C# v7.0 / Basic .NET |
Relationships| 036071786d... | Dropped | 6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21 | | 036071786d... | Dropped | 32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f | | 036071786d... | Dropped | 97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95 | | 036071786d... | Connected_To | keytwocode.wordpress.com |
DescriptionThis file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware. It contains two embedded 32-bit Windows executables in its resource section:
--Begin resource--
"samsam.del.exe" ==> del.exe (SDelete) designed to securely delete files
"samsam.selfdel.exe" ==> selfdel.exe designed to delete the SamSam ransomware from the victim’s system
--End resource--
It installs the embedded files into the following directory:
--Begin files installed--
%Currentdirectory%\del.exe
%Currentdirectory%\Selfdel.exe
--End files installed--
This file is designed to accept an input text file as the command line argument. The input text file contains an RSA public key in the following format:
--Begin RSA public |