Malware analysis: Batch ransomware and dropper

struppigel

Apr 9, 2020
Short analysis of the tested Batch ransomware found by @upnorth

Referenced thread: https://malwaretips.com/threads/ransom-bat-03-11-2020.104942/#post-912312

Malware type: Ransomware and dropper
File type: TXT, Batch

Ransomware behavior:
It uses the certutil command to encode files to Base64 and appends the .cxk_nmsl extension.
These files can be decoded back; there is no encryption whatsoever. A ransom note seems to be missing.
Intermediate files have the .cxkdata extension. These are renamed versions of not-yet-encoded files, and they are deleted by the sample after encoding.

The ransomware portion is very noisy and creates a visible terminal window, as is evident from this analysis: CXK-NMSL V3.2.bat (MD5: 01B575A1012B97988655980A48430DBB) - Interactive analysis - ANY.RUN
Or from this screenshot:

screenshot_bat.png


The message box content is just weird.
There is also a weird .mp3 file that is opened with VLC player after encoding. It's just a song. I guess the developer is just playing with things. Path of that file: %TEMP%/╝ª─π╠½├└.mp3

Dropper behavior:

Uses echo to write a big Base64 string into a file called x.
After decoding, x is a Portable Executable file that is detected as a Flystudio trojan by most vendors. The identification is confirmed by strings such as "Software\FlySky\E\Install\Path" in the binary.

VT link dropped file: VirusTotal
 
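As a defender-side recovery helper added here (not code from the thread or from the sample), this Python script reverses what the post describes: it strips the PEM-style header and footer that `certutil -encode` writes, Base64-decodes each `*.cxk_nmsl` file back under its original name, and copies any leftover `*.cxkdata` intermediate back, since those are only renamed originals. It assumes both suffixes were appended to the original file name and that the encoded files are unmodified certutil output; `certutil_style_encode` only reproduces that layout to build the constructed sample tree, and nothing is deleted so the analyst can verify results first.

```python
import base64
import shutil
import tempfile
from pathlib import Path

ENCODED_EXT = ".cxk_nmsl"      # suffix the sample appends after `certutil -encode`
INTERMEDIATE_EXT = ".cxkdata"  # assumed: original name + suffix, content untouched


def certutil_style_encode(raw: bytes) -> bytes:
    """Reproduce the layout of `certutil -encode` (PEM header/footer, 64-char lines,
    CRLF). Used only to construct sample input; the real sample calls certutil."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    return ("\r\n".join(pem) + "\r\n").encode("ascii")


def decode_certutil_blob(blob: bytes) -> bytes:
    """Reverse certutil -encode; tolerates a missing header/footer and any line ending."""
    body = [ln.strip() for ln in blob.decode("ascii").splitlines()]
    b64 = "".join(ln for ln in body if ln and not ln.startswith("-----"))
    return base64.b64decode(b64, validate=True)


def recover_tree(root: Path) -> dict[str, str]:
    """Decode *.cxk_nmsl and restore *.cxkdata under root without deleting anything.
    Returns {artefact path relative to root: outcome}."""
    outcomes: dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        if path.name.endswith(ENCODED_EXT):
            target = path.with_name(path.name[:-len(ENCODED_EXT)])
            try:
                target.write_bytes(decode_certutil_blob(path.read_bytes()))
                outcomes[rel] = "decoded"
            except (UnicodeDecodeError, ValueError):
                outcomes[rel] = "not-base64"  # not certutil output; keep for manual review
        elif path.name.endswith(INTERMEDIATE_EXT):
            target = path.with_name(path.name[:-len(INTERMEDIATE_EXT)])
            if not target.exists():  # interrupted before encoding: bytes are the original
                shutil.copy2(path, target)
                outcomes[rel] = "renamed-back"
    return outcomes


def run_demo() -> tuple[Path, dict[str, str]]:
    """Constructed victim tree: one encoded file, one interrupted rename, one bogus file."""
    root = Path(tempfile.mkdtemp(prefix="cxk_recover_"))
    (root / ("report.docx" + ENCODED_EXT)).write_bytes(certutil_style_encode(b"PK\x03\x04 docx"))
    (root / ("notes.txt" + INTERMEDIATE_EXT)).write_bytes(b"meeting notes")
    (root / ("bogus.bin" + ENCODED_EXT)).write_bytes(b"\xff\xfe not certutil output")
    return root, recover_tree(root)
```

Point `recover_tree` at a copy of the affected directory; a file reported as "not-base64" was not produced by certutil and should be inspected by hand rather than assumed lost.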

Andy Ful

Dec 23, 2014
This BAT is CXK-NMSL ver. 3.2, and it is almost identical to the BAT used by the malware:
which is CXK-NMSL ver. 3.3.
In ver. 3.3 the BAT contains an additional binary appended at the end and some code related to it (this binary is not malicious).

The first tens of lines of CXK-NMSL V3.2.bat are simple fake-ransomware code based on Certutil's encoding abilities. Next, there are some binaries encoded by Certutil. These binaries can be easily extracted by using the code from this BAT (the code is not obfuscated). These binaries are probably not malicious (although some of them are flagged on VirusTotal).

Here are the links about some created files:
CXK-NMSL-README.txt (ransom note in Simplified Chinese)
CXK-NMSL-DATA.exe
krnln.fnr
_ŻTŽ+ä_â_ÜTź_é+ö.mp3 (mp3 music file that is played at the end)
x.js (creates z.zip = compressed wallpaper)
z.zip (contains compressed wallpaper.jpg which replaces the wallpaper on the Desktop)

wallpaper.jpg

The malware changes the start page in Internet Explorer to a webpage that displays a video clip:
reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d " hxxps://www.bilibili.com/video/av61335515/ " /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /d " hxxps://www.bilibili.com/video/av61335515/ " /f

Post edited.
 