Malware Analysis Batch ransomware and dropper

struppigel
Apr 9, 2020
Short analysis of the tested Batch ransomware found by @upnorth

Referenced thread: https://malwaretips.com/threads/ransom-bat-03-11-2020.104942/#post-912312

Malware type: Ransomware and dropper
File type: TXT, Batch

Ransomware behavior:
It uses the certutil command to encode files to base64 and appends the .cxk_nmsl extension.
These files can be decoded back. There is no encryption whatsoever. A ransom note seems to be missing.
Intermediate files have the .cxkdata extension. These are renamed versions of not-yet-encoded files, and they are deleted by the sample after encoding.

The ransomware portion is very noisy and creates a visible terminal window, as is evident from this analysis: CXK-NMSL V3.2.bat (MD5: 01B575A1012B97988655980A48430DBB) - Interactive analysis - ANY.RUN
Or this screenshot:

[screenshot: screenshot_bat.png]

The message box content is just weird.
There is also a weird .mp3 file that is opened after encoding with VLC player. It's just a song. I guess the developer is just playing with things. Path of that file: %TEMP%/╝ª─π╠½├└.mp3

Dropper behavior:

Uses echo to write a big Base64 string into a file called x.
After decoding, x is a Portable Executable file which is detected as Flystudio trojan by most vendors. Identification is confirmed by strings like "Software\FlySky\E\Install\Path" in the binary.

VT link for the dropped file: VirusTotal

Andy Ful
Dec 23, 2014
This BAT is CXK-NMSL ver. 3.2 and it is almost identical to the BAT used by the malware:
which is CXK-NMSL ver. 3.3.
In ver. 3.3 the BAT contains an additional binary appended at the end and some code related to it (this binary is not malicious).

The first tens of lines of CXK-NMSL V3.2.bat are simple fake-ransomware code based on Certutil's encoding abilities. Next, there are some binaries encoded by Certutil. These binaries can be easily extracted by using the code from this BAT (the code is not obfuscated). These binaries are probably not malicious (although some of them are flagged on VirusTotal).

Here are the links for some of the created files:
CXK-NMSL-README.txt (ransomware note in Chinese simplified)
CXK-NMSL-DATA.exe
krnln.fnr
_ŻTŽ+ä_â_ÜTź_é+ö.mp3 (mp3 music file which is played in the end)
x.js (creates z.zip = compressed wallpaper)
z.zip (contains compressed wallpaper.jpg which replaces the wallpaper on the Desktop)

wallpaper.jpg

The malware changes the start page in Internet Explorer to the webpage that displays a videoclip:
reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d " hxxps://www.bilibili.com/video/av61335515/ " /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /d " hxxps://www.bilibili.com/video/av61335515/ " /f

Post edited.
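As an added example (not code from either post above), the following Python script reverses the certutil -encode wrapping that both posts describe: it decodes every .cxk_nmsl file back to its original name and leaves untouched anything that is not in that format, so a bad guess never overwrites a victim file. The header/footer lines and 64-column layout are the format certutil -encode writes; the certutil_encode helper and the sample files are constructed so the demo runs offline without Windows.

```python
import base64
import tempfile
from pathlib import Path

# certutil -encode wraps its base64 output in certificate-style header and
# footer lines, 64 characters per line, CRLF line endings (format assumed here).
CERTUTIL_HEADER = b"-----BEGIN CERTIFICATE-----"
CERTUTIL_FOOTER = b"-----END CERTIFICATE-----"
RANSOM_EXT = ".cxk_nmsl"  # extension the sample appends (from the post)

def certutil_encode(data: bytes) -> bytes:
    """Mimic certutil -encode so the demo runs offline (constructed helper)."""
    b64 = base64.b64encode(data)
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\r\n".join([CERTUTIL_HEADER, *body, CERTUTIL_FOOTER]) + b"\r\n"

def certutil_decode(blob: bytes) -> bytes:
    """Reverse certutil -encode: verify the wrapper, then decode the body.
    Raises ValueError (binascii.Error is a subclass) on anything else."""
    lines = [ln.strip() for ln in blob.splitlines() if ln.strip()]
    if len(lines) < 2 or lines[0] != CERTUTIL_HEADER or lines[-1] != CERTUTIL_FOOTER:
        raise ValueError("not a certutil -encode wrapped file")
    return base64.b64decode(b"".join(lines[1:-1]), validate=True)

def recover_directory(root: Path) -> list[Path]:
    """Decode every *.cxk_nmsl file under root back to its original name.
    The encoded copy is removed only after the decoded file is written."""
    recovered = []
    for enc in list(root.rglob(f"*{RANSOM_EXT}")):
        try:
            plain = certutil_decode(enc.read_bytes())
        except ValueError:
            continue  # leave anything that is not certutil output untouched
        original = enc.with_name(enc.name[: -len(RANSOM_EXT)])
        original.write_bytes(plain)
        enc.unlink()
        recovered.append(original)
    return recovered

def demo() -> tuple[list[str], bytes]:
    """Round trip on constructed data: one real encoded file, one decoy."""
    sample = b"quarterly report, 2020\r\n" * 5
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ("report.txt" + RANSOM_EXT)).write_bytes(certutil_encode(sample))
        (root / ("notes.txt" + RANSOM_EXT)).write_bytes(b"not really encoded")
        names = sorted(p.name for p in recover_directory(root))
        return names, (root / "report.txt").read_bytes()
```

Run recover_directory against a copy of the affected tree first; the decoy file in demo() shows that anything lacking the certutil wrapper is skipped rather than corrupted.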