Batch ransomware and dropper
<blockquote data-quote="struppigel" data-source="post: 912418" data-attributes="member: 86910"><p>Short analysis of the tested Batch ransomware found by @upnorth</p>
<p><strong>Referenced thread:</strong> <a href="https://malwaretips.com/threads/ransom-bat-03-11-2020.104942/#post-912312" target="_blank">https://malwaretips.com/threads/ransom-bat-03-11-2020.104942/#post-912312</a></p>
<p><strong>Malware type:</strong> Ransomware and dropper</p>
<p><strong>File type:</strong> TXT, Batch</p>
<p><strong>Ransomware behavior:</strong></p>
<p>It uses the certutil command to encode files to Base64 and appends the <strong><span style="color: rgb(84, 172, 210)">.cxk_nmsl</span></strong> extension.</p>
<p>These files can be decoded back. There is no encryption whatsoever. A ransom note seems to be missing.</p>
<p>Intermediate files have the <strong><span style="color: rgb(84, 172, 210)">.cxkdata</span></strong> extension. These are renamed versions of not-yet-encoded files, and they are deleted by the sample after encoding.</p>
<p>The ransomware portion is very noisy and creates a visible terminal window, as is evident from this analysis: <a href="https://app.any.run/tasks/48bd99ba-79b4-4b05-8169-2072367646ff/" target="_blank">CXK-NMSL V3.2.bat (MD5: 01B575A1012B97988655980A48430DBB) - Interactive analysis - ANY.RUN</a></p>
<p>Or this screenshot:</p>
<p>[Attachment: screenshot_bat.png]</p>
<p>The message box content is just weird.</p>
<p>There is also a weird .mp3 file that is opened after encoding with VLC player. It's just a song. I guess the developer is just playing with things. Path of that file: <strong><span style="color: rgb(44, 130, 201)">%TEMP%/╝ª─π╠½├└.mp3</span></strong></p>
<p><strong>Dropper behavior:</strong></p>
<p>Uses echo to write a big Base64 string into a file called <strong><span style="color: rgb(84, 172, 210)">x</span></strong>.</p>
<p>After decoding, <strong><span style="color: rgb(84, 172, 210)">x</span></strong> is a Portable Executable file which is detected as a Flystudio trojan by most vendors. Identification is confirmed by strings like "Software\FlySky\E\Install\Path" in the binary.</p>
<p>VirusTotal link for the dropped file: <a href="https://www.virustotal.com/gui/file/e0f1e55916d3ecef3ebdc8c97e92ee1476b27682b71058dc527827d0c199d77f/detection" target="_blank">VirusTotal</a></p></blockquote>
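Because the sample only runs certutil's Base64 encoder over each file, the "encrypted" data can be rebuilt without any key. The following recovery and triage script is an added example written for this thread, not code from the sample or from the poster. It reproduces the armour that <code>certutil -encode</code> emits (PEM-style <code>BEGIN/END CERTIFICATE</code> markers around 64-character Base64 lines) purely to construct test data, strips that armour from <code>.cxk_nmsl</code> files to restore the originals, renames leftover <code>.cxkdata</code> copies that an interrupted run would leave behind, and flags any decoded output that carries the <code>MZ</code> signature, which is the quick check a responder would apply to the dropper's decoded file <code>x</code>. The naming convention <code>name.ext.cxk_nmsl</code> / <code>name.ext.cxkdata</code> is an assumption; the page says only that the extensions are appended.

```python
"""Recover files encoded by a certutil-based batch "ransomware" (added example, constructed data)."""
import base64
import re
import tempfile
from pathlib import Path

ENCODED_EXT = ".cxk_nmsl"      # extension appended after encoding (from the analysis above)
INTERMEDIATE_EXT = ".cxkdata"  # extension of the renamed, not-yet-encoded copies (from the analysis above)

# certutil -encode wraps the Base64 body in PEM-style markers, 64 characters per line, CRLF line ends.
_ARMOUR = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certutil_encode(data: bytes) -> bytes:
    """Reproduce the output format of `certutil -encode`; used here only to build constructed test files."""
    b64 = base64.b64encode(data)
    body = b"".join(b64[i:i + 64] + b"\r\n" for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\r\n" + body + b"-----END CERTIFICATE-----\r\n"


def certutil_decode(blob: bytes) -> bytes:
    """Strip the armour and Base64-decode; raises ValueError for anything that is not certutil output."""
    m = _ARMOUR.search(blob)
    if m is None:
        raise ValueError("no certutil -encode armour found")
    return base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Triage check for decoded content: a Portable Executable starts with the 'MZ' signature."""
    return data[:2] == b"MZ"


def recover_tree(root: Path) -> dict:
    """Restore originals under root in place and return counts for the responder.

    Assumed naming (not stated on the page): 'name.ext.cxk_nmsl' for encoded files and
    'name.ext.cxkdata' for intermediate copies, which still hold the unmodified original bytes.
    """
    summary = {"decoded": 0, "renamed": 0, "skipped": 0, "pe_payloads": []}
    for path in sorted(root.rglob("*")):        # materialised first, so renames below are safe
        if not path.is_file():
            continue
        if path.name.endswith(ENCODED_EXT):
            target = path.with_name(path.name[: -len(ENCODED_EXT)])
            try:
                plain = certutil_decode(path.read_bytes())
            except ValueError:
                summary["skipped"] += 1         # not certutil output: leave for manual review
                continue
            if target.exists():
                summary["skipped"] += 1         # never overwrite a file that already exists
                continue
            target.write_bytes(plain)
            path.unlink()
            summary["decoded"] += 1
            if looks_like_pe(plain):
                summary["pe_payloads"].append(target.name)
        elif path.name.endswith(INTERMEDIATE_EXT):
            path.rename(path.with_name(path.name[: -len(INTERMEDIATE_EXT)]))
            summary["renamed"] += 1
    return summary


def demo() -> dict:
    """Build a constructed victim directory in a temp folder, run recovery, and return the summary."""
    original_notes = b"quarterly figures\r\n" * 20
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt.cxk_nmsl").write_bytes(certutil_encode(original_notes))
        # Constructed stand-in for the dropper's decoded file 'x': a bare MZ header, not a real binary.
        (root / "x.cxk_nmsl").write_bytes(certutil_encode(b"MZ\x90\x00" + b"\x00" * 60))
        (root / "photo.jpg.cxkdata").write_bytes(b"\xff\xd8\xff\xe0constructed-jpeg")
        (root / "random.cxk_nmsl").write_bytes(b"not certutil output")   # wrong format, must be skipped
        summary = recover_tree(root)
        summary["restored_names"] = sorted(p.name for p in root.iterdir())
        summary["notes_ok"] = (root / "notes.txt").read_bytes() == original_notes
        return summary


if __name__ == "__main__":
    print(demo())
```

The decoder is deliberately strict (`validate=True` and a required armour match) so that a file which merely contains Base64-looking text is left untouched and counted as skipped rather than silently corrupted; a recovery pass should never destroy the only remaining copy of a file it does not fully understand.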