Malware analysis Go ransomware report, .VAGGEN extension

struppigel

Apr 9, 2020
@upnorth asked me to do a small writeup of the sample used for testing here: https://malwaretips.com/threads/ransomware-loader-19-10-2020.104659/
This is not a fully detailed analysis, because that would take days to do. Instead, I write down everything I can assess quickly.

Analysis of Downloader

Sample: VirusTotal
File type: Office Open XML document
Malware type: downloader
File name: UBC-COVID19-Survey-Mandatory.docx

After unpacking with 7zip you can find those images in word/media/:

image1.png

image2.png


The detection names suggest use of CVE-2017-0199.
Description of the CVE is consistent with the behaviour in any.run which shows winword.exe as doing the download and execute.

Contacted URLs by winword.exe:
hxxp://canarytokens(.)com/about/d4yeyvldfg6bn5y29by4e9fs3/post(.)jsp
hxxp://isrg.trustid.ocsp.identrust(.)com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D

Persistence for the downloaded file:
schtasks.exe /create /sc minute /mo 3 /tn "Internet Explorer Error Handling" /tr %APPDATA%\Byxor\polisen.exe

Analysis of Downloaded file

Sample:
Malware type: ransomware
File type: PE 32 bit
File name: polisen.exe
Compiler: The ransomware is written in Go

Malware family: unknown, it's a new variant
Extension: .VAGGEN
E-Mail: employer21@protonmail.com
Note: ABOUT_UR_FILES.txt
BTC: 1LthWWSd82dKddmHwqhBv8XHiCYyUZqhmA --> link to blockchain

Go build ID: "VhhQ1UuEs3GW9JKPQlxr/KprNrDUoWKeN0_4zmFd8/dAiZDE9z9QKTx20ba5as/lfKWFUWyhFMg8VVGN2TT"


Library referenced: Did not see any indication of wallpaper change in any.run. But there is a wallpaper seen in a screenshot referenced by this tweet.

Library referenced: Indication that XXTEA encryption algorithm is used

Class/Function names:
  • main.KILLME
  • main.TVINGAMIG
  • main.RINGAHUSET
  • main.main

(Attached screenshots: Screenshot 2020-10-22 093836.png, Screenshot 2020-10-22 093817.png)
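Detection logic for the persistence command above, as an added example that is not part of the original post: it parses constructed Sysmon-style process-creation records and flags `schtasks /create` invocations that are launched from an Office process, fire every few minutes, or point at a user-writable directory. The record layout, field names and sample events are assumptions; only the second command line is the one reported in the thread.

```python
import re
import ntpath  # Windows path handling regardless of the host OS

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "\\appdata\\", "\\temp\\")

# Constructed sample events (assumed layout); only the second command line is from the thread.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc daily /tn "Backup" /tr C:\Tools\backup.exe'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 3 /tn "Internet Explorer Error Handling" /tr %APPDATA%\Byxor\polisen.exe'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc minute /mo 1 /tn Updater /tr C:\Users\bob\AppData\Local\Temp\upd.exe"},
]

def parse_schtasks(cmdline):
    """Map each /flag of a schtasks command line to its (unquoted) value; flag names lower-cased."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    flags, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("/"):
            name = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                flags[name] = tokens[i + 1].strip('"')
                i += 1
            else:
                flags[name] = ""
        i += 1
    return flags

def assess(event):
    """Return the reasons one process-creation event matches the persistence pattern ([] = none)."""
    if ntpath.basename(event["image"]).lower() != "schtasks.exe":
        return []
    flags = parse_schtasks(event["cmdline"])
    if "create" not in flags:
        return []
    reasons = []
    if ntpath.basename(event["parent"]).lower() in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    mo = flags.get("mo") or "1"
    if flags.get("sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        reasons.append("runs every %s minute(s)" % mo)
    if any(m in flags.get("tr", "").lower() for m in USER_WRITABLE):
        reasons.append("task target in a user-writable directory")
    return reasons

def scan(events):
    """Return [(task name, reasons)] for every event with at least one reason."""
    return [(parse_schtasks(ev["cmdline"]).get("tn", "?"), assess(ev)) for ev in events if assess(ev)]
```

The three-minute interval and the %APPDATA% target together are a stronger signal than either alone, so triage on the number of reasons rather than on any single one.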

upnorth

Jul 27, 2015
An interesting part is that several names/words used are Swedish or at least Scandinavian. No final conclusions from that alone, but it's something I think is important enough to mention: "Vaggen, Polisen, Tvingamig, Ringahuset"
 

Andy Ful

Dec 23, 2014
It is a variant of:
and uses the same provided BTC wallet address (1LthWWSd82dKddmHwqhBv8XHiYyU).

Edit.
Anyway, the article is not very useful and does not contain malware analysis. Just an example, that this malware was noticed. It also advertises some anti-spyware programs.

Andy Ful

Dec 23, 2014
If one checks the timestamps, the sample posted here on MT was first.
This thread with @struppigel's info is far more interesting than the article I posted. This article has no useful information, except the fact that the Vaggen ransomware was noticed. :)(y)
I also noticed that the malware from the article has slightly different text in the wallpaper.