Go ransomware report, .VAGGEN extension
Quoting struppigel (post 910352):

@upnorth asked me to do a small writeup of the sample used for testing here: https://malwaretips.com/threads/ransomware-loader-19-10-2020.104659/
This is NOT a fully detailed analysis, because that would take days to do. Instead I write down all the things I can assess quickly.

Analysis of Downloader

Sample: https://www.virustotal.com/gui/file/e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3/detection
File type: Office Open XML document
Malware type: downloader
File name: UBC-COVID19-Survey-Mandatory.docx

After unpacking with 7zip you can find those images in word/media/:
[attachment 247706: image1.png]
[attachment 247707: image2.png]

The detection names suggest use of CVE-2017-0199.
The description of the CVE (https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html) is consistent with the behaviour in any.run (https://app.any.run/tasks/8965c325-7052-4151-bd9c-fa2833f518f4/), which shows winword.exe doing the download and execute.

Contacted URLs by winword.exe:
hxxp://canarytokens(.)com/about/d4yeyvldfg6bn5y29by4e9fs3/post(.)jsp
hxxp://isrg.trustid.ocsp.identrust(.)com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D

Persistence for the downloaded file:
schtasks.exe /create /sc minute /mo 3 /tn "Internet Explorer Error Handling" /tr %APPDATA%\Byxor\polisen.exe

Analysis of Downloaded file

Sample: https://www.virustotal.com/gui/file/03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf/community
Malware type: ransomware
File type: PE 32 bit
File name: polisen.exe
Compiler: The ransomware is written in Go

Malware family: unknown, it's a new variant
Extension: .VAGGEN
E-Mail: employer21@protonmail.com
Note: ABOUT_UR_FILES.txt
BTC: 1LthWWSd82dKddmHwqhBv8XHiCYyUZqhmA --> https://www.blockchain.com/btc/address/1LthWWSd82dKddmHwqhBv8XHiCYyUZqhmA

Go build ID: "VhhQ1UuEs3GW9JKPQlxr/KprNrDUoWKeN0_4zmFd8/dAiZDE9z9QKTx20ba5as/lfKWFUWyhFMg8VVGN2TT"

-----BEGIN RSA TESTING KEY-----
MIICXgIBAAKBgQDuLnQAI3mDgey3VBzWnB2L39JUU4txjeVE6myuDqkM/uGlfjb9
SjY1bIw4iA5sBBZzHi3z0h1YV8QPuxEbi4nW91IJm2gsvvZhIrCHS3l6afab4pZB
l2+XsDulrKBxKKtD1rGxlG4LjncdabFn9gvLZad2bSysqz/qTAUStTvqJQIDAQAB
AoGAGRzwwir7XvBOAy5tM/uV6e+Zf6anZzus1s1Y1ClbjbE6HXbnWWF/wbZGOpet
3Zm4vD6MXc7jpTLryzTQIvVdfQbRc6+MUVeLKwZatTXtdZrhu+Jk7hx0nTPy8Jcb
uJqFk541aEw+mMogY/xEcfbWd6IOkp+4xqjlFLBEDytgbIECQQDvH/E6nk+hgN4H
qzzVtxxr397vWrjrIgPbJpQvBsafG7b0dA4AFjwVbFLmQcj2PprIMmPcQrooz8vp
jy4SHEg1AkEA/v13/5M47K9vCxmb8QeD/asydfsgS5TeuNi8DoUBEmiSJwma7FXY
fFUtxuvL7XvjwjN5B30pNEbc6Iuyt7y4MQJBAIt21su4b3sjXNueLKH85Q+phy2U
fQtuUE9txblTu14q3N7gHRZB4ZMhFYyDy8CKrN2cPg/Fvyt0Xlp/DoCzjA0CQQDU
y2ptGsuSmgUtWj3NM9xuwYPm+Z/F84K6+ARYiZ6PYj013sovGKUFfYAqVXVlxtIX
qyUBnu3X9ps8ZfjLZO7BAkEAlT4R5Yl6cGhaJQYZHOde3JEMhNRcVFMO8dJDaFeo
f9Oeos0UUothgiDktdQHxdNEwLjQf7lJJBzV+5OtwswCWA==
-----END RSA TESTING KEY-----

Library referenced: https://github.com/reujab/wallpaper
Did not see any indication of wallpaper change in any.run. But there is a wallpaper seen in a screenshot referenced by this tweet: https://twitter.com/MarceloRivero/status/1318319318166310914

Library referenced: https://github.com/xxtea/xxtea-go
Indication that the XXTEA encryption algorithm is used.

Class/Function names:
- main.KILLME
- main.TVINGAMIG
- main.RINGAHUSET
- main.main

[attachment 247708: Screenshot 2020-10-22 093836.png]
[attachment 247709: Screenshot 2020-10-22 093817.png]
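The post says the detection names point at CVE-2017-0199, and the FireEye description it links concerns a document whose OLE object is linked to an external resource that Office resolves on open. A quick static triage for that shape, written here as an added example (it is not code from struppigel's post, from any.run, or from the linked FireEye article): it walks every `.rels` part of an Office Open XML package and reports relationships marked `TargetMode="External"` that are not plain hyperlinks. The `.docx` built in `SampleDocx` is constructed for the demonstration and its target host is a placeholder, not an indicator from the sample.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Relationship mirrors one <Relationship> element of an OOXML .rels part.
type Relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

// Relationships is the root element of a .rels part.
type Relationships struct {
	Rels []Relationship `xml:"Relationship"`
}

// Finding is one relationship that points outside the package and is not a hyperlink.
type Finding struct {
	Part   string // the .rels part it came from, e.g. word/_rels/document.xml.rels
	ID     string
	Type   string // relationship type URI; a "/oleObject" suffix is the linked-OLE case
	Target string
}

// ExternalRelationships walks every .rels part of an OOXML package held in memory and
// returns the relationships with TargetMode="External" that are not hyperlinks.
// Hyperlinks are ordinary in documents; an external OLE object or attached template
// is what an analyst wants to see, because Word resolves it when the document opens.
func ExternalRelationships(pkg []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(pkg), int64(len(pkg)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML package: %w", err)
	}
	var findings []Finding
	for _, f := range zr.File {
		if !strings.HasSuffix(strings.ToLower(f.Name), ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels Relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if !strings.EqualFold(r.TargetMode, "External") {
				continue
			}
			if strings.HasSuffix(r.Type, "/hyperlink") {
				continue // ordinary clickable links are expected in documents
			}
			findings = append(findings, Finding{Part: f.Name, ID: r.ID, Type: r.Type, Target: r.Target})
		}
	}
	return findings, nil
}

// SampleDocx builds a minimal, constructed .docx in memory: one image relationship,
// one hyperlink and one external OLE object relationship. The target host is a
// placeholder (example.invalid), not a real indicator.
func SampleDocx() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name, body string) {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	add("[Content_Types].xml", `<?xml version="1.0" encoding="UTF-8"?>`+
		`<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"></Types>`)
	add("word/document.xml", `<?xml version="1.0" encoding="UTF-8"?>`+
		`<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>`)
	add("word/_rels/document.xml.rels", `<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/linked-object" TargetMode="External"/>
</Relationships>`)
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	findings, err := ExternalRelationships(SampleDocx())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: %s -> %s (%s)\n", f.Part, f.ID, f.Target, f.Type)
	}
}
```

For a file on disk, read it with os.ReadFile and pass the bytes to ExternalRelationships; the check is static, so the document is never opened by Office. A hit only says the package links out; confirming what the linked object does is the dynamic-analysis step the post describes with any.run.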
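The persistence line in the post (schtasks.exe re-running polisen.exe from %APPDATA% every 3 minutes) is the kind of command line a process-creation log such as Sysmon event ID 1 records. As an added example, not from the post, the following Go program scores such command lines: it parses the /sc, /mo, /tn and /tr options and flags a task when the minute interval is short (5 minutes or less, a threshold assumed here) or the action lives in a user-writable directory (the path list is an assumption, not a complete one). The sample lines are constructed; the first is the command from the post, the others are benign.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// TaskFinding describes a schtasks /create command line that looks like persistence.
type TaskFinding struct {
	CommandLine string
	TaskName    string
	Schedule    string
	Modifier    int
	Action      string
	Reasons     []string
}

// schtasks options of interest: /sc <type>, /mo <n>, /tn <name>, /tr <command>.
// A quoted value is captured whole; an unquoted one ends at the next whitespace.
var optionRe = regexp.MustCompile(`(?i)/(sc|mo|tn|tr)\s+("[^"]*"|\S+)`)

// Locations a standard user can write to (assumed list); a task action living in one
// of them is the usual shape of user-level persistence.
var userWritable = []string{`%appdata%`, `\appdata\`, `%localappdata%`, `%temp%`, `\temp\`, `\users\public\`, `\programdata\`}

// maxMinuteInterval: a task re-run this often or more is acting as a watchdog (assumed threshold).
const maxMinuteInterval = 5

func parseOptions(cmd string) map[string]string {
	opts := make(map[string]string)
	for _, m := range optionRe.FindAllStringSubmatch(cmd, -1) {
		opts[strings.ToLower(m[1])] = strings.Trim(m[2], `"`)
	}
	return opts
}

// AssessCommandLine returns a finding and true when the command line creates a
// scheduled task with a short minute interval and/or a user-writable action path.
func AssessCommandLine(cmd string) (TaskFinding, bool) {
	lower := strings.ToLower(cmd)
	if !strings.Contains(lower, "schtasks") || !strings.Contains(lower, "/create") {
		return TaskFinding{}, false
	}
	opts := parseOptions(cmd)
	f := TaskFinding{CommandLine: cmd, TaskName: opts["tn"], Schedule: strings.ToLower(opts["sc"]), Action: opts["tr"]}
	f.Modifier, _ = strconv.Atoi(opts["mo"]) // missing or non-numeric /mo stays 0
	if f.Schedule == "minute" && f.Modifier > 0 && f.Modifier <= maxMinuteInterval {
		f.Reasons = append(f.Reasons, fmt.Sprintf("re-runs every %d minute(s)", f.Modifier))
	}
	action := strings.ToLower(f.Action)
	for _, p := range userWritable {
		if strings.Contains(action, p) {
			f.Reasons = append(f.Reasons, "action path is user-writable: "+p)
			break
		}
	}
	return f, len(f.Reasons) > 0
}

// ScanCommandLines runs the check over process-creation command lines (e.g. the
// CommandLine field of Sysmon event ID 1) and returns only the suspicious ones.
func ScanCommandLines(lines []string) []TaskFinding {
	var out []TaskFinding
	for _, l := range lines {
		if f, ok := AssessCommandLine(l); ok {
			out = append(out, f)
		}
	}
	return out
}

// SampleCommandLines is constructed input: the persistence command from the post
// plus two benign scheduled-task creations and an unrelated process.
var SampleCommandLines = []string{
	`schtasks.exe /create /sc minute /mo 3 /tn "Internet Explorer Error Handling" /tr %APPDATA%\Byxor\polisen.exe`,
	`schtasks.exe /create /sc daily /st 02:00 /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe"`,
	`schtasks.exe /create /sc minute /mo 60 /tn "Inventory Sync" /tr "C:\Program Files\Agent\sync.exe"`,
	`C:\Windows\System32\svchost.exe -k netsvcs -p`,
}

func main() {
	for _, f := range ScanCommandLines(SampleCommandLines) {
		fmt.Printf("task %q every %d %s -> %s\n", f.TaskName, f.Modifier, f.Schedule, f.Action)
		for _, r := range f.Reasons {
			fmt.Println("  -", r)
		}
	}
}
```

Both reasons fire on the post's command line, while an hourly task under Program Files passes. In production the same two checks map onto Windows Security event 4698 (task created) where the task XML carries the trigger interval and the action path instead of a command line.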
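The build ID, the referenced libraries and the main.* function names are all plain strings inside a Go binary, which is why the post can list them without a full disassembly. As an added example (not struppigel's tooling, and not a parser of the Go pclntab), the program below pulls those three indicators out of raw file bytes: the linker's build-ID marker `\xff Go build ID: "<id>"\n \xff` as used by cmd/internal/buildid in the Go distribution, package-main symbol names, and owner/repo import paths from github.com or gitlab.com. SampleBlob is a constructed stand-in for a binary with a placeholder build ID; the symbol and library names in it are the ones the post reports.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"sort"
)

// Triage holds the quick indicators the post lists for a Go binary: the build ID,
// the symbols of package main, and third-party module paths.
type Triage struct {
	BuildID   string
	MainFuncs []string
	Modules   []string
}

var (
	// The Go linker writes the build ID into the binary as `\xff Go build ID: "<id>"\n \xff`
	// (the marker cmd/internal/buildid searches for).
	buildIDPrefix = []byte("\xff Go build ID: \"")
	// Package-main symbols as they appear in the symbol/pclntab strings. The leading group
	// rejects "runtime.main" and similar names that merely end in "main".
	mainSymRe = regexp.MustCompile(`(?:^|[^A-Za-z0-9_./])(main\.[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z0-9_]+)*)`)
	// owner/repo import paths from the common hosts; the repo segment stops at the first
	// dot so that "github.com/reujab/wallpaper.SetFromFile" yields the module path only
	// (repositories with dots in their name are cut short, an accepted trade-off here).
	modulePathRe = regexp.MustCompile(`(?:github|gitlab)\.com/[A-Za-z0-9_\-]+/[A-Za-z0-9_\-]+`)
)

// TriageGoBinary scans raw file bytes; it does not parse PE headers, so it behaves the
// same on a PE, ELF or Mach-O Go binary.
func TriageGoBinary(data []byte) Triage {
	var t Triage
	if i := bytes.Index(data, buildIDPrefix); i >= 0 {
		rest := data[i+len(buildIDPrefix):]
		if j := bytes.IndexByte(rest, '"'); j >= 0 {
			t.BuildID = string(rest[:j])
		}
	}
	var mains [][]byte
	for _, m := range mainSymRe.FindAllSubmatch(data, -1) {
		mains = append(mains, m[1])
	}
	t.MainFuncs = uniqueSorted(mains)
	t.Modules = uniqueSorted(modulePathRe.FindAll(data, -1))
	return t
}

// uniqueSorted de-duplicates byte matches and returns them as sorted strings.
func uniqueSorted(matches [][]byte) []string {
	seen := make(map[string]bool)
	var out []string
	for _, m := range matches {
		s := string(m)
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

// SampleBlob is a constructed stand-in for a Go binary: a fake header, a build-ID
// marker with a placeholder ID, and NUL-separated symbol strings taken from the post.
func SampleBlob() []byte {
	var b bytes.Buffer
	b.WriteString("MZ\x90\x00 constructed, not a real PE header\x00")
	b.Write(buildIDPrefix)
	b.WriteString("AAAAAAAAAAAAAAAAAAAA/BBBBBBBBBBBBBBBBBBBB/CCCCCCCCCCCCCCCCCCCC/DDDDDDDDDDDDDDDDDDDD")
	b.WriteString("\"\n \xff")
	b.WriteString("runtime.main\x00main.main\x00main.KILLME\x00main.TVINGAMIG\x00main.RINGAHUSET\x00")
	b.WriteString("github.com/xxtea/xxtea-go/xxtea.Decrypt\x00github.com/reujab/wallpaper.SetFromFile\x00")
	return b.Bytes()
}

func main() {
	t := TriageGoBinary(SampleBlob())
	fmt.Println("build ID:", t.BuildID)
	fmt.Println("main.*  :", t.MainFuncs)
	fmt.Println("modules :", t.Modules)
}
```

On a real sample, read the file with os.ReadFile and pass it in; a stripped or obfuscated binary may hide the symbol names, but the build-ID marker survives stripping and is a stable pivot for clustering samples from the same build environment, which is how the post's "Go build ID" line is useful beyond this one file.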