Need help analyzing possible ransomware

RoboMan

Sorry if wrong section. I was sent this file by a stranger, theoretically containing "Spotify Accounts". I have no VM now, so I used Sandboxie and the file requested to enable content. I did so and despite it being sandboxed, VS blocked a JS script from Appdata (safe because it was sandboxed). As I have no VM and I do not fully trust this software, I'm giving you guys the file. If anybody wants to analyse it, go ahead :)

For a password I used the old "infected":

 

shmu26

How can a file contain "spotify accounts"? Does that make sense to anyone here?
 

RoboMan

If you open a Word file and you get JS scripts, you can be 100% sure it is malware.
You can bet your last dollar on it.
I agree as well! But it's always nice to share it and give you guys something to play with :rolleyes:

And maybe our researchers/analyzers would like to analyse it and trace it down, whatever they want to do :)
 

Winter Soldier

Code:
Function abfcacbee() As String
    Dim bbfcdbcbe As Object
    Set bbfcdbcbe = CreateObject("Scripting.FileSystemObject")
    deebadabfadbddef = "\cfeaabcfaccbf.js"
    babfdacaffcdcadff = CStr(bbfcdbcbe.GetSpecialFolder(2))

Just a very quick look at the VT report tells us about the method GetSpecialFolder of the FileSystemObject object that returns the path of some Windows folders. The method in question accepts a single parameter that can be valued as:

(0) WindowsFolder - system files folder

(1) SystemFolder - folder of the libraries, fonts and drives

In this case:

(2) TemporaryFolder - temporary file folder.

But an extended analysis of the sample and of any dropped files may give us more info about its behavior.
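
An added example, not part of any post in this thread: a small static triage pass over macro source that has already been extracted as text (for instance from a VT report), resolving GetSpecialFolder constants to the folder names listed above and flagging the FileSystemObject plus temp folder plus script file name combination. The function names and the script extension list are assumptions made for this sketch; the sample input is the excerpt quoted in the post.

```python
import re

# GetSpecialFolder constants as listed in the post above.
SPECIAL_FOLDERS = {0: "WindowsFolder", 1: "SystemFolder", 2: "TemporaryFolder"}
# Assumed list of script extensions worth flagging (not from the thread).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd")

CREATEOBJECT_RE = re.compile(r'CreateObject\s*\(\s*"([^"]+)"', re.I)
SPECIALFOLDER_RE = re.compile(r'\.GetSpecialFolder\s*\(\s*(\d+)\s*\)', re.I)
STRING_RE = re.compile(r'"((?:[^"]|"")*)"')  # VBA escapes a quote as ""

# The macro excerpt quoted in the thread, used as sample input.
SAMPLE = r'''
Function abfcacbee() As String
    Dim bbfcdbcbe As Object
    Set bbfcdbcbe = CreateObject("Scripting.FileSystemObject")
    deebadabfadbddef = "\cfeaabcfaccbf.js"
    babfdacaffcdcadff = CStr(bbfcdbcbe.GetSpecialFolder(2))
'''

def strip_comments(line):
    """Drop a trailing VBA comment (') that is not inside a string literal."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def triage(vba_source):
    """Return static indicators found in VBA macro source text."""
    code = "\n".join(strip_comments(l) for l in vba_source.splitlines())
    progids = sorted({m.lower() for m in CREATEOBJECT_RE.findall(code)})
    folders = sorted({SPECIAL_FOLDERS.get(int(n), f"unknown({n})")
                      for n in SPECIALFOLDER_RE.findall(code)})
    scripts = sorted({s for s in STRING_RE.findall(code)
                      if s.lower().endswith(SCRIPT_EXTS)})
    # FileSystemObject + temp folder + script file name: dropper pattern.
    dropper = ("scripting.filesystemobject" in progids
               and "TemporaryFolder" in folders and bool(scripts))
    return {"progids": progids, "special_folders": folders,
            "script_names": scripts, "drops_script_to_temp": dropper}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

This only reads text and never opens or executes the document; obfuscated macros that build the ProgID or file name at run time will not match these patterns.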
 
