Need help analyzing possible ransomware

RoboMan

RoboMan

Level 38
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
High Reputation
Forum Veteran
Jun 24, 2016
2,614
24,627
3,600
Hidden Village of Hispanic America
Sorry if wrong section. I was sent this file by a stranger, theorically containing "Spotify Accounts". I have no VM now, so i used SandBoxie and file requested to enable content. I did so and despite it was sandboxed, VS blocked a JS script from Appdata (safe because it was sandboxed). As i have no VM and i do not fully trust this software, i'm giving you guys the file. If anybody wants to analyse it, go ahead :)

For a password i used the old "infected":

MWRoboMan.7z
 
Last edited:
RoboMan said:
Sorry if wrong section. I was sent this file by a stranger, theorically containing "Spotify Accounts". I have no VM now, so i used SandBoxie and file requested to enable content. I did so and despite it was sandboxed, VS blocked a JS script from Appdata (safe because it was sandboxed). As i have no VM and i do not fully trust this software, i'm giving you guys the file. If anybody wants to analyse it, go ahead :)

For a password i used the old "infected":

MWRoboMan.7z
Click to expand...
How can a file contain "spotify accounts"? Does that make sense to anyone here?
 
  • Like
Reactions: RoboMan
shmu26 said:
If you open a Word file and you get JS scripts, you can be 100% sure it is malware.
You can bet your last dollar on it.
Click to expand...
I agree as well! But it's always nice to share it and giving you guys something to play with :rolleyes:

And maybe our researchers/analyzers would like to analyse it and trace it down, whatever they want to do :)
 
  • Like
Reactions: shmu26 and Winter Soldier
Code: 
Function abfcacbee() As String
    Dim bbfcdbcbe As Object
    Set bbfcdbcbe = CreateObject("Scripting.FileSystemObject")
    deebadabfadbddef = "\cfeaabcfaccbf.js"
    babfdacaffcdcadff = CStr(bbfcdbcbe.GetSpecialFolder(2))

Just a very quick look at the VT report tells us about the method GetSpecialFolder of the FileSystemObject object that returns the path of some Windows folders. The method in question accepts a single parameter that can be valued as:

(0) WindowsFolder - system files folder

(1) SystemFolder - folder of the libraries, fonts and drives

I this case:

(2) TemporaryFolder - temporary file folder.

But an extended analysis of the sample and of any dropped files may give us more info about its behavior.
 
  • Like
Reactions: Marko :), frogboy, RoboMan and 1 other person
You must log in or register to reply here.

You may also like...