AR18-337B: MAR-10166283.r1.v1 – SamSam2

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Description

These files are related to SamSam ransomware. SamSam is a variety of ransomware based on the .NET framework.

For a downloadable copy of IOCs, see:

• MAR-10166283.r1.v1.stix

Submitted Files (6)

2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9 (winnetuse.exe)

427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d (ss2.exe)

594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c (ss2.stubbin)

a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb (SORRY-FOR-FILES.html)

bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0 (g04inst.bat)

da9c2ecc88e092e3b8c13c6d1a71b968aa6f705eb5966370f21e306c26cd4fb5 (sdgasfse.dll)

Domains (1)

jcmi5n4c3mvgtyt5.onion

594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c

Tags

obfuscatedransomwaretrojan

Details

Name	ss2.stubbin
Size	278032 bytes
Type	data
MD5	9202651c295369eb01cc7a10cd59adff
SHA1	ff2f511009b2813af9d12c6103206828560869db
SHA256	594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c
SHA512	547efea0c2407d1e2949e84fe107820a1efaab2eaddeaf60ceb8f23b53d635b7c86ceadb1e19c07432e51a3609d02f12aca99cb5e23b5d324febb67994f83a9c
ssdeep	6144:gXNGATWMK0AlJgQpQXFvr0Cn8wyrQ4EeGiEb53fSEnetKA:gjDoWiUFe+NPSEnQH
Entropy	7.999190

Antivirus

Ahnlab	BinImage/Obfuscated
Antiy	GrayWare/Win32.Presenoker
Cyren	Trojan.FTIO-1
McAfee	Ransomware-SAMAS
Sophos	Troj/Samas-G
TrendMicro	Ransom_.67284F17
TrendMicro House Call	Ransom_.67284F17

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

594b9b42a2…

Contains

427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d

Description

This file is an encrypted data file with “.stubbin” extension. It contains the AES encrypted SamSam ransomware ss2.exe (1afc39b101a64c61b763fdf07fde1d55).

427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d

Tags

dropperransomwaretrojan

Details

Name	ss2.exe
Size	278016 bytes
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	1afc39b101a64c61b763fdf07fde1d55
SHA1	89fe55d2669e6c995b9a0d9ed5d5aa404d20713b
SHA256	427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
SHA512	35b066679ce733b0de20b79cb7570570164eb695307cbb96173bd7c4485b62a42e5b67caab8b9373e45b9cd9abe72ab0eb78960256420144b9f609c3734320f0
ssdeep	1536:VLDPjQejqUjWMuX/28KIGsA/Nu4vlIXa5CjZwEclPcx6KtCNvmuxOfgQBAMyOk3t:V3Mexh8KIXAV9vOX6mz6ylgr
Entropy	4.757791

Antivirus

Avira	TR/Dropper.MSIL.Gen
BitDefender	Generic.Ransom.SamSam.82D17683
ClamAV	Win.Ransomware.Samsam-6425958-0
ESET	a variant of MSIL/Filecoder.Samas.B trojan
Emsisoft	Generic.Ransom.SamSam.82D17683 (B)
Ikarus	Trojan-Ransom.Samas
McAfee	Trojan-FNEY!1AFC39B101A6
Sophos	Troj/Samas-L
Symantec	Ransom.SamSam

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

427091e188…	Contained_Within	594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c
427091e188…	Downloaded	a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb

Description

This file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware.

The ransomware accepts the following three arguments during runtime:

–Begin arguments–
“nonpenetrable”
“6”
“0.8”
–End arguments–

When executed, it searches and if installed will load a key file with a “.keyxml” extension into the %CurrentDirectory%. The key file contains a RSA public key in the following format:

–Begin RSA public key–
“<RSAKeyValue><Modulus>Base64 encoded RSA public key</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>”
–End RSA public key–

The key file was not available for analysis.

The ransomware searches for files to encrypt on all drives installed on the victim’s system. The malware avoids encrypting files with the following extensions and files in the following folders:

–Begin files–
“desktop.ini”
“g04inst.bat”
“ntuser.dat”
“search-ms”
.search-ms”
“.exe”
“.msi”
“.lnk”
“.wim”
“.scf”
“microsoft\\windows”
“appdata”
.ini”
.sys”
“.dll”                        
–End files–

It randomly generates the following keys for encrypting the target files:

–Begin randomly generated keys–
AES key (16 bytes)
AES IV (16 bytes)
Signature key (64 bytes) for SHA256 HMAC key calculation
–End randomly generated keys–

Displayed below is the code snippet for generating unique keys for each target file.

–Begin key generation–
public static string myff1(string plainFilePath, string encryptedFilePath, string manifestFilePath, string rsaKey)
{
byte[] signatureKey = encc.GenerateRandom(64); ===> HMAC key
byte[] key = encc.GenerateRandom(16); ; ==> Rijndael key
byte[] iv = encc.GenerateRandom(16); ; ==> Rijndael IV
encc.EncryptFile(plainFilePath, encryptedFilePath, key, iv, signatureKey, rsaKey);
return null;
–End key generation–

The malware reads the target file into memory and encrypts it using an AES algorithm in CBC mode by using the generated AES key. The encrypted data from the original file is stored into a newly created file. The newly created file has the same name as the original file, but with a “.weapologize” extension. The ransomware calculates a SHA-256 HMAC of the encrypted data of the file. The generated keys are encrypted using the RSA public key from the key file. The malware Base64 encodes and prepends the following data in XML format at the beginning of the encrypted file:

–Begin base64 encodes data–
AES key, encrypted with RSA public key
AES IV, encrypted with RSA public key
SHA-256H MAC of the encrypted file data
HMAC key, encrypted with RSA public key
–End base64 encodes data–

Displayed below is the code used to RSA encrypt and Base64 encode data prepended at the beginning of each encrypted file:

–Begin encrypting and encoding–
string text = Convert.ToBase64String(encc.RSAEncryptBytes(key, rsaKey));
string text2 = Convert.ToBase64String(encc.RSAEncryptBytes(iv, rsaKey));
string text3 = Convert.ToBase64String(encc.RSAEncryptBytes(signatureKey, rsaKey));
byte[] bytesFromString = encc.GetBytesFromString(string.Concat(new object[]
{
“<AAAAAAAAAAAAAAAAAAAAA>”,
encc.nnnlllll,
“<AAA>”,
text,
“</AAA>”,
encc.nnnlllll,
“<AA>”,
text2,
“</AA>”,
encc.nnnlllll,
“<AAAAA>xPN1oBWSqfQgInnB6ydF204jiHN/uqljySnn1fkhqUk=</AAAAA>”,
encc.nnnlllll,
“<AAAAAAAAAAAA>”,
text3,
“</AAAAAAAAAAAA>”,
encc.nnnlllll,
“<AAAAAAAAAAAAAAAAAA>”,
fileInfo.Length,
“</AAAAAAAAAAAAAAAAAA>”,
encc.nnnlllll,
“</AAAAAAAAAAAAAAAAAAAAA>”
}));
–End encrypting and encoding–

Following encryption, the original files are deleted and the ransomware note contents are DES encrypted and Base64 encoded in the malware. Displayed below is the hard-coded DES key and the IV used to decrypt the contents of the ransomware note.

–Begin DES key and IV–
DES KEY: 61 58 62 32 75 79 34 7A (aXb2uy4z)                
IV: 0C 15 2B 11 39 23 43 1B
–End DES key and IV–

It installs the ransomware note “SORRY-FOR-FILES.html” on the victim system. Next, the malware kills any open process, which file name contains “sql.”

a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb

Details

Name	SORRY-FOR-FILES.html
Size	3547 bytes
Type	HTML document, ASCII text, with very long lines, with no line terminators
MD5	074e52525d5ec2b2af8675477180b5f0
SHA1	631e5f4b9a3ba6855dd93dbdccb416337560491d
SHA256	a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb
SHA512	16d5cab293ffe44a8bfe247fc8f60167741d4a44cb12542b378cf26b689abcff95065ab44e4725b2ab3e85295925faa695bce1159d06211c1bf971d437398414
ssdeep	96:2RPS2X4/vpRMdu4JW4Qy06pZu42yNSSa/kZLCXWQJxZEzQx:GulKuwscsR5
Entropy	4.871033

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Process	PID	PPID
lsass.exe	468	(384)
iexplore.exe	2628	(2332)
explorer.exe	1412	(1368)

Relationships

a660cc6155…	Downloaded_By	427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
a660cc6155…	Contains	jcmi5n4c3mvgtyt5.onion

Description

This file is the ransom displayed to the victim. This ransomware note contains the ransom payment information and how to obtain the RSA private key to recover encrypted files. Displayed below are the embedded blog and Bitcoin addresses in the ransomware note:

–Begin blog and Bitcoin addresses–
blog address: “http://jcmi5n4c3mvgtyt5.onion/”
Bitcoin address: “1HbJu2kL4xDNK1L9YUDkJnqh3yiC119YM2”
–End blog and Bitcoin addresses–

Screenshots