Original release date: December 3, 2018
Description
Notification
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary
Description
These files are related to SamSam ransomware. SamSam is a variety of ransomware based on the .NET framework. For a downloadable copy of IOCs, see:

Submitted Files (6)
2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9 (winnetuse.exe)
427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d (ss2.exe)
594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c (ss2.stubbin)
a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb (SORRY-FOR-FILES.html)
bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0 (g04inst.bat)
da9c2ecc88e092e3b8c13c6d1a71b968aa6f705eb5966370f21e306c26cd4fb5 (sdgasfse.dll)

Domains (1)
jcmi5n4c3mvgtyt5.onion

Findings
594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c
Tags
obfuscated, ransomware, trojan

Details
Antivirus
Yara Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
Description
This file is an encrypted data file with a “.stubbin” extension. It contains the AES-encrypted SamSam ransomware ss2.exe (1afc39b101a64c61b763fdf07fde1d55).

427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
Tags
dropper, ransomware, trojan

Details
Antivirus
Yara Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
Description
This file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware. The ransomware accepts the following three arguments at runtime:

–Begin arguments–

When executed, it searches the %CurrentDirectory% for a key file with a “.keyxml” extension and, if one is installed, loads it. The key file contains an RSA public key in the following format:

–Begin RSA public key–

The key file was not available for analysis. The ransomware searches for files to encrypt on all drives installed on the victim’s system. The malware avoids encrypting files with the following extensions and files in the following folders:

–Begin files–

It randomly generates the following keys for encrypting the target files:

–Begin randomly generated keys–

Displayed below is the code snippet for generating unique keys for each target file.

–Begin key generation–

The malware reads the target file into memory and encrypts it with the generated AES key using AES in CBC mode. The encrypted data from the original file is stored in a newly created file. The newly created file has the same name as the original file, but with a “.weapologize” extension. The ransomware calculates a SHA-256 HMAC of the encrypted data of the file. The generated keys are encrypted using the RSA public key from the key file. The malware Base64 encodes the following data in XML format and prepends it to the beginning of the encrypted file:

–Begin Base64 encoded data–

Displayed below is the code used to RSA encrypt and Base64 encode the data prepended to the beginning of each encrypted file:

–Begin encrypting and encoding–

Following encryption, the original files are deleted. The ransom note contents are DES encrypted and Base64 encoded inside the malware. Displayed below are the hard-coded DES key and IV used to decrypt the contents of the ransom note.
–Begin DES key and IV–

It installs the ransom note “SORRY-FOR-FILES.html” on the victim system. Next, the malware kills any open process whose file name contains “sql”.

a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb
Details
Antivirus
No matches found.
Yara Rules
No matches found.
ssdeep Matches
No matches found.
Process List
Relationships
Description
This file is the ransom note displayed to the victim. The note contains the ransom payment information and how to obtain the RSA private key needed to recover the encrypted files. Displayed below are the blog and Bitcoin addresses embedded in the ransom note:

–Begin blog and Bitcoin addresses–

Screenshots
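The host behaviour described above for ss2.exe (files recreated with a “.weapologize” extension, SORRY-FOR-FILES.html dropped, processes with “sql” in their name terminated) can be turned into a per-host detection check. The following Python is an added example, not part of this report or of any DHS tooling; it runs over constructed, simplified Sysmon-style events (event ID 11 for file creation, event ID 5 for process termination), and the field names are an assumption about the SIEM schema, not a real one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, host, eid, image, target=None):
    """Build one constructed, simplified Sysmon-style event (field names assumed)."""
    return {"ts": ts, "host": host, "id": eid, "image": image, "target": target}

# Constructed sample telemetry: id 11 = FileCreate, id 5 = Process terminated.
SAMPLE_EVENTS = [
    ev("2018-12-03T10:00:01", "FS01", 5, r"C:\MSSQL\Binn\sqlservr.exe"),
    ev("2018-12-03T10:00:05", "FS01", 11, r"C:\Temp\ss2.exe", r"D:\Share\budget.xlsx.weapologize"),
    ev("2018-12-03T10:00:06", "FS01", 11, r"C:\Temp\ss2.exe", r"D:\Share\plan.docx.weapologize"),
    ev("2018-12-03T10:00:07", "FS01", 11, r"C:\Temp\ss2.exe", r"D:\Share\photo.jpg.weapologize"),
    ev("2018-12-03T10:00:09", "FS01", 11, r"C:\Temp\ss2.exe", r"D:\Share\notes.txt.weapologize"),
    ev("2018-12-03T10:00:12", "FS01", 11, r"C:\Temp\ss2.exe", r"D:\Share\SORRY-FOR-FILES.html"),
    ev("2018-12-03T10:01:00", "WS07", 11, r"C:\Office\WINWORD.EXE", r"C:\Users\a\report.docx"),
    ev("2018-12-03T10:01:30", "WS07", 5, r"C:\Windows\System32\notepad.exe"),
]

ENCRYPTED_EXT = ".weapologize"                # extension given to encrypted files
RANSOM_NOTE = "sorry-for-files.html"          # ransom note dropped on the victim
SQL_NAME = re.compile(r"sql", re.IGNORECASE)  # process names the malware terminates

def max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside one sliding window."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect_samsam(events, window=timedelta(minutes=5), min_burst=3):
    """Return {host: finding} for hosts showing the behaviour the report describes."""
    hosts = defaultdict(lambda: {"enc": [], "notes": 0, "sql_kills": []})
    for e in events:
        h, ts = hosts[e["host"]], datetime.fromisoformat(e["ts"])
        if e["id"] == 11 and e["target"].lower().endswith(ENCRYPTED_EXT):
            h["enc"].append(ts)
        elif e["id"] == 11 and e["target"].lower().endswith(RANSOM_NOTE):
            h["notes"] += 1
        elif e["id"] == 5 and SQL_NAME.search(e["image"].rsplit("\\", 1)[-1]):
            h["sql_kills"].append(e["image"])   # context only; SQL restarts are common
    findings = {}
    for host, h in hosts.items():
        burst = max_in_window(sorted(h["enc"]), window)
        if burst >= min_burst or h["notes"]:    # a burst of renames, or the note itself
            findings[host] = {"encrypted_files": len(h["enc"]), "burst": burst,
                              "ransom_notes": h["notes"], "sql_terminations": h["sql_kills"]}
    return findings
```

Process terminations are recorded as supporting context rather than a trigger on their own, since SQL services are restarted routinely; the burst threshold and window are tuning knobs for the environment.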