Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.
This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
Summary
Description
These files are related to SamSam ransomware. SamSam is a variety of ransomware based on the .NET framework.
For a downloadable copy of IOCs, see:
Submitted Files (6)
2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9 (winnetuse.exe)
427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d (ss2.exe)
594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c (ss2.stubbin)
a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb (SORRY-FOR-FILES.html)
bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0 (g04inst.bat)
da9c2ecc88e092e3b8c13c6d1a71b968aa6f705eb5966370f21e306c26cd4fb5 (sdgasfse.dll)
Domains (1)
jcmi5n4c3mvgtyt5.onion
Findings
594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c
Tags
obfuscated, ransomware, trojan
Details
Name | ss2.stubbin
Size | 278032 bytes
Type | data
MD5 | 9202651c295369eb01cc7a10cd59adff
SHA1 | ff2f511009b2813af9d12c6103206828560869db
SHA256 | 594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c
SHA512 | 547efea0c2407d1e2949e84fe107820a1efaab2eaddeaf60ceb8f23b53d635b7c86ceadb1e19c07432e51a3609d02f12aca99cb5e23b5d324febb67994f83a9c
ssdeep | 6144:gXNGATWMK0AlJgQpQXFvr0Cn8wyrQ4EeGiEb53fSEnetKA:gjDoWiUFe+NPSEnQH
Entropy | 7.999190
Antivirus
Ahnlab | BinImage/Obfuscated
Antiy | GrayWare/Win32.Presenoker
Cyren | Trojan.FTIO-1
McAfee | Ransomware-SAMAS
Sophos | Troj/Samas-G
TrendMicro | Ransom_.67284F17
TrendMicro House Call | Ransom_.67284F17
Yara Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
594b9b42a2... | Contains | 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
Description
This file is an encrypted data file with the ".stubbin" extension. It contains the AES-encrypted SamSam ransomware ss2.exe (1afc39b101a64c61b763fdf07fde1d55).
427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
Tags
dropper, ransomware, trojan
Details
Name | ss2.exe
Size | 278016 bytes
Type | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 | 1afc39b101a64c61b763fdf07fde1d55
SHA1 | 89fe55d2669e6c995b9a0d9ed5d5aa404d20713b
SHA256 | 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
SHA512 | 35b066679ce733b0de20b79cb7570570164eb695307cbb96173bd7c4485b62a42e5b67caab8b9373e45b9cd9abe72ab0eb78960256420144b9f609c3734320f0
ssdeep | 1536:VLDPjQejqUjWMuX/28KIGsA/Nu4vlIXa5CjZwEclPcx6KtCNvmuxOfgQBAMyOk3t:V3Mexh8KIXAV9vOX6mz6ylgr
Entropy | 4.757791
Antivirus
Avira | TR/Dropper.MSIL.Gen
BitDefender | Generic.Ransom.SamSam.82D17683
ClamAV | Win.Ransomware.Samsam-6425958-0
ESET | a variant of MSIL/Filecoder.Samas.B trojan
Emsisoft | Generic.Ransom.SamSam.82D17683 (B)
Ikarus | Trojan-Ransom.Samas
McAfee | Trojan-FNEY!1AFC39B101A6
Sophos | Troj/Samas-L
Symantec | Ransom.SamSam
Yara Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
427091e188... | Contained_Within | 594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c
427091e188... | Downloaded | a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb
Description
This file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware.
The ransomware accepts the following three arguments during runtime:
--Begin arguments--
"nonpenetrable"
"6"
"0.8"
--End arguments--
When executed, it searches the %CurrentDirectory% for a key file with a ".keyxml" extension and loads it if present. The key file contains an RSA public key in the following format:
--Begin RSA public key--
"<RSAKeyValue><Modulus>Base64 encoded RSA public key</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
--End RSA public key--
The key file was not available for analysis.
The ransomware searches for files to encrypt on all drives installed on the victim’s system. The malware avoids encrypting files with the following extensions and files in the following folders:
--Begin files--
"desktop.ini"
"g04inst.bat"
"ntuser.dat"
"search-ms"
".search-ms"
".exe"
".msi"
".lnk"
".wim"
".scf"
"microsoft\\windows"
"appdata"
".ini"
".sys"
".dll"
--End files--
It randomly generates the following keys for encrypting the target files:
--Begin randomly generated keys--
AES key (16 bytes)
AES IV (16 bytes)
Signature key (64 bytes), used as the key for the SHA-256 HMAC
--End randomly generated keys--
Displayed below is the code snippet for generating unique keys for each target file.
--Begin key generation--
public static string myff1(string plainFilePath, string encryptedFilePath, string manifestFilePath, string rsaKey)
{
    byte[] signatureKey = encc.GenerateRandom(64); // ===> HMAC key
    byte[] key = encc.GenerateRandom(16);          // ===> Rijndael key
    byte[] iv = encc.GenerateRandom(16);           // ===> Rijndael IV
    encc.EncryptFile(plainFilePath, encryptedFilePath, key, iv, signatureKey, rsaKey);
    return null;
}
--End key generation--
The malware reads the target file into memory and encrypts it with AES in CBC mode using the generated AES key and IV. The encrypted data is written to a newly created file that has the same name as the original file plus a ".weapologize" extension. The ransomware calculates a SHA-256 HMAC over the encrypted file data. The generated keys are encrypted with the RSA public key from the key file. The malware Base64-encodes the following data in XML format and prepends it to the beginning of the encrypted file:
--Begin Base64 encoded data--
AES key, encrypted with the RSA public key
AES IV, encrypted with the RSA public key
SHA-256 HMAC of the encrypted file data
HMAC key, encrypted with the RSA public key
--End Base64 encoded data--
Displayed below is the code used to RSA encrypt and Base64 encode data prepended at the beginning of each encrypted file:
--Begin encrypting and encoding--
string text = Convert.ToBase64String(encc.RSAEncryptBytes(key, rsaKey));
string text2 = Convert.ToBase64String(encc.RSAEncryptBytes(iv, rsaKey));
string text3 = Convert.ToBase64String(encc.RSAEncryptBytes(signatureKey, rsaKey));
byte[] bytesFromString = encc.GetBytesFromString(string.Concat(new object[]
{
    "<AAAAAAAAAAAAAAAAAAAAA>", encc.nnnlllll,
    "<AAA>", text, "</AAA>", encc.nnnlllll,
    "<AA>", text2, "</AA>", encc.nnnlllll,
    "<AAAAA>xPN1oBWSqfQgInnB6ydF204jiHN/uqljySnn1fkhqUk=</AAAAA>", encc.nnnlllll,
    "<AAAAAAAAAAAA>", text3, "</AAAAAAAAAAAA>", encc.nnnlllll,
    "<AAAAAAAAAAAAAAAAAA>", fileInfo.Length, "</AAAAAAAAAAAAAAAAAA>", encc.nnnlllll,
    "</AAAAAAAAAAAAAAAAAAAAA>"
}));
--End encrypting and encoding--
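As an added illustration, not code from the report or from the malware, the Go parser below reads a Base64 header with the layout the snippet above shows, the check an incident responder would run to confirm a SamSam header and recover the original size of an encrypted file. It assumes encc.nnnlllll is a newline separator and uses constructed placeholder blobs; the report does not state how the header is delimited from the ciphertext that follows, so the function takes the header blob alone.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strconv"
	"strings"
)

// Element names in the header are runs of 'A'; the lengths follow the report's string.Concat snippet.
var (
	tagRoot   = strings.Repeat("A", 21)
	tagKey    = strings.Repeat("A", 3)  // AES key, RSA-encrypted, Base64
	tagIV     = strings.Repeat("A", 2)  // AES IV, RSA-encrypted, Base64
	tagMarker = strings.Repeat("A", 5)  // fixed value present in every header
	tagHMAC   = strings.Repeat("A", 12) // HMAC key, RSA-encrypted, Base64
	tagLength = strings.Repeat("A", 18) // fileInfo.Length of the original file
)

// fixedMarker is the constant the snippet places in the marker element; it decodes to 32 bytes.
const fixedMarker = "xPN1oBWSqfQgInnB6ydF204jiHN/uqljySnn1fkhqUk="
// node is a generic XML element, so the unusual element names can be matched after parsing.
type node struct {
	XMLName  xml.Name
	Text     string `xml:",chardata"`
	Children []node `xml:",any"`
}
// ParseHeader Base64-decodes a header blob, validates root and marker, returns fields by element name plus the original length.
func ParseHeader(b64 string) (map[string]string, int64, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil { return nil, 0, fmt.Errorf("header is not valid Base64: %w", err) }
	var root node
	if err := xml.Unmarshal(raw, &root); err != nil || root.XMLName.Local != tagRoot {
		return nil, 0, fmt.Errorf("header is not the expected XML layout: %v", err)
	}
	fields := map[string]string{}
	for _, c := range root.Children {
		fields[c.XMLName.Local] = strings.TrimSpace(c.Text)
	}
	if fields[tagMarker] != fixedMarker { return nil, 0, fmt.Errorf("unexpected marker value %q", fields[tagMarker]) }
	n, err := strconv.ParseInt(fields[tagLength], 10, 64) // also fails if the element is missing
	if err != nil { return nil, 0, fmt.Errorf("original length is not an integer: %w", err) }
	return fields, n, nil
}

// buildDemoHeader constructs a sample header with placeholder blobs in the snippet's order; encc.nnnlllll is assumed to be a newline.
func buildDemoHeader(encKey, encIV, encHMACKey string, origLen int64) string {
	wrap := func(tag, v string) string { return "<" + tag + ">" + v + "</" + tag + ">" }
	body := strings.Join([]string{
		wrap(tagKey, encKey), wrap(tagIV, encIV), wrap(tagMarker, fixedMarker),
		wrap(tagHMAC, encHMACKey), wrap(tagLength, strconv.FormatInt(origLen, 10)),
	}, "\n")
	return base64.StdEncoding.EncodeToString([]byte(wrap(tagRoot, "\n"+body+"\n")))
}

func main() {
	ph := base64.StdEncoding.EncodeToString([]byte("constructed placeholder blob"))
	fmt.Println(ParseHeader(buildDemoHeader(ph, ph, ph, 278016)))
}
```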
Following encryption, the original files are deleted. The ransom note contents are stored in the malware DES-encrypted and Base64-encoded; displayed below are the hard-coded DES key and IV used to decrypt them.
--Begin DES key and IV--
DES KEY: 61 58 62 32 75 79 34 7A (aXb2uy4z)
IV: 0C 15 2B 11 39 23 43 1B
--End DES key and IV--
It installs the ransom note "SORRY-FOR-FILES.html" on the victim system. Next, the malware kills any running process whose file name contains "sql".
a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb
Details
Name | SORRY-FOR-FILES.html
Size | 3547 bytes
Type | HTML document, ASCII text, with very long lines, with no line terminators
MD5 | 074e52525d5ec2b2af8675477180b5f0
SHA1 | 631e5f4b9a3ba6855dd93dbdccb416337560491d
SHA256 | a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb
SHA512 | 16d5cab293ffe44a8bfe247fc8f60167741d4a44cb12542b378cf26b689abcff95065ab44e4725b2ab3e85295925faa695bce1159d06211c1bf971d437398414
ssdeep | 96:2RPS2X4/vpRMdu4JW4Qy06pZu42yNSSa/kZLCXWQJxZEzQx:GulKuwscsR5
Entropy | 4.871033
Antivirus
No matches found.
Yara Rules
No matches found.
ssdeep Matches
No matches found.
Process List
Process | PID | PPID
lsass.exe | 468 | (384)
iexplore.exe | 2628 | (2332)
explorer.exe | 1412 | (1368)
Relationships
a660cc6155... | Downloaded_By | 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
a660cc6155... | Contains | jcmi5n4c3mvgtyt5.onion
Description
This file is the ransom note displayed to the victim. It contains the ransom payment information and instructions for obtaining the RSA private key needed to recover encrypted files. Displayed below are the blog and Bitcoin addresses embedded in the ransom note:
--Begin blog and Bitcoin addresses--
blog address: "http://jcmi5n4c3mvgtyt5.onion/"
Bitcoin address: "1HbJu2kL4xDNK1L9YUDkJnqh3yiC119YM2"
--End blog and Bitcoin addresses--
Screenshots
Figure 1 - Screenshot of the ransom note
2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9
Tags
ransomware, trojan
Details
Name | winnetuse.exe
Size | 239104 bytes
Type | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 | 5b168ad87a0de81c443656cc144df29a
SHA1 | c3cf36abda1463dbe81dc7a7283c6a089c922071
SHA256 | 2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9
SHA512 | 853eec13cba76de73361f1fb1e18d11ce3c1b9496f5e093d3050283643f569b659a5931b2092d8302cc8cfbfb69e4a6241461eed4c8931879818c4280af025cf
ssdeep | 1536:YM84wQNIdSpfYy1wDcCxqwDcCxqwDcCxqwDcCxqwDcCxqwDcCxWAAPtR8XKvfOxx:R2dHD3DD3DD3DD3DD3DD3v
Entropy | 5.041215
Antivirus
Ahnlab | Trojan/Win32.Occamy
Antiy | Trojan/Win32.TSGeneric
BitDefender | Gen:Variant.Razy.275811
ClamAV | Win.Ransomware.Samsam-6482587-0
Cyren | W32/Trojan.KJIQ-4456
ESET | a variant of MSIL/Runner.J trojan
Emsisoft | Gen:Variant.Razy.275811 (B)
Ikarus | Trojan.SuspectCRC
K7 | Riskware ( 0040eff71 )
McAfee | RDN/Generic.dx
Microsoft Security Essentials | Ransom:MSIL/Samas.D
NANOAV | Trojan.Win32.Crypt.falsxr
NetGate | Trojan.Win32.Malware
Quick Heal | Trojan.YakbeexMSIL.ZZ4
Sophos | Mal/Kryptik-BV
Symantec | Trojan Horse
TrendMicro | TROJ_FR.5CBB1CDE
TrendMicro House Call | TROJ_FR.5CBB1CDE
Zillya! | Trojan.Crypt.Win32.42586
Yara Rules
No matches found.
ssdeep Matches
No matches found.
Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET
Relationships
2b06d2abc8... | Related_To | bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0
Description
This file is a 32-bit Windows .NET compiled executable designed to search for and load the encrypted data file ss2.stubbin (9202651c295369eb01cc7a10cd59adff) on the victim's system. If ss2.stubbin exists, it uses the Rijndael algorithm implemented in the class library ClassLibrary1.dll to decrypt the data file. Winnetuse.exe deletes the encrypted data file after decryption.
bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0
Tags
trojan
Details
Name | g04inst.bat
Size | 267 bytes
Type | ASCII text, with CRLF line terminators
MD5 | 62e21431e87e8a21cf06319da7438f11
SHA1 | a4708853f4a7e4e242a236a433e9b5e8593f1090
SHA256 | bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0
SHA512 | f2f60c6eb6d96c025a34eb58e175866e15a806f9ec805793676cc60ede00dbfd55b9ade816c6148235e4fc34c4c412d91ae873d324032f1dbd17b09a7a539233
ssdeep | 6:JF1ZzANc4PgXsoFDVlAVyXHI+CIwZALICLA9X/1y/W:L1Jsc4PSJFDyyXo+Bb0L/1gW
Entropy | 4.884702
Antivirus
McAfee | BAT/Starter.h
Microsoft Security Essentials | Ransom:BAT/Samas
Sophos | Troj/RansRun-A
Symantec | Trojan.Malscript
Yara Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
bc53f513df... | Related_To | 2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9
Description
This file is a batch file designed to execute winnetuse.exe (5b168ad87a0de81c443656cc144df29a) with predefined arguments. Displayed below are the arguments:
--Begin arguments--
Format: %myrunner% %password% %path% %totalprice% %priceperhost%
Sample: winnetuse.exe nvWvlIHNSzASiWhnMWCR nonpenetrable 6 0.8
--End arguments--
da9c2ecc88e092e3b8c13c6d1a71b968aa6f705eb5966370f21e306c26cd4fb5
Tags
ransomware, trojan
Details
Name | sdgasfse.dll
Size | 5632 bytes
Type | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 | f702153b68628eff973abb2912af0d22
SHA1 | 138c3aae51e67db0c4134affae428fe91c0d1686
SHA256 | da9c2ecc88e092e3b8c13c6d1a71b968aa6f705eb5966370f21e306c26cd4fb5
SHA512 | 7b5c3a6dcc30225874b70e9aa5df803d7796322e5c6654b0ace265b95b0134035384e113112a7a17b09e24dbceb71a22867424cfc1c660ec2ebb605583980dcd
ssdeep | 48:6/mWW45Rekl3tpEE4ln0LT8wVMM4W8i02+KU4AeyuNew0cxdn5Mla5GQ6bwN8ah:gBv3Z8we5i0/4Ae+2gMrG
Entropy | 3.968484
Antivirus
Ahnlab | Trojan/Win32.Samas
Antiy | Trojan/Win32.AGeneric
Avira | TR/Ransom.hlwsr
BitDefender | Trojan.GenericKD.30548303
ClamAV | Win.Ransomware.Samsam-6482588-0
Cyren | W32/Trojan.USJT-3730
ESET | a variant of MSIL/Runner.N trojan
Emsisoft | Trojan.GenericKD.30548303 (B)
Ikarus | Ransom.MSIL.Samas
K7 | Riskware ( 0040eff71 )
McAfee | RDN/Generic.dx
Microsoft Security Essentials | Ransom:MSIL/Samas.D
NANOAV | Trojan.Win32.Ransom.ffqmxt
Sophos | Troj/Samas-F
Symantec | Ransom.SamSam
Systweak | trojan-spy.samas
TrendMicro | TROJ_SAMAS.B
TrendMicro House Call | TROJ_SAMAS.B
Zillya! | Trojan.GenericKD.Win32.128339
Yara Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
Compile Date | 2018-03-06 11:43:39-05:00
Import Hash | dae02f32a21e03ce65412f6e56942daa
Company Name | jkg kdjfhg dfkgdjf k,hh k
File Description | skudfkjg sjdfbsk hfkusdh fkjh
Internal Name | sdgasfse.dll
Legal Copyright | hdf kjdfhgfk dhfkjhkh
Original Filename | sdgasfse.dll
Product Name | kh vkjhd dfgk ghdfkjhkj
Product Version | 9.7.1.2
PE Sections
MD5 | Name | Raw Size | Entropy
b85b73ffa6d2bc4679ee6ece174a93b1 | header | 512 | 2.535489
12fe3b15c663fe9ed9480c352f9bded3 | .text | 3072 | 5.048626
9cf5eb0ba3d939001e41a98351a45be5 | .rsrc | 1536 | 2.577418
8ef9498de2781e9f674c2727ab3546c6 | .reloc | 512 | 0.081539
Description
This file is a .NET class library module designed to decrypt the encrypted data file with the ".stubbin" extension using the Rijndael algorithm. Displayed below are the key and the initialization vector used for decryption.
--Begin key--
rijndael.Key = hdfgkhioiugyfyghdseertdfygu ==> 7E 7C C0 90 0A E8 7C 3B F1 38 6C 9E 7E 89 B8 29 10 76 C1 E4 FF 6C A3 F8 42 2B 9F 8C 83 7F AC FE
rijndael.IV = ghtrfdfdewsdfgtyhgjgghfdg ==> F1 38 6C 9E 7E 89 B8 29 C3 93 32 02 C5 A0 08 10
--End key--
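As an added example, not part of the report or of the malware, this Go routine reproduces the loader step described for winnetuse.exe and sdgasfse.dll: decrypting a .stubbin payload with the key and IV documented above, so an analyst can recover the embedded sample for inspection. A 32-byte key with a 16-byte IV is AES-256; CBC mode and PKCS#7 padding are assumptions (the RijndaelManaged defaults) that fit the 16-byte size difference between ss2.stubbin and ss2.exe, and the sample ciphertext is constructed inside the block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// Rijndael key and IV exactly as documented above for sdgasfse.dll (hex). A 32-byte key with
// a 16-byte IV is AES-256. CBC mode and PKCS#7 padding are assumptions (the RijndaelManaged
// defaults); they fit ss2.stubbin being exactly one 16-byte block larger than ss2.exe.
const (
	stubKeyHex = "7E7CC0900AE87C3BF1386C9E7E89B8291076C1E4FF6CA3F8422B9F8C837FACFE"
	stubIVHex  = "F1386C9E7E89B829C3933202C5A00810"
)

func mustHex(s string) []byte { b, err := hex.DecodeString(s); if err != nil { panic(err) }; return b }

// DecryptStub reverses the loader step: AES-256-CBC decrypt, then verify and strip the
// PKCS#7 padding, refusing malformed input instead of returning garbage.
func DecryptStub(ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(mustHex(stubKeyHex))
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of 16 bytes")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, mustHex(stubIVHex)).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("invalid PKCS#7 padding: wrong key, IV or mode")
	}
	return pt[:len(pt)-pad], nil
}

// IsPE is the sanity check to apply to the output: the recovered ss2.exe must start with "MZ".
func IsPE(b []byte) bool { return len(b) >= 2 && b[0] == 'M' && b[1] == 'Z' }

// encryptForDemo builds a constructed .stubbin-style sample so the block runs offline; in a
// real case the ciphertext is the content of the ss2.stubbin file itself.
func encryptForDemo(pt []byte) []byte {
	block, _ := aes.NewCipher(mustHex(stubKeyHex))
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, mustHex(stubIVHex)).CryptBlocks(ct, padded)
	return ct
}

func main() {
	pt, err := DecryptStub(encryptForDemo([]byte("MZ\x90\x00 constructed payload")))
	fmt.Println(IsPE(pt), err)
}
```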
jcmi5n4c3mvgtyt5.onion
URLs
- http://jcmi5n4c3mvgtyt5.onion/
Relationships
jcmi5n4c3mvgtyt5.onion | Contained_Within | a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb
Description
The domain was identified in the ransom note.
Relationship Summary
594b9b42a2... | Contains | 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
427091e188... | Contained_Within | 594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c
427091e188... | Downloaded | a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb
a660cc6155... | Downloaded_By | 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
a660cc6155... | Contains | jcmi5n4c3mvgtyt5.onion
2b06d2abc8... | Related_To | bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0
bc53f513df... | Related_To | 2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9
jcmi5n4c3mvgtyt5.onion | Contained_Within | a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb
Recommendations
NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
- Scan all software downloaded from the Internet prior to execution.
- Maintain situational awareness of the latest threats and implement appropriate ACLs.
Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, Guide to Malware Incident Prevention & Handling for Desktops and Laptops.
Contact Information
NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/
Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the NCCIC at 1-888-282-0870 or soc@us-cert.gov.
Can I submit malware to NCCIC? Malware samples can be submitted via three methods:
NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov.