Analysis Report

MAR-10164494.r1.v1 – SamSam4

Last Revised
Alert Code
AR18-337D

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

Three artifacts were submitted for analysis.

For a downloadable copy of IOCs, see:

MAR-10164494.r1.v1.stix

Submitted Files (3)

738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86 (mswinupdate.exe)

9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12 (ClassLibrary1.dll)

bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58 (g04inst.bat)

Findings

9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12

Tags

downloader, ransomware, trojan

Details
Name ClassLibrary1.dll
Size 5120 bytes
Type PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 76bd79f774ae892fd6a30b6463050a91
SHA1 4d7a60bd1fb3677a553f26d95430c107c8485129
SHA256 9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12
SHA512 67e0046db0b565a1ac1862bbd536016c3ea984f8fceadaa31b4c99e7a8b434b170d5badbb10c2c25e264b17bbf2f97576f252e7ef74279b3b845b1553cef9829
ssdeep 48:6DhamfhRd4tvDo4Xbgj/aarU3LT88VMM8UX8i02+KfANbU7gjBRd1trWO8lGO+3L:m+5DoAbgfU88Spi0oANbsgjMPYp3XII
Entropy 4.004964
Antivirus
Ahnlab Trojan/Win32.Black
Antiy Trojan/Win32.AGeneric
BitDefender Trojan.GenericKD.30369417
ClamAV Win.Trojan.Agent-6538241-0
Cyren W32/Trojan.URRI-3517
ESET a variant of MSIL/Runner.N trojan
Emsisoft Trojan.GenericKD.30369417 (B)
Ikarus Ransom.MSIL.Samas
K7 Riskware ( 0040eff71 )
McAfee Ransomware-GJY!76BD79F774AE
Microsoft Security Essentials Ransom:MSIL/Samas.D
NANOAV Trojan.Win32.Runner.ffvfbl
Sophos Troj/Samas-F
Symantec Trojan.Gen.2
Systweak trojan.downloader
TrendMicro TROJ_STUBDCRYP.A
TrendMicro House Call TROJ_STUBDCRYP.A
Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-01-28 06:09:15-05:00
Import Hash dae02f32a21e03ce65412f6e56942daa
File Description ClassLibrary1
Internal Name ClassLibrary1.dll
Legal Copyright Copyright © 2018
Original Filename ClassLibrary1.dll
Product Name ClassLibrary1
Product Version 1.0.0.0
PE Sections
MD5 Name Raw Size Entropy
34943f18fd2a99cc3f5cabe43b4765f8 header 512 2.547920
06219fe6e30e15dce12688ca2b434890 .text 3072 4.856670
11b58fc9ac45168b871cc50399b7c86c .rsrc 1024 2.888335
ec45a535f38fb6dc4ac4ed7cbf63b754 .reloc 512 0.081539
Description

This file is a .NET Class Library module designed to decrypt an encrypted data file with a ".stubbin" extension using the Rijndael encryption algorithm.

Displayed below are the encryption key and the initialization vector used for decryption.

--Begin encryption information--
rijndael.Key = hdfgkhioiugyfyghdseertdfygu
rijndael.IV = ghtrfdfdewsdfgtyhgjgghfdg
--End encryption information--

738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86

Tags

ransomware, trojan

Details
Name mswinupdate.exe
Size 6144 bytes
Type PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 b96620d8a08fa436ea22ef480dd883ce
SHA1 a1ab74d2f06a542e77ea2c6d641aae4ed163a2da
SHA256 738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86
SHA512 2a9f4ebb025c8e7b4e074d301477656ffad66318da5ea35ddc8363c17f4bdbf501778539133261adbb9f441066a1e2b79240306ad1877f5ef17009c8f05ff4a6
ssdeep 48:6ZMMEikGAgS7zfMFmZUX7OLbqMMou6ZVqsPIUlf41cjGPRMfNFrbvZiJY527qnfF:/ikGAgS7b0807M+And6c6mBiJYPezNt
Entropy 4.238961
Antivirus
Ahnlab Trojan/Win32.Samas
Antiy Trojan[Ransom]/MSIL.Samas
Avira TR/Samas.qybuh
BitDefender Trojan.GenericKD.30367991
Cyren W32/Trojan.VYAP-2611
ESET a variant of MSIL/Runner.N trojan
Emsisoft Trojan.GenericKD.30367991 (B)
Ikarus Ransom.MSIL.Samas
K7 Riskware ( 0040eff71 )
McAfee Ransomware-GJX!B96620D8A08F
Microsoft Security Essentials Ransom:MSIL/Samas
NANOAV Trojan.Win32.Generic.eymsce
NetGate Malware.Generic
Sophos Mal/Kryptik-BV
Symantec Trojan.Gen.2
Systweak malware.shuriken
TrendMicro TROJ_RUNNER.GBB
TrendMicro House Call TROJ_RUNNER.GBB
Zillya! Trojan.Samas.Win32.32
Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-01-28 06:09:17-05:00
Import Hash f34d5f2d4577ed6d9ceec516c1f5a744
Company Name oiauoyqtfhqiwur578q26trgqiwue ffh iufiuqwytf 78wt8
File Description dkhjkasyfafa udfiu asd fuiysfd fiusdfh oiafiuay
Internal Name rock2.exe
Legal Copyright iusy ergy8wej udg uy
Original Filename rock2.exe
Product Name 98y4798t qiy er998ergg iuery 8 o8uieyfui qewhfiuoyafibuwy ey7fq iuyi
Product Version 76.7.99.12
PE Sections
MD5 Name Raw Size Entropy
7f1dc4bd716bc037dea251c4dff12cdd header 512 2.538579
c8076584486a2745281e4945da9b8b13 .text 3072 4.946272
1efe88aa4756d059ec1d3b49e342de5d .rsrc 2048 3.917395
7048daac38c935b38e086adcd8035d2a .reloc 512 0.081539
Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET
Description

This file is a PE32 .NET executable designed to search the victim's system for an encrypted data file with a ".stubbin" extension and load it. If the file exists, it uses the Rijndael routine in the Class Library file (ClassLibrary1.dll) to decrypt the data file. After decryption, it deletes the encrypted data file. The encrypted file with a ".stubbin" extension was not available for analysis.
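The indicators in this report (the three SHA256 values, the submitted filenames, the rock2.exe internal name from the PE metadata, and the ".stubbin" staging extension used by both the loader and ClassLibrary1.dll) can be turned directly into a host sweep. The following Python script is an added example written for this page, not code from the report or from NCCIC: it walks a directory tree, hashes every file, and reports hash matches, filename matches and any staged ".stubbin" payload. Because the loader deletes the ".stubbin" file after decryption, a surviving ".stubbin" file is worth flagging on its own. The function names, the demo directory layout and the sample file contents are constructed for illustration; the real samples are not reproduced.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 indicators as listed in MAR-10164494.r1.v1 (SHA256 -> submitted filename).
SAMSAM_SHA256 = {
    "738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86": "mswinupdate.exe",
    "9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12": "ClassLibrary1.dll",
    "bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58": "g04inst.bat",
}

# Extension of the encrypted payload the loader looks for and deletes after decryption.
STAGED_PAYLOAD_EXT = ".stubbin"

# Filenames from the report: submitted names plus the loader's PE "Internal Name" (rock2.exe).
SUSPECT_NAMES = {name.lower() for name in SAMSAM_SHA256.values()} | {"rock2.exe"}


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA256 so large files do not need to be read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def classify(path: Path, sha256_iocs: dict[str, str] = SAMSAM_SHA256) -> list[str]:
    """Return every reason a file matches the report's indicators (empty list = no match).

    Hash matches are high confidence; filename and extension matches are weaker leads
    that still deserve a look, since the loader is trivially renamed.
    """
    reasons: list[str] = []
    if path.suffix.lower() == STAGED_PAYLOAD_EXT:
        reasons.append("staged-payload: .stubbin file present (loader deletes it after decryption)")
    if path.name.lower() in SUSPECT_NAMES:
        reasons.append(f"filename: {path.name} matches a name from the report")
    digest = sha256_of(path)
    if digest in sha256_iocs:
        reasons.append(f"sha256: matches {sha256_iocs[digest]}")
    return reasons


def scan_tree(root: Path, sha256_iocs: dict[str, str] = SAMSAM_SHA256) -> dict[str, list[str]]:
    """Walk root recursively and map each matching file path to its list of reasons."""
    hits: dict[str, list[str]] = {}
    for candidate in root.rglob("*"):
        if not candidate.is_file():
            continue
        reasons = classify(candidate, sha256_iocs)
        if reasons:
            hits[str(candidate)] = reasons
    return hits


def build_demo_tree(root: Path) -> None:
    """Write CONSTRUCTED placeholder files (not real malware) so the sweep can be dry-run."""
    public = root / "users" / "public"
    public.mkdir(parents=True)
    (public / "mswinupdate.exe").write_bytes(b"CONSTRUCTED stand-in, not the real loader")
    (public / "payload.stubbin").write_bytes(b"CONSTRUCTED opaque blob standing in for the payload")
    (public / "readme.txt").write_bytes(b"benign file that must not be flagged")


def demo() -> dict[str, list[str]]:
    """Dry run in a temp directory; returns hits keyed by path relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        # The constructed stand-in cannot have the real loader's hash, so its own digest is
        # added to a copy of the IOC set purely to exercise the hash-match path.
        iocs = dict(SAMSAM_SHA256)
        iocs[sha256_of(root / "users" / "public" / "mswinupdate.exe")] = "mswinupdate.exe (constructed stand-in)"
        hits = scan_tree(root, iocs)
        return {
            str(Path(p).relative_to(root)).replace(os.sep, "/"): reasons
            for p, reasons in hits.items()
        }


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

In production use, point `scan_tree` at the volumes of interest with the IOC set as given; the report also lists MD5 and SHA1 values, which can be added the same way if a downstream tool only consumes those. Hash matches should be treated as confirmed; filename and ".stubbin" matches are triage leads, and a ".stubbin" file in particular should be preserved for analysis since the original encrypted payload was not available to the report's authors.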

bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58

Tags

ransomware, trojan

Details
Name g04inst.bat
Size 276 bytes
Type ASCII text, with CRLF line terminators
MD5 02c19bbf8e19bb69fc7870ec872d355e
SHA1 cc76586ef94122329e825c78aad2ecb9ac064343
SHA256 bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58
SHA512 283681b5b8e78440bf474c8e50504e6e82f25bd3f6240d5e70600e43fc9fd609a78ee7b837c9b68aa25ed13f2ee735f360a18e614ded15e11bb62043cd028c99
ssdeep 6:JF1ZzA+QragXsoNLYjClAVyXHI+CIwZALICLA9XEUXR/JgW:L1J4aSJF+dyXo+Bb0LEUhyW
Entropy 4.962735
Antivirus
McAfee BAT/Starter.h
Microsoft Security Essentials Ransom:BAT/Samas
Sophos Troj/RansRun-A
Symantec Trojan.Malscript
Yara Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a batch file designed to execute mswinupdate.exe with predefined arguments. Displayed below are the arguments:

--Begin arguments--
Format: %myrunner% %password% %path% %totalprice% %priceperhost%
Sample: mswinupdate.exe <password> juxtapositional 5 0.8
--End arguments--

Recommendations

NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up to date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate ACLs.

Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, Guide to Malware Incident Prevention & Handling for Desktops and Laptops.

Contact Information

NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the NCCIC at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to NCCIC? Malware samples can be submitted via three methods:

NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov.

Revisions

December 3, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.