
Scarab Ransomware blocked by enSilo

CUSTOMER ADVISORY WARNING: Scarab Ransomware

During June 2017, the Scarab ransomware was detected for the first time by several security researchers. Scarab reaches victims across the world via Necurs, the largest email spam botnet on the Internet. The malware spreads through malicious emails carrying an attached ZIP file that contains a VBScript downloader:

FIGURE 1: The malicious email with the VBScript attachment

The email subject line is one of the following:

Scanned from Lexmark
Scanned from Epson
Scanned from HP
Scanned from Canon


ANALYSIS OF THE VBSCRIPT DOWNLOADER

Reading through the code of the VBScript downloader shows that it uses some obfuscation techniques to hide its functionality. Nothing special here, though: reversing the obfuscation is straightforward. Once executed, the VBScript attempts to download a payload from the following URLs:

hard-grooves[.]com/JHgd476
pamplonarecados[.]com/JHgd476
miamirecyclecenters[.]com/JHgd476

 

If the download succeeds, the script executes the payload through the Windows cmd.exe command-line interface. That payload is the Scarab ransomware binary.

FILE CHARACTERISTICS:

  • File size: 3901 bytes
  • SHA256: C7E3C4BAD00C92A1956B6D98AAE0423170DE060D2E15C175001AAEAF76722A52

 

ANALYSIS OF THE SCARAB RANSOMWARE

CHARACTERISTICS:

The Scarab ransomware binary has the following static characteristics:

Filename: JHgd476.exe
SHA256 hash: 7a60e9f0c00bcf5791d898c84c26f484b4c671223f6121dc3608970d8bf8fe4f
File size: 365056 bytes
Compile time: 2017-11-23 01:58:16

On execution, the Scarab ransomware attempts to accomplish the following:

1. Encrypt all files on the system
2. Disable default Windows recovery features
3. Delete the original copy of itself
4. Demand payment via a message prompt

The ransomware also copies itself to the following location:

cmd.exe /c copy /y "JHgd476.exe" "c:\%APPDATA%\sevnz.exe"

To remain persistent, the ransomware creates a registry value under the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
uSjBVNE = "%Application Data%\sevnz.exe"


The ransomware then proceeds to encrypt files, using the AES algorithm to encrypt file contents and Base64 encoding when renaming them. The targeted file types are the following:

".PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV, CAD files .DWG .DXF, GIS files .GPX .KML .KMZ, .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF, encoded files .HQX .MIM .UUE, .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML, audio files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA, video files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV, 3D files .3DM .3DS .MAX .OBJ, .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG"

Encrypted files are renamed in the following format:

<original file name>.[suupport@protonmail.com].scarab

FIGURE 2: The encrypted files

While running, the ransomware executes the following commands to disable default Windows recovery features:

cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
cmd.exe /c wmic SHADOWCOPY DELETE
cmd.exe /c vssadmin Delete Shadows /All /Quiet
cmd.exe /c bcdedit /set {default} recoveryenabled No
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
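Added example (not enSilo's code and not from the original advisory): a small Python detection routine that scans process-creation command lines for the self-copy to %APPDATA%\sevnz.exe and for the recovery-disabling commands listed above, and recognises files renamed with the Scarab suffix described earlier. The sample events are constructed from the commands quoted in this advisory; the "image|command line" record format is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events ("image|command line" per line), built
# from the commands quoted in this advisory; the format is an assumption, not real telemetry.
SAMPLE_EVENTS = """\
C:\\Windows\\System32\\cmd.exe|cmd.exe /c copy /y "JHgd476.exe" "c:\\%APPDATA%\\sevnz.exe"
C:\\Windows\\System32\\cmd.exe|cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
C:\\Windows\\System32\\cmd.exe|cmd.exe /c wmic SHADOWCOPY DELETE
C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin Delete Shadows /All /Quiet
C:\\Windows\\System32\\cmd.exe|cmd.exe /c bcdedit /set {default} recoveryenabled No
C:\\Windows\\System32\\cmd.exe|cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
"""

# Detection rules over the command line. Case-insensitive because the quoted
# commands already mix cases (DELETE vs. Delete).
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)\b", re.I)),
    ("system_state_backup_deletion",
     re.compile(r"\bwbadmin\s+delete\s+systemstatebackup\b", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"\bbcdedit\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("self_copy_to_appdata",
     re.compile(r"\bcopy\b.*%APPDATA%\\sevnz\.exe", re.I)),
]

def detect_recovery_tampering(events: str) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) match: rule name, image and command line."""
    hits = []
    for line in events.splitlines():
        if "|" not in line:
            continue  # skip malformed records instead of aborting the scan
        image, cmdline = line.split("|", 1)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append({"rule": name, "image": image, "cmdline": cmdline})
    return hits

# Scarab renames encrypted files to: <original name>.[suupport@protonmail.com].scarab
SCARAB_NAME = re.compile(r"^(?P<original>.+)\.\[suupport@protonmail\.com\]\.scarab$", re.I)

def original_name(filename: str):
    """Return the pre-encryption name of a Scarab-renamed file, or None if not renamed."""
    match = SCARAB_NAME.match(filename)
    return match.group("original") if match else None
```

Feeding SAMPLE_EVENTS to detect_recovery_tampering yields six hits (one per cmd.exe event) and none for the notepad.exe line; a single host emitting several of these rules within seconds is a strong ransomware signal worth alerting on.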

 

Finally, once the encryption process is completed, it deletes the original copy of itself.

When the ransomware finishes encrypting all files, a ransom note is presented in a text file dropped by Scarab:

FIGURE 3: The Scarab ransom message

Unlike a typical ransom note, which demands a fixed amount from the victim, the Scarab note specifies that the ransom price depends on how fast the victim pays: the sooner the payment, the less money the victim has to pay. The ransomware also offers to decrypt three files for free to prove that decryption works. The note states: "Before paying you can send us up to 3 files for free decryption."

ENSILO POST-INFECTION PLATFORM IN ACTION

The Scarab ransomware sample was executed in a controlled environment protected by the enSilo platform.

FIGURE 4: enSilo detected and blocked the Scarab ransomware activity and stopped the file encryption

The enSilo ransomware prevention rule detected a binary named Sacarabransome.exe (the Scarab ransomware) attempting to use the process-hollowing technique and to create the file %Application Data%\sevnz.exe, the copy of the ransomware. Because enSilo blocked this operation, the malware could not proceed to the next phase of its attack.

FINAL NOTE

This blog post walked through the functionality of the Scarab ransomware from its initial phase, where the victim receives a phishing email carrying the VBScript downloader, all the way to the point where the important files are encrypted and the victim receives a ransom note. Most importantly, the post shows how enSilo post-infection protection detects and prevents attacks by the Scarab ransomware.

 

File IOCs

VBScript downloader SHA256: c7e3c4bad00c92a1956b6d98aae0423170de060d2e15c175001aaeaf76722a52

Scarab ransomware binary (JHgd476.exe) SHA256: 7a60e9f0c00bcf5791d898c84c26f484b4c671223f6121dc3608970d8bf8fe4f

Network IOCs

hard-grooves[.]com/JHgd476
pamplonarecados[.]com/JHgd476
miamirecyclecenters[.]com/JHgd476

 
