TLP:WHITE

Malware Analysis Report (AR18-337C)

MAR-10158513.r1.v1 – SamSam3

Original release date: December 03, 2018

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

14 files were submitted for analysis. Together with the three files they drop (del.exe, selfdel.exe and the ransom note HELP_DECRYPT_YOUR_FILES.html), 17 files are listed below. The submitted files are variants of SamSam ransomware, designed to encrypt a victim's files for a ransom payment.

For a downloadable copy of IOCs, see:

Submitted Files (17)

036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050 (samsam.exe)

0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac (samsam.exe)

32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f (selfdel.exe)

45e00fe90c8aa8578fce2b305840e368d62578c77e352974da6b8f8bc895d75b (samsam.exe)

553967d05b83364c6954d2b55b8cfc2ea3808a17c268b2eee49090e71976ba29 (553967d05b83364c6954d2b55b8cfc...)

58ef87523184d5df3ed1568397cea65b3f44df06c73eadeb5d90faebe4390e3e (samsam.exe)

6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21 (HELP_DECRYPT_YOUR_FILES.html)

6bc2aa391b8ef260e79b99409e44011874630c2631e4487e82b76e5cb0a49307 (samsam.exe)

7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044 (samsam.exe)

89b4abb78970cd524dd887053d5bcd982534558efdf25c83f96e13b56b4ee805 (samsam.exe)

939efdc272e8636fd63c1b58c2eec94cf10299cd2de30c329bd5378b6bbbd1c8 (samsam.exe)

946dd4c4f3c78e7e4819a712c7fd6497722a3d616d33e3306a556a9dc99656f4 (samsam.exe)

979692a34201f9fc1e1c44654dc8074a82000946deedfdf6b8985827da992868 (samsam.exe)

97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95 (del.exe)

a763ed678a52f77a7b75d55010124a8fccf1628eb4f7a815c6d635034227177e (samsam.exe)

e682ac6b874e0a6cfc5ff88798315b2cb822d165a7e6f72a5eb74e6da451e155 (samsam.exe)

ffef0f1c2df157e9c2ee65a12d5b7b0f1301c4da22e7e7f3eac6b03c6487a626 (samsam.exe)

Domains (10)

anonyme.com

evilsecure9.wordpress.com

followsec7.wordpress.com

key88secu7.wordpress.com

keytwocode.wordpress.com

lordsecure4u.wordpress.com

payforsecure7.wordpress.com

secangel7d.wordpress.com

union83939k.wordpress.com

zeushelpu.wordpress.com

Findings

0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac

Tags

dropper, ransomware, trojan

Details
Name: samsam.exe
Size: 218624 bytes
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: a14ea969014b1145382ffcd508d10156
SHA1: ff6aa732320d21697024994944cf66f7c553c9cd
SHA256: 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac
SHA512: 73f28bed4ee700e15d1c0eb9871e37bdda77e3ef3c14b63a1597b9628e7407dc31f8382e0ec52c8c65f68c00a4f321f5971359f865eb35b35dc62e9f5e8e7be1
ssdeep: 3072:ZVdp01i6vcHV1LI5FLV0pZeZKfOJizjrBnNtRg+ur199J+n9fCbP:Za1i6UHVyLV0poZa1jrD099on9
Entropy: 6.249245
Antivirus
Ahnlab: Trojan/Win32.Samas
Antiy: Trojan/Win32.SGeneric
Avira: TR/Ransom.lhumd
BitDefender: Generic.Ransom.SamSam.12451789
ClamAV: Win.Trojan.Samas-1
Cyren: W32/Trojan.MPPP-7951
ESET: MSIL/Filecoder.AR trojan
Emsisoft: Generic.Ransom.SamSam.12451789 (B)
Ikarus: Trojan-Ransom.SamSam
K7: Trojan ( 700000121 )
McAfee: Ransomware-SAMAS!A14EA969014B
Microsoft Security Essentials: Ransom:MSIL/Samas.A
NANOAV: Trojan.Win32.Ransom.eamswz
Quick Heal: Trojan.Inject.TL3
Sophos: Troj/RansmSam-A
Symantec: Trojan.Gen.2
Systweak: malware.gen-r
TrendMicro: Ransom_CRYPSAM.B
TrendMicro House Call: Ransom_CRYPSAM.B
Vir.IT eXplorer: Trojan.Win32.MSIL9.BGXA
VirusBlokAda: Trojan-Ransom.MSIL.Samas
Zillya!: Dropper.Agent.Win32.229787
Yara Rules

No matches found.

ssdeep Matches
97  036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050
PE Metadata
Compile Date: 2016-01-05 19:14:43-05:00
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Company Name: Microsoft
File Description: MicrosoftSAM
Internal Name: samsam.exe
Legal Copyright: Copyright © 2014
Original Filename: samsam.exe
Product Name: MicrosoftSAM
Product Version: 2.4.8.4
PE Sections
MD5                               Name    Raw Size  Entropy
37c3e95eb9901183e02df0ba1de6caf2  header  512       2.774592
7a556f246357051b2d82ea445571ddbb  .text   216064    6.270810
d0b581056989efaa1de31a61a8f4a9ec  .rsrc   1536      4.110334
06441ad348b483e2458a535949e809cf  .reloc  512       0.101910
Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET
Relationships
0f2c5c3949...  Connected_To  union83939k.wordpress.com
0f2c5c3949...  Dropped  6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21
0f2c5c3949...  Dropped  32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f
0f2c5c3949...  Dropped  97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95
Description

This file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware. It contains two embedded 32-bit Windows executables in its resource section:

--Begin resource--
"samsam.del.exe" ==> del.exe (SDelete) designed to securely delete files
"samsam.selfdel.exe" ==> selfdel.exe designed to delete the SamSam ransomware from the victim’s system
--End resource--

It installs the embedded files into the following directory:

--Begin files installed--
%Currentdirectory%\del.exe
%Currentdirectory%\Selfdel.exe
--End files installed--

This file is designed to accept a single command-line argument: the path of an input text file containing the RSA public key that will wrap the per-file encryption keys. The key file uses the XML layout produced by .NET's RSA.ToXmlString for a public key (Modulus and Exponent as Base64-encoded big-endian integers; "AQAB" is the common public exponent 65537):

--Begin RSA public key--
"<RSAKeyValue><Modulus>Base64 encoded RSA public key</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
--End RSA public key--

The input text file was not available for analysis.

Displayed below is the code snippet designed to accept an input text file as the command-line argument:

--Begin command line argument--
private static void Main(string[] args)
{
    // Exactly one argument is required: the path of the RSA public key file.
    if (args.Length != 1)
    {
        return;
    }
    if (!string.IsNullOrEmpty(args[0]))
    {
        Program.publickey = File.ReadAllText(args[0]);
    }
    // Extract the embedded del.exe and selfdel.exe resources to disk.
    Program.create_from_resource();
    // remainder of Main not shown
}
--End command line argument--

It searches the drives installed on the victim system for files with the following file extensions:

--Begin file extensions--
"xls",".xlsx",".pdf",".doc",".docx",".ppt",".pptx",".txt",".dwg",".bak",".bkf",".pst",".dbx",".zip",".rar",".mdb",".asp",".aspx",".html",".htm",".dbf",".3dm",".3ds",".3fr",".jar",".3g2",".xml",".png",".tif",".3gp",".java",".jpe",".jpeg",".jpg",".jsp",".php",".3pr",".7z",".ab4",".accdb",".accde",".accdr",".accdt",".ach",".kbx",".acr",".act",".adb",".ads",".agdl",".ai",".ait",".al",".apj",".arw",".asf",".asm",".asx",".avi",".awg",".back",".backup",".backupdb",".pbl",".bank",".bay",".bdb",".bgt",".bik",".bkp",".blend",".bpw",".c",".cdf",".cdr",".cdr3",".cdr4",".cdr5",".cdr6",".cdrw",".cdx",".ce1",".ce2",".cer",".cfp",".cgm",".cib",".class",".cls",".cmt",".cpi",".cpp",".cr2",".craw",".crt",".crw",".phtml",".php5",".cs",".csh",".csl",".tib",".csv",".dac",".db",".db3",".db-journal",".dc2",".dcr",".dcs",".ddd",".ddoc",".ddrw",".dds",".der",".des",".design",".dgc",".djvu",".dng",".dot",".docm",".dotm",".dotx",".drf",".drw",".dtd",".dxb",".dxf",".dxg",".eml",".eps",".erbsql",".erf",".exf",".fdb",".ffd",".fff",".fh",".fmb",".fhd",".fla",".flac",".flv",".fpx",".fxg",".gray",".grey",".gry",".h",".hbk",".hpp",".ibank",".ibd",".ibz",".idx",".iif",".iiq",".incpas",".indd",".kc2",".kdbx",".kdc",".key",".kpdx",".lua",".m",".m4v",".max",".mdc",".mdf",".mef",".mfw",".mmw",".moneywell",".mos",".mov",".mp3",".mp4",".mpg",".mrw",".msg",".myd",".nd",".ndd",".nef",".nk2",".nop",".nrw",".ns2",".ns3",".ns4",".nsd",".nsf",".nsg",".nsh",".nwb",".nx2",".nxl",".nyf",".oab",".obj",".odb",".odc",".odf",".odg",".odm",".odp",".ods",".odt",".oil",".orf",".ost",".otg",".oth",".otp",".ots",".ott",".p12",".p7b",".p7c",".pab",".pages",".pas",".pat",".pcd",".pct",".pdb",".pdd",".pef",".pem",".pfx",".pl",".plc",".pot",".potm",".potx",".ppam",".pps",".ppsm",".ppsx",".pptm",".prf",".ps",".psafe3",".psd",".pspimage",".ptx",".py",".qba",".qbb",".qbm",".qbr",".qbw",".qbx",".qby",".r3d",".raf",".rat",".raw",".rdb",".rm",".rtf",".rw2",".rwl",".rwz",".s3db",".sas7bdat",".say",".sd0",".sda",".sdf",".sldm",".sldx",".sql",".sqlite",".sqlite3",".sqlitedb",".sr2",".srf",".srt",".srw",".st4",".st5",".st6",".st7",".st8",".std",".sti",".stw",".stx",".svg",".swf",".sxc",".sxd",".sxg",".sxi",".sxi",".sxm",".sxw",".tex",".tga",".thm",".tlg",".vob",".war",".wallet",".wav",".wb2",".wmv",".wpd",".wps",".x11",".x3f",".xis",".xla",".xlam",".xlk",".xlm",".xlr",".xlsb",".xlsm",".xlt",".xltm",".xltx",".xlw",".ycbcra",".yuv"
--End file extensions--

The malware avoids encrypting files in the "Windows", "Reference Assemblies\\Microsoft", and "Recycle.Bin" folders. The Windows test is an exact comparison of the path against the system-drive Windows directory, whereas the other two are substring matches.

Displayed below is the code snippet used to skip those folders:

--Begin code--
// Exact-match test for the Windows directory; substring tests for the other two.
if (path != Program.sysdir + "Windows" && !path.Contains("Reference Assemblies\\Microsoft") && !path.Contains("Recycle.Bin"))
--End code--

It randomly generates the following keys for encrypting the target files:

--Begin randomly generates keys--
AES key (16 bytes)
AES IV (16 bytes)
Signature key (64 bytes), used as the HMAC-SHA256 key over the ciphertext
--End randomly generates keys--

Displayed below is the code snippet for generating the unique keys for a target file:

--Begin key generation--
public static string Encrypt(string plainFilePath, string encryptedFilePath, string manifestFilePath, string rsaKey)
{
    byte[] signatureKey = encc.GenerateRandom(64); // HMAC-SHA256 key
    byte[] key = encc.GenerateRandom(16);          // Rijndael (AES-128) key
    byte[] iv = encc.GenerateRandom(16);           // Rijndael (AES) IV
    encc.EncryptFile(plainFilePath, encryptedFilePath, key, iv, signatureKey, rsaKey);
    return null;
}
--End key generation--

It reads the target file into memory and encrypts it with AES in CBC mode under the per-file key and IV. The ciphertext is written to a newly created file with the same name as the original plus an ".encryptedRSA" extension. The ransomware then computes an HMAC-SHA256 over the ciphertext using the 64-byte signature key.

The generated keys are encrypted with the RSA public key from the key file. The malware then prepends an XML header carrying the following fields (keys and HMAC Base64 encoded) at the beginning of the encrypted file:

--Begin header fields--
AES key, encrypted with the RSA public key
AES IV, encrypted with the RSA public key
HMAC-SHA256 of the encrypted file data
HMAC key, encrypted with the RSA public key
Length of the original file
--End header fields--

Because every per-file key is wrapped only with the operator's RSA public key, the files cannot be recovered without the matching private key; the HMAC lets a decryptor detect an altered or truncated ciphertext before decrypting it.

Displayed below is the code used to RSA encrypt and Base64 encode the data prepended at the beginning of each encrypted file.

--Begin encrypting and encoding--
// Fragment of the encryption routine; runs after the ciphertext has been written to encryptedFilePath.
byte[] inArray = encc.CalculateSignature(encryptedFilePath, signatureKey);          // HMAC-SHA256 over the ciphertext
string text = Convert.ToBase64String(encc.RSAEncryptBytes(key, rsaKey));          // AES key, RSA-OAEP-wrapped, Base64
string text2 = Convert.ToBase64String(encc.RSAEncryptBytes(iv, rsaKey));          // AES IV, RSA-OAEP-wrapped, Base64
string text3 = Convert.ToBase64String(inArray);                                   // HMAC value, Base64
string text4 = Convert.ToBase64String(encc.RSAEncryptBytes(signatureKey, rsaKey)); // HMAC key, RSA-OAEP-wrapped, Base64
string str = string.Concat(new object[]
{
    "<MtAeSKeYForFile>",
    encc.sn,                 // field separator string; its value is not shown in the report
    "<Key>",
    text,
    "</Key>",
    encc.sn,
    "<IV>",
    text2,
    "</IV>",
    encc.sn,
    "<Value>",
    text3,
    "</Value>",
    encc.sn,
    "<EncryptedKey>",
    text4,
    "</EncryptedKey>",
    encc.sn,
    "<OriginalFileLength>",
    fileInfo.Length,         // length of the original (plaintext) file
    "</OriginalFileLength>",
    encc.sn,
    "</MtAeSKeYForFile>"
});
--End encrypting and encoding--
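The key-file format above and the per-file header just shown, worked through in an added example that is not code from the report or from the malware: a Python parser and decryptor for the described ".encryptedRSA" layout, using the `cryptography` library, with a constructed test vector because no encrypted sample is on this page. It assumes that encc.sn is Environment.NewLine ("\r\n") and that the header is written as plain text directly before the ciphertext; that RijndaelManaged's defaults apply (AES-128-CBC with PKCS7 padding); and that "OAEP padding" is .NET's RSA-OAEP with SHA-1. new_keypair() stands in for the operator's key pair, which is not available.

```python
import base64
import hashlib
import hmac
import os
import re

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SEP = "\r\n"  # assumed value of encc.sn (Environment.NewLine); the report does not show it
HEADER_END = "</MtAeSKeYForFile>" + SEP
# RSACryptoServiceProvider's "OAEP padding" is RSA-OAEP with SHA-1 (assumption).
OAEP = asym_padding.OAEP(mgf=asym_padding.MGF1(hashes.SHA1()),
                         algorithm=hashes.SHA1(), label=None)

def _tag(xml: str, name: str) -> str:
    """Text between <name> and </name>; raises if the element is absent."""
    m = re.search(rf"<{name}>(.*?)</{name}>", xml, re.S)
    if m is None:
        raise ValueError(f"missing <{name}> element")
    return m.group(1).strip()

def _b64_uint(n: int) -> str:  # Base64 of a big-endian unsigned int, as RSAKeyValue XML stores it
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def new_keypair():
    """Hypothetical operator key pair; stands in for the unavailable real key file."""
    return rsa.generate_private_key(65537, 2048, default_backend())

def rsa_key_xml(pub) -> str:
    """Render a public key as the <RSAKeyValue> XML the malware reads from its key file."""
    num = pub.public_numbers()
    return (f"<RSAKeyValue><Modulus>{_b64_uint(num.n)}</Modulus>"
            f"<Exponent>{_b64_uint(num.e)}</Exponent></RSAKeyValue>")

def load_rsa_key_xml(xml: str):
    """Parse the key-file XML into an RSA public key object."""
    n = int.from_bytes(base64.b64decode(_tag(xml, "Modulus")), "big")
    e = int.from_bytes(base64.b64decode(_tag(xml, "Exponent")), "big")
    return rsa.RSAPublicNumbers(e, n).public_key(default_backend())

def build_test_vector(plain: bytes, pub) -> bytes:
    """Constructed parser input: one file laid out as the report describes (AES-128-CBC, PKCS7 assumed)."""
    sig_key, key, iv = os.urandom(64), os.urandom(16), os.urandom(16)  # fresh per-file keys
    padder = sym_padding.PKCS7(128).padder()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).encryptor()
    ciphertext = enc.update(padder.update(plain) + padder.finalize()) + enc.finalize()
    mac = hmac.new(sig_key, ciphertext, hashlib.sha256).digest()  # HMAC over the ciphertext
    wrap = lambda secret: base64.b64encode(pub.encrypt(secret, OAEP)).decode()
    header = SEP.join([
        "<MtAeSKeYForFile>",
        "<Key>" + wrap(key) + "</Key>",
        "<IV>" + wrap(iv) + "</IV>",
        "<Value>" + base64.b64encode(mac).decode() + "</Value>",
        "<EncryptedKey>" + wrap(sig_key) + "</EncryptedKey>",
        f"<OriginalFileLength>{len(plain)}</OriginalFileLength>",
        "</MtAeSKeYForFile>",
    ]) + SEP
    return header.encode() + ciphertext  # header as plain text before the ciphertext (assumed)

def parse_encrypted(blob: bytes) -> dict:
    """Split an .encryptedRSA blob into header fields and raw ciphertext; needs no key (triage use)."""
    end = blob.find(HEADER_END.encode())
    if end < 0:
        raise ValueError("no <MtAeSKeYForFile> header: not this file layout")
    hdr = blob[:end + len(HEADER_END)].decode("ascii")
    return {
        "wrapped_key": base64.b64decode(_tag(hdr, "Key")),
        "wrapped_iv": base64.b64decode(_tag(hdr, "IV")),
        "mac": base64.b64decode(_tag(hdr, "Value")),
        "wrapped_mac_key": base64.b64decode(_tag(hdr, "EncryptedKey")),
        "orig_len": int(_tag(hdr, "OriginalFileLength")),
        "ciphertext": blob[end + len(HEADER_END):],
    }

def decrypt_encrypted(blob: bytes, priv) -> bytes:
    """Unwrap the per-file keys, verify the HMAC before decrypting, then AES-CBC decrypt."""
    f = parse_encrypted(blob)
    mac_key = priv.decrypt(f["wrapped_mac_key"], OAEP)
    expected = hmac.new(mac_key, f["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, f["mac"]):
        raise ValueError("HMAC mismatch: ciphertext altered or wrong private key")
    key, iv = priv.decrypt(f["wrapped_key"], OAEP), priv.decrypt(f["wrapped_iv"], OAEP)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).decryptor()
    unpadder = sym_padding.PKCS7(128).unpadder()
    plain = unpadder.update(dec.update(f["ciphertext"]) + dec.finalize()) + unpadder.finalize()
    if len(plain) != f["orig_len"]:
        raise ValueError("decrypted length does not match <OriginalFileLength>")
    return plain

def round_trip(sample: bytes = b"constructed sample document\n" * 50) -> bool:
    """Whole path with a generated key pair: key file -> encrypt -> parse -> decrypt."""
    priv = new_keypair()
    pub = load_rsa_key_xml(rsa_key_xml(priv.public_key()))
    return decrypt_encrypted(build_test_vector(sample, pub), priv) == sample
```

parse_encrypted() is the part usable during incident response without the operator's key: it confirms the layout and recovers OriginalFileLength for each encrypted file. decrypt_encrypted() works only with the private key matching the <RSAKeyValue> file, which is not present on the victim's system, since only the public key is supplied to the malware; the HMAC check runs before any decryption so a damaged ciphertext is reported rather than turned into garbage.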

After encrypting the victim's files, the ransomware executes "selfdel.exe" to delete itself from the system and writes the ransom note "HELP_DECRYPT_YOUR_FILES.html" to the victim's system.

Displayed below is the embedded blog and Bitcoin address for the ransom note:

--Begin blog and Bitcoin address--
Blog address: "http[:]//union83939k.wordpress.com"
Bitcoin address: 19CbDoaZDLTzkkT1uQrMPM42AUvfQN4Kds
--End blog and Bitcoin address--

7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044

Tags

ransomware, trojan

Details
Name: samsam.exe
Size: 218112 bytes
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 14721036e16587594ad950d4f2db5f27
SHA1: ed1797c282f0817d2ad8f878f8dd50ab062501ac
SHA256: 7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044
SHA512: 4d9e75850713f0bf6892fca8d74f462a5b2c0ccec2ed089fd830b8babcce7aedbd3bcb56e25c81cb6bf285bba9111ef89913d0c665593b2ba8da5f57d9505d32
ssdeep: 3072:gUOsdp01i6vcHV1LI5FLV0pZeZKfOJizjrBnNtRg+ur199JWbk9f7b1v:gzL1i6UHVyLV0poZa1jrD099Qbk9V
Entropy: 6.248108
Antivirus
Ahnlab: Trojan/Win32.Samas
Antiy: Trojan[Ransom]/MSIL.Samas
Avira: TR/Ransom.lhumd
BitDefender: Generic.Ransom.SamSam.B120689A
Cyren: W32/Trojan.HBQK-8340
ESET: a variant of MSIL/Filecoder.AR trojan
Emsisoft: Generic.Ransom.SamSam.B120689A (B)
Ikarus: Trojan-Ransom.SamSam
K7: Trojan ( 700000121 )
McAfee: Ransomware-SAMAS!14721036E165
Microsoft Security Essentials: Ransom:MSIL/Samas.A
NANOAV: Trojan.Win32.Samas.eajeha
Quick Heal: Trojan.Inject.TL3
Sophos: Troj/RansmSam-A
Symantec: Ransom.SamSam!gen1
Systweak: trojan-spy.filecryptor
TrendMicro: Ransom_.2933F726
TrendMicro House Call: Ransom_.2933F726
Vir.IT eXplorer: Trojan.Win32.Atros3.CWX
VirusBlokAda: Trojan-Ransom.MSIL.Samas
Zillya!: Trojan.Filecoder.Win32.2108
Yara Rules

No matches found.

ssdeep Matches

No matches found.

Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET
Relationships
7aa585e6fd...  Dropped  6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21
7aa585e6fd...  Dropped  32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f
7aa585e6fd...  Dropped  97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95
7aa585e6fd...  Connected_To  union83939k.wordpress.com
Description

This file is a 32-bit Windows .NET compiled executable and a variant of SamSam ransomware. Its analysis matches that of 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac above in every respect reported: the same two embedded resources ("samsam.del.exe" written to %Currentdirectory%\del.exe, "samsam.selfdel.exe" written to %Currentdirectory%\Selfdel.exe), the same single command-line argument naming a text file that holds the <RSAKeyValue> RSA public key (not available for analysis), the same target extension list and folder exclusions, the same per-file AES key, AES IV and 64-byte HMAC key, AES-CBC encryption to a file with the ".encryptedRSA" extension, and the same RSA-OAEP-wrapped <MtAeSKeYForFile> header. After encryption it executes "selfdel.exe" to delete itself and writes the ransom note "HELP_DECRYPT_YOUR_FILES.html" to the victim's system.

Displayed below is the embedded blog and Bitcoin address for the ransom note:

--Begin blog and Bitcoin address--
Blog address: "http[:]//union83939k.wordpress.com"
Bitcoin address: 19CbDoaZDLTzkkT1uQrMPM42AUvfQN4Kds
--End blog and Bitcoin address--

union83939k.wordpress.com

URLs
  • http://union83939k.wordpress.com
Whois

Domain Name: WORDPRESS.COM
Registry Domain ID: 21242797_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-01-12T22:53:10Z
Creation Date: 2000-03-03T12:13:23Z
Registry Expiry Date: 2020-03-03T12:13:23Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.WORDPRESS.COM
Name Server: NS2.WORDPRESS.COM
Name Server: NS3.WORDPRESS.COM
Name Server: NS4.WORDPRESS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2018-03-27T18:16:17Z <<<
NetRange:     192.0.64.0 - 192.0.127.255
CIDR:         192.0.64.0/18
NetName:        AUTOMATTIC
NetHandle:     NET-192-0-64-0-1
Parent:         NET192 (NET-192-0-0-0-0)
NetType:        Direct Assignment
OriginAS:     AS2635
Organization: Automattic, Inc (AUTOM-93)
RegDate:        2012-11-20
Updated:        2012-11-20
Ref:            https://whois.arin.net/rest/net/NET-192-0-64-0-1


OrgName:        Automattic, Inc
OrgId:         AUTOM-93
Address:        60 29th Street #343
City:         San Francisco
StateProv:     CA
PostalCode:     94110
Country:        US
RegDate:        2011-10-05
Updated:        2013-11-01
Ref:            https://whois.arin.net/rest/org/AUTOM-93


OrgAbuseHandle: ABUSE3970-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-877-273-8550
OrgAbuseEmail: abuse@automattic.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE3970-ARIN

OrgTechHandle: NOC12276-ARIN
OrgTechName: NOC
OrgTechPhone: +1-877-273-8550
OrgTechEmail: ipadmin@automattic.com
OrgTechRef:    https://whois.arin.net/rest/poc/NOC12276-ARIN

OrgNOCHandle: NOC12276-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-877-273-8550
OrgNOCEmail: ipadmin@automattic.com
OrgNOCRef:    https://whois.arin.net/rest/poc/NOC12276-ARIN

Relationships
union83939k.wordpress.com  Connected_From  0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac
union83939k.wordpress.com  Connected_From  7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044

036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050

Tags

dropper, ransomware, trojan

Details
Name: samsam.exe
Size: 218624 bytes
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: fe998080463665412b65850828bce41f
SHA1: 203bb8ec1da6b237a092bab71fa090849c7db9bd
SHA256: 036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050
SHA512: 9ade6edde3f063fc935f53366ffc9cb6cf7e17691d22fd2fe107d779da3b61eaed006ef7679b456bc16aca8b686d035f09aaf42bf06fa62b872e0a89046994eb
ssdeep: 3072:bVdp01i6vcHV1LI5FLV0pZeZKfOJizjrBnNtRg+ur199J+n9fCbM:ba1i6UHVyLV0poZa1jrD099on9
Entropy: 6.249304
Antivirus
Ahnlab: Trojan/Win32.Samas
Antiy: Trojan/Win32.SGeneric
Avira: TR/Ransom.lhumd
BitDefender: Generic.Ransom.SamSam.CDB17A36
ClamAV: Win.Trojan.Samas-1
Cyren: W32/SamSam.D.gen!Eldorado
ESET: MSIL/Filecoder.AR trojan
Emsisoft: Generic.Ransom.SamSam.CDB17A36 (B)
Ikarus: Trojan-Ransom.SamSam
K7: Trojan ( 700000121 )
McAfee: Ransomware-SAMAS!FE9980804636
Microsoft Security Essentials: Ransom:MSIL/Samas.A
NANOAV: Trojan.Win32.Ransom.eamenb
NetGate: Trojan.Win32.Malware
Quick Heal: Trojan.Inject.TL3
Sophos: Troj/RansmSam-A
Symantec: Ransom.SamSam!gen1
Systweak: malware.gen-r
TrendMicro: Ransom_.2933F726
TrendMicro House Call: Ransom_.2933F726
Vir.IT eXplorer: Trojan.Win32.MSIL9.BGXA
VirusBlokAda: Trojan-Ransom.MSIL.Samas
Zillya!: Dropper.Agent.Win32.229787
Yara Rules

No matches found.

ssdeep Matches
97  0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac
Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET
Relationships
036071786d...  Dropped  6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21
036071786d...  Dropped  32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f
036071786d...  Dropped  97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95
036071786d...  Connected_To  keytwocode.wordpress.com
Description

This file is a 32-bit Windows .NET compiled executable and a variant of SamSam ransomware. The analysis of this file, as far as it is given here, matches that of 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac above: the same two embedded resources ("samsam.del.exe" and "samsam.selfdel.exe") written as del.exe and Selfdel.exe to the current directory, and the same single command-line argument naming a text file that holds the <RSAKeyValue> RSA public key. Per the Relationships above, this variant connects to keytwocode.wordpress.com rather than union83939k.wordpress.com.

Revisions

  • December 3, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.
