U.S. Flag Official website of the Department of Homeland Security
TLP:WHITE

Malware Analysis Report (AR18-337D)

MAR-10164494.r1.v1 – SamSam4

Original release date: November 29, 2018 | Last revised: December 03, 2018

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

Three artifacts were submitted for analysis.

For a downloadable copy of IOCs, see:

MAR-10164494.r1.v1.stix

Submitted Files (3)

738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86 (mswinupdate.exe)

9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12 (ClassLibrary1.dll)

bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58 (g04inst.bat)

Findings

9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12

Tags

downloaderransomwaretrojan

Details
NameClassLibrary1.dll
Size5120 bytes
TypePE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD576bd79f774ae892fd6a30b6463050a91
SHA14d7a60bd1fb3677a553f26d95430c107c8485129
SHA2569b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12
SHA51267e0046db0b565a1ac1862bbd536016c3ea984f8fceadaa31b4c99e7a8b434b170d5badbb10c2c25e264b17bbf2f97576f252e7ef74279b3b845b1553cef9829
ssdeep48:6DhamfhRd4tvDo4Xbgj/aarU3LT88VMM8UX8i02+KfANbU7gjBRd1trWO8lGO+3L:m+5DoAbgfU88Spi0oANbsgjMPYp3XII
Entropy4.004964
Antivirus
AhnlabTrojan/Win32.Black
AntiyTrojan/Win32.AGeneric
BitDefenderTrojan.GenericKD.30369417
ClamAVWin.Trojan.Agent-6538241-0
CyrenW32/Trojan.URRI-3517
ESETa variant of MSIL/Runner.N trojan
EmsisoftTrojan.GenericKD.30369417 (B)
IkarusRansom.MSIL.Samas
K7Riskware ( 0040eff71 )
McAfeeRansomware-GJY!76BD79F774AE
Microsoft Security EssentialsRansom:MSIL/Samas.D
NANOAVTrojan.Win32.Runner.ffvfbl
SophosTroj/Samas-F
SymantecTrojan.Gen.2
Systweaktrojan.downloader
TrendMicroTROJ_STUBDCRYP.A
TrendMicro House CallTROJ_STUBDCRYP.A
Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date2018-01-28 06:09:15-05:00
Import Hashdae02f32a21e03ce65412f6e56942daa
File DescriptionClassLibrary1
Internal NameClassLibrary1.dll
Legal CopyrightCopyright © 2018
Original FilenameClassLibrary1.dll
Product NameClassLibrary1
Product Version1.0.0.0
PE Sections
MD5NameRaw SizeEntropy
34943f18fd2a99cc3f5cabe43b4765f8header5122.547920
06219fe6e30e15dce12688ca2b434890.text30724.856670
11b58fc9ac45168b871cc50399b7c86c.rsrc10242.888335
ec45a535f38fb6dc4ac4ed7cbf63b754.reloc5120.081539
Description

This file is a .NET Class Library module designed to decrypt the encrypted data file with a ".stubbin” extension using a Rijndael encryption algorithm.

Displayed below is the encryption key and the initialization vector used for decryption.

--Begin encryption information--
rijndael.Key = hdfgkhioiugyfyghdseertdfygu
rijndael.IV = ghtrfdfdewsdfgtyhgjgghfdg
--End encryption information--

738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86

Tags

ransomwaretrojan

Details
Namemswinupdate.exe
Size6144 bytes
TypePE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5b96620d8a08fa436ea22ef480dd883ce
SHA1a1ab74d2f06a542e77ea2c6d641aae4ed163a2da
SHA256738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86
SHA5122a9f4ebb025c8e7b4e074d301477656ffad66318da5ea35ddc8363c17f4bdbf501778539133261adbb9f441066a1e2b79240306ad1877f5ef17009c8f05ff4a6
ssdeep48:6ZMMEikGAgS7zfMFmZUX7OLbqMMou6ZVqsPIUlf41cjGPRMfNFrbvZiJY527qnfF:/ikGAgS7b0807M+And6c6mBiJYPezNt
Entropy4.238961
Antivirus
AhnlabTrojan/Win32.Samas
AntiyTrojan[Ransom]/MSIL.Samas
AviraTR/Samas.qybuh
BitDefenderTrojan.GenericKD.30367991
CyrenW32/Trojan.VYAP-2611
ESETa variant of MSIL/Runner.N trojan
EmsisoftTrojan.GenericKD.30367991 (B)
IkarusRansom.MSIL.Samas
K7Riskware ( 0040eff71 )
McAfeeRansomware-GJX!B96620D8A08F
Microsoft Security EssentialsRansom:MSIL/Samas
NANOAVTrojan.Win32.Generic.eymsce
NetGateMalware.Generic
SophosMal/Kryptik-BV
SymantecTrojan.Gen.2
Systweakmalware.shuriken
TrendMicroTROJ_RUNNER.GBB
TrendMicro House CallTROJ_RUNNER.GBB
Zillya!Trojan.Samas.Win32.32
Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date2018-01-28 06:09:17-05:00
Import Hashf34d5f2d4577ed6d9ceec516c1f5a744
Company Nameoiauoyqtfhqiwur578q26trgqiwue ffh iufiuqwytf 78wt8
File Descriptiondkhjkasyfafa udfiu asd fuiysfd fiusdfh oiafiuay
Internal Namerock2.exe
Legal Copyrightiusy ergy8wej udg uy
Original Filenamerock2.exe
Product Name98y4798t qiy er998ergg iuery 8 o8uieyfui qewhfiuoyafibuwy ey7fq iuyi
Product Version76.7.99.12
PE Sections
MD5NameRaw SizeEntropy
7f1dc4bd716bc037dea251c4dff12cddheader5122.538579
c8076584486a2745281e4945da9b8b13.text30724.946272
1efe88aa4756d059ec1d3b49e342de5d.rsrc20483.917395
7048daac38c935b38e086adcd8035d2a.reloc5120.081539
Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET
Description

This file is a PE32 .NET executable designed to search and load an encrypted data file with a ".stubbin" extension onto the victim's system. If the file exists, it will utilize the Rijndael algorithm in the Class Library file (ClassLibrary1.dll) to decrypt the data file. After decryption, the file deletes the encrypted data file. The encrypted file with a ".stubbin" extension was not available for analysis.

bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58

Tags

ransomwaretrojan

Details
Nameg04inst.bat
Size276 bytes
TypeASCII text, with CRLF line terminators
MD502c19bbf8e19bb69fc7870ec872d355e
SHA1cc76586ef94122329e825c78aad2ecb9ac064343
SHA256bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58
SHA512283681b5b8e78440bf474c8e50504e6e82f25bd3f6240d5e70600e43fc9fd609a78ee7b837c9b68aa25ed13f2ee735f360a18e614ded15e11bb62043cd028c99
ssdeep6:JF1ZzA+QragXsoNLYjClAVyXHI+CIwZALICLA9XEUXR/JgW:L1J4aSJF+dyXo+Bb0LEUhyW
Entropy4.962735
Antivirus
McAfeeBAT/Starter.h
Microsoft Security EssentialsRansom:BAT/Samas
SophosTroj/RansRun-A
SymantecTrojan.Malscript
Yara Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a batch file designed to execute mswinupdate.exe with predefined arguments. Displayed below are the arguments:

--Begin arguments--
Format: %myrunner% %password% %path% %totalprice% %priceperhost%
Sample: mswinupdate.exe <password> juxtapositional 5 0.8
--End arguments--

Recommendations

NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate ACLs.

Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, Guide to Malware Incident Prevention & Handling for Desktops and Laptops.

Contact Information

NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the NCCIC at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to NCCIC? Malware samples can be submitted via three methods:

NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov.

Revisions

  • December 3, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top