For several months, QH Labs has been observing an upswing in ransomware activity. We found a new ransomware which is written in Go lang. Malware authors are finding it easy to write ransomware in Go lang rather than traditional programming languages.
Infection of Jcry ransomware starts with a compromised website.
Flow of Execution:
Downloaded malware (flashplayer_install.exe) is Self-extracting archive. On execution, it will extract the below mentioned components in “Startup” directory to create its persistence.
As mentioned in the above figure malware extract components and starts msg.vbs along with enc.exe(Encryptor)
This file is used to impersonate the user that, the system tried to update adobe flash player but access is denied for the user.
This executable is responsible for file encryption and it is written in Go language.
On execution, it firstly checks for the existence of “personalKey.txt” file in the current directory, to determine that system is already infected or not. If the file exists then malware considers that the system is already infected and it terminates itself. As well as it deletes msg.vbs and Enc.exe with the help of decryptor file. During encryption, it uses the combination of AES and RSA algorithm. File encryption is performed using AES 128 bit algorithm with 16-byte initialization Vector in CBC mode. Hardcoded RSA public key is found in the enc.exe file which is later used to encrypt AES key.
It encrypts the below listed 138 extension files.
“3dm, 3ds, 3g2, 3gp, 7z, ai, aif, apk, app, asf, asp, avi, b, bak, bin, bmp, c, cbr, cer, cfg, cfm, cgi, cpp, crx, cs, csr, css, csv, cue, dat, db, dbf, dcr, dds, deb, dem, der, dmg, dmp, doc, dtd, dwg, dxf, eps, fla, flv, fnt, fon, gam, ged, gif, gpx, gz, h, hqx, htm, ics, iff, iso, jar, jpg, js, jsp, key, kml, kmz, log, lua, m, m3u, m4a, m4v, max, mdb, mdf, mid, mim, mov, mp3, mp4, mpa, mpg, msg, msi, nes, obj, odt, otf, pct, pdb, pdf, php, pkg, pl, png, pps, ppt, ps, psd, py, rar, rm, rom, rpm, rss, rtf, sav, sdf, sh, sln, sql, srt, svg, swf, tar, tex, tga, thm, tif, tmp, ttf, txt, uue, vb, vcd, vcf, vob, wav, wma, wmv, wpd, wps, wsf, xlr, xls, xml, yuv, zip”
To speed up the encryption, it encrypts only 1MB data for files of size more than 1 MB. After successful file encryption it appends “.jcry” extension to the filename.
After encryption of files, it deletes all shadow copies with the help of the below command.
“vssadmin delete shadows /all”
and launch Dec.exe using Powershell command.
On execution of Dec.exe firstly it terminates and deletes enc.exe. Dec.exe is console application which asks the decryption key (RSA private key). After entering valid key it may decrypt encrypted files.
It also drops ransom note on desktop location. To recover encrypted files it demands for 500$ as ransom and provides onion link (hxxp://kpx5wgcda7ezqjty.onion) where infected user will get private key after payment.
Enc.exe : 5B640BE895C03F0D7F4E8AB7A1D82947
Dec.exe : 6B4ED5D3FDFEFA2A14635C177EA2C30D
Recovery Link: hxxp://kpx5wgcda7ezqjty.onion
Wallet Id: 1FKWhzAeNhsZ2JQuWjWsEeryR6TqLkKFUt
Subject Matter Expert:
Nagesh lathakar, Pratik Pachpor | Quick Heal Security Labs