~Dissecting Malware
// f0wL's Blog about malware analysis and reverse engineering
The Opposite of Fileless Malware - NodeJS Ransomware

This one is a few days old already but still worth a look. Have I mentioned that I hate Javascript?


This is not the first time that someone built a Ransomware Strain with NodeJS (check out this article about Ransom32 and let's not forget about Nodersok), but it's not an everyday sight either. This Malware Sample was first discovered by Xavier Mertens in a post to the SANS ISC Forum here.

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.

NodeJS Ransom @ AnyRun | VirusTotal | HybridAnalysis --> sha256 9b6681103545432cd1373492297a6a12528f327d14a7416c2b71cfdcbdafc90b

The VBS "Loader" is 46 KiB in size and contains 2417 empty lines before any code (which is not obfuscated at all).

As one of the first steps the Malware downloads a distributable of NodeJS Version 8.x (which is quite old). For the download it spoofs the User Agent of Firefox 52.

Downloading NodeJS

It adds the following registry keys to gain persistence on the System. The first one runs the vbs script (to prevent encrypting the files a second time it checks for AppData\Local\GFp0JAk\initdone, which is created once the vbs script has run through completely), the second reg key shows the CLI Version of the Ransomnote prompting for the decryption key and the last one opens the HTML Ransomnote.

Registry Keys

Because the Javascript has to interact with the system components somehow, the criminals ship a version of the graceful-fs npm package. It is not downloaded from the Internet but rather embedded in the Script itself and written out to the respective files.

The Javascript Portion requires the following dependencies: graceful-fs, crypto, path, child_process, readline, os

Writing Dependencies

Up next it engages a loop to kill Microsoft Word, Excel, Outlook and Autocad. (Targeting business PCs / Workstations, no SQL or other Services tho, so it's likely not meant to infect servers)

Killing processes

Looks like they implemented a custom password generator for testing purposes, so let's take a quick look to see how terrible it is. The Length of the password is defined globally at the top of the VB script as 13 characters. The yellow section will set the boundaries for ASCII lower and upper case characters plus numbers. The variables called pCheckxxx are initialized with 0 and will be used in the green section later.

The author is using the Randomize() function (without a defined number, so it is seeding off the System timer), which is a horrible way of generating "pseudo random numbers". Btw. Rnd will return a number less than one but greater than or equal to 0. If you would like to know more about the flaws of Rnd() and Randomize() you should definitely check out this article: Link. Moving on to the Red Section we can see how they choose their characters for Lowercase, Uppercase and the Numbers. Funnily enough they defined an ASCII range for special characters as well but don't actually end up using it at all (which means less entropy yay) 🤓

Lastly the Green Section checks for at least one uppercase character, one lowercase character and one number in the password, otherwise it discards it and starts over.

Password Generation Routine

As I already mentioned this password generator was only used for testing purposes since the function call in the VB script has been commented out. This would have been a fun little exercise to brute-force :D Never use Rnd() for crypto operations kids!
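To show why that verdict on Rnd() holds, here is an added Python model (written for this post, not the malware's VBScript) of the generator as described above: the VB6/VBScript Rnd() 24-bit recurrence, the 13-character lowercase/uppercase/digit password with the at-least-one-of-each check, and the entropy the 24-bit state actually allows. How the original picks the character class for each position is not shown in the post, so choosing it with another Rnd() call is an assumption.

```python
import math

# VB6/VBScript Rnd() is a 24-bit linear congruential generator (documented
# constants). Randomize replaces the state with a value derived from the
# system timer, but the state never holds more than 24 bits.
LCG_MULT, LCG_ADD, LCG_MASK = 0x43FD43FD, 0xC39EC3, 0xFFFFFF
DEFAULT_STATE = 0x50000  # state before any Randomize call

class VbRnd:
    """Minimal model of VBScript's Rnd(): returns values in [0, 1)."""
    def __init__(self, state=DEFAULT_STATE):
        self.state = state & LCG_MASK

    def rnd(self):
        self.state = (self.state * LCG_MULT + LCG_ADD) & LCG_MASK
        return self.state / (LCG_MASK + 1)

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
PASSWORD_LENGTH = 13  # defined globally at the top of the VBS, per the post

def generate_password(rng, length=PASSWORD_LENGTH):
    """Red section: draw each character from the lowercase, uppercase or digit
    range (the special-character range is defined but unused, as in the VBS).
    Green section: reject the candidate unless all three classes occur.
    Assumption: the class of each position is chosen with Int(Rnd * 3);
    the post does not show how the original picks it."""
    classes = (LOWER, UPPER, DIGITS)
    while True:
        chars = []
        for _ in range(length):
            alphabet = classes[int(rng.rnd() * len(classes))]
            chars.append(alphabet[int(rng.rnd() * len(alphabet))])
        pw = "".join(chars)
        if all(any(c in cls for c in pw) for cls in classes):
            return pw

def entropy_bits(length=PASSWORD_LENGTH):
    """Nominal entropy suggested by the alphabet versus the real upper bound:
    every password is a deterministic function of the 24-bit Rnd state."""
    nominal = length * math.log2(len(LOWER) + len(UPPER) + len(DIGITS))
    return nominal, 24.0

if __name__ == "__main__":
    first = VbRnd().rnd()  # 0.7055475..., the well-known first Rnd() value
    print(first, generate_password(VbRnd()))
    nominal, real = entropy_bits()
    print(f"looks like {nominal:.1f} bits, is at most {real:.0f} bits")
```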

Work in Progress

The Public Key Blob is embedded into the Javascript code as well:


Actually the Ransomware drops two notes: the HTML File and a similarly phrased version of it in a console window:

CLI Ransomnote


T1035 --> Service Execution --> Execution

T1215 --> Kernel Modules and Extensions --> Persistence

T1179 --> Hooking --> Persistence

T1060 --> Registry Run Keys / Start Folder --> Persistence

T1055 --> Process Injection --> Privilege Escalation

T1179 --> Hooking --> Privilege Escalation

T1055 --> Process Injection --> Defense Evasion

T1112 --> Modify Registry --> Defense Evasion

T1107 --> File Deletion --> Defense Evasion

T1179 --> Hooking --> Credential Access

T1012 --> Query Registry --> Discovery

T1120 --> Peripheral Device Discovery --> Discovery

T1057 --> Process Discovery --> Discovery


NodeJS Ransom



Your files are encrypted! Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key. The single copy of the private key, which will allow to decrypt files, located on a remote server on the Internet. The server will destroy the key after a ' + tillDate + '. After that, nobody will be able to restore files ... To obtain the private key for this computer, you need to send

0.4 BTC

to bitcoin address

You can easily delete this software, but know that without it, you will never be able to get your original files back. Disable your antivirus to prevent the removal of this software. When your transaction will be verified and confirmed you will receive your private key.

Approximate destruction time of your private key ' + tillDate + '

How to buy bitcoins









Not so nice after all - Afrodita Ransomware

A new Ransomware strain spread by malicious Office documents targeted at Croatian systems - let's check it out

This strain was first discovered by Korben Dallas on Twitter on the 9th of January. As I already mentioned the Malware is delivered via a Malspam/Maldoc attack crafted for Users / Companies from Croatia. Researchers that were involved in the initial analysis: @KorbenD_Intel, @James_inthe_box, @Malwageddon, @pollo290987 and I (@f0wlsec). Thank you for your contributions! @James_inthe_box @malwrhunterteam @Malwageddon 69450923d812f3696e8280508b636955 XLS 12/60 VT scan detections....

Read More
"Nice decorating. Let me guess, Satan?" - Dot / MZP Ransomware

Happy new year y'all. And with it there's new Ransomware to analyze, so come along for the ride :D

Dot "MZP" Ransomware @ AnyRun | VirusTotal | HybridAnalysis --> sha256 bebf5c12e35029e21c9cca1da53eb43e893f9521435a246ea991bcced2fabe67 This sample was first discovered by AmigoA and AkhmendTaia on the 31st of December 2019. AV Detections and Ransomnote contents didn't seem to match any previously present strain. The Note is delivered via a .txt File with a strange numeric victim ID and only one contact email address. The extension appended to encrypted Files seems to...

Read More
Setting up a Malware Exchange for 36C3 with Viper

Since my original project for 36c3 (something with Chinese gear and coreboot) didn't really work out in time I had an even better idea: Setting up a Malware Sample Exchange

After checking the projects and self-organized Sessions I couldn't find anything related to Malware Research or a place to discuss reverse engineering (besides CTF maybe), so with the "Malware XCHG" I want to create a place for attendees to share malicious binaries and discuss them at the same time. To host this project at the MysteryHack Assembly I wanted to use a small but capable enough machine which is why I used the Intel NUC...

Read More
I literally can't think of a fitting pun - MrDec Ransomware

I took notice of the Ransomware Family after a series of posts in the Bleeping Computer Forum.

It employs techniques that are not seen very often in other ransomware samples, so the Analysis is actually quite difficult, but I'm hoping reading this is also a bit interesting at least. Work in Progress: Because Christmas and 36c3 are coming up in the next few days I might have to push this analysis back a bit. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption...

Read More
Another one for the collection - Mespinoza (Pysa) Ransomware

Back in October of 2019 the Mespinoza Ransomware family first surfaced via Malspam. On the 14th of December it returned with a new extension .pysa so let's see if any changes have been made.

Fun Fact: The Extension "pysa" is probably derived from the Zanzibari Coin with the same name. Apparently it's quite popular with collectors. But enough of the pocket change, so let me put my two cents in on this sample :D A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning...

Read More
A "Project.exe" that should have stayed in a drawer - MZRevenge / MaMo434376

I first read about this strain on Twitter but it didn't seem like a big thing. Turns out I was wrong: In the last 3 days I collected over 35 samples :O

Searching for "Project.exe" on AnyRun yields more than a healthy list of results all matching this strain. Oh would you look at that: Looks like we have a Borland Delphi application here 🧐 Yep, it's that ugly, it definitely is Delphi :D And the criminals seem to have a very strong opinion about the Land of the Free but no arguments to back it up (since the rest...

Read More
A B C, easy as один, два, три - Lockbit (ABCD) Ransomware

Let's continue with the obscure music -> malware references by analysing Lockbit, a strain that has been around for a few weeks, but with very little Info about its origin and behaviour.

I got this sample from one of the victims posting in the Bleeping Computer Forum thread. From what I gather their systems fell to yet another RDP Bruteforce attack (one user was affected on multiple systems in their domain). A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware...

Read More
God save the Queen [...] 'cause Ransom is money - SaveTheQueen Encryptor

Honestly I couldn't decide between the title above and "All crimes are paid", but Sex Pistols fans will get it regardless ¯\(ツ)/¯

I found this sample while browsing the new public submissions on AnyRun on the 1st of December. It piqued my interest because there were just three samples of it on the platform at the time of writing this and they were all uploaded very recently. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your...

Read More
Quick and painless - Reversing DeathRansom / "Wacatac"

No flashy wallpapers or other bells and whistles, but if you aren't careful and don't maintain backups as you should, DeathRansom will take your data with it to its grave. Or will it?

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live. DeathRansom @ AnyRun | VirusTotal | HybridAnalysis --> sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01 The plain text note doesn't look that special. I'll be referring to this strain as Deathransom, since the...

Read More


About me

Hey there! My Name is Marius Genheimer aka f0wL and I'm a Computer Science Student from Germany. As you can probably tell I like to analyse malware (especially Ransomware) in my spare time.

