~Dissecting Malware
// f0wL's Blog about malware analysis and reverse engineering
Why would you even bother?! - JavaLocker

Today we'll take a look at a Windows ransomware built with Java. As you might have guessed this will get ugly and is therefore not for the faint of heart.

Hey there, yeah it has been a while. I've been quite busy with university stuff for the past few weeks, so I'm trying to get back into the analysis/blogging thing. I've been looking for interesting/"innovative" samples that differ from the common tricks and techniques. It was unavoidable that sooner or later I would have to look at a ransomware strain written in the most beautiful programming language there is: Java. Let's get it over with.

This strain is without a doubt still in its testing phase, so it is possible that another version with proper encryption routines and other fixes will show up in the next few days.

JavaLocker @ AnyRun | VirusTotal | HybridAnalysis --> sha256 9cb578d8517dc1763db9351d3aa9d6958be57ac0b49e3b851f7148eee57ca18b

First of all, this is the GUI the victim is presented with after a reboot. The ransomware encrypts the files on the system without delay, but this window isn't shown right after, so it is easily missed by sandboxes like AnyRun that don't reboot during analysis. Apart from the terrible design and English grammar there's nothing more to this screen.


GUI


To display the window with the ransomnote after the next reboot, the ransomware copies itself to the Startup folder.

Start Menu


To decompile the JAR file that I pulled from AnyRun I'm using JD-GUI. To preserve the eyesight of potential readers I later opted to copy the code to a dark-mode capable text editor.

The ransomware implements four classes in addition to the JavaFX GUI:

JAVABASIC : Handles the core functions of the Malware.

Encryption : Derives a password for the encryption routine and hashes it with MD5.

crea : Writes another instance of the ransomware to the disk.

key : Holds the encryption and decryption routines.


Classes


The "scanner" function looks for other drives attached to the victim's PC. One thing to take note of is that the ransomware only checks the drive letters C through H, so mapping your network drives to X:, Y: or Z: might actually save you to some extent.

FS Scanner


A few things stand out in the next screenshot: the ransomware spares the C:\Windows path. Secondly, the dropped ransomnote is named "readmeonnotepad.javaencrypt" and has the following content:

"Q: What Happen to my computer?\n A:Your personal files are encrypted by javalocker!\nQ How can I recover my Files? A You need to send 300$ of bitcoins to the following adress:BAW4VM2dhxYgXeQepOHKHSQVG6NgaEb94 then contact soviet@12334@gmail.com!"

Another interesting fact is that the wallet address in the ransomnote is just a random string (another indicator for a test build). The address format doesn't match any of the ones used on mainnet, bchtest or testnet. For BTC mainnet it would have to start with either 1, 3 or bc1, and it also contains a character ("O") that the Base58 alphabet deliberately leaves out (together with 0, I and l) to avoid confusion. The contact address "soviet@12334@gmail.com" isn't a valid e-mail address either, since it contains two @ signs. For further reference I would recommend this guide by AllPrivateKeys.
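As an added example (my own code, not part of the sample or of the original post), here is a small Base58Check validator that shows why the string from the note can't be a legacy mainnet address. It only knows the legacy 1.../3... formats (version bytes 0x00 and 0x05) and reports bc1 (bech32) addresses as not checked. The two inputs are the string from the ransomnote and the well-known genesis block address as a known-good control.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Added example: syntactic validation of a legacy (Base58Check) Bitcoin mainnet address.
// Not code from the JavaLocker sample.
public class AddressCheck {
    // Base58 alphabet: no 0, O, I or l to avoid look-alike confusion
    private static final String ALPHABET =
        "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

    /** Returns null if the address is valid, otherwise a human readable reason. */
    static String check(String addr) {
        if (addr.startsWith("bc1")) {
            // SegWit addresses use bech32 (BIP 173), a different encoding and checksum
            return "bech32 address, not checked by this tool";
        }
        for (int i = 0; i < addr.length(); i++) {
            if (ALPHABET.indexOf(addr.charAt(i)) < 0) {
                return "illegal character '" + addr.charAt(i) + "' at position " + i;
            }
        }
        // Base58 decode: interpret the string as one big base-58 number
        BigInteger n = BigInteger.ZERO;
        for (char c : addr.toCharArray()) {
            n = n.multiply(BigInteger.valueOf(58)).add(BigInteger.valueOf(ALPHABET.indexOf(c)));
        }
        byte[] num = n.signum() == 0 ? new byte[0] : n.toByteArray();
        if (num.length > 1 && num[0] == 0) {
            num = Arrays.copyOfRange(num, 1, num.length); // drop BigInteger sign byte
        }
        // every leading '1' encodes one leading zero byte of the payload
        int zeros = 0;
        while (zeros < addr.length() && addr.charAt(zeros) == '1') zeros++;
        byte[] payload = new byte[zeros + num.length];
        System.arraycopy(num, 0, payload, zeros, num.length);

        // payload = 1 version byte + 20 byte hash + 4 byte checksum
        if (payload.length != 25) {
            return "decoded length " + payload.length + ", expected 25";
        }
        int version = payload[0] & 0xff;
        if (version != 0x00 && version != 0x05) {
            return "version byte 0x" + Integer.toHexString(version) + " is not a mainnet P2PKH/P2SH prefix";
        }
        byte[] hash = sha256(sha256(Arrays.copyOfRange(payload, 0, 21)));
        if (!Arrays.equals(Arrays.copyOfRange(hash, 0, 4), Arrays.copyOfRange(payload, 21, 25))) {
            return "checksum mismatch";
        }
        return null;
    }

    static byte[] sha256(byte[] in) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(in);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        String[] samples = {
            "BAW4VM2dhxYgXeQepOHKHSQVG6NgaEb94",   // string from the JavaLocker ransomnote
            "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   // genesis block address, known-good control
        };
        for (String s : samples) {
            String reason = check(s);
            System.out.println(s + " -> " + (reason == null ? "valid" : "invalid: " + reason));
        }
    }
}
```

Run with `javac AddressCheck.java && java AddressCheck`. The ransomnote string is rejected before any decoding happens, at the "O" in position 17; even without that character it would fail, because a string starting with "B" cannot decode to the leading 0x00 version byte that a "1..." address carries.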

The functions find2 and ret are also pretty redundant, which indicates a lack of knowledge or of time spent on it.


Redundant Functions


Let's check which filetypes are affected at the moment. Normally these extension lists are sorted alphabetically, but this one is not, and several entries (.ost, .msg, .eml, .vsd, .snt, .asf and others) appear twice. Looks like they cobbled this one together rather than using one of the premade "popular file extensions" lists.

".accdb", ".pub", ".reg", ".ico", ".mui", ".onetoc2", ".dwg", ".wk1", ".wks", ".vsdx", ".vsd", ".eml", ".msg", ".ost", ".pst", ".pptx", ".jfif", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".ost", ".msg", ".eml", ".vsd", ".txt", ".csv", ".rtf", ".123", ".wks", ".pdf", ".dwg", ".onetoc2", ".snt", ".snt", ".jpeg", ".jpg", ".docb", ".docm", ".zip", ".7z", ".rar", ".mp4", ".wav", ".mp3", ".cpp", ".gho", ".iso", ".mui", ".flv", ".wma", ".key", ".sln", ".vbs", ".bat", ".cs", ".ini", ".cmd", ".lv", ".c", ".js", ".php", ".mp4", ".html", ".py", ".docb", ".pps", ".gz", ".gpg", ".xlsm", ".vmdk", ".vmx", ".pot", ".pps", ".ppsm", ".ppsx", ".ppam", ".potx", ".potm", ".edb", ".hwp", ".602", ".sxi", ".sti", ".sldx", ".sldm", ".vdi", ".aes", ".arc", ".paq", ".bz2", ".tbk", ".bak", ".tar", ".gz", ".backup", ".vcd", ".bmp", ".png", ".gif", ".raw", ".cgm", ".tif", ".tiff", ".nef", ".psd", ".ai", ".svg", ".djvu", ".m4u", ".m3u", ".mid", ".wma", ".3g2", ".mkv", ".3gp", ".mov", ".avi", ".asf", ".asf", ".mpeg", ".vob", ".mpg", ".wmv", ".fla", ".swf", ".wav", ".sh", ".rb", ".asp", ".php", ".jsp", ".brd", ".sch", ".dch", ".dip", ".dp", ".vb", ".vbs", ".ps1", ".asm", ".h", ".pas", ".suo", ".ldf", ".mdf", ".ibd", ".myi", ".myd", ".frm", ".obd", ".dbf", ".db", ".mdb", ".accdb", ".sql", ".sqlitedb", ".sqlite3", ".asc", ".lay6", ".lay", ".mml", ".sxm", ".otg", ".odg", ".uop", ".std", ".sxd", ".otp", ".odp", ".wb2", ".slk", ".dif", ".stc", ".sxc", ".ots", ".ods", ".3dm", ".max", ".3ds", ".uot", ".stw", ".sxw", ".ott", ".odt", ".pem", ".p12", ".csr", ".crt", ".pfx", ".der"


This build of the ransomware uses DES via javax.crypto.Cipher to encrypt the victim's files (if the cipher is requested as plain "DES", SunJCE fills in ECB mode and PKCS5 padding, so there is no IV to recover). The seed value for the SecureRandom instance that generates the DES key is hardcoded and held in the variable td.

Encryption / Decryption Routines


Fellow researcher @jishuzhain found that the DES key derived from the td seed is static, i.e. every run on every victim ends up with the same key, which should enable victims affected by this exact version to get their files back.
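To show the class of bug behind that finding, here is an added example of my own (not the JavaLocker code). It assumes the common construction: a SHA1PRNG SecureRandom seeded with a fixed value before it produces any output, fed into a DES KeyGenerator. The seed bytes TD are a placeholder, not the sample's real td value, and the cipher transformation is the ECB/PKCS5 default that plain "DES" resolves to in SunJCE.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.SecretKeySpec;

// Added example: a constant seed turns SecureRandom into a deterministic generator,
// so the "random" DES key is the same on every machine and can simply be re-derived.
public class StaticDesKey {
    // Placeholder for the hardcoded seed; the real value lives in the sample's td variable.
    static final byte[] TD = "placeholder-seed".getBytes(StandardCharsets.UTF_8);

    static byte[] deriveKey(byte[] seed) throws Exception {
        SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
        sr.setSeed(seed); // seeding before the first output makes SHA1PRNG fully deterministic
        KeyGenerator kg = KeyGenerator.getInstance("DES");
        kg.init(sr);
        return kg.generateKey().getEncoded(); // 8 parity-adjusted key bytes
    }

    static byte[] des(int mode, byte[] key, byte[] data) throws Exception {
        // Cipher.getInstance("DES") resolves to exactly this transformation in SunJCE
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(mode, new SecretKeySpec(key, "DES"));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        byte[] victimKey = deriveKey(TD);   // what the ransomware would generate on the victim
        byte[] analystKey = deriveKey(TD);  // what an analyst re-derives from the decompiled seed
        System.out.println("same key on every run: " + Arrays.equals(victimKey, analystKey));

        // constructed sample file contents
        byte[] plaintext = "constructed victim file contents".getBytes(StandardCharsets.UTF_8);
        byte[] ciphertext = des(Cipher.ENCRYPT_MODE, victimKey, plaintext);
        byte[] recovered = des(Cipher.DECRYPT_MODE, analystKey, ciphertext);
        System.out.println("recovered: " + new String(recovered, StandardCharsets.UTF_8));
    }
}
```

Run with `javac StaticDesKey.java && java StaticDesKey`. A decryptor for the real sample would replace TD with the seed pulled out of the decompiled class and mirror whatever the sample does with the ciphertext on disk; the key step is the one shown here, the generator is re-seeded and the same KeyGenerator call is replayed.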


And this is where we come to the point of the article headline. Why would someone even bother to 1. build a ransomware in Java and 2. build it from scratch, when there are, of course, open source ransomware projects on GitHub like the one below (I selected this one because it can't be directly weaponized, but you probably know my stance on OSS ransomware) 🙄.



MITRE ATT&CK

T1060 --> Registry Run Keys / Startup Folder --> Persistence

T1083 --> File and Directory Discovery --> Discovery

T1486 --> Data Encrypted for Impact --> Impact


IOCs

Javalocker

JAVABASIC.jar --> SHA256: 9cb578d8517dc1763db9351d3aa9d6958be57ac0b49e3b851f7148eee57ca18b
                  SSDEEP: 768:/OJ3GtaE64BWRRJcU99iOZlkp8DOJ3GtaE64BWRRJcU9+0de:/O4tG4cJb9XnLDO4tG4cJD+4e

Associated Files

JAVABASIC.jar
readmeonnotepad.javaencrypt
DESkey.dat

The Opposite of Fileless Malware - NodeJS Ransomware

This one is a few days old already but still worth a look. Have I mentioned that I hate Javascript?

This is not the first time that someone built a Ransomware Strain with NodeJS (check out this article about Ransom32 and let's not forget about Nodersok), but it's not an everyday sight either. This Malware Sample was first discovered by Xavier Mertens in a post to the SANS ISC Forum here. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of...

Read More
Not so nice after all - Afrodita Ransomware

A new Ransomware strain spread by malicious Office documents targeted at Croatian systems - let's check it out

This strain was first discovered by Korben Dallas on Twitter on the 9th of January. As I already mentioned the Malware is delivered via a Malspam/Maldoc attack crafted for Users / Companies from Croatia. Researchers that were involved in the initial analysis: @KorbenD_Intel, @James_inthe_box, @Malwageddon, @pollo290987 and I (@f0wlsec). Thank you for your contributions! @James_inthe_box @malwrhunterteam @Malwageddon 69450923d812f3696e8280508b636955 XLS 12/60 VT scan detections....

Read More
"Nice decorating. Let me guess, Satan?" - Dot / MZP Ransomware

Happy new year y'all. And with it there's new Ransomware to analyze, so come along for the ride :D

Dot "MZP" Ransomware @ AnyRun | VirusTotal | HybridAnalysis --> sha256 bebf5c12e35029e21c9cca1da53eb43e893f9521435a246ea991bcced2fabe67 This sample was first discovered by AmigoA and AkhmendTaia on the 31st of December 2019. AV Detections and Ransomnote contents didn't seem to match any previously present strain. The Note is delivered via a .txt File with a strange numeric victim ID and only one contact email address. The extension appended to encrypted Files seems to...

Read More
I literally can't think of a fitting pun - MrDec Ransomware

I took notice of the Ransomware Family after a series of posts in the Bleeping Computer Forum.

It employs techniques that are not seen very often in other ransomware samples, so the analysis is actually quite difficult, but I'm hoping reading this is at least a bit interesting as well. Work in Progress: because Christmas and 36c3 are coming up in the next few days I might have to push this analysis back a bit. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption...

Read More
Another one for the collection - Mespinoza (Pysa) Ransomware

Back in October of 2019 the Mespinoza Ransomware family first surfaced via Malspam. On the 14th of December it returned with a new extension .pysa so let's see if any changes have been made.

Fun Fact: The Extension "pysa" is probably derived from the Zanzibari Coin with the same name. Apparently it's quite popular with collectors. But enough of the pocket change, so let me put my two cents in on this sample :D A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning...

Read More
A "Project.exe" that should have stayed in a drawer - MZRevenge / MaMo434376

I first read about this strain on Twitter but it didn't seem like a big thing. Turns out I was wrong: in the last 3 days I collected over 35 samples :O

Searching for "Project.exe" on AnyRun yields more than a healthy list of results all matching this strain. Oh would you look at that: looks like we have a Borland Delphi application here 🧐 Yep, it's that ugly, it definitely is Delphi :D And the criminals seem to have a very strong opinion about the Land of the Free but no arguments to back it up (since the rest...

Read More
A B C, easy as один, два, три - Lockbit (ABCD) Ransomware

Let's continue with the obscure music -> malware references by analysing Lockbit, a strain that has been around for a few weeks, but with very little info about its origin and behaviour.

I got this sample from one of the victims posting in the Bleeping Computer Forum thread. From what I gather their systems fell to yet another RDP Bruteforce attack (one user was affected on multiple systems in their domain). A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware...

Read More
God save the Queen [...] 'cause Ransom is money - SaveTheQueen Encryptor

Honestly I couldn't decide between the title above and "All crimes are paid", but Sex Pistols fans will get it regardless ¯\_(ツ)_/¯

I found this sample while browsing the new public submissions on AnyRun on the 1st of December. It piqued my interest because there were just three samples of it on the platform at the time of writing and they were all uploaded very recently. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your...

Read More
Quick and painless - Reversing DeathRansom / "Wacatac"

No flashy wallpapers or other bells and whistles, but if you aren't careful and maintain backups as you should DeathRansom will take your data with it to its grave. Or will it ?

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live. DeathRansom @ AnyRun | VirusTotal | HybridAnalysis --> sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01 The plain text note doesn't look that special. I'll be referring to this strain as DeathRansom, since the...

Read More



About me

Hey there! My Name is Marius Genheimer aka f0wL and I'm a Computer Science Student from Germany. As you can probably tell I like to analyse malware (especially Ransomware) in my spare time.

https://ransomware.email

A searchable database of E-Mail addresses used in Ransomnotes plus facts and analysis

https://sandbox.lol

An automated analysis platform based on the Cuckoo Sandbox. Feel free to drop your samples!
