Introduction 

Ransomware confirms to be one of the most pervasive threats of the last years. We saw during these last years the infamous phenomenon of Double Extorsion, where well-organized cyber-criminal groups perform highly sophisticated red team operations to achieve the highest level of privileges inside the perimeter of victim networks and, before releasing the ransomware, they steal all the sensitive data to extort the target the payment of ransom. 

The diffusion of this trend, however, did not implied classic ransomware operation have been deprecated. In fact, the "old-style" ransomware operation model is still very active: victims keep receiving e-mails with malicious attachments that, once opened, automatically execute the ransomware payload on the unlucky machine. 

This malicious operational model is still enabling many micro-criminals to profit on users and the production of entry-level ransomware tools is growing and evolving. For instance, JobCrypter ransomware has been recently spread over the Italian cyber-landscape. In this article we decided to dissect and observe the latest updates of this 3 years old ransomware family weaponizing many cyber-criminals all around the world.  

Technical Analysis  

The infection chain starts with a malicious JavaScript delivered to the victim with the following static information: 

Table 1. Sample information 

The script code is quite simple to understand it is composed by an obfuscated hex string, which is immediately deobfuscated by a unique main function. The structure of the code is the following: 

var _0xc6c2=[OBFUSCATED PAYLOAD]; 

function nnt(_0x7883x2) // Deobfuscation routine 

{ 

[..]  

return _0x7883x7 

} 

var rrn=(_0xc6c2[6]); 

var myObject; 

efiiiiooollll=  new ActiveXObject(_0xc6c2[7]);erfvgttyyytbgg= efiiiiooollll.GetSpecialFolder(2)+ _0xc6c2[8];var rouuurtoliii=nnt(rrn); 

var foularouuuuuuu= new ActiveXObject(_0xc6c2[9]); 

foularouuuuuuu[_0xc6c2[10]]= 2;foularouuuuuuu[_0xc6c2[11]]= _0xc6c2[12];foularouuuuuuu.Open();foularouuuuuuu.WriteText(rouuurtoliii);foularouuuuuuu.SaveToFile(erfvgttyyytbgg,2);foularouuuuuuu.Close();efiiiiooollll=  new ActiveXObject(_0xc6c2[13]);efiiiiooollll.Run(erfvgttyyytbgg) 

Code Snippet 1 

The script stores the decrypted executable inside the classic temporary Path: "C:\Users\%USER%\AppData\Local\Temp". The dropped payload is a .NET framework executable having the following static information: 

Table 1. Sample information 

This sample adopts many self-defense techniques, starting from a complex .NET packer, arriving to ant debug checks, making the analysis harder for the analyst. The first thing to notice is the considerable number of functions, and the presence of encrypted resources, decrypted at runtime: 

The Packer 

Figure 1:  Partial example of the functions 

So, one of the first checks is the presence of the debugger, like the following screen: 

Figure 2: Antidebug Check 

After this check is bypassed, the main decryption stub starts its work of decrypting the most important routines and information as array strings, like the following way: 

Figure 3: Example of decoding the interesing routines 

When this information is retrieved, the malware extracts another array from a very long method which has been protected through the usage of xor operations: 

Figure 4: Decrypting Pieces of code 

This array manipulation continues also with the support of more basic operations, like the conversion from byte to integer and similar, like the following way: 

Figure 5: Conversion byte to char 

In the end of that custom decryption routine, we obtain the configuration file of the ransomware.  

Figure 6: Piece of the configuration file 

After those decoding operations, the malware immediately guarantees itself the persistence by copying itself in the "%ROAMING%" path with the name "ERFFREEED.exe" and creates a simple javascript file inside the path "C:\Users\%USER%\AppData\Roaming\Microsoft\Windows Start Menu\Programs\Startup\REZZZS.js", which has the purpose to launch the malicious executable. 

The Encryption Key Exchange 

Through this configuration file we obtain the first interesting information about the sample. It uses the SMTP client as medium to communicate to the C2 the key to decrypt the files. This routine can be confirmed by the SMTP client retrieved inside the malicious code: 

Figure 7: Initialization of the SMTP Client 

One of the two email addresses is a compromised one used as sender of the mail with identificatory of the victim (retrieved by using the volume serial of the victim machine) and the key of the infection: 

Figure 8: Evidence of the Volume Serial Number 

That value will be used as subject of the mail sent to the c2, as shown in the intercepted traffic. With this e-mail message, the malware also sends to the cyber-criminal a long string composed by 96 digits: the encryption key. 

Figure 9: C2 communication 

The File Encryption Algorithm 

As shown in the above figure, the malware sends to the C2 a long string composed by 96 digits. It actually is the key adopted to encrypt the data. In fact, the next operation of the malware is to create that string by using a random generation algorithm provided by the .NET environment. 

Figure 10: Evidence of CreateRandomPassword 

That string is hashed with the MD5 algorithm and it now prepared to be used as encryption key. The encryption algorithm used to encrypt the victim’s data is Triple DES algorithm, the same used for the infection of about 2 years ago shown by TrendMicro: 

Figure 11: Encryption algorithm 

At this point, the question is: It is possible to restore the data? The answer could be yes, with a security monitoring appliance such as a Genku Probe able to intercept the mail sent to the C2. In this case, the advantage is so evident, because there is no encrypted channel, and the key is sent in cleartext. 

Figure 12: Example of decrypting data 

Conclusion 

Ransomware is still a big problem for many companies and users. Such kind of classic ransomware attacks run by micro-criminals could be lethal for SMB businesses and very harassing for Enterprises because, even if the decryption could be possible and the impact could be only local, this kind of attacks are becoming even more frequent nowadays and the costs of being continuously overwhelmed by user machine restoring operation is pose a relevant threat to IT departments.  

Investments in EDR solutions such as Yoroi’s Kanwa endpoint agent and SOC monitoring services such as the Yoroi’s Cyber Security Defence Services are valuable pieces in the sustainable Information Security strategy enabling IT resources to be free to focus on the business. 

Indicators of Compromise 

• C2 (email addresses) 

• laurent.pierre@pilote-seine[.fr (Compromised Email sender) 
• olaggoune235@protonmail[.ch 
• ouardia11@tutanota.]com 
• laggouneo11@gmail[.com 

• Hash 

• 682ab3a13d3b8f303e7947bcc03a36fa4977d82ae546f1b07e1f5684d2caff6d 
• 150e8ef3f1b0d5b5b2af2ffc8d540cb0e36ecdcaf5001bab2f318e36a3c25302 
• d7533dffcfe5215db5a1f06eb6f5096c8d22fa264379c763316ce6434db47421 

• Persistence 

• C:\Users\%USER%\AppData\Roaming\Microsoft\Windows Start Menu\Programs\Startup\REZZZS.js 
• C:\Users\%USER%\AppData\Roaming\ERFFREEED.exe 

Yara Rules 

rule JobCrypter_2104{ 

  

    meta: 

      description = "Yara Rule for JobCrypter Ransomware - End of March 2021 " 

      author = "Yoroi Malware ZLab" 

      last_updated = "2021-04-13" 

      tlp = "white" 

      category = "informational" 

  

    strings: 

   		 $a1 = { 3B C2 8D A0 ?? 00   } 

 $a2 = { 2A 28 C5 00 00 06 20 03 } 

 $a3 = { 20 BC 01 00 00 FE 0E 04 00 38 } 

 $a4 = { AB 39 00 00 83 54 00 00 8C } 

 $a5 = { 69 44 F4 E8 B7 78 50 EF } 

 $a6 = { 0E 03 6F 4F 02 00 06 } 

 $a7 = { 71 70 F4 48 B9 68 18 65 } 

  
    condition: 

uint16(0) == 0x5A4D and 4 of them 

} 

Ransom Note

We are human beings without a job, we are not looking for problems, we just want to feed our families, 

We encrypted all your files using a powerful algorithm. 

We ask you to pay a ransom of 500 euros to decrypt and restore your files. 

We guarantee your files will be fully opened 

Contact us by email to communicate the payment method :  

  

[email protected] 

[email protected] 

  

***** What guarantee you? **** 

You can send one of your encrypted files on your computer and we decrypt it for free 

But we can only decrypt one file for free. The file must not contain valuable information. 

Write this ID ######## in the title of your message  

  

  

  

You have 7 days to purchase your key from this date: 

If you exceed the deadline it will increase by $ 100 per day, so we advise you to respect the above mentioned deadlines 

This blog post was authored by Luigi Martire and Luca Mella of Yoroi Malware ZLAB