CB Threat Analysis Unit Technical Breakdown: GermanWiper Ransomware

(Editor's Note: The TAU-TIN related to this write-up can be located here.)

GermanWiper was distributed through a spam email campaign in Germany. It is data-wiping malware whose ransom note is written in German: although it presents itself as ransomware, it is a wiper that destroys data instead of encrypting it.

 

Figure 1: Overall attack process

 

Technical Details

The spear-phishing email carries a ZIP attachment containing files that pose as PDF résumés of the sender.

Figure 2: Screenshot of the spear-phishing email

Figure 3: Unzipped content of the attachment

However, the supposed PDF is actually a Windows shortcut file (.LNK). This is confirmed by the file header: a .lnk file begins with the 4-byte value 0x0000004C, stored on disk as 4C 00 00 00.

Figure 4: File header of the email attachment that pretends to be a PDF file

Figure 5: Properties of the .lnk shortcut file
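As an added example (not code from the original post), the following Python snippet applies the header check described above to every entry of a ZIP attachment and flags files whose name claims PDF but whose bytes begin with a Shell Link header. It checks the 4-byte HeaderSize (0x0000004C) mentioned above together with the LinkCLSID that follows it per the MS-SHLLINK specification; the ZIP, its file names and their contents are constructed sample data.

```python
import io
import zipfile

# Shell Link header per MS-SHLLINK: HeaderSize 0x0000004C (little-endian
# 4C 00 00 00) followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"


def classify(name: str, head: bytes) -> str:
    """Compare what the file name claims with what the leading bytes say."""
    claims_pdf = name.lower().endswith(".pdf")
    if head.startswith(LNK_HEADER_SIZE + LNK_CLSID):
        return "lnk-masquerading-as-pdf" if claims_pdf else "lnk"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def scan_zip(zip_bytes: bytes) -> dict:
    """Classify every file entry in a ZIP attachment by its leading 20 bytes."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_HEADER_SIZE) + len(LNK_CLSID))
            verdicts[info.filename] = classify(info.filename, head)
    return verdicts


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one LNK disguised as a PDF, one real PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bewerbung-Lena-Kretschmer.pdf",
                    LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 56)
        zf.writestr("Anschreiben.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()).items():
        print(f"{name}: {verdict}")
```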

This shortcut file executes a PowerShell command that downloads and runs an HTA file, which in turn downloads and launches the GermanWiper payload.

Figure 6: Screenshot of CB Defense's event log

The HTA file executes another PowerShell script to download the GermanWiper payload from the following C&C server:

hxxp://expandingdelegation[.]top/Bewerbung-Lena-Kretschmer.exe (decoded from the PowerShell script)

Figure 7: Part of the HTA file content

Figure 8: PowerShell executed command line

Upon execution, GermanWiper terminates the processes of the following applications and database services:

notepad.exe
agntsvc.exe
dbeng50.exe
sql.exe
sqbcoreservice.exe
sqld.exe
encsvc.exe
mysql.exe
mydesktopservice.exe
mysqld.exe
isqlplussvc.exe
oracle.exe

After that, it scans the system while skipping certain folders and file types that are required for the system to keep functioning.

Figure 9: Screenshot from the unpacked GermanWiper binary

The complete list of files and folders that it skips rather than destroys is shown below:

Folders and files:

windows
programme (x86)
desktop.ini
recycle.bin
programdata
iconcache.db
mozilla
perflogs
ntldr
google
intel
ntuser.dat
boot
msocache
ntuser.dat.log
application data
system volume information
ntuser.ini
appdata
autorun.inf
bootmgr
program files
boot.ini
bootnxt
program files (x86)
bootfont.bin
thumbs.db
programme
bootsect.bak

File types (file extensions), listed in both lower- and upper-case forms as they appear:

.386, .bat, .CAB, .cpl, .DESKTHEMEPACK, .diagpkg, .DRV, .adv,
.BAT, .cmd, .CPL, .diagcab, .DIAGPKG, .exe, .ADV, .bin,
.CMD, .cur, .DIAGCAB, .dll, .EXE, .ani, .BIN, .com,
.CUR, .diagcfg, .DLL, .hlp, .ANI, .cab, .COM, .deskthemepack,
.DIAGCFG, .drv, .HLP, .icl, .ICO, .ldf, .mpa, .MSP,
.nls, .OCX, .ICL, .ics, .lnk, .MPA, .msstyles, .NLS,
.prf, .icns, .ICS, .LNK, .msc, .MSSTYLES, .nomedia, .PRF,
.ICNS, .idx, .mod, .MSC, .msu, .NOMEDIA, .psl, .ico,
.IDX, .MOD, .msp, .MSU, .ocx, .PSL, .rom, .SCR,
.sys, .THEMEPACK, .hta, .ROM, .shs, .SYS, .wpx, .HTA,
.rtp, .SHS, .theme, .WPX, .msi, .RTP, .spl, .THEME,
.lock, .MSI, .scr, .SPL, .themepack, .LOCK

GermanWiper then overwrites each file's content with null bytes and appends a randomly generated five-character extension to the destroyed file.

Figure 10: File wiped by GermanWiper

After that, it deletes the volume shadow copies and disables Windows automatic startup repair, so that the data cannot easily be restored, using the following command:

"C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
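As an added example (not part of the original post), the following Python snippet runs simple detection logic over constructed process-creation events and flags the three recovery-inhibition steps in the command above: the shadow-copy deletion and the two bcdedit changes. The event fields and rule names are assumptions; the first sample event mirrors the command line above, the others are benign administrative commands for contrast.

```python
import re

# Constructed process-creation events: the first mirrors the command line
# GermanWiper runs, the others are benign administrative uses for contrast.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": (r'"C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows '
                 r'/all /quiet & bcdedit.exe /set {default} recoveryenabled no '
                 r'& bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures')},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /enum"},
]

# One rule per recovery-inhibition step seen in the command line above.
RULES = {
    "shadow_copy_deletion":
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "startup_repair_disabled":
        re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "boot_failures_ignored":
        re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
}


def match_rules(cmdline: str) -> list:
    """Return the names of all rules that fire on one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def triage(events: list) -> list:
    """One finding per event that hits at least one rule. All three steps in a
    single command chain is the pattern described above and is rated high."""
    findings = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            severity = "high" if len(hits) == len(RULES) else "medium"
            findings.append({"image": ev["image"], "hits": hits, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```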

The following is a screenshot of GermanWiper's process chart in CB Threat Hunter.

Figure 11: Screenshot of GermanWiper's process chart from CB Threat Hunter

After the wiping process is complete, it drops and opens a ransom note written in German, as shown in Figure 12. GermanWiper also creates a file at '%AppData%\local\Temp\sasi.bmp' and sets it as the desktop wallpaper (Figure 13).

Figure 12: Screenshot of the ransom note

Figure 13: Changed desktop wallpaper

The ransom note demands payment of 0.15038835 Bitcoin and assigns the victim one randomly selected Bitcoin address for payment.

Figure 14: Screenshot from the unpacked GermanWiper binary

The binary stores the list of candidate Bitcoin addresses as base64 strings, from which one is chosen for the ransom note.


The ransom note also contains a tracking script that, while the note is open, connects to a command and control server and sends the Bitcoin address shown in the note together with other information, such as the extension appended to the wiped files.

Figure 15: Ending code from the ransom note

Indicators of Compromise (IOCs)

GermanWiper Ransomware
  SHA256: 41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c
  MD5:    36ccd442755d482900b57188ae3a89a7

Malicious Attachment (lnk file)
  SHA256: 7a0c1477bdde6eef3646fe8e4ba7b68c366ed9b1209799bc5d437a9320878602
  MD5:    901a3a1ff5182b5583be5745db98a9ce

Malicious Attachment (zip file)
  SHA256: 8ecd960adaf6609eb8ed9ed46ccbeeb181d1e32f1cda016cde47e35f9748f716
  MD5:    eecef3ce3d40ad0c092183b6c4b0c0e5

Malicious Payload (hta file)
  SHA256: 6e7cb518f13564ae5a899d4cef77246eeae12ab1dc73b27d91af028e85232901
  MD5:    bc1ba6013db121e92548eaa24ee6fecd

Command & Control Server
  Domain: hxxp://expandingdelegation[.]top


Article Link: https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/