(Editor's Note: The TAU-TIN related to this write-up can be located here.)
GermanWiper was distributed via a spam email campaign in Germany. It is data-wiping malware whose ransom note is written in German: although it pretends to be ransomware, it destroys the victim's data instead of encrypting it.
Figure 1 : Overall attack process
Technical Details
The spear-phishing email carries a ZIP attachment containing what appear to be PDF résumés of the sender.
Figure 2 : Screenshot of the spear phishing email
Figure 3: Unzipped content of the attachment
However, the supposed PDF is actually a shortcut file (.LNK). This is confirmed by the file header: a .lnk file begins with the 4-byte HeaderSize value 0x0000004C, stored little-endian on disk as 4C 00 00 00.
Figure 4 : File header of the email attachment file which pretends to be a PDF file.
Figure 5 : Properties of the .lnk shortcut file
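The header check described above can be automated at the mail gateway or during attachment triage. The following Python is an added example and not Carbon Black's code: it recognises a Shell Link by its HeaderSize (0x0000004C) and the fixed LinkCLSID that follows it, works out which extension the user would actually see (Explorer hides a trailing ".lnk"), and flags the combination "is a shortcut, but looks like a document". The sample attachment bytes, the filename "Bewerbung.pdf.lnk" and the DOCUMENT_EXTS set are constructed assumptions for the demonstration.

```python
import os
import struct
import uuid

# A Shell Link (.LNK) file starts with HeaderSize = 0x0000004C (little-endian
# bytes 4C 00 00 00) followed by the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK, ShellLinkHeader).
LNK_HEADER_SIZE = 0x0000004C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
PDF_MAGIC = b"%PDF-"
# Extensions a recipient would expect to open as a document (triage assumption).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def is_shell_link(data):
    """True if the first 20 bytes are a valid ShellLinkHeader prefix."""
    if len(data) < 20:
        return False
    (header_size,) = struct.unpack_from("<I", data, 0)
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def is_pdf(data):
    return data.startswith(PDF_MAGIC)


def displayed_extension(filename):
    """Extension the user sees: Explorer always hides a trailing '.lnk',
    so 'Bewerbung.pdf.lnk' is shown as 'Bewerbung.pdf'."""
    name = filename.lower()
    if name.endswith(".lnk"):
        name = name[:-4]
    return os.path.splitext(name)[1]


def triage_attachment(filename, data):
    """Return (real_type, displayed_extension, suspicious)."""
    if is_shell_link(data):
        real = "lnk"
    elif is_pdf(data):
        real = "pdf"
    else:
        real = "unknown"
    shown = displayed_extension(filename)
    # A shortcut dressed up as a document is the masquerade this campaign used.
    suspicious = real == "lnk" and shown in DOCUMENT_EXTS
    return real, shown, suspicious


# Constructed samples: a minimal 76-byte LNK header and a PDF stub.
FAKE_RESUME_LNK = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
                   + b"\x00" * (LNK_HEADER_SIZE - 20))
REAL_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    for name, blob in [("Bewerbung.pdf.lnk", FAKE_RESUME_LNK),
                       ("Bewerbung.pdf", REAL_PDF)]:
        print(name, triage_attachment(name, blob))
```

The CLSID comparison matters: many file formats begin with a small little-endian length field, so checking only the 4C 00 00 00 prefix would produce false positives on unrelated binaries.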
This shortcut file actually executes a PowerShell command that downloads and executes an HTA file, which in turn downloads and launches the GermanWiper payload.
Figure 6: Screenshot of CB Defense’s event log
The HTA file executes another PowerShell script to download the GermanWiper payload from the following C&C:
hxxp://expandingdelegation[.]top/Bewerbung-Lena-Kretschmer.exe (Decoded from the powershell script)
Figure 7: Part of HTA file content
Figure 8: PowerShell executed command line
Upon execution, GermanWiper terminates the processes of the following software and database applications:
notepad.exe, agntsvc.exe, dbeng50.exe, sql.exe, sqbcoreservice.exe, sqld.exe, encsvc.exe, mysql.exe, mydesktopservice.exe, mysqld.exe, isqlplussvc.exe, oracle.exe
After that, it scans the system, skipping certain folders and file types that are required for the system to keep functioning properly.
Figure 9: Screenshot from unpacked GermanWiper binary
The complete list of the files and folders it skips is shown below:
Folders and files:
windows, programme (x86), desktop.ini, recycle.bin, programdata, iconcache.db, mozilla, perflogs, ntldr, intel, ntuser.dat, boot, msocache, ntuser.dat.log, application data, system volume information, ntuser.ini, appdata, autorun.inf, bootmgr, program files, boot.ini, bootnxt, program files (x86), bootfont.bin, thumbs.db, programme, bootsect.bak
File types (file extensions; the binary carries almost every entry in both lowercase and uppercase form):
.386, .adv, .ADV, .ani, .ANI, .bat, .BAT, .bin, .BIN, .cab, .CAB, .cmd, .CMD, .com, .COM, .cpl, .CPL, .cur, .CUR, .deskthemepack, .DESKTHEMEPACK, .diagcab, .DIAGCAB, .diagcfg, .DIAGCFG, .diagpkg, .DIAGPKG, .dll, .DLL, .drv, .DRV, .exe, .EXE, .hlp, .HLP, .hta, .HTA, .icl, .ICL, .icns, .ICNS, .ico, .ICO, .ics, .ICS, .idx, .IDX, .ldf, .lnk, .LNK, .lock, .LOCK, .mod, .MOD, .mpa, .MPA, .msc, .MSC, .msi, .MSI, .msp, .MSP, .msstyles, .MSSTYLES, .msu, .MSU, .nls, .NLS, .nomedia, .NOMEDIA, .ocx, .OCX, .prf, .PRF, .psl, .PSL, .rom, .ROM, .rtp, .RTP, .scr, .SCR, .shs, .SHS, .spl, .SPL, .sys, .SYS, .theme, .THEME, .themepack, .THEMEPACK, .wpx, .WPX
Then GermanWiper overwrites the file content with null bytes and appends five randomly generated characters to the destroyed file's name as a new extension.
Figure 10: Wiped file by GermanWiper
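For incident-response triage, the two artefacts just described (content overwritten with null bytes, plus a five-character random extension) are enough to enumerate wiped files on a recovered disk image. The Python below is an added example, not part of the Carbon Black write-up; it assumes the appended extension is five alphanumeric characters (the write-up says only "five random generated characters") and builds its own constructed sample tree in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the random extension is exactly five alphanumeric characters,
# e.g. "report.docx.k3f9q". Adjust the class if a sample shows otherwise.
RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{5}$")
CHUNK = 64 * 1024


def is_all_null(path):
    """True if the file is non-empty and every byte is 0x00, the overwrite
    pattern left by the wiper. Reads in chunks so large files are cheap."""
    if path.stat().st_size == 0:
        return False
    with path.open("rb") as fh:
        while chunk := fh.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True


def find_wiped_files(root):
    """Relative POSIX paths (sorted) of files matching both wiper artefacts."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and RANDOM_EXT.search(p.name) and is_all_null(p):
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def demo():
    """Build a constructed sample tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        # wiped: random extension, content all 0x00
        (root / "docs" / "report.docx.k3f9q").write_bytes(b"\x00" * 4096)
        (root / "photo.jpg.Zq7Lm").write_bytes(b"\x00" * 10)
        # intact document
        (root / "docs" / "notes.txt").write_bytes(b"meeting notes")
        # zero-length file with a five-char extension: not flagged
        (root / "docs" / "empty.abcde").write_bytes(b"")
        # all-null content but an ordinary extension: outside this heuristic
        (root / "real.xlsx").write_bytes(b"\x00" * 10)
        return find_wiped_files(root)


if __name__ == "__main__":
    print(demo())
```

Requiring both artefacts keeps the false-positive rate low: sparse or pre-allocated files are often all zeros but keep their normal extension, while a legitimate five-letter extension still has real content.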
After that, it deletes the volume shadow copies and disables Windows automatic startup repair, so that the data cannot be restored easily, using the following command:
"C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
The following is a screenshot of the GermanWiper process chart from CB Threat Hunter.
Figure 11: Screenshot of GermanWiper’s process chart from CB Threat Hunter
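The command line above is a strong detection opportunity because all three recovery-inhibiting steps are chained into a single cmd.exe invocation. The following Python is an added example, not Carbon Black's detection logic: it matches the three stages in process-creation command lines and rates a command line that contains two or more of them as high severity. The sample events are constructed; the only values taken from the write-up are the command line itself and the payload name used as the parent image.

```python
import re

# One pattern per stage of the recovery-inhibition chain from the write-up.
# The '.exe' suffix is optional and matching is case-insensitive, so
# "bcdedit /set {default} recoveryenabled no" is caught as well.
PATTERNS = {
    "vssadmin-delete-shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "bcdedit-recoveryenabled-no": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit-ignoreallfailures": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}


def match_command_line(cmdline):
    """Names of the recovery-inhibition stages present in one command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmdline)]


def triage_events(events):
    """events: dicts with pid, image, parent_image, cmdline (process-creation log).
    Two or more stages in a single command line is rated high: that is the
    wiper's one-shot chain, not an administrator running one vssadmin command."""
    alerts = []
    for ev in events:
        hits = match_command_line(ev["cmdline"])
        if not hits:
            continue
        alerts.append({
            "pid": ev["pid"],
            "parent_image": ev["parent_image"],
            "hits": hits,
            "severity": "high" if len(hits) >= 2 else "medium",
        })
    return alerts


# The command line quoted in the write-up.
GERMANWIPER_CMD = (
    r'"C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows /all /quiet '
    r'& bcdedit.exe /set {default} recoveryenabled no '
    r'& bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'
)

# Constructed sample events; pids are made up, the parent image is the payload
# name from the write-up, and the other two lines are benign admin activity.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "cmd.exe",
     "parent_image": "Bewerbung-Lena-Kretschmer.exe", "cmdline": GERMANWIPER_CMD},
    {"pid": 2212, "image": "vssadmin.exe",
     "parent_image": "cmd.exe", "cmdline": "vssadmin list shadows"},
    {"pid": 3050, "image": "bcdedit.exe",
     "parent_image": "cmd.exe", "cmdline": "bcdedit /enum"},
]

if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the parent image is worth a second condition: a shadow-copy deletion whose parent is a freshly downloaded executable in a user-writable path, rather than an administrative console, is the case that deserves an immediate response.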
After the wiping process is done, it drops and opens a ransom note written in German, as shown in Figure 12. GermanWiper also creates a file at '%AppData%\local\Temp\sasi.bmp' and sets it as the desktop wallpaper (Figure 13).
Figure 12: Screenshot of the ransom note
Figure 13: Changed desktop wallpaper
The ransom note asks the victim to pay 0.15038835 bitcoin, and one bitcoin address from the list below is randomly assigned to the victim for payment.
Figure 14: Screenshot from unpacked GermanWiper binary
The list of bitcoin addresses (decoded from the base64 string):
1KjBUvN4Gfipi3bGmuAPDcJEqx48Nx5m4i
17BJR98G3bpycgoicVVWHLmt1n7jwC3HTk
14XhwV3iBMcLE8qURtk4q2TR53oMSNgZHZ
17zGcqKji84sYg6XxefLFvkZouHMKQfSrb
1LRMFKpSKhrobVJa1uo5V7pnYnEV7S8hZE
135ug1diEkaGmTaHh4vP1kLLgswRVmZbKw
1NXZg59BzWSextDuvspbCJ6NRqHT4T7jbM
19sd86duTh7vkYUwMDJirP1F513Tvwo7fv
1JjkbfjDsi1UqqBgcGtsMdZefFMcVukwVa
1PyZ6yQdnMpVn5o9SfdaPEzAH137Ys9KHn
1CQjaKJd8YKuvzjhjtCKy8QGP9CY4X6Xyc
1J1MBbgNoB9pJXhzZs6DtnpgHPzaeqCx2x
1MRvr9bDBKb8LcctebM7RqXi8Xiiv35fUt
1DbAXfFY1sCqea4We28td8e3FUGh1MvKbT
16Cq2MpX1LDMXEa3eGuQ3FGWC3kNoowzjg
1JKN1uz6BaWUwftoPSah5RnvD9aTjimkZe
1FkCZkm74zEQ3UNCScBwUzuxYbbWH15h5z
1HugNNr72MHAd53S3ygHwJWAxi655tpBqa
17vH1YT63jRTavNQRGGsP49xjzZtZsxNRF
1FZhTBLZMRQms5q8h4iHZAYdEpgr6dhpw2
1EJnYFmNmVeozrFjByzQmWBMbCb6sj8KNh
13iv6aUc8oEBg9R9MFREwvTRTjecy2TBXY
1E3s6S3YUfadZP27ZtwtPENbSzV4Mr3kv6
18tnmDSvLb5sxyVaid3K9YdEVfT9THTMfo
1Eh4C1RodoiFEM3G7ZozLojNSNGPLh8Xo1
19PEKTCo1J2Qh1jCHxnsXj4rAAvvnoyrDB
1Ft45aW8b3HeoJGe9NmJz8H3Hu7NpwdHzY
1DAkV3n3QZZtYZAmGDFCQyah7YTCRDNmH1
19cwrjV2FM3fw4BqBwnsBi9hDwMwUbJyy8
13AsdXkb7LG2aJzroZtZpCsqbhyhZgrpwc
167kVP1ctnw48eEM97ZHbwTTLEUaEoHtfN
1A8Rx1PHyYq4xJNSoDnkua9rsQaVuL7KSU
1D8TE2LRDjRU3b6143LR4GXWJbvhnzoiKu
1GJfdiu2AEQA9NsFyKypx7YMfoHFZi7KzR
1Hk2uAwoW6z5QdrtssKXBQ9d6VTvn8nPD8
19D4iUqYYd1y3Hn295yfsacXUykWwqZaov
The ransom note also contains a tracking script that, while the note is open, connects to a command and control server and sends the bitcoin address written in the note along with other information, such as the extension appended to the wiped files.
Figure 15: Ending code from the ransom note
Indicators of Compromise (IOCs)
Indicator | Type | Context
41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c | SHA256 | GermanWiper Ransomware
36ccd442755d482900b57188ae3a89a7 | MD5 | GermanWiper Ransomware
7a0c1477bdde6eef3646fe8e4ba7b68c366ed9b1209799bc5d437a9320878602 | SHA256 | Malicious Attachment (lnk file)
901a3a1ff5182b5583be5745db98a9ce | MD5 | Malicious Attachment (lnk file)
8ecd960adaf6609eb8ed9ed46ccbeeb181d1e32f1cda016cde47e35f9748f716 | SHA256 | Malicious Attachment (zip file)
eecef3ce3d40ad0c092183b6c4b0c0e5 | MD5 | Malicious Attachment (zip file)
6e7cb518f13564ae5a899d4cef77246eeae12ab1dc73b27d91af028e85232901 | SHA256 | Malicious Payload (hta file)
bc1ba6013db121e92548eaa24ee6fecd | MD5 | Malicious Payload (hta file)
hxxp://expandingdelegation[.]top | Domain | Command & Control Server
The post CB Threat Analysis Unit Technical Breakdown: GermanWiper Ransomware appeared first on Carbon Black.
Article Link: https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/