Ransom:Win32/Sobnot.A
First posted on 27 October 2017.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Sobnot.A.
Explanation:
Installation
This threat may be installed by the Magnitude exploit kit.
When run, it checks the machine's default system language. If the system language is Korean, it launches its malicious routines. Otherwise, it self-deletes after three seconds.
If the system language is Korean, this threat drops a copy of itself into the %TEMP% folder and tries to ensure persistence by using the Task Scheduler.
It creates a scheduled task so that it will be re-launched every 15 minutes by issuing the following command:
- schtasks /create /SC MINUTE /MO 15 /tn ihsdj /TR "pcalua.exe -a %temp%/ihsdj.exe"
This ransomware generates a pseudo-random 19-character ID made of lowercase letters and digits, which it uses to uniquely identify the machine.
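The scheduled-task command above is a compact detection opportunity: pcalua.exe (the Program Compatibility Assistant launcher) used with -a to start an executable from %TEMP% on a minute-based repeat. The following Python hunt is an added example, not Microsoft's analysis code; it parses "schtasks /create" command lines (assuming the /SC, /MO, /TN and /TR switches as used above) and reports which of the three traits each task shows. The first sample command line is the one quoted in the write-up; the other two are constructed for contrast.

```python
"""Hunt scheduled-task creation command lines for the Sobnot persistence pattern.

Added example, not Microsoft's analysis code. The first SAMPLE line is the command
quoted in the write-up; the others are constructed for contrast.
"""
import re
import shlex
from dataclasses import dataclass


@dataclass
class TaskRecord:
    name: str       # /TN value
    schedule: str   # /SC value, e.g. "MINUTE"
    interval: int   # /MO repeat modifier; 1 when the switch is absent
    action: str     # /TR value, the command line the task runs


def parse_schtasks_create(cmdline):
    """Parse 'schtasks /create ...' into a TaskRecord (assumes /SC, /MO, /TN, /TR switches)."""
    toks = shlex.split(cmdline, posix=False)   # non-POSIX: keep backslashes, keep quotes on tokens
    opts = {}
    i = 0
    while i < len(toks):
        t = toks[i]
        # a switch followed by a value (not by another switch) is a key/value pair
        if t.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[t.upper()] = toks[i + 1].strip('"')
            i += 2
        else:
            i += 1
    return TaskRecord(
        name=opts.get("/TN", ""),
        schedule=opts.get("/SC", "").upper(),
        interval=int(opts.get("/MO", "1")),
        action=opts.get("/TR", ""),
    )


# pcalua.exe (Program Compatibility Assistant) used with -a to launch something under %TEMP%
PCALUA_TEMP = re.compile(r"pcalua\.exe\s+-a\s+(?P<target>%temp%[\\/]\S+)", re.IGNORECASE)


def task_flags(task):
    """Return the reasons a task looks like Sobnot persistence; an empty list means no match."""
    reasons = []
    m = PCALUA_TEMP.search(task.action)
    if m:
        reasons.append("pcalua.exe proxy-launches a %TEMP% payload: " + m.group("target"))
    if task.schedule == "MINUTE" and task.interval <= 15:
        reasons.append("re-launched every %d minute(s)" % task.interval)
    if task.name.lower() == "ihsdj":
        reasons.append("task name matches the Sobnot sample")
    return reasons


SAMPLE_TASKS = [
    'schtasks /create /SC MINUTE /MO 15 /tn ihsdj /TR "pcalua.exe -a %temp%/ihsdj.exe"',
    'schtasks /create /SC DAILY /ST 03:00 /tn Backup /TR "C:\\Tools\\backup.exe /full"',   # constructed, benign
    'schtasks /create /SC MINUTE /MO 5 /tn Updater /TR "pcalua.exe -a %TEMP%\\upd.exe"',   # constructed, suspicious
]


def hunt(cmdlines):
    """Map task name -> reasons for every command line that raises at least one flag."""
    hits = {}
    for line in cmdlines:
        task = parse_schtasks_create(line)
        reasons = task_flags(task)
        if reasons:
            hits[task.name] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

The task name and the 15-minute interval are the weakest signals (both are trivially changed); the pcalua.exe launcher pointing into %TEMP% is the trait worth alerting on regardless of the name.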
Payload
Encrypts files
This ransomware encrypts files with AES-128 in CBC mode, using the Windows Crypto API.
It attempts to fetch the encryption key from the following servers:
- http://(uniqueID).bankme.date/new1
- http://(uniqueID).jobsnot.services/new1
- http://(uniqueID).carefit.agency/new1
- http://(uniqueID).hotdisk.world/new1
Any of the above URLs may respond with a 16-bit key to be used for encryption. However, if all domains fail to provide a response, this ransomware uses the hardcoded key S25943n9Gt099y4K.
For the initialization vector, this threat always uses the hardcoded value EP866p5M93wDS513. It also drops a file containing the initialization vectors in the %TEMP% folder.
It then scans all drives and starts the encryption process. It encrypts files with the following file name extensions:
.123 .1cd .3dm .3ds .3g2 .3gp .4d .4db .4mp .602 .7z .a3d .abm .abs .abw .accdb .act .adn .adp .aes .af2 .af3 .aft .afx .agif .agp .ahd .ai .aic .aim .albm .alf .ans .apd .apm .apng .aps .apt .apx .arc .art .arw .asc .ase .asf .ask .asm .asp .asw .asy .aty .avi .awdb .awp .awt .aww .azz .backup .bad .bak .bay .bbs .bdb .bdp .bdr .bean .bib .bm2 .bmp .bmx .bna .bnd .boc .bok .brd .brk .brn .brt .bss .btd .bti .btr .bz2 .c .c4 .c4d .ca .cals .can .cd .cd5 .cdb .cdc .cdg .cdmm .cdmt .cdmz .cdr .cdr3 .cdt .cf .cfu .cgm .cimg .cin .cit .ckp .class .clkw .cma .cmx .cnm .cnv .colz .cpc .cpd .cpg .cpp .cps .cpx .cr2 .crd .crt .crw .cs .csr .csv .csy .ct .cv5 .cvg .cvi .cvs .cvx .cwt .cxf .cyi .dad .daf .db .db2 .db3 .dbc .dbf .dbk .dbs .dbt .dbv .dbx .dc2 .dca .dcb .dch .dcr .dcs .dct .dcx .dd .dds .ded .der .df1 .dgn .dgs .dgt .dhs .dib .dif .dip .diz .djv .djvu .dm3 .dmi .dmo .dnc .dne .doc .docb .docm .docx .docz .dot .dotm .dotx .dp1 .dpp .dpx .dqy .drw .drz .dsk .dsn .dsv .dt .dt2 .dta .dtsx .dtw .dv .dvi .dwg .dx .dx .dxb .dxf .eco .ecw .ecx .edb .efd .egc .eio .eip .eit .em .emd .emf .emlx .ep .epf .epp .eps .epsf .eq .erf .err .etf .etx .euc .exr .fa .faq .fax .fb .fb2 .fbx .fcd .fcf .fdf .fdr .fds .fdt .fdx .fdxt .fes .fft .fh10 .fh11 .fh3 .fh4 .fh5 .fh6 .fh7 .fh8 .fi .fic .fid .fif .fig .fla .flr .flv .fm5 .fmv .fo .fodt .fp3 .fp4 .fp5 .fp7 .fpos .fpt .fpx .frm .frt .frx .ft10 .ft11 .ft7 .ft8 .ft9 .ftn .fwdn .fxc .fxg .fzb .fzv .g3 .gcdp .gdb .gdoc .gem .geo .gfb .gfie .ggr .gif .gih .gim .gio .glox .gpd .gpg .gpn .gro .grob .grs .gsd .gthr .gtp .gv .gwi .gz .h .hbk .hdb .hdp .hdr .hht .his .hp .hpg .hpg .hpi .hs .htc .hwp .hz .i3d .ib .ibd .icn .icon .icpr .idc .idea .idx .igt .igx .ihx .ii .iiq .imd .info .ink .ipf .ipx .iso .itc2 .itdb .itw .iwi .j .j2c .j2k .jar .jas .java .jb2 .jbig .jbmp .jbr .jfif .jia .jis .jng .joe .jp1 .jp2 .jpe .jpeg .jpg .jpg2 .jps .jpx .jrtf .js .jsp .jtf .jtx .jw .jxr .kdb .kdbx .kdc .kdi .kdk .kes .key .kic .klg .knt .kon .kpg .kwd 
.lay .lay6 .lbm .lbt .ldf .lgc .lis .lit .ljp .lmk .lnt .lp2 .lrc .lst .ltr .ltx .lue .luf .lwo .lwp .lws .lyt .lyx .m3d .m3u .m4u .ma .mac .man .map .maq .mat .max .mb .mbm .mbox .mdb .mdf .mdn .mdt .me .mef .mel .mft .mgcb .mgmf .mgmt .mgmx .mgtx .mid .min .mkv .mm .mmat .mnr .mnt .mos .mov .mp3 .mp4 .mpeg .mpf .mpg .mpo .mrg .mrxs .msg .mt9 .mud .mwb .mwp .mx .my .myd .myi .ncr .nct .ndf .nef .nfo .njx .nlm .now .nrw .ns2 .ns3 .ns4 .nsf .nv2 .nyf .nzb .obj .oc3 .oc4 .oc5 .oce .oci .ocr .odb .odg .odm .odo .odp .ods .odt .of .oft .omf .onetoc2 .oplc .oqy .ora .orf .ort .orx .ost .ota .otg .oti .otp .ots .ott .ovp .ovr .owc .owg .oyx .ozb .ozj .ozt .p .p12 .p7s .p96 .p97 .pa .pan .pano .pap .paq .pas .pbm .pc1 .pc2 .pc3 .pcd .pcs .pdb .pdd .pdf .pdm .pds .pdt .pe4 .pef .pem .pff .pfi .pfs .pfv .pfx .pgf .pgm .phm .php .pi1 .pi2 .pi3 .pic .pict .pix .pjpg .pjt .plt .pm .pmg .png .pni .pnm .pntg .pnz .pobj .pop .pot .potm .potx .pp4 .pp5 .ppam .ppm .pps .ppsm .ppsx .ppt .pptm .pptx .prt .prw .ps1 .psd .psdx .pse .psid .psp .pst .psw .ptg .pth .ptx .pu .pvj .pvm .pvr .pwa .pwi .pwr .px .pxr .pz3 .pza .pzp .pzs .qd .qmg .qpx .qry .qvd .rad .rar .ras .raw .rb .rctd .rcu .rd .rdb .rft .rgb .rgf .rib .ric .riff .ris .rix .rle .rli .rng .rpd .rpf .rpt .rri .rs .rsb .rsd .rsr .rst .rt .rtd .rtf .rtx .run .rw .rw2 .rzk .rzn .s2mv .s3m .saf .sam .sbf .scad .scc .sch .sci .scm .sct .scv .scw .sdb .sdf .sdm .sdoc .sdw .sep .sfc .sfw .sgm .sh .sig .sk1 .sk2 .skm .sla .sld .sldm .sldx .slk .sln .sls .smf .sms .snt .sob .spa .spe .sph .spj .spp .spq .spr .sq .sqb .sqlite3 .sqlitedb .sr2 .srw .ssa .ssk .st .stc .std .sti .stm .stn .stp .str .stw .sty .sub .suo .svf .svg .svgz .swf .sxc .sxd .sxg .sxi .sxm .sxw .tab .tar .tbk .tcx .tdf .tdt .te .tex .text .tgz .thp .tif .tiff .tlb .tlc .tm .tmd .tmv .tmx .tne .tpc .trm .tvj .u3d .u3i .udb .ufr .unx .uof .uop .uot .upd .usr .utf8 .utxt .v12 .vb .vbr .vbs .vcd .vct .vdb .vdi .vec .vm .vmdk .vmx .vnt .vob .vpd .vrm .vrp .vsd .vsdm 
.vsdx .vsm .vstm .vstx .vue .vw .wallet .wav .wb2 .wbk .wcf .wdb .wgz .wire .wk1 .wks .wma .wmdb .wmv .wn .wp .wp .wp4 .wp5 .wp6 .wp7 .wpa .wpd .wpg .wps .wpt .wpw .wri .wsc .wsd .wsh .wtx .x .x3d .xar .xd .xdb .xlc .xld .xlf .xlgc .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xps .xwp .xy3 .xyp .xyw .ya .ybk .ym .z3d .zabw .zdb .zdc .zip .zw
Each encrypted file has the initialization vector written in its first 16 bytes.
This ransomware appends the file name extension .ihsdj to encrypted files.
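The on-disk layout just described (hardcoded IV in the first 16 bytes, the .ihsdj extension, a ransom note in every folder that holds an encrypted file) can be turned into a triage check for incident response. The Python below is an added example, not code from the analysis. It assumes the .ihsdj extension is appended after the original file name, and that CryptoAPI padded the final block so the ciphertext following the 16-byte IV is a whole number of 16-byte blocks; the directory tree it scans is constructed in a temporary folder.

```python
"""Triage a directory for files matching the Sobnot on-disk layout described above.

Added example, not code from the analysis. Assumptions: the .ihsdj extension is appended
after the original name, and CryptoAPI padded the final block so the ciphertext that
follows the 16-byte IV is a whole number of 16-byte blocks.
"""
import os
import tempfile
from pathlib import Path

HARDCODED_IV = b"EP866p5M93wDS513"      # IV quoted in the analysis; written to the first 16 bytes
ENCRYPTED_EXT = ".ihsdj"
RANSOM_NOTE = "READ_ME_FOR_DECRYPT__.txt"
AES_BLOCK = 16


def inspect_file(name, head, size):
    """Evaluate the three indicators for one file from its name, first 16 bytes and size."""
    return {
        "extension": name.lower().endswith(ENCRYPTED_EXT),
        "iv_header": head[:AES_BLOCK] == HARDCODED_IV,
        "block_aligned": size > AES_BLOCK and (size - AES_BLOCK) % AES_BLOCK == 0,
    }


def looks_encrypted(name, head, size):
    """True only when every indicator holds; partial matches are worth a look but not a count."""
    return all(inspect_file(name, head, size).values())


def scan_tree(root):
    """Walk root; return (sorted encrypted file paths, sorted folders that hold a ransom note)."""
    encrypted, noted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = Path(dirpath) / fn
            if fn == RANSOM_NOTE:
                noted.append(dirpath)
                continue
            if not fn.lower().endswith(ENCRYPTED_EXT):
                continue
            with open(path, "rb") as fh:        # only the header is needed, not the whole file
                head = fh.read(AES_BLOCK)
            if looks_encrypted(fn, head, path.stat().st_size):
                encrypted.append(str(path))
    return sorted(encrypted), sorted(noted)


def build_sample_tree():
    """Create a constructed directory tree standing in for an affected host (demo data only)."""
    root = tempfile.mkdtemp(prefix="sobnot_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    # constructed "encrypted" file: the hardcoded IV followed by two 16-byte blocks of stand-in bytes
    (docs / "report.docx.ihsdj").write_bytes(HARDCODED_IV + bytes(range(32)))
    (docs / RANSOM_NOTE).write_text("constructed stand-in for the ransom note\n")
    (docs / "notes.txt").write_text("untouched file\n")
    # wrong header and not block-aligned: must not be counted even though the extension matches
    (Path(root) / "odd.ihsdj").write_bytes(b"not a sobnot header")
    return root


if __name__ == "__main__":
    files, folders = scan_tree(build_sample_tree())
    print("encrypted files:", files)
    print("folders with ransom note:", folders)
```

Because the IV is a fixed string rather than random per file, the first 16 bytes are a stable header worth adding to file-scanning rules; the block-alignment check is what separates a genuinely encrypted file from a renamed one.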
It does not encrypt files in the following folders:
- :\documents and settings\all users\
- :\documents and settings\default user\
- :\documents and settings\localservice\
- :\documents and settings\networkservice\
- \appdata\local\
- \appdata\locallow\
- \appdata\roaming\
- \local settings\
- \public\music\sample music\
- \public\pictures\sample pictures\
- \public\videos\sample videos\
- \tor browser\
- \$recycle.bin
- \$windows.~bt
- \$windows.~ws
- \boot
- \intel
- \msocache
- \perflogs
- \program files (x86)
- \program files
- \programdata
- \recovery
- \recycled
- \recycler
- \system volume information
- \windows.old
- \windows10upgrade
- \windows
- \winnt
Displays ransom note
This ransomware drops a ransom note in every folder where it encrypted at least one file. The ransom note has the file name READ_ME_FOR_DECRYPT__.txt.
After completing the encryption process, this ransomware attempts to call the server to signal the completion by accessing the following URLs:
- http://(uniqueID).bankme.date/end1
- http://(uniqueID).jobsnot.services/end1
- http://(uniqueID).carefit.agency/end1
- http://(uniqueID).hotdisk.world/end1
It then displays the ransom note by opening Notepad. It also schedules a task to display the ransom note every 15 minutes.
The ransom note contains instructions to follow one of several links to get further instructions about recovering files. The same domains used in the encryption routine (to fetch encryption key and to report completion of encryption) are used:
- http://(uniqueID).bankme.date/EP866p5M93wDS513
- http://(uniqueID).jobsnot.services/EP866p5M93wDS513
- http://(uniqueID).carefit.agency/EP866p5M93wDS51
- http://(uniqueID).hotdisk.world/EP866p5M93wDS513
Note that EP866p5M93wDS513 is the hardcoded initialization vector used in the AES encryption process.
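Across the installation and payload sections the same URL pattern recurs: the 19-character lowercase machine ID as the host label, one of the four domains, and a path that names the stage (/new1 for the key fetch, /end1 for the completion beacon, /EP866p5M93wDS513 for the ransom-note link). The Python below is an added example, not from the original analysis, that applies this pattern to proxy log lines and reports which stage each host reached; the log format (timestamp, source IP, method, URL, status) and every log entry are constructed.

```python
"""Match proxy/URL log lines against the Sobnot C2 URL pattern described above.

Added example, not code from the analysis. The log format (timestamp, source IP, method,
URL, status) and every log line below are constructed.
"""
import re
from urllib.parse import urlsplit

C2_DOMAINS = ("bankme.date", "jobsnot.services", "carefit.agency", "hotdisk.world")
HARDCODED_IV = "EP866p5M93wDS513"          # also used as the ransom-note URL path
# host label = the 19-character lowercase alphanumeric machine ID, then one of the four domains
HOST_RE = re.compile(
    r"^(?P<uid>[a-z0-9]{19})\.(?P<domain>" + "|".join(re.escape(d) for d in C2_DOMAINS) + r")$"
)
STAGES = {
    "/new1": "key fetch",
    "/end1": "encryption-complete beacon",
    "/" + HARDCODED_IV: "ransom-note link",
}


def classify_url(url):
    """Return (uniqueID, domain, stage) when url fits the pattern, otherwise None."""
    parts = urlsplit(url)
    m = HOST_RE.match(parts.hostname or "")
    if not m:
        return None
    stage = STAGES.get(parts.path, "unexpected path " + parts.path)
    return m.group("uid"), m.group("domain"), stage


SAMPLE_PROXY_LOG = """\
2017-10-27T10:01:02Z 10.0.0.5 GET http://k2m9x0q7v4b1n8z5c3d.bankme.date/new1 200
2017-10-27T10:01:03Z 10.0.0.5 GET http://www.example.com/index.html 200
2017-10-27T10:14:40Z 10.0.0.5 GET http://k2m9x0q7v4b1n8z5c3d.jobsnot.services/end1 200
2017-10-27T10:20:11Z 10.0.0.9 GET http://short.hotdisk.world/new1 404
""".splitlines()


def hunt_proxy_log(lines):
    """Map source IP -> [(timestamp, uniqueID, domain, stage), ...] for matching requests."""
    hits = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, src, _method, url, _status = fields[:5]
        hit = classify_url(url)
        if hit:
            hits.setdefault(src, []).append((ts,) + hit)
    return hits


def hosts_that_completed(hits):
    """Source IPs whose requests include the end1 beacon, i.e. encryption finished on that host."""
    return sorted(src for src, reqs in hits.items()
                  if any(r[3] == "encryption-complete beacon" for r in reqs))


if __name__ == "__main__":
    found = hunt_proxy_log(SAMPLE_PROXY_LOG)
    for src, reqs in found.items():
        for ts, uid, domain, stage in reqs:
            print(src, ts, uid, domain, stage)
    print("completed:", hosts_that_completed(found))
```

The ordering matters for response: a host that only shows the /new1 request was interrupted before or during encryption, whereas a host that also shows /end1 has finished and should be isolated and imaged rather than rebooted.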
Additionally, an .onion address is provided along with instructions for the user to install the Tor browser.
Analysis by: Danut Antoche-Albisor
Last update: 27 October 2017