Why doesn't ESET have this System Watcher module?

[itman 1,659]

Here's a Joe's Cloud Sandbox analysis: https://www.joesandbox.com/analysis/905264 . Brief review of this indicates sleeper behavior.

[Marcos 5,074]

14 minutes ago, itman said:

So are you saying that all the VirusTotal detection's of this supposed "corrupted" file are bogus?

I was referring just to the specific file with SHA1 EB2C417A29D2F08E37D63F3B75CDC61B42855E91, not to other files.

[itman 1,659]

A quick Joe's Cloud Sandbox analysis review of this ransomware shows what's going on:

[itman 1,659]

Here's a description of RagnarLocker ransonware: https://www.acronis.com/en-us/blog/posts/ragnar-locker/

Of note:

Quote

Uses a specially-crafted virtual machine image for its payload execution in order to evade anti-malware detection.

Further described as:

Quote

The attacker sometimes deploys a VirtualBox virtual machine (VM) with a Windows XP image to evade detection: an early use of a virtual machine image in this manner to run the ransomware encryption attack. The technique has been adopted since by the Maze family of ransomware operators.

The specially-crafted VM image is loaded to the VirtualBox VM, mapping all local drives as read/writable into the virtual machine. This allows the ransomware process running inside the VM to encrypt all files. To the host files, the encryption appears to be a trusted VirtualBox process and thus will be ignored by many security products.

Also the ransomware is not new; dating to April , 2020.

As far as this specific RagmarLocker sample, I suspect this might have been deployed:

Quote

In the past, the Java programming language was seldomly used to create malware because the Java Runtime Environment (JRE) is needed to run the code. Similarly, Java Image (JIMAGE) files have rarely been used in malware attacks. Even developers avoid working with these largely undocumented files, opting to use the popular Java Archive (JAR) files instead.

Because of this past, some cybercriminals decided to use Java to create a new strain of ransomware and compile it into a JIMAGE file. “Malware writers are constantly seeking new ways of flying under the radar. They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats,” explained the BlackBerry and KPMG researchers who discovered the new ransomware strain. “We have already seen a substantial increase in ransomware written in languages such as Java and Go. This is the first sample we’ve encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build.”

https://chipscs.com/3-significant-developments-in-ransomware-campaigns-2/

Edited June 12, 2022 by itman

[AnthonyQ 48]

3 hours ago, itman said:

A quick Joe's Cloud Sandbox analysis review of this ransomware shows what's going on:

This sample is indeed corrupt (https://app.any.run/tasks/91032682-65d8-4ba5-9e93-8899b2d592d8/).

Joe sandbox's results indicate this sample crashed during analysis. Other vendors may detect corrupt samples because they contain malicious code, which I don't think is a false positive. 

[AnthonyQ 48]

Hi @Marcos, another two samples missed by ESET:

1. Screen locker + MBR locker (https://www.virustotal.com/gui/file/afbf5da99b569974c5e8ccec0286cb4ed45401cce45b6f6c7f05a3d5565db7f0). Submitted yesterday but detection is still not added. Sandbox analysis: https://tria.ge/220613-b9zjwshcd5/behavioral1.

2. Suspicious backdoor (https://www.virustotal.com/gui/file/62e3529e3ed9fd63ca02f139e2ed564ad785e6d546bd402c3cd93ffa1c14d24b).

[Marcos 5,074]

6 hours ago, itman said:

Here's a description of RagnarLocker ransonware: https://www.acronis.com/en-us/blog/posts/ragnar-locker/

RagnarLocker is about 2 years old and virtually every vendor detects it:

https://www.virustotal.com/gui/file/7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929

[itman 1,659]

12 hours ago, AnthonyQ said:

Joe sandbox's results indicate this sample crashed during analysis.

Review it again. Closely observe behavior of WerFault.exe.

[AnthonyQ 48]

11 minutes ago, itman said:

Review it again. Closely observe behavior of WerFault.exe.

You can run this sample on your VM to see if it's corrupt. 

[Marcos 5,074]

Confirmed by analysts that the file is corrupt.

[itman 1,659]

1 minute ago, AnthonyQ said:

You can run this sample on your VM to see if it's corrupt. 

Don't have a VM installed. What this sample does is run Java at next system startup to run the payload previously created by WerFault.exe.

Here's a better example showing payload being created from WerFault.exe:

https://www.joesandbox.com/analysis/323226/0/html

Finally, you would not have all those detections at VT if this was actually a corrupted file.

[Marcos 5,074]

Also the .unpack extension suggests that it's a dumped file, ie. it won't run when executed.

[AnthonyQ 48]

19 minutes ago, itman said:

Don't have a VM installed. What this sample does is run Java at next system startup to run the payload previously created by WerFault.exe.

Here's a better example showing payload being created from WerFault.exe:

https://www.joesandbox.com/analysis/323226/0/html

Finally, you would not have all those detections at VT if this was actually a corrupted file.

This Joe sandbox report refers to another ransomware sample which is not corrupt and already detected by ESET as Win32/Filecoder.RagnarLocker.A.

[itman 1,659]

Here's VT's SysInternals analysis of this RagnarLocker sample that "supposedly doesn't run": https://www.virustotal.com/gui/file/f4d742d82698f532e0215832cb484619a4e84547d8a1ca8dc8f2e9f791a6f27d/behavior/Microsoft Sysinternals Hum ..... I see a lot of remote communication going on. I am done with wasting my time on this.

[Marcos 5,074]

19 minutes ago, itman said:

I see a lot of remote communication going on.

MS IP addresses. Contacted likely when the system was searching for a possible solution of the crash and to upload the crash report.

[itman 1,659]

Getting back on topic, it should be noted that Kaspersky at VT also did not detect this RagarLocker ransomware sample discussed. 

At this point, I will give Kaspersky a pass on this baring proof otherwise. This sample only "sets the stage" for the ransomware to run at next system restart time. At that time, System Watcher anti-ransomware behavior methods would have detected the files being encrypted.

Edited June 13, 2022 by itman