BAT file based Ransomware targeting people in China

By

The SonicWall Capture Labs Threat Research Team has observed a BAT file related to CXK-NMSL V3.2 Ransomware targeting people in China.

The batch file uses ‘FOR’ looping command for listing the files in the directory. The listed files are renamed with “.cxkdata” suffix.
The renamed files are then base64 encoded using the “certutil –encode” command and saved into new file having .cxk_nmsl as extension, the original files are later deleted.

The Ransomware encodes files found in the following locations:

• %SystemDrive%\
• %UserProFile%\
• %UserProFile%\Desktop\
• %UserProFile%\Downloads\
• %UserProFile%\Favorites\
• %UserProFile%\Searches\
• %UserProFile%\Saved Games\
• %UserProFile%\Contacts\
• %UserProFile%\Links\
• %UserProFile%\Videos\
• %UserProFile%\Pictures\
• %UserProFile%\Documents\
• %UserProFile%\Music\

The batch file contains base64 encoded PE file which is saved into the disk as “X”.

The file “X” is later decoded and saved into the disk using Certutil command as show below:

The PE file tries to load Krnln.fnr Dll and execute the “GetNewSock” API. This API provides capabilities for remote administration.

It also has base64 encoded zip file containing the wallpaper.jpg

Wallpaper.jpg

It creates the .JS file which is used to decode the base64 encoded file (wallpaper.jpg)

It also creates a VBS file which is used to display the message box in Chinese language.

It modifies the registry and sets the values of wallpaper to its own wallpaper.jpg.

And executes the below command which is a preferred method for refreshing the wallpaper without the user being logging off and back on.

The Ransomware note is in Chinese language; which asks the victim to pay 100 B coins as ransom and for more information regarding the B coins it directs user to below site.

https://www.bilibili.com/blackboard/help.htmlprice.

Ransomware note

And at the end it drops the MP3 file and plays the song.

Sonicwall Capture Labs provides protection against this threat with the following signature:

  • GAV: Ransom.BatCXK_NMSL (Trojan)

Indicators of Compromise:

  • 01b575a1012b97988655980a48430dbb
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.