Analysis
On the 6th of July, a group of threat analysts released a report examining HavanaCrypt, a ransomware family that poses as a Google Software Update.
HavanaCrypt is distributed as a fake Google Software Update application. Once it arrives, the ransomware's code is protected with an open-source obfuscator, and it is designed to evade dynamic analysis in a virtual machine. On execution it hides its window with the ShowWindow function, then checks the registry for any Google Update registry entry.
It then checks whether it is running in a virtual environment by looking for services used by virtual machines, such as VMware Tools and vmmouse, and for files related to virtual machines. After that it downloads a malicious file from an IP address belonging to a Microsoft web hosting service, saves it as a .bat file, and executes the batch file, which terminates certain processes such as agntsvc, axlbridge and ccevtmgr.
HavanaCrypt gathers system information and sends it to the command-and-control server before encryption. After encryption it appends the “.havana” extension to encrypted files and saves a log of the encrypted files in a file named “foo.txt”.
Prevention
- Create signature-based detection rules for this ransomware and related malware.
- Take regular backups of servers, endpoints and other storage devices to reduce the impact of any ransomware attack.
- Educate employees to download applications only from legitimate sites and raise awareness of phishing.
Indicators of Compromise (IOC)
Files
b37761715d5a2405a3fa75abccaf6bb15b7298673aaad91a158725be3c518a87
bf58fe4f2c96061b8b01e0f077e0e891871ff22cf2bc4972adfa51b098abb8e0
aa75211344aa7f86d7d0fad87868e36b33db1c46958b5aa8f26abefbad30ba17
URLs
http://20[.]227[.]128[.]33/2.txt
http://20[.]227[.]128[.]33/index.php
http://20[.]227[.]128[.]33/ham.php
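The indicators above can be turned into a simple detection pass over endpoint and proxy logs. The following Python script is an added example, not code from the Trend Micro report: it matches the listed file hashes and URLs (kept defanged as published and refanged only in memory), flags commands that terminate the processes named in the analysis, and raises a mass-rename alert when one host renames several files to the ".havana" extension. The log format, the use of taskkill as the kill command, the host names and the rename threshold are all assumptions made for the example.

```python
"""Detection pass for the HavanaCrypt indicators listed on this page.
Added example; the log format and sample lines are constructed."""
import re
from collections import Counter

# Indicators taken from the page. URLs stay defanged ("[.]") as published.
FILE_HASHES = {
    "b37761715d5a2405a3fa75abccaf6bb15b7298673aaad91a158725be3c518a87",
    "bf58fe4f2c96061b8b01e0f077e0e891871ff22cf2bc4972adfa51b098abb8e0",
    "aa75211344aa7f86d7d0fad87868e36b33db1c46958b5aa8f26abefbad30ba17",
}
DEFANGED_URLS = [
    "http://20[.]227[.]128[.]33/2.txt",
    "http://20[.]227[.]128[.]33/index.php",
    "http://20[.]227[.]128[.]33/ham.php",
]
# Processes the downloaded batch file is reported to terminate.
KILLED_PROCESSES = {"agntsvc", "axlbridge", "ccevtmgr"}
# Number of .havana renames from one host before alerting (assumed value).
RENAME_THRESHOLD = 5


def refang(url: str) -> str:
    """Convert a defanged URL back to its matchable form, in memory only."""
    return url.replace("[.]", ".")


URLS = {refang(u) for u in DEFANGED_URLS}


def check_line(line: str) -> list:
    """Return (rule, detail) hits for a single log line."""
    hits = []
    for digest in re.findall(r"\b[0-9a-f]{64}\b", line.lower()):
        if digest in FILE_HASHES:
            hits.append(("ioc_hash", digest))
    for url in sorted(URLS):
        if url in line:
            hits.append(("ioc_url", url))
    # Assumed kill mechanism: "taskkill ... /IM <name>.exe" style commands.
    if "taskkill" in line.lower():
        for name in re.findall(r"(?i)/im\s+([\w-]+)", line):
            if name.lower() in KILLED_PROCESSES:
                hits.append(("process_kill", name.lower()))
    return hits


def scan(lines) -> dict:
    """Scan log lines; return per-line hits and hosts with mass .havana renames."""
    hits = []
    renames = Counter()
    for line in lines:
        hits.extend(check_line(line))
        m = re.search(r"host=(\S+).*rename .* -> (\S+\.havana)\b", line)
        if m:
            renames[m.group(1)] += 1
    mass = sorted(h for h, n in renames.items() if n >= RENAME_THRESHOLD)
    return {"hits": hits, "mass_rename_hosts": mass}


# Constructed sample log lines (hypothetical hosts ws01 and ws02).
SAMPLE_LOGS = [
    "2022-07-06T10:00:01 host=ws01 proxy GET http://20.227.128.33/2.txt 200",
    "2022-07-06T10:00:03 host=ws01 file_create C:\\Users\\a\\GoogleUpdate.exe "
    "sha256=b37761715d5a2405a3fa75abccaf6bb15b7298673aaad91a158725be3c518a87",
    '2022-07-06T10:00:09 host=ws01 cmd="taskkill /F /IM agntsvc.exe /IM axlbridge.exe"',
    *[f"2022-07-06T10:01:{i:02d} host=ws01 rename C:\\Docs\\f{i}.docx -> C:\\Docs\\f{i}.docx.havana"
      for i in range(6)],
    "2022-07-06T10:02:00 host=ws02 rename C:\\tmp\\a.txt -> C:\\tmp\\a.txt.havana",
    "2022-07-06T10:03:00 host=ws02 proxy GET http://example.invalid/update 200",
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOGS)
    for rule, detail in result["hits"]:
        print(f"{rule}: {detail}")
    print("mass rename hosts:", result["mass_rename_hosts"])
```

Hash and URL matches are exact-match signatures and will only catch the samples and infrastructure named in the report; the rename-rate rule is the behavioural check that survives a re-obfuscated build, so in practice the threshold should be tuned against normal rename volume on the monitored hosts.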
References:
Trend Micro