November 20, 2023
Severity Medium Analysis Summary Agent Tesla is a very popular spyware Trojan built for the.NET framework. Since its initial appearance in 2014, this has been deployed […]
Rewterz threat Alert – SpeakUp Malware Infecting Linux Devices
March 11, 2019
Rewterz Threat Alert – Two Malspam Campaigns Detected
March 12, 2019
Rewterz threat Alert – SpeakUp Malware Infecting Linux Devices
March 11, 2019
Rewterz Threat Alert – Two Malspam Campaigns Detected
March 12, 2019
Severity
Medium
Analysis Summary
Discovered in January 2019, this ransomware is seen affecting Windows in multiple attacks. Ransom.Pots is a Trojan horse that encrypts files on the compromised computer and demands a payment to decrypt them. It appends its extensions after the encrypted file names and leaves a ransom note with instructions to be followed for the decryption procedure.
When the Trojan is executed, it creates the following files:
- %AppData%\[GUID]\1.exe
- %AppData%\[GUID]\2.exe
- %AppData%\[GUID]\3.exe
- %AppData%\[GUID]\updatewin.exe
- %AppData%\script.ps1
The Trojan also creates the following file in all folders where it encrypts files:
- [PATH TO MALWARE]\_openme.txt
The Trojan creates the following registry entry so that it runs every time Windows starts:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”SysHelper” = “”%AppData%\c76335f4-3ef1-46c4-a9e2-49f4d190a4f3\[MALWARE NAME]” –AutoStart”
The Trojan also creates the following registry entries:
- HKEY_LOCAL_MACHINE\software\Policies\Microsoft\Windows Defender\”DisableAntiSpyware” = “1”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\”DisableTaskMgr” = “1”
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\”ExecutionPolicy” = “RemoteSigned”
Next, the Trojan executes the following file to disable Windows Defender’s real-time monitoring:
- %AppData%\script.ps1
The Trojan also executes the following file to modify the hosts file:
- %AppData%\[GUID]\2.exe
Indicators of compromise are given below.
Impact
Pots Ransomware
Files Encryption
Indicators of Compromise
| IP(s) / Hostname(s) | 127[.]0[.]0[.]1 bana911[.]ru morgem[.]ru |
| URLs | bana911[.]ru grovyroet[.]online hxxp[:]//bana911[.]ru/004/get[.]php?pid=6D27C36D808D643FFA69ACAEFF8AD4B1 hxxp[:]//bana911[.]ru/004/get[.]php?pid=8585BA8504C2EBE0D147EFFF1E60C5C7 hxxp[:]//bana911[.]ru/1[.]exe hxxp[:]//bana911[.]ru/2[.]exe hxxp[:]//bana911[.]ru/666666/get[.]php?pid=2485E9F082250E269EA0EF635E0D382D hxxp[:]//bana911[.]ru/6666662323232/get[.]php?pid=2E0A56D692DB85ABBAFDB89C7340910A hxxp[:]//bana911[.]ru/66666623232329988/get[.]php hxxp[:]//bana911[.]ru/66666623232329988/get[.]php?pid=854A7AB3FE26B183822D6FDA75462A8C hxxp[:]//bana911[.]ru/xxx233232/updatedwin[.]exe hxxp[:]//bana911[.]ru/xxx233232/updatewin[.]exe hxxp[:]//grovyroet[.]online/66666623232329988399/get[.]php hxxp[:]//grovyroet[.]online/66666623232329988399/get[.]php?pid=46662869E203E1189EE9E31C6EDF75B7 hxxp[:]//grovyroet[.]online/66666623232329988399/get[.]php?pid=753292965DBD0DCF5668ACA7E107EEB9 hxxp[:]//grovyroet[.]online/66666623232329988399/get[.]php?pid=9A952F08347B2468D7D2AB96FD55E680 hxxp[:]//grovyroet[.]online/66666623232329988399/get[.]php?pid=CFB9E1D13F3511F732BB484410812F00 hxxp[:]//grovyroet[.]online/xxx/2[.]exe hxxp[:]//morgem[.]ru/cgi-sys/suspendedpage[.]cgi hxxp[:]//morgem[.]ru/cgi-sys/suspendedpage[.]cgi?pid=%5Bmachine_id%5D hxxp[:]//morgem[.]ru/cgi-sys/suspendedpage[.]cgi?pid=C338CC1F2EED1FBC1FA98988C16CD4BE hxxp[:]//morgem[.]ru/test/get[.]php?pid=BA6B0E094A69F421C5A8CA214C57FA05 hxxp[:]//morgem[.]ru/test2/get[.]php?pid=6C607A125012B48A10CA4C9FBCDA0EF6 hxxp[:]//morgem[.]ru/xxx/2[.]exe hxxp[:]//morgem[.]ru/xxx/3[.]exe hxxp[:]//morgem[.]ru/xxx/39[.]exe hxxp[:]//morgem[.]ru/xxx/updatewin[.]exe hxxp[:]//mx[.]rosalos[.]ug//asdsfsghtyuAssdffgASdYDIUysiySdtfyewy73465o7yafihduaouirty7old/ hxxp[:]//mx[.]rosalos[.]ug//kuaofkzmdjhfqeoruSDIhfvbSdew66sdjfvsjHweuywoafhdjSdhfbuntuold/ hxxp[:]//rosalos[.]ug/kuSidwkKSdjnVjdnYDfSDfCJSDoiSDfpkSfFUISDASdJSHdubuntuold/get[.]php?pid=8191A331D30AB3860E4E30ACD8643907 hxxp[:]//rosalos[.]ug/trtasdgvgpoidfg87gs7df754ad4asdxzffdfasdfreer/update[.]exe hxxp[:]//rosalos[.]ug/YTtyusdftsGHJBVxcvxcvRT98789old/get[.]php?pid=4EB8EBDDCA3D4FC9135AEBD602FB7A00 rosalos[.]ug |
| Filename | 0A80000.ex dump-2228224.mem 315e6ed36fd5953de34b5486f92c5eb135ac32c06789971be3a21a61fce7dc7f.bin 44DE.TMP.EXE 1.exe updatewin.exe 2.exe Copy of _00920000.mem9 |
| Extension | .djvu .rumba .tfudet .tro |
| Malware Hash (MD5/SHA1/SH256) | 24e781ea90b71c782164d998006a050d88e6dc040b30b34ad6229f7a51f4c7eb a78ccb4babd8f76e17366e0c34c9cc9d 2bae2122ae0e4b3f61132ad93d109f6a17171fc0b82286d23d1103cc115ecc81 9840be8b3721f996afcaf27c76120e4e 315e6ed36fd5953de34b5486f92c5eb135ac32c06789971be3a21a61fce7dc7f 7aa8eb034a46d81d86f7abd6342b0923 48586462fb24005bcf8139ac2a8af0873b9bb99cb544fccaa24ac124c099beb9 734210184c461f58f6983644b1cb0c87 4f6d6e3f4e722f276ba448373ca4012e2436e3fdc38b5eb6edf453b6abec662b 2479673beacb567ed2a8885d435de40e 6966599b3a7786f81a960f012d540866ada63a1fef5be6d775946a47f6983cb7 dcb9cb3abc689f8c0eb39af6429c1c2f 6b9d282c01a5b20bea3183bf71ff8d2f97f0f7313ba57ce833a7b0418cf519c3 a72199bf14763fff60dd2b50e3d9a081 74949570d849338b3476ab699af78d89a5afa94c4529596cc0f68e4675a53c37 44fbfadb6a088da850f521dd8b783344 91a1122ed7497815e96fdbb70ea31b381b5243e2b7d81750bf6f6c5ca12d3cee 4009ee32ad44697619cee80616220782 b22a4ee6962714dad7adda4f93d1281185c1e2c8eabb1ba09725cb4cdedc550a 31977515894aad33f8e07f7d7fbf3cf7 |
Affected Products
Windows
Remediation
Block the threat indicators at their respective controls.