
The image below illustrates the domain name with which the malware tries to communicate.

Figure 9: Domain with which the Malware is Communicating

The following Wireshark capture depicts the post-infection communication between the victim machine and the C2 server.

Figure 8: Communication Traffic Between the Malware and the C2 Server
Here are the evasion techniques used by the malicious dropped files:

- Using a PowerShell script, the malware disables Windows Defender functionality such as real-time protection.
- The malware also prevents users from requesting security assistance from various security providers' websites by modifying the victim's Windows hosts file.
- The malware then creates a scheduled task called "Time Trigger Task" that regularly encrypts newly added files.

Once the encryption process is complete, the malware calls the C2 server with a unique ID derived from the victim's MAC address. As shown in the image below, the C2 server then responds with a personal ID.

Figure 7: Personal ID of the Victim Machine Generated by the C2 Server
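As an added defender-side example (not code from the Cyble analysis), the following Python triage helper checks a host for the indicators described above: security-vendor hostnames sinkholed in the hosts file, the "Time Trigger Task" scheduled task, files carrying the ".QSCX" extension, and Defender real-time protection being off. The hosts-file text, task names and file paths are constructed sample inputs; on a live Windows host they would come from C:\Windows\System32\drivers\etc\hosts, Get-ScheduledTask and a directory walk.

```python
# Indicators from the analysis above; every sample input below is constructed
# for this example and is not data from a real victim machine.
ENCRYPTED_EXT = ".qscx"
TASK_NAME = "time trigger task"
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

def hosts_sinkholes(hosts_text: str) -> list[str]:
    """Hostnames mapped to a loopback/null address, ignoring the stock
    localhost lines. DJVU adds such lines to block security-vendor sites."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        if addr in SINKHOLE_ADDRS:
            found.extend(n.lower() for n in names if n.lower() not in STOCK_NAMES)
    return found

def encrypted_files(paths: list[str]) -> list[str]:
    """Paths carrying the .QSCX extension this sample appends after encryption."""
    return [p for p in paths if p.lower().endswith(ENCRYPTED_EXT)]

def triage(hosts_text: str, task_names: list[str], paths: list[str],
           realtime_protection_on: bool) -> dict:
    """Combine the indicators; two or more hits is reported as likely infection."""
    findings = {
        "sinkholed_hosts": hosts_sinkholes(hosts_text),
        "time_trigger_task": any(t.strip().lower() == TASK_NAME for t in task_names),
        "encrypted_files": encrypted_files(paths),
        "defender_realtime_disabled": not realtime_protection_on,
    }
    findings["likely_infected"] = sum(bool(v) for v in findings.values()) >= 2
    return findings

# Constructed sample inputs resembling a post-infection host.
HOSTS_SAMPLE = """# constructed hosts file
127.0.0.1 localhost
::1       localhost
0.0.0.0   av-vendor.example      # entry added by the malware
127.0.0.1 security-help.example
"""
TASKS_SAMPLE = ["Microsoft\\Windows\\Time Synchronization", "Time Trigger Task"]
PATHS_SAMPLE = [r"C:\Users\victim\Documents\report.docx.QSCX",
                r"C:\Users\victim\Pictures\holiday.jpg"]
```

Calling `triage(HOSTS_SAMPLE, TASKS_SAMPLE, PATHS_SAMPLE, realtime_protection_on=False)` on the constructed inputs reports all four indicators and `likely_infected` as True.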
The screenshot below shows the API list, along with the anti-debugging APIs.

Figure 3: Windows API List Used in the Malware

The malware payload uses customized AES or RSA encryption algorithms to encrypt files and appends various extensions. In most cases, victims can instantly identify a DJVU infection because the encrypted files are given an extension that identifies the virus. The image below shows that, for the sample we analysed, encrypted files are appended with the extension ".QSCX".

Figure 4: Encrypted Files in the Victim Machine

Once the malware enters the victim machine, it performs an infection sequence in several steps: modifying system files, changing Windows registry entries, and deleting shadow volume copies to prevent file recovery. Next, the parent executable is installed into LocalAppData and downloads several child files: updatewin1.exe, updatewin2.exe, and 1.exe. The image below shows the process by which the malware tries to download and execute the malicious payload files.

The image below shows the ransomware trying to download multiple stagers from various URLs.

Figure 6: Malware Downloading Stagers from Various URLs

Payload download URL: "hxxp://asvb.top/files/penelop/updatewin2exe"


The malware has been developed in C/C++, and its static information is shown in Figure 1.

Figure 1: Static Information of the Sample

The .text section of the malware sample has a high entropy value, indicating that it is packed or encrypted.

The screenshot below shows a schematic representation of the malware's processes (process tree).

Figure 2: Output of the Malware Process Tree
In the course of our routine darkweb monitoring, the Cyble research team discovered a new variant of the DJVU malware, which belongs to the STOP ransomware family. This new variant has become one of the most widespread file-encrypting viruses of 2021.

DJVU was first identified in December 2018. In addition to attacks in the United States, most of its victims are in Europe, Asia, South America, and Africa. The DJVU malware uses the Advanced Encryption Standard (AES) or RSA cryptographic algorithms to encrypt files on the victim machine.

We have identified that the malware enters users' systems when they download and execute malicious files, obtained from torrents, that masquerade as software cracks or keygens allowing paid software to be used for free. The Cyble research team found a sample of the DJVU malware and performed the technical analysis below.
