MVISION Insights: The Bazar ransomware story continues
Technical Articles ID: KB95229
Last Modified: 1/25/2022
Environment
IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by MVISION Insights technology. The content is intended for use by MVISION Insights users, but is provided for general knowledge to all customers. Contact us for more information about MVISION Insights.
Summary
Detects the malicious file locker.bat.
How to use this article:
- If a Threat Hunting table has been created, use the rules it contains to search for malware related to this campaign.
- Review the product detection table and confirm that your environment is at least on the specified content version. To download the latest content versions, go to the Security Updates page.
- Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
- Review KB91836 - Countermeasures for entry vector threats.
- Review KB87843 - Dynamic Application Containment rules and best practices.
- Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.
Threat Hunting:
YARA rule mal_host2_143:
    rule mal_host2_143 {
        meta:
            description = "mal - file 143.dll"
            author = "TheDFIRReport"
            date = "2021-11-29"
            hash1 = "6f844a6e903aa8e305e88ac0f60328c184f71a4bfbe93124981d6a4308b14610"
        strings:
            $x1 = "object is remotepacer: H_m_prev=reflect mismatchremote I/O errorruntime: g: g=runtime: addr = runtime: base = runtime: gp: gp=" ascii
            $x2 = "slice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to palloc" ascii
            $x3 = " to unallocated spanCertOpenSystemStoreWCreateProcessAsUserWCryptAcquireContextWGetAcceptExSockaddrsGetCurrentDirectoryWGetFileA" ascii
            $x4 = "Go pointer stored into non-Go memoryUnable to determine system directoryaccessing a corrupted shared libraryruntime: VirtualQuer" ascii
            $x5 = "GetAddrInfoWGetLastErrorGetLengthSidGetStdHandleGetTempPathWLoadLibraryWReadConsoleWSetEndOfFileTransmitFileabi mismatchadvapi32" ascii
            $x6 = "lock: lock countslice bounds out of rangesocket type not supportedstartm: p has runnable gsstoplockedm: not runnableunexpected f" ascii
            $x7 = "unknown pcws2_32.dll of size (targetpc= KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status mallocing= ms clock" ascii
            $x8 = "file descriptor in bad statefindrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negativ" ascii
            $x9 = ".lib section in a.out corruptedbad write barrier buffer boundscall from within the Go runtimecannot assign requested addresscasg" ascii
            $x10 = "Ptrmask.lockentersyscallblockexec format errorg already scannedglobalAlloc.mutexlocked m0 woke upmark - bad statusmarkBits overf" ascii
            $x11 = "entersyscallgcBitsArenasgcpacertracehost is downillegal seekinvalid slotiphlpapi.dllkernel32.dlllfstack.pushmadvdontneedmheapSpe" ascii
            $x12 = "ollectionidentifier removedindex out of rangeinput/output errormultihop attemptedno child processesno locks availableoperation c" ascii
            $s13 = "y failed; errno=runtime: bad notifyList size - sync=runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierrunt" ascii
            $s14 = "ddetailsecur32.dllshell32.dlltracealloc(unreachableuserenv.dll KiB total, [recovered] allocCount found at *( gcscandone m->gs" ascii
            $s15 = ".dllbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapend tracegc" fullword ascii
            $s16 = "ked to threadCommandLineToArgvWCreateFileMappingWGetExitCodeProcessGetFileAttributesWLookupAccountNameWRFS specific errorSetFile" ascii
            $s17 = "mstartbad sequence numberdevice not a streamdirectory not emptydisk quota exceededdodeltimer: wrong Pfile already closedfile alr" ascii
            $s18 = "structure needs cleaning bytes failed with errno= to unused region of spanGODEBUG: can not enable \"GetQueuedCompletionStatus_cg" ascii
            $s19 = "garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m->lockedInt = left over mar" ascii
            $s20 = "tProcessIdGetSystemDirectoryWGetTokenInformationWaitForSingleObjectadjusttimers: bad pbad file descriptorbad notifyList sizebad " ascii
        condition:
            uint16(0) == 0x5a4d and filesize < 4000KB and 1 of ($x*) and all of them
    }
YARA rule mal_host1_D8B3:
    rule mal_host1_D8B3 {
        meta:
            description = "mal - file D8B3.dll"
            author = "TheDFIRReport"
            date = "2021-11-29"
            hash1 = "4a49cf7539f9fd5cc066dc493bf16598a38a75f7b656224db1ddd33005ad76f6"
        strings:
            $x1 = "object is remotepacer: H_m_prev=reflect mismatchremote I/O errorruntime: g: g=runtime: addr = runtime: base = runtime: gp: gp=" ascii
            $x2 = "slice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to palloc" ascii
            $x3 = " to unallocated spanCertOpenSystemStoreWCreateProcessAsUserWCryptAcquireContextWGetAcceptExSockaddrsGetCurrentDirectoryWGetFileA" ascii
            $x4 = "Go pointer stored into non-Go memoryUnable to determine system directoryaccessing a corrupted shared libraryruntime: VirtualQuer" ascii
            $x5 = "GetAddrInfoWGetLastErrorGetLengthSidGetStdHandleGetTempPathWLoadLibraryWReadConsoleWSetEndOfFileTransmitFileabi mismatchadvapi32" ascii
            $x6 = "lock: lock countslice bounds out of rangesocket type not supportedstartm: p has runnable gsstoplockedm: not runnableunexpected f" ascii
            $x7 = "unknown pcws2_32.dll of size (targetpc= KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status mallocing= ms clock" ascii
            $x8 = "file descriptor in bad statefindrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negativ" ascii
            $x9 = ".lib section in a.out corruptedbad write barrier buffer boundscall from within the Go runtimecannot assign requested addresscasg" ascii
            $x10 = "Ptrmask.lockentersyscallblockexec format errorg already scannedglobalAlloc.mutexlocked m0 woke upmark - bad statusmarkBits overf" ascii
            $x11 = "entersyscallgcBitsArenasgcpacertracehost is downillegal seekinvalid slotiphlpapi.dllkernel32.dlllfstack.pushmadvdontneedmheapSpe" ascii
            $x12 = "ollectionidentifier removedindex out of rangeinput/output errormultihop attemptedno child processesno locks availableoperation c" ascii
            $s13 = "y failed; errno=runtime: bad notifyList size - sync=runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierrunt" ascii
            $s14 = "ddetailsecur32.dllshell32.dlltracealloc(unreachableuserenv.dll KiB total, [recovered] allocCount found at *( gcscandone m->gs" ascii
            $s15 = ".dllbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapend tracegc" fullword ascii
            $s16 = "ked to threadCommandLineToArgvWCreateFileMappingWGetExitCodeProcessGetFileAttributesWLookupAccountNameWRFS specific errorSetFile" ascii
            $s17 = "mstartbad sequence numberdevice not a streamdirectory not emptydisk quota exceededdodeltimer: wrong Pfile already closedfile alr" ascii
            $s18 = "structure needs cleaning bytes failed with errno= to unused region of spanGODEBUG: can not enable \"GetQueuedCompletionStatus_cg" ascii
            $s19 = "garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m->lockedInt = left over mar" ascii
            $s20 = "tProcessIdGetSystemDirectoryWGetTokenInformationWaitForSingleObjectadjusttimers: bad pbad file descriptorbad notifyList sizebad " ascii
        condition:
            uint16(0) == 0x5a4d and filesize < 4000KB and 1 of ($x*) and all of them
    }
YARA rule mal_host2_AnyDesk (several string definitions were lost on extraction and are kept here as they appear):
    rule mal_host2_AnyDesk {
        meta:
            description = "mal - file AnyDesk.exe"
            author = "TheDFIRReport"
            date = "2021-11-29"
            hash1 = "8f09c538fc587b882eecd9cfb869c363581c2c646d8c32a2f7c1ff3763dcb4e7"
        strings:
            $x1 = " $s3 = "
            $s5 = "4http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O" fullword ascii
            $s6 = "(Symantec SHA256 TimeStamping Signer - G3" fullword ascii
            $s7 = "(Symantec SHA256 TimeStamping Signer - G30" fullword ascii
            $s8 = "http://ocsp.digicert.com0N" fullword ascii
            $s9 = "http://www.digicert.com/CPS0" fullword ascii
            $s10 = "Bhttp://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0" fullword ascii
            $s11 = " $s12 = "/http://crl3.digicert.com/sha2-assured-cs-g1.crl05" fullword ascii
            $s13 = "/http://crl4.digicert.com/sha2-assured-cs-g1.crl0L" fullword ascii
            $s14 = "%jgmRhZl%" fullword ascii
            $s15 = "5ZW:\"Wfh" fullword ascii
            $s16 = "5HRe:\\" fullword ascii
            $s17 = "ysN.JTf" fullword ascii
            $s18 = "Z72.irZ" fullword ascii
            $s19 = "Ve:\\-Sj7" fullword ascii
            $s20 = "ekX.cFm" fullword ascii
        condition:
            uint16(0) == 0x5a4d and filesize < 11000KB and 1 of ($x*) and 4 of them
    }
YARA rule ProcessHacker:
    rule ProcessHacker {
        meta:
            description = "mal - file ProcessHacker.exe"
            author = "TheDFIRReport"
            date = "2021-11-29"
            hash1 = "d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f"
        strings:
            $x1 = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" fullword wide
            $x2 = "D:\\Projects\\processhacker2\\bin\\Release32\\ProcessHacker.pdb" fullword ascii
            $x3 = "ProcessHacker.exe" fullword wide
            $x4 = "kprocesshacker.sys" fullword wide
            $x5 = "ntdll.dll!NtDelayExecution" fullword wide
            $x6 = "ntdll.dll!ZwDelayExecution" fullword wide
            $s7 = "PhInjectDllProcess" fullword ascii
            $s8 = "_PhUiInjectDllProcess@8" fullword ascii
            $s9 = "logonui.exe" fullword wide
            $s10 = "Executable files (*.exe;*.dll;*.ocx;*.sys;*.scr;*.cpl)" fullword wide
            $s11 = "\\x86\\ProcessHacker.exe" fullword wide
            $s12 = "user32.dll!NtUserGetMessage" fullword wide
            $s13 = "ntdll.dll!NtWaitForKeyedEvent" fullword wide
            $s14 = "ntdll.dll!ZwWaitForKeyedEvent" fullword wide
            $s15 = "ntdll.dll!NtReleaseKeyedEvent" fullword wide
            $s16 = "ntdll.dll!ZwReleaseKeyedEvent" fullword wide
            $s17 = "\\kprocesshacker.sys" fullword wide
            $s18 = "\\SystemRoot\\system32\\drivers\\ntfs.sys" fullword wide
            $s19 = "_PhExecuteRunAsCommand2@36" fullword ascii
            $s20 = "_PhShellExecuteUserString@20" fullword ascii
        condition:
            uint16(0) == 0x5a4d and filesize < 4000KB and 1 of ($x*) and 4 of them
    }
YARA rule unlocker (two string definitions were lost on extraction and are kept here as they appear):
    rule unlocker {
        meta:
            description = "mal - file unlocker.exe"
            author = "TheDFIRReport"
            date = "2021-11-29"
            hash1 = "09d7fcbf95e66b242ff5d7bc76e4d2c912462c8c344cb2b90070a38d27aaef53"
        strings:
            $s1 = "For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline" fullword wide
            $s2 = "(Symantec SHA256 TimeStamping Signer - G20" fullword ascii
            $s3 = " $s4 = "(Symantec SHA256 TimeStamping Signer - G2" fullword ascii
            $s5 = "Causes Setup to create a log file in the user's TEMP directory." fullword wide
            $s6 = "Prevents the user from cancelling during the installation process." fullword wide
            $s7 = "Same as /LOG, except it allows you to specify a fixed path/filename to use for the log file." fullword wide
            $s8 = " $s9 = "The Setup program accepts optional command line parameters." fullword wide
            $s10 = "Instructs Setup to load the settings from the specified file after having checked the command line." fullword wide
            $s11 = "Overrides the default component settings." fullword wide
            $s12 = "/MERGETASKS=\"comma separated list of task names\"" fullword wide
            $s13 = "/PASSWORD=password" fullword wide
            $s14 = "Specifies the password to use." fullword wide
            $s15 = "yyyyvvvvvvvvvxxw" fullword ascii
            $s16 = "yyyyyyrrrsy" fullword ascii
            $s17 = " processorArchitecture=\"x86\"" fullword ascii
            $s18 = " processorArchitecture=\"x86\"" fullword ascii
            $s19 = "Prevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requ" wide
            $s20 = "/DIR=\"x:\\dirname\"" fullword wide
        condition:
            uint16(0) == 0x5a4d and filesize < 7000KB and 8 of them
    }
YARA rule mal_host2_locker:
    rule mal_host2_locker {
        meta:
            description = "mal - file locker.bat"
            author = "TheDFIRReport"
            date = "2021-11-29"
            hash1 = "1edfae602f195d53b63707fe117e9c47e1925722533be43909a5d594e1ef63d3"
        strings:
            $x1 = "_locker.exe -m -net -size 10 -nomutex -p" ascii
        condition:
            uint16(0) == 0x7473 and filesize < 8KB and $x1
    }
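Every rule above gates on a header check (uint16(0) == 0x5a4d for the PE files, uint16(0) == 0x7473 for locker.bat), a filesize bound and a set of string hits. The following is an added example, not part of this KB article and not code from The DFIR Report: a small pure-Python evaluator that reproduces those three clauses for the mal_host2_locker rule, so the semantics can be checked without yara-python. It relies only on the standard library; the rule table is a transcription of the page's rule, and the sample files are constructed in memory.

```python
import struct

KB = 1024  # YARA's size suffix: "filesize < 8KB" means fewer than 8 * 1024 bytes


def yara_uint16(data, offset=0):
    """Mimic YARA's uint16(offset): two bytes read little-endian; None if out of range."""
    if len(data) < offset + 2:
        return None
    return struct.unpack_from("<H", data, offset)[0]


def magic_bytes(value):
    """The two leading bytes a `uint16(0) == value` condition actually requires."""
    return struct.pack("<H", value)


# Transcription of the page's mal_host2_locker rule into a rule table. The
# x_strings / s_strings split mirrors YARA's "$x*" and "them" selectors; the
# other rules on the page have the same shape with more strings.
LOCKER_RULE = {
    "name": "mal_host2_locker",
    "magic": 0x7473,            # little-endian 0x7473 is the byte pair b"st"
    "max_size": 8 * KB,         # filesize < 8KB
    "x_strings": [b"_locker.exe -m -net -size 10 -nomutex -p"],
    "s_strings": [],
    "min_x": 1,                 # the rule's condition requires $x1
    "min_total": 1,
}


def evaluate(rule, data):
    """Return True when data satisfies the rule's header, size and string conditions."""
    if yara_uint16(data, 0) != rule["magic"]:
        return False
    if len(data) >= rule["max_size"]:
        return False
    x_hits = sum(1 for s in rule["x_strings"] if s in data)
    total = x_hits + sum(1 for s in rule["s_strings"] if s in data)
    return x_hits >= rule["min_x"] and total >= rule["min_total"]


# Constructed in-memory samples (not real artefacts), one per clause of the
# condition: only "locker.bat" satisfies all three.
_IOC = b"_locker.exe -m -net -size 10 -nomutex -p"
SAMPLES = {
    "locker.bat": b"start " + _IOC + b"\r\n",           # "st" header, small, string present
    "benign.bat": b"start notepad.exe\r\n",             # header and size fine, string absent
    "wrong_order.bat": b"ts" + _IOC,                    # bytes swapped: uint16(0) is 0x7374
    "too_big.bat": b"st" + _IOC + b"\x00" * (8 * KB),   # string present but filesize >= 8KB
}


def scan(samples, rule):
    """Names of the samples that match the rule, sorted for stable output."""
    return sorted(name for name, data in samples.items() if evaluate(rule, data))


if __name__ == "__main__":
    print("uint16(0) == 0x5a4d requires leading bytes", magic_bytes(0x5a4d))  # b'MZ'
    print("uint16(0) == 0x7473 requires leading bytes", magic_bytes(0x7473))  # b'st'
    print("matches:", scan(SAMPLES, LOCKER_RULE))  # ['locker.bat']
```

The point worth internalising is the byte order: YARA's uint16 is little-endian, so 0x5a4d is the "MZ" signature of a PE file and 0x7473 is the text "st" at the start of the batch script. A rule transcribed into another tool with big-endian reads would silently never match.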
This Knowledge Base article discusses a specific threat that is being tracked. The list of IOCs will change over time; check MVISION Insights for the latest IOCs.
Campaign IOC
Type | Value |
SHA256 | 6F844A6E903AA8E305E88AC0F60328C184F71A4BFBE93124981D6A4308B14610 |
SHA256 | 14BCCFECAAEC8353E3E8F090EC1D3E9C87EB8CEB2A7ABEDFC47C3C980DA8AD71 |
SHA256 | FB38061BF601001C45AAFE8D0C5FEAA22C607D2FF79CFB841788519CA55A17B4 |
DOMAIN | millscruelg.com |
DOMAIN | volga.azureedge.net |
DOMAIN | five.azureedge.net |
DOMAIN | checkauj.com |
URL | checkauj.com/jquery-3.3.1.min.js |
URL | checkauj.com |
IP-DST | 64.227.65.60 |
IP-DST | 161.35.147.110 |
IP-DST | 161.35.155.92 |
IP-DST | 64.227.69.92 |
IP-DST | 82.117.252.143 |
Minimum Content Versions:
Content Type | Version |
V2 DAT (VirusScan Enterprise) | 10187 |
V3 DAT (Endpoint Security) | 4639 |
Detection Summary
IOC | Scanner | Detection |
6F844A6E903AA8E305E88AC0F60328C184F71A4BFBE93124981D6A4308B14610 | AVEngine V2 | Trojan-downloader.ac |
6F844A6E903AA8E305E88AC0F60328C184F71A4BFBE93124981D6A4308B14610 | AVEngine V3 | Trojan-downloader.ac |
6F844A6E903AA8E305E88AC0F60328C184F71A4BFBE93124981D6A4308B14610 | JTI (ATP Rules) | JTI/Suspect.393538 |
6F844A6E903AA8E305E88AC0F60328C184F71A4BFBE93124981D6A4308B14610 | RP Static | - |
6F844A6E903AA8E305E88AC0F60328C184F71A4BFBE93124981D6A4308B14610 | RP Dynamic | - |
14BCCFECAAEC8353E3E8F090EC1D3E9C87EB8CEB2A7ABEDFC47C3C980DA8AD71 | AVEngine V2 | XML/Trickbot.a |
14BCCFECAAEC8353E3E8F090EC1D3E9C87EB8CEB2A7ABEDFC47C3C980DA8AD71 | AVEngine V3 | XML/Trickbot.a |
14BCCFECAAEC8353E3E8F090EC1D3E9C87EB8CEB2A7ABEDFC47C3C980DA8AD71 | JTI (ATP Rules) | JTI/Suspect.393538 |
14BCCFECAAEC8353E3E8F090EC1D3E9C87EB8CEB2A7ABEDFC47C3C980DA8AD71 | RP Static | - |
14BCCFECAAEC8353E3E8F090EC1D3E9C87EB8CEB2A7ABEDFC47C3C980DA8AD71 | RP Dynamic | - |
FB38061BF601001C45AAFE8D0C5FEAA22C607D2FF79CFB841788519CA55A17B4 | AVEngine V2 | HTML/Downloader.bg |
FB38061BF601001C45AAFE8D0C5FEAA22C607D2FF79CFB841788519CA55A17B4 | AVEngine V3 | HTML/Downloader.bg |
FB38061BF601001C45AAFE8D0C5FEAA22C607D2FF79CFB841788519CA55A17B4 | JTI (ATP Rules) | - |
FB38061BF601001C45AAFE8D0C5FEAA22C607D2FF79CFB841788519CA55A17B4 | RP Static | - |
FB38061BF601001C45AAFE8D0C5FEAA22C607D2FF79CFB841788519CA55A17B4 | RP Dynamic | - |
Minimum set of Manual Rules to improve protection to block this campaign
IMPORTANT: Always follow best practices when you enable new rules and signatures.
When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.
For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.
Endpoint Security - Advanced Threat Protection:
Rule ID: 322 Prevent mshta from being launched by any process for all rule group assignments
Rule ID: 301 Blocks cmd.exe from being spawned by office applications
Endpoint Security - Exploit Prevention:
Rule ID: 6107 MS Word trying to execute unwanted programs
Host Intrusion Prevention:
Rule ID: 6107 MS Word trying to execute unwanted programs
Aggressive set of Manual Rules to improve protection to block this campaign
IMPORTANT: Always follow best practices when you enable new rules and signatures.
When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.
For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.
Endpoint Security - Access Protection Custom Rules:
Rule: 1
Executables (Include):
winword.exe
Subrules:
Subrule Type: Files
Operations:
create
Targets (Include):
?:\users\public\*.hta
VirusScan Enterprise - Access Protection Custom Rules:
Rule: 1
Rule Type: File
Process to include: winword.exe
File or folder name to block: *\users\public\*.hta
File actions to prevent: Create
Host Intrusion Prevention:
Rule ID: 6010 Generic Application Hooking Protection
Rule ID: 1148 CMD Tool Access by a Network Aware Application
Rule ID: 6011 Generic Application Invocation Protection