Fake DocuSign Download Page Leads to Hentai Onichan Ransomware

by Security Research & Analysis

We recently received samples that we suspected were "phishy" in nature, but analyzing the email attachment exposed a far more severe threat.

Figure 1.0 Email sample

The emails carried a ZIP attachment containing an HTML file designed to look like an invoice signed through DocuSign, a well-known service that lets organizations manage electronic agreements securely. Unfortunately, because it is so widely used, DocuSign is a frequent theme in phishing and targeted malware campaigns.

Figure 1.1 DocuSign themed invoice for review

Viewing the source of the HTML page reveals that it saves a file named "ProformaInvoice.zip" to disk, mimicking a normal file download. The archive is produced by the page's own script rather than fetched from a server, so a proxy or gateway that inspects downloads never sees the second stage cross the network.

Figure 2. Excerpt of the script code found in the phishing HTML
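As an added illustration of the technique (example code written for this page, not the script shown in Figure 2), the following Python pulls the dropped file name and the embedded payload out of a smuggling page without a browser. The HTML and the fake archive bytes in it are constructed; it assumes the common pattern of a base64 literal decoded with atob(), wrapped in a Blob and saved through a synthetic download link, which may differ from what payment.html actually does.

```python
import base64
import re
from typing import Dict, Optional

# Constructed stand-in for the archive the page writes: only the "PK\x03\x04"
# local-file-header magic plus filler, so the type check has something to see.
FAKE_ZIP = b"PK\x03\x04" + bytes(26) + b"constructed placeholder, not an archive"

# Constructed HTML illustrating the usual "HTML smuggling" pattern: the payload is
# base64 inside the page, decoded by script, wrapped in a Blob and saved through a
# synthetic download link. The real payment.html script is only shown in Figure 2.
SAMPLE_HTML = """<html><body>
<p>Your DocuSign invoice is ready for review.</p>
<script>
  var data = atob('__B64__');
  var bytes = new Uint8Array(data.length);
  for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);
  var blob = new Blob([bytes], {type: 'application/octet-stream'});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'ProformaInvoice.zip';
  document.body.appendChild(a);
  a.click();
</script></body></html>""".replace("__B64__", base64.b64encode(FAKE_ZIP).decode("ascii"))

# Script features that, taken together, distinguish smuggling from a plain download link.
SMUGGLING_MARKERS = ("atob(", "new Blob(", "createObjectURL(", ".download", "msSaveOrOpenBlob(")

# Magic bytes used to label whatever was smuggled.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "exe", b"%PDF": "pdf"}


def classify(payload: bytes) -> str:
    """Label the decoded payload by its leading magic bytes."""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return "unknown"


def extract_smuggled_payload(html: str) -> Optional[Dict[str, object]]:
    """Statically pull the dropped file name and the decoded payload out of a page.

    Returns None when no base64 literal is fed to atob(); otherwise a dict with the
    markers seen, the download file name (if any), the decoded bytes and their type.
    """
    markers = [m for m in SMUGGLING_MARKERS if m in html]
    b64_literals = re.findall(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", html)
    if not b64_literals:
        return None
    # Both the `a.download = '...'` and the `<a download="...">` forms land here.
    name_match = re.search(r"download\s*=\s*['\"]([^'\"]+)['\"]", html)
    payload = base64.b64decode(b64_literals[0])
    return {
        "filename": name_match.group(1) if name_match else None,
        "markers": markers,
        "payload": payload,
        "kind": classify(payload),
    }


if __name__ == "__main__":
    result = extract_smuggled_payload(SAMPLE_HTML)
    print(result["filename"], result["kind"], len(result["payload"]), result["markers"])
```

The same scan can be pointed at any HTML attachment from mail quarantine; a page that ships a base64 literal into atob() and then sets a download name is worth detonating even when no URL in it is flagged.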

The zip archive contains 3 files:

  • AdobeSign.pdf
  • Alternative_View.OnlineWeb_;.lnk
  • ClientSignatureNote.vbs

Clicking Alternative_View.OnlineWeb_;.lnk executes ClientSignatureNote.vbs. AdobeSign.pdf is not actually a PDF but an encrypted file, which ClientSignatureNote.vbs decrypts. A quick look at its contents suggested that it was encrypted with XOR using a single-byte key: the file ends in a long run of the byte 0x63, which is what zero padding looks like once it has been XORed with a key of 0x63.

Figure 3. AdobeSign.PDF with trailing “0x63” bytes

To confirm that the "PDF" was indeed XOR-encrypted, we needed to analyze the VBS file. The file was padded with the text of the Creative Commons Attribution-ShareAlike 4.0 International license as line comments, with the actual VBS code interleaved between them. Cleaning the comments out left only six lines of code. The variable "DocuSign" holds a ";"-delimited list of numbers, which is decoded by a simple algorithm: add six to each value and convert the result to the corresponding character code. The first entry, 73, becomes 79 (0x4F), the character "O". The decoded characters are concatenated into a new VBS script that is run with the "Execute" function.

Figure 4.1. Excerpt of the VBS code with license as line comments

Figure 4.2. VBS code without line comments
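The decoding scheme described above, as an added example (not the loader's own code): it strips the license comment lines, finds the "DocuSign" assignment and reverses the add-six mapping. The padded loader and the hidden script are constructed for the example; assuming the hidden script begins with the common VBScript line "On Error Resume Next" reproduces the first value 73 that the analysis reports.

```python
from typing import List, Tuple

OFFSET = 6  # the loader adds six to every number before turning it into a character


def strip_vbs_comments(source: str) -> List[str]:
    """Drop VBScript comment lines (leading ' or Rem) and blanks, keeping the real code."""
    code = []
    for line in source.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("'") or stripped.lower().startswith("rem "):
            continue
        code.append(stripped)
    return code


def vbs_decode(blob: str, offset: int = OFFSET) -> str:
    """Reverse the loader's scheme: split on ';', add the offset, map to a character."""
    chars = []
    for token in blob.split(";"):
        token = token.strip()
        if token:  # tolerate a trailing ';' or empty entries
            chars.append(chr(int(token) + offset))
    return "".join(chars)


def vbs_encode(text: str, offset: int = OFFSET) -> str:
    """Inverse of vbs_decode; used here only to build the constructed sample."""
    return ";".join(str(ord(c) - offset) for c in text)


def first_entry(blob: str) -> Tuple[int, str]:
    """The first number and the character it decodes to (the analysis cites 73 -> 'O')."""
    value = int(blob.split(";")[0])
    return value, chr(value + OFFSET)


# Constructed sample of the padded loader, not the real six lines. The license-looking
# comment lines are placeholders, and the hidden script is assumed to start with
# "On Error Resume Next", which is consistent with the first value 73 in the analysis.
HIDDEN_SCRIPT = "On Error Resume Next\r\nMsgBox \"constructed sample\""
SAMPLE_VBS = (
    "' Attribution-ShareAlike 4.0 International\n"
    "' (placeholder for the license text used as padding)\n"
    'DocuSign = "' + vbs_encode(HIDDEN_SCRIPT) + '"\n'
    "' (more license text)\n"
    "Execute DocuRead\n"
)


def recover_hidden_script(source: str) -> str:
    """Find the DocuSign = "..." assignment in the cleaned code and decode it."""
    for line in strip_vbs_comments(source):
        if line.startswith("DocuSign"):
            blob = line.split("=", 1)[1].strip().strip('"')
            return vbs_decode(blob)
    raise ValueError("no DocuSign assignment found")


if __name__ == "__main__":
    print(strip_vbs_comments(SAMPLE_VBS))
    print(first_entry(vbs_encode(HIDDEN_SCRIPT)))  # (73, 'O')
    print(recover_hidden_script(SAMPLE_VBS))
```

The offset is a parameter because the same family of loaders is easy to re-key; when the first decoded character is not a plausible script start, try nearby offsets before assuming a different scheme.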

To check the decrypted code, we dumped the contents of DocuRead. The first part of the code is straightforward: it decrypts AdobeSign.pdf and drops the result as svchost.exe. To confirm our earlier assumption that AdobeSign.pdf was XOR-encrypted, we examined the "Encode" function, which XORs the file contents and saves the decrypted executable to "C:\Windows\System32\spool\drivers\color\svchost.exe". Two details matter for defenders: the file name masquerades as the legitimate svchost.exe, which lives in C:\Windows\System32 itself, and the drop directory is one that standard users can write to by default, which is why it appears so often as a staging location.

Figure 5.1. Start of decrypted VBS code

Figure 5.2. Part of “Encode” function using XOR to decrypt a file
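Recovering the key and decrypting the payload, as an added example rather than code from the sample: a run of one byte at the end of the file (zero padding) gives the key directly, and the "MZ" signature of a PE gives an independent check. The "PDF" here is constructed from a fake PE header plus zero padding XORed with 0x63; the real file's internal layout is not reproduced.

```python
from typing import Optional, Tuple

KEY = 0x63  # the byte the trailing run of AdobeSign.pdf consists of


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def key_from_trailing_run(ciphertext: bytes, min_run: int = 16) -> Optional[int]:
    """Zero padding at the end of the plaintext becomes a run of the key byte.

    Returns the key if the file ends in at least `min_run` identical bytes, else None.
    """
    if len(ciphertext) < min_run:
        return None
    last = ciphertext[-1]
    run = 0
    for b in reversed(ciphertext):
        if b != last:
            break
        run += 1
    return last if run >= min_run else None


def key_from_mz_header(ciphertext: bytes) -> Optional[int]:
    """Independent check: a PE starts with 'MZ', so one key must turn both bytes back."""
    if len(ciphertext) < 2:
        return None
    key = ciphertext[0] ^ ord("M")
    return key if ciphertext[1] ^ key == ord("Z") else None


def recover_and_decrypt(ciphertext: bytes) -> Tuple[int, bytes]:
    """Recover the key two ways, insist they agree, and return (key, plaintext)."""
    from_run = key_from_trailing_run(ciphertext)
    from_header = key_from_mz_header(ciphertext)
    if from_run is None or from_header is None or from_run != from_header:
        raise ValueError(f"key guesses disagree: trailing run {from_run}, MZ header {from_header}")
    return from_run, xor_bytes(ciphertext, from_run)


# Constructed stand-in for the dropped executable: an MZ header, the familiar DOS stub
# text and 64 bytes of zero padding, XORed with 0x63 to produce the fake "PDF".
FAKE_PE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + bytes(64)
SAMPLE_PDF = xor_bytes(FAKE_PE, KEY)

if __name__ == "__main__":
    key, plain = recover_and_decrypt(SAMPLE_PDF)
    print(hex(key), plain[:2], SAMPLE_PDF[-4:])  # 0x63 b'MZ' b'cccc'
```

When the two guesses disagree, the file is either not a PE or not single-byte XOR; a byte-frequency histogram of the ciphertext (the most common byte is usually key XOR 0x00) is the next cheap check before reaching for a full brute force.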

The script then attempts privilege elevation, that is, obtaining a higher level of access than the user who launched it already has. It checks whether it was started with an "elevate" parameter, the marker a self-relaunching script uses to tell its elevated copy apart from the initial, unprivileged one.

Figure 6. Check whether the script was executed with the "elevate" parameter

It also runs two PowerShell commands, both passed as encoded command strings. The first excludes the file extension that the malware will use from Windows Defender's scheduled, custom, and real-time scanning. The second tries to disable Windows' Ransomware Protection (controlled folder access), the feature that blocks unauthorized programs from modifying files in protected folders.

Figure 7.1. Two PowerShell commands with encoded arguments

Figure 7.2 Decoded PowerShell command strings
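Decoding and triaging such command lines, as an added example (the two cmdlets are stand-ins for the ones in Figure 7.2, which are not reproduced here, and ".example" is a placeholder extension): PowerShell's -EncodedCommand carries base64 of the UTF-16LE script text, so a process-creation log can be decoded and checked for Defender tampering offline.

```python
import base64
import re
from typing import Dict, List

# Constructed stand-ins for the two decoded commands in Figure 7.2 (the exact cmdlets
# the malware used are not reproduced; ".example" is a placeholder extension).
SAMPLE_SCRIPTS = [
    "Add-MpPreference -ExclusionExtension '.example'",
    "Set-MpPreference -EnableControlledFolderAccess Disabled",
]


def encode_command(script: str) -> str:
    """Produce the value PowerShell expects after -EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Reverse -EncodedCommand: base64, then UTF-16LE text."""
    return base64.b64decode(blob).decode("utf-16-le")


# PowerShell accepts unambiguous prefixes of -EncodedCommand; these are the common ones.
ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Defender-tampering cmdlets worth alerting on in decoded command lines.
TAMPER_PATTERNS = {
    "defender exclusion added": re.compile(
        r"Add-MpPreference\s+-Exclusion(?:Extension|Path|Process)", re.I),
    "controlled folder access disabled": re.compile(
        r"Set-MpPreference\s+-EnableControlledFolderAccess\s+Disabled", re.I),
    "real-time monitoring disabled": re.compile(
        r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I),
}


def triage_command_line(cmdline: str) -> Dict[str, object]:
    """Decode any -EncodedCommand argument and list the tampering patterns it matches."""
    match = ENC_ARG.search(cmdline)
    decoded = decode_command(match.group(1)) if match else None
    target = decoded if decoded is not None else cmdline
    findings = [name for name, pat in TAMPER_PATTERNS.items() if pat.search(target)]
    return {"decoded": decoded, "findings": findings}


# Constructed command lines as they might appear in a process-creation log. The
# johntask.ps1 path is assumed; the page does not say where the script is written.
SAMPLE_CMDLINES = [
    "powershell.exe -WindowStyle Hidden -enc " + encode_command(SAMPLE_SCRIPTS[0]),
    "powershell.exe -NoProfile -e " + encode_command(SAMPLE_SCRIPTS[1]),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\johntask.ps1",
]


def triage_all(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Triage a batch of command lines; non-encoded ones are checked as-is."""
    return [triage_command_line(c) for c in cmdlines]


if __name__ == "__main__":
    for cmd, res in zip(SAMPLE_CMDLINES, triage_all(SAMPLE_CMDLINES)):
        print(cmd[:60], "->", res)
```

After the fact, Get-MpPreference shows the exclusions that were added, and Defender records every configuration change as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is the natural place to alert on new exclusions.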

Uninstalls.bat is created for the purpose of executing svchost.exe. After creating the batch file, the script base64-decodes another component and saves it to disk as johntask.ps1.

Figure 8.1. Batch file that will execute a main payload

Figure 8.2. Base64 encoded contents of the Powershell file

Figure 8.3. Decoded johntask.ps1

Before finally executing the PowerShell script johntask.ps1, the loader checks whether virtual machines with common default names are present. If one is found, it tries to merge the undo disks of that virtual machine and a SCSI controller, and also tries to attach the floppy and ROM drives.

Undo disks record changes to a virtual machine's data and configuration in a separate disk file, so that the changes can be reverted if needed.

Figure 9.1 Most of the code redacted to show the code sequence

Figure 9.2 Code for attaching the Floppy and ROM drives

At this point the PowerShell script (johntask.ps1) executes and registers a scheduled task triggered by a randomly chosen Windows event. Its purpose is to relaunch the malware payload automatically, via the batch file component, whenever the selected event fires.
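Hunting for this persistence, as an added example (the task XML is constructed; the page does not give the event it used or where Uninstalls.bat is written, so event 7036 and the spool\drivers\color path are assumptions): an event-triggered task shows up in the task XML as an EventTrigger with a Subscription query, which the Python below parses alongside the Exec action.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".ps1")
USER_WRITABLE_HINTS = (
    "\\spool\\drivers\\color\\", "\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\",
)

# Constructed task definition in the format `schtasks /query /xml` exports. The event
# (Service Control Manager event 7036) and the batch file's location are assumptions;
# the page says only that the task is attached to a randomly chosen Windows event.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>constructed sample</Author></RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Service Control Manager'] and EventID=7036]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\spool\drivers\color\Uninstalls.bat</Command>
    </Exec>
  </Actions>
</Task>"""


def triage_task(xml_source: Union[str, bytes]) -> Dict[str, object]:
    """Pull event subscriptions and actions out of a task and flag the risky combination.

    Exported task files are UTF-16 with an XML declaration; pass their raw bytes so the
    parser honours the declared encoding.
    """
    root = ET.fromstring(xml_source)
    subscriptions = [
        (trig.findtext("t:Subscription", default="", namespaces=NS) or "")
        for trig in root.findall(".//t:EventTrigger", NS)
    ]
    event_ids = sorted({int(e) for s in subscriptions for e in re.findall(r"EventID=(\d+)", s)})
    commands = []
    for exe in root.findall(".//t:Exec", NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exe.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        commands.append((cmd + " " + args).strip())

    findings: List[str] = []
    if subscriptions:
        findings.append("event-triggered task")
    for cmd in commands:
        low = cmd.lower()
        if low.split(" ")[0].endswith(SCRIPT_EXTS):
            findings.append("runs a script file")
        if any(hint in low for hint in USER_WRITABLE_HINTS):
            findings.append("command lives in a user-writable directory")
    return {"event_ids": event_ids, "commands": commands, "findings": findings}


if __name__ == "__main__":
    print(triage_task(SAMPLE_TASK_XML))
```

Run it over the files under C:\Windows\System32\Tasks or the output of schtasks /query /xml. A task that is event-triggered, runs a script and lives in a user-writable directory is rare in legitimate software and deserves a look; task creation itself is logged as event 4698 in the Security log when object-access auditing is enabled.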

The main payload is a copy of a ransomware family called "Hentai OniChan Last Version Real OniHentai". Once svchost.exe is executed, it terminates processes belonging to anti-malware and analysis tools (debuggers, disassemblers, network sniffers, Sysinternals utilities), such as those listed in the table below.

Autorun.exe Autoruns.exe Cain.exe Charles.exe
FakeNet.exe Fiddler.exe Fiddler.exe FolderChangesView.exe
HipsDaemon.exe HipsMain.exe HipsTray.exe HookExplorer.exe
HxD32.exe HxD64.exe ILSpy.exe Il2CppInspector-cli.exe
Il2CppInspector.exe ImmunityDebugger.exe ImportREC.exe MegaDumper.exe
MpCmdRun.exe OLLYDBG.EXE PETools.exe PPEE.exe
ProcessHacker.exe Procmon.exe Procmon64.exe Procmon64a.exe
QMDL.exe QMPersonalCenter.exe QQPCPatch.exe QQPCRTP.exe
QQPCRealTimeSpeedup.exe QQPCTray.exe QQRepair.exe QtWebEngineProcess.exe
ResourceHacker.exe Scylla_x64.exe Scylla_x86.exe SysInspector.exe
Taskmgr.exe Wireshark.exe apimonitor-x64.exe apimonitor-x86.exe
autoruns.exe autorunsc.exe autorunsc64.exe autorunsc64a.exe
binaryninja.exe bincat.exe c2newspeak.exe cstool.exe
cutter.exe die.exe diec.exe diesort.exe
dnSpy-x86.exe dnSpyx64.exe dumpcap.exe fibonacci32.exe
fibonacci64.exe filemon.exe httpdebugger.exe ida.exe
ida64.exe idaq.exe idaq64.exe inVtero.ps1
inVteroPS.ps1 inVteroPS.psm1 joeboxcontrol.exe joeboxserver.exe
kscan.exe kwsprotect64.exe kxescore.exe kxetray.exe
loaddll.exe ollydbg.exe ollydbg64.exe pe-sieve64.exe
pestudio.exe peview.exe proc_analyzer.exe procexp.exe
procexp32.exe procexp64.exe procmon.exe py.exe
python.exe r2agent.exe rabin2.exe radare2.exe
radiff2.exe rafind2.exe ragg2.exe rahash2.exe
rarun2.exe rasm2.exe rax2.exe regmon.exe
rpcapd.exe sample3.exe sample_loop_eax.exe sample_x86.exe
sniff_hit.exe sysAnalyzer.exe tcpview.exe windbg.exe
wireshark.exe x32dbg.exe x64dbg.exe x64dbg.exe
x96dbg.exe      

Table 1.0 Processes terminated by ransomware

To prevent the user from recovering encrypted files, it also tries to disable a number of Windows services along with services belonging to backup and anti-malware software, as listed below. The list also covers database and mail servers (SQL Server, MySQL, Exchange): stopping them releases the locks on their data files so that those files can be encrypted as well.

wuauserv, DoSvc, bits, Acronis VSS Provider
AcronisAgent, AcrSch2Svc, Antivirus, ARSM
AVP, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDeviceMediaService
BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, BackupExecVSSProvider
bedbg, ccEvtMgr, ccSetMgr, Culserver
dbeng8, dbsrv12, DCAgent, DefWatch
EhttpSrv, ekrn, Enterprise Client Service, EPSecurityService
EPUpdateService, EraserSvc11710, EsgShKerne, ESHASRV
FA_Scheduler, IISAdmin, IMAP4Svc, KAVFS
KAVFSGT, kavfsslp, klnagent, macmnsvc
masvc, MBAMService, MBEndpointAgent, McAfeeEngineService
McAfeeFramework, McAfeeFrameworkMcAfeeFramework, McShield, McTaskManager
mfefire, mfemms, mfevtp, MMS
mozyprobackup, MsDtsServer, MsDtsServer100, MsDtsServer110
MSExchangeES, MSExchangeIS, MSExchangeMGMT, MSExchangeMTA
MSExchangeSA, MSExchangeSRS, msftesql$PROD, msmdsrv
MSOLAP$SQL_2008, MSOLAP$SYSTEM_BGC, MSOLAP$TPS, MSOLAP$TPSAMA
MSSQL$BKUPEXEC, MSSQL$ECWDB2, MSSQL$PRACTICEMGT, MSSQL$PRACTTICEBGC
MSSQL$PROD, MSSQL$PROFXENGAGEMENT, MSSQL$SBSMONITORING, MSSQL$SHAREPOINT
MSSQL$SOPHOS, MSSQL$SQL_2008, MSSQL$SQLEXPRESS, MSSQL$SYSTEM_BGC
MSSQL$TPS, MSSQL$TPSAMA, MSSQL$VEEAMSQL2008R2, MSSQL$VEEAMSQL2012
MSSQLFDLauncher, MSSQLFDLauncher$PROFXENGAGEMENT, MSSQLFDLauncher$SBSMONITORING, MSSQLFDLauncher$SHAREPOINT
MSSQLFDLauncher$SQL_2008, MSSQLFDLauncher$SYSTEM_BGC, MSSQLFDLauncher$TPS, MSSQLFDLauncher$TPSAMA
MSSQLSERVER, MSSQLServerADHelper, MSSQLServerADHelper100, MSSQLServerOLAPService
MySQL57, MySQL80, NetMsmqActivator, ntrtscan
OracleClientCache80, PDVFSService, POP3Svc, QBCFMonitorService
QBIDPService, QuickBoooks.FCS, ReportServer, ReportServer$SQL_2008
ReportServer$SYSTEM_BGC, ReportServer$TPS, ReportServer$TPSAMA, RESvc
RTVscan, SAVAdminService, SavRoam, SAVService
SepMasterService, ShMonitor, Smcinst, SmcService
SMTPSvc, SNAC, SntpService, Sophos Agent
Sophos AutoUpdate Service, Sophos Clean Service, Sophos Device Control Service, Sophos File Scanner Service
Sophos Health Service, Sophos MCS Agent, Sophos MCS Client, Sophos Message Router
Sophos Safestore Service, Sophos System Protection Service, Sophos Web Control Service, sophossps
SQL Backups, sqladhlp, SQLADHLP, sqlagent
SQLAgent$BKUPEXEC, SQLAgent$CITRIX_METAFRAME, SQLAgent$CXDB, SQLAgent$ECWDB2
SQLAgent$PRACTTICEBGC, SQLAgent$PRACTTICEMGT, SQLAgent$PROD, SQLAgent$PROFXENGAGEMENT
SQLAgent$SBSMONITORING, SQLAgent$SHAREPOINT, SQLAgent$SOPHOS, SQLAgent$SQL_2008
SQLAgent$SQLEXPRESS, SQLAgent$SYSTEM_BGC, SQLAgent$TPS, SQLAgent$TPSAMA
SQLAgent$VEEAMSQL2008R2, SQLAgent$VEEAMSQL2012, sqlbrowser, SQLBrowser
SQLsafe Backup Service, SQLsafe Filter Service, SQLSafeOLRService, sqlserv
SQLSERVERAGENT, SQLTELEMETRY, SQLTELEMETRY$ECWDB2, sqlwriter
SQLWriter, svcGenericHost, swi_filter, swi_service
swi_update, swi_update_64, Symantec System Recovery, TmCCSF
tmlisten, tomcat6, TrueKey, TrueKeyScheduler
TrueKeyServiceHelper, UI0Detect, Veeam Backup Catalog Data Service, VeeamBackupSvc
VeeamBrokerSvc, VeeamCatalogSvc, VeeamCloudSvc, VeeamDeploymentService
VeeamDeploySvc, VeeamEnterpriseManagerSvc, VeeamHvIntegrationSvc, VeeamMountSvc
VeeamNFSSvc, VeeamRESTSvc, VeeamTransportSvc, vmware-converter
vmware-usbarbitator64, W3Svc, wrapper, WRSVC
zhundongfangyu, Zoolz 2 Service

Table 2.0 Services disabled by the ransomware

It also skips files with certain extensions when encrypting the victim's files, as listed below. Most of these are executables, scripts and system files: leaving them intact keeps the system bootable so that the victim can read the ransom note, and keeps the malware's own components (.bat, .vbs, .ps1, .lnk) usable.

.bac .bak
.bat .bkf
.cmd .com
.dll .docm
.dsk .exe
.js .jse
.lnk .msc
.ps1 .set
.sys .vbe
.vbs .vhd
.wbcat .win

Table 3.0 Skipped file extensions

When the malicious routine completes, the ransom note is set as the desktop wallpaper of the infected machine, as shown below.

Figure 10.0 Hentai OniChan Ransom Note

Indicators of Compromise

File name: RE: [ Reminder ] your outstanding payments 4/30/2021 12:28:51 AM
SHA256: a4cc1ff7ca40082dc11ecd9c49df5aab750f9a86a5e21eab1c4727e26d29026b
Description: Malicious email
Detection: JS/Onigent.A

File name: payment.zip
SHA256: 4e708ba3c256d6f6a35f4c77293749178b43d1044b1c6a23febc05b681680cd1
Description: ZIP attachment
Detection: JS/Onigent.A

File name: payment.html
SHA256: 85e73044a76483d1d4c9d11304d4a20d3945d35dcc102a4de9115b14803efb8b
Description: Fake DocuSign page
Detection: JS/Onigent.A

File name: Alternative_View.OnlineWeb_;.lnk
SHA256: 72698dadde8854a15f046d9b561f207be1463c13413bc865717a2747d170a08e
Description: Shortcut file launching ClientSignatureNote.vbs
Detection: LNK/Onigent.A

File name: ClientSignatureNote.vbs
SHA256: bd3cedbaef4fd8d4f0e6490e9fb30f4ba8cc83d700c99f5e387dab866aaadf6f
Description: Encrypted malware launcher
Detection: VBS/Onigent.A

File name: johntask.ps1
SHA256: a61269d530dcabaf986c40a88df6177e041074d062361ff75e691079718b7fce
Description: Auto-start mechanism
Detection: PSH/Onigent.A

File name: AdobeSign.htm
SHA256: 95ccbde1ccda4dacd5f3457b6f8adf358c6405532f2951c65f93d7d4bca4cb51
Description: Encrypted malware payload
Detection: W64/RansomHen.A

File name: svchost.exe
SHA256: f04002af72fe6e060f816fdf695dffd092909559f077fa8050e03268e5c290eb
Description: Malware payload
Detection: W64/RansomHen.A

Table 4.0 Indicators of Compromise
