Question about ransomware_filemodications.py

[Clevero]

Hello,

I created some kind of ransomware that is appending .w to the current filename. So just renaming

I was told that there is the ransomware_filemodications.py signature for it. But I couldn't get it to trigger yet.

As far as I understand the code, the signature is triggered when 50 and above files are renamed? There were 60 files renamed in my test.

Also those new files like 45.txt.w are not listed in the report.json in any kind.

Do I something wrong or misunderstood the code?

@kevross33

[lillypad]

@Clevero please share the file hash so we may download the sample and test this ourselves.

This way we can better troubleshoot your issue.

[Clevero]

File: Adds_.w_ToFilenamesOnDesktop.jar.zip Exported report: 11.zip Cuckoo version: 2.0.6

The files on the desktop are generated withe the following powershell command:

1..60 | % { New-Item -Path C:\Users\my_username\Desktop\ -Name "$_.txt" -Value (
Get-Date).toString() -ItemType file}

The source code of the malware:

import java.io.File;

public class Main {

    public static void main(String[] args) {

        String path = System.getProperty("user.home") + "/Desktop";

        File folder = new File(path);
        File[] listOfFiles = folder.listFiles();

        for (int i = 0; i < listOfFiles.length; i++) {

            if (listOfFiles[i].isFile()) {

                // if it ends with .w, we remove it
                if (listOfFiles[i].getName().endsWith(".w")) {
                    listOfFiles[i].renameTo(new File(path + "/"
                            + (listOfFiles[i].getName().substring(0, listOfFiles[i].getName().length() - 2))));
                }
                // if there is no .w, we append it
                else {
                    listOfFiles[i].renameTo(new File(path + "/" + listOfFiles[i].getName() + ".w"));
                }
            }

        }

    }

}

[lillypad]

@Clevero thank you, I will have a look at this as soon as I get the chance it could be things that go through the JVM are not being picked up on in regards to file renames. File renames are technically file moves so will be interesting to see.

[Clevero]

I've tested it under Windows 7 64 Bit:

• Java 8 64 Bit: does not execute the .jar properly. No error messages are shown in the console. Don't have checked the JVM log. But I think it's the behavior described in https://github.com/cuckoosandbox/cuckoo/issues/1560
• Java 8 32 Bit: executing as expected also the signatures are triggered (exported report 7.zip)

The issue was originally opened with a Windows 10 vm with Java 8 32 Bit installed (should have mentioned that)