Fake DocuSign Download Page Leads to Hentai Onichan Ransomware

We recently received samples that we suspected were “phishy” in nature, but after analyzing the email attachment a severe threat was exposed. 

Figure 1.0 Email sample

The emails had a ZIP attachment containing an HTML that was designed to look like an invoice signed by DocuSign, which is a well-known service that allows organizations to manage electronic agreements securely. Unfortunately, because it is widely used, this service is often used as a theme in phishing or targeted malware campaigns.

Figure 1.1 DocuSign themed invoice for review

Viewing the source of the HTML page reveals that a file named “ProformaInvoice.zip” will be saved to the disk, mimicking a downloaded file.

Figure 2. Excerpt of the script code found in the phishing HTML

The zip archive contains 3 files:

  • AdobeSign.pdf
  • Alternative_View.OnlineWeb_;.lnk
  • ClientSignatureNote.vbs

Clicking Alternative_View.OnlineWeb_;.lnk executes ClientSignatureNote.vbs. AdobeSign.pdf is not actually a PDF but an encrypted file, which ClientSignatureNote.vbs decrypts. A quick look at the contents of the "pdf" suggested that it was encrypted using XOR with a single-byte key.

Figure 3. AdobeSign.PDF with trailing “0x63” bytes

To confirm that the PDF file was indeed XOR-encrypted, we needed to analyze the VBS file. Its contents were padded with the text of the Attribution-ShareAlike 4.0 International license as line comments, with the actual VBS code scattered in between. Cleaning up the file revealed that the real code was just six lines. The content of the variable “DocuSign”, a list of numbers delimited by “;”, is decoded with a simple algorithm: add six to each value and convert the result to the corresponding character code. The first entry, 73 + 6 = 79 (0x4F in hexadecimal), corresponds to the character “O”. The decoded characters are concatenated into a new VBS script, which is then run using the “Execute” function.

Figure 4.1. Excerpt of the VBS code with license as line comments

Figure 4.2. VBS code without line comments

To inspect the decoded code, we dumped the contents of the variable “DocuRead”. The first part of the code is straightforward: it decrypts the file AdobeSign.pdf and drops the result as svchost.exe. To confirm our earlier assumption that AdobeSign.pdf was XOR-encrypted, we examined the “Encode” function, which saves the decrypted executable to “C:\Windows\System32\spool\drivers\color\svchost.exe”.

Figure 5.1. Start of decrypted VBS code

Figure 5.2. Part of “Encode” function using XOR to decrypt a file
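The two decoding layers described above (the “;”-delimited numeric string in the VBS launcher, and the single-byte XOR applied to AdobeSign.pdf) are simple enough to reproduce in a small analysis script. The following is an added example written for this post, not code from the sample or from the original write-up. It assumes, as the trailing 0x63 bytes in Figure 3 suggest, that the encrypted file ends in zero padding, so the most frequent trailing byte is the XOR key itself; the sample inputs are constructed, not taken from the malware.

```python
"""
Added analysis helpers (not part of the original report) for the two
decoding layers described in the text: the ';'-delimited numeric string
in the VBS launcher (each value + 6, then converted to a character) and
the single-byte XOR applied to AdobeSign.pdf.
"""
from collections import Counter


def decode_vbs_numeric_string(blob: str, offset: int = 6, sep: str = ";") -> str:
    """Rebuild the stage-2 VBS from the obfuscated "DocuSign" variable.

    Every field is an integer; adding the offset and taking chr() yields
    one character of the real script (73 + 6 = 79 = 'O', as in the report).
    """
    out = []
    for field in blob.split(sep):
        field = field.strip()
        if not field:
            continue
        out.append(chr(int(field) + offset))
    return "".join(out)


def recover_xor_key(data: bytes, tail: int = 64) -> int:
    """Guess the single-byte key from the file's trailing padding region.

    NUL padding XORed with key k shows up as a run of k bytes at the end
    (the 0x63 run in Figure 3), so the most frequent byte in the last
    `tail` bytes is taken as the key. This is an assumption about the
    plaintext, not something the VBS tells us directly.
    """
    return Counter(data[-tail:]).most_common(1)[0][0]


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check: a decoded Windows executable starts with 'MZ'."""
    return data[:2] == b"MZ"


# --- constructed sample inputs, not taken from the samples in the report ---
# The word "Execute" encoded with the same scheme: char code minus 6, ';'-joined.
SAMPLE_VBS_BLOB = ";".join(str(ord(c) - 6) for c in "Execute")
# A fake PE header followed by NUL padding, XORed with the key 0x63.
SAMPLE_KEY = 0x63
SAMPLE_PLAINTEXT = b"MZ" + b"\x90" * 30 + b"\x00" * 64
SAMPLE_ENCRYPTED = xor_decode(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def analyze_sample() -> dict:
    """Run both decoders over the constructed inputs and report findings."""
    key = recover_xor_key(SAMPLE_ENCRYPTED)
    decoded = xor_decode(SAMPLE_ENCRYPTED, key)
    return {
        "vbs_decoded": decode_vbs_numeric_string(SAMPLE_VBS_BLOB),
        "xor_key": key,
        "is_pe": looks_like_pe(decoded),
    }


if __name__ == "__main__":
    print(analyze_sample())  # {'vbs_decoded': 'Execute', 'xor_key': 99, 'is_pe': True}
```

On a real file, the key guess should always be confirmed by checking the decoded output for a plausible header (the `MZ` check above) before trusting it.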

The script also includes a privilege elevation step, that is, an attempt to gain more privileged access than the current user already has, and checks whether it was executed with the “elevate” parameter.

Figure 6. Check whether the script was executed with the “elevate” parameter

It also runs two PowerShell commands. The first excludes the file extension that the malware will use from the scheduled, custom, and real-time scanning of Windows Defender. The second tries to disable the Ransomware Protection feature of Windows.

Figure 7.1. Two PowerShell invocations with encoded commands

Figure 7.2 Decoded Powershell command strings
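Both commands are passed to PowerShell in encoded form, which is why they deserve a decoding step in any process-creation telemetry review. The following is an added detection example written for this post, not code from the sample or the original analysis. It decodes the base64 (UTF-16LE) payload that PowerShell’s -EncodedCommand switch accepts and flags Defender preference changes of the two kinds described above. Since the decoded strings from Figure 7.2 are not reproduced here, the cmdlet forms it looks for (Add-MpPreference -ExclusionExtension, Set-MpPreference -EnableControlledFolderAccess Disabled) are assumptions about how such changes are usually expressed, and the command lines it runs over are constructed.

```python
"""
Added detection helper, not from the original report. It decodes the
-EncodedCommand (-e/-enc) argument of PowerShell from command-line
telemetry and flags Defender preference tampering of the two kinds the
text describes: adding a scan exclusion and turning off Ransomware
Protection (controlled folder access). The cmdlet forms matched below are
assumptions, not the sample's exact strings.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common ones are listed.
ENC_FLAG = re.compile(r"-(e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Each rule: (name, regex over the decoded script text).
DEFENDER_TAMPER_RULES = [
    ("defender_scan_exclusion",
     re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion(Extension|Path|Process)", re.I | re.S)),
    ("ransomware_protection_off",
     re.compile(r"\bSet-MpPreference\b.*-EnableControlledFolderAccess\s+(Disabled|0)", re.I | re.S)),
]


def decode_encoded_command(cmdline: str):
    """Return the decoded script, or None when the line carries no valid encoded command."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(2), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline: str) -> list:
    """Names of the tampering rules the decoded command matches (empty if none)."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return []
    return [name for name, rx in DEFENDER_TAMPER_RULES if rx.search(script)]


def _enc(script: str) -> str:
    """Encode a script the way the real switch expects (used only to build the samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample process command lines, not taken from the samples in the report.
# ".placeholder" stands in for the ransomware's own extension, which the report does not name.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + _enc('Add-MpPreference -ExclusionExtension ".placeholder"'),
    "powershell.exe -e " + _enc("Set-MpPreference -EnableControlledFolderAccess Disabled"),
    "powershell.exe -enc " + _enc("Get-Date"),
    "powershell.exe -Command Get-Process",
]


def scan(cmdlines) -> list:
    """Return (command line, matched rules) for every line that matched a rule."""
    hits = []
    for line in cmdlines:
        rules = classify(line)
        if rules:
            hits.append((line, rules))
    return hits


if __name__ == "__main__":
    for line, rules in scan(SAMPLE_CMDLINES):
        print(f"{rules}: {line[:60]}...")
```

The decoder deliberately fails closed (returns None) on anything that is not valid base64 or valid UTF-16LE, so a rule only ever fires on text that PowerShell itself would have accepted.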

Uninstalls.bat is created for the purpose of executing svchost.exe. After creating the batch file, the script decodes another base64-encoded component and saves it to disk as johntask.ps1.

Figure 8.1. Batch file that will execute a main payload

Figure 8.2. Base64-encoded contents of the PowerShell file

Figure 8.3. Decoded johntask.ps1

Before finally executing the PowerShell script johntask.ps1, it checks for virtual machines with possible default names. If one is found, it tries to merge the undo disks of that virtual machine and a SCSI controller, and also tries to attach the floppy and ROM drives.

Undo disks store changes to a virtual machine’s data and configuration in a separate disk, so that the changes can be reverted later.

Figure 9.1 Code sequence, with most of the code redacted

Figure 9.2 Code for attaching the Floppy and ROM drives

At this point the PowerShell script (johntask.ps1) executes and attaches a scheduled task to a random Windows event. Its purpose is to automatically launch the malware payload via the batch file component whenever the selected event is triggered.
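An event-triggered task whose action is a batch file is an unusual combination, and it can be found by walking exported task definitions. The following is an added triage example written for this post, not code from the sample or the original analysis. It parses the Task Scheduler XML format (as exported by schtasks /query /xml or Export-ScheduledTask) and flags event-triggered tasks that launch a script or batch file. Both task definitions in it are constructed: the event query, the EventID and the directory holding Uninstalls.bat are assumptions, since the report does not show which event the task was attached to.

```python
"""
Added triage helper, not part of the original report. It parses exported
Task Scheduler definitions and flags event-triggered tasks whose action runs
a script or batch file, the persistence pattern described for johntask.ps1
and Uninstalls.bat. The task XML samples below are constructed for this
example; the event query, EventID and drop directory are assumptions.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_EXT_RX = re.compile(r"\.(bat|cmd|vbs|vbe|js|jse|ps1)(\"|\s|$)", re.IGNORECASE)
EVENT_LOG_RX = re.compile(r"""Path=["']([^"']+)["']""")
EVENT_ID_RX = re.compile(r"EventID=(\d+)")


def _text(root, path: str) -> str:
    node = root.find(path, NS)
    return "" if node is None or node.text is None else node.text.strip()


def parse_task(xml_text: str) -> dict:
    """Pull trigger types, event-query details and the Exec action out of one task."""
    root = ET.fromstring(xml_text)
    triggers_node = root.find("t:Triggers", NS)
    triggers = [] if triggers_node is None else [c.tag.split("}")[-1] for c in triggers_node]
    # EventTrigger/Subscription holds an (escaped) event query; ET unescapes it for us.
    subs = [s.text or "" for s in root.iterfind(".//t:EventTrigger/t:Subscription", NS)]
    return {
        "triggers": triggers,
        "event_logs": sorted({p for s in subs for p in EVENT_LOG_RX.findall(s)}),
        "event_ids": sorted({int(e) for s in subs for e in EVENT_ID_RX.findall(s)}),
        "command": _text(root, ".//t:Actions/t:Exec/t:Command"),
        "arguments": _text(root, ".//t:Actions/t:Exec/t:Arguments"),
    }


def is_suspicious(task: dict) -> bool:
    """Event-triggered task that launches a script/batch file."""
    launches_script = SCRIPT_EXT_RX.search(task["command"] + " " + task["arguments"]) is not None
    return "EventTrigger" in task["triggers"] and launches_script


# Constructed sample: an event-triggered task running the batch launcher.
# EventID 7036 (System log, service state change) is an arbitrary choice for the example.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[EventID=7036]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\spool\\drivers\\color\\Uninstalls.bat</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a time-triggered updater executable.
SAMPLE_BENIGN_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2021-05-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command><Arguments>/check</Arguments></Exec></Actions>
</Task>"""


def triage(definitions) -> list:
    """Return (command, event_ids) for each definition that matches the pattern."""
    hits = []
    for xml_text in definitions:
        task = parse_task(xml_text)
        if is_suspicious(task):
            hits.append((task["command"], task["event_ids"]))
    return hits


if __name__ == "__main__":
    for cmd, ids in triage([SAMPLE_TASK_XML, SAMPLE_BENIGN_XML]):
        print(f"event-triggered script task: {cmd} (EventID {ids})")
```

Reviewing the EventID and log path alongside the action makes it easy to separate legitimate event-driven tasks (which normally run signed executables) from a launcher like this one.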

The main payload is a copy of a ransomware called “Hentai OniChan Last Version Real OniHentai”. Once svchost.exe is executed, processes related to anti-malware and analysis tools, such as the ones listed in the table below, are terminated.

Autorun.exe, Autoruns.exe, Cain.exe, Charles.exe
FakeNet.exe, Fiddler.exe, Fiddler.exe, FolderChangesView.exe
HipsDaemon.exe, HipsMain.exe, HipsTray.exe, HookExplorer.exe
HxD32.exe, HxD64.exe, ILSpy.exe, Il2CppInspector-cli.exe
Il2CppInspector.exe, ImmunityDebugger.exe, ImportREC.exe, MegaDumper.exe
MpCmdRun.exe, OLLYDBG.EXE, PETools.exe, PPEE.exe
ProcessHacker.exe, Procmon.exe, Procmon64.exe, Procmon64a.exe
QMDL.exe, QMPersonalCenter.exe, QQPCPatch.exe, QQPCRTP.exe
QQPCRealTimeSpeedup.exe, QQPCTray.exe, QQRepair.exe, QtWebEngineProcess.exe
ResourceHacker.exe, Scylla_x64.exe, Scylla_x86.exe, SysInspector.exe
Taskmgr.exe, Wireshark.exe, apimonitor-x64.exe, apimonitor-x86.exe
autoruns.exe, autorunsc.exe, autorunsc64.exe, autorunsc64a.exe
binaryninja.exe, bincat.exe, c2newspeak.exe, cstool.exe
cutter.exe, die.exe, diec.exe, diesort.exe
dnSpy-x86.exe, dnSpyx64.exe, dumpcap.exe, fibonacci32.exe
fibonacci64.exe, filemon.exe, httpdebugger.exe, ida.exe
ida64.exe, idaq.exe, idaq64.exe, inVtero.ps1
inVteroPS.ps1, inVteroPS.psm1, joeboxcontrol.exe, joeboxserver.exe
kscan.exe, kwsprotect64.exe, kxescore.exe, kxetray.exe
loaddll.exe, ollydbg.exe, ollydbg64.exe, pe-sieve64.exe
pestudio.exe, peview.exe, proc_analyzer.exe, procexp.exe
procexp32.exe, procexp64.exe, procmon.exe, py.exe
python.exe, r2agent.exe, rabin2.exe, radare2.exe
radiff2.exe, rafind2.exe, ragg2.exe, rahash2.exe
rarun2.exe, rasm2.exe, rax2.exe, regmon.exe
rpcapd.exe, sample3.exe, sample_loop_eax.exe, sample_x86.exe
sniff_hit.exe, sysAnalyzer.exe, tcpview.exe, windbg.exe
wireshark.exe, x32dbg.exe, x64dbg.exe, x64dbg.exe
x96dbg.exe

Table 1.0 Processes terminated by ransomware

To prevent the user from recovering encrypted files, it tries to disable some Windows services, as well as services related to backup and anti-malware software, as listed below.

wuauserv, DoSvc, bits, Acronis VSS Provider
AcronisAgent, AcrSch2Svc, Antivirus, ARSM
AVP, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDeviceMediaService
BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, BackupExecVSSProvider
bedbg, ccEvtMgr, ccSetMgr, Culserver
dbeng8, dbsrv12, DCAgent, DefWatch
EhttpSrv, ekrn, Enterprise Client Service, EPSecurityService
EPUpdateService, EraserSvc11710, EsgShKernel, ESHASRV
FA_Scheduler, IISAdmin, IMAP4Svc, KAVFS
KAVFSGT, kavfsslp, klnagent, macmnsvc
masvc, MBAMService, MBEndpointAgent, McAfeeEngineService
McAfeeFramework, McAfeeFrameworkMcAfeeFramework, McShield, McTaskManager
mfefire, mfemms, mfevtp, MMS
mozyprobackup, MsDtsServer, MsDtsServer100, MsDtsServer110
MSExchangeES, MSExchangeIS, MSExchangeMGMT, MSExchangeMTA
MSExchangeSA, MSExchangeSRS, msftesql$PROD, msmdsrv
MSOLAP$SQL_2008, MSOLAP$SYSTEM_BGC, MSOLAP$TPS, MSOLAP$TPSAMA
MSSQL$BKUPEXEC, MSSQL$ECWDB2, MSSQL$PRACTICEMGT, MSSQL$PRACTTICEBGC
MSSQL$PROD, MSSQL$PROFXENGAGEMENT, MSSQL$SBSMONITORING, MSSQL$SHAREPOINT
MSSQL$SOPHOS, MSSQL$SQL_2008, MSSQL$SQLEXPRESS, MSSQL$SYSTEM_BGC
MSSQL$TPS, MSSQL$TPSAMA, MSSQL$VEEAMSQL2008R2, MSSQL$VEEAMSQL2012
MSSQLFDLauncher, MSSQLFDLauncher$PROFXENGAGEMENT, MSSQLFDLauncher$SBSMONITORING, MSSQLFDLauncher$SHAREPOINT
MSSQLFDLauncher$SQL_2008, MSSQLFDLauncher$SYSTEM_BGC, MSSQLFDLauncher$TPS, MSSQLFDLauncher$TPSAMA
MSSQLSERVER, MSSQLServerADHelper, MSSQLServerADHelper100, MSSQLServerOLAPService
MySQL57, MySQL80, NetMsmqActivator, ntrtscan
OracleClientCache80, PDVFSService, POP3Svc, QBCFMonitorService
QBIDPService, QuickBoooks.FCS, ReportServer, ReportServer$SQL_2008
ReportServer$SYSTEM_BGC, ReportServer$TPS, ReportServer$TPSAMA, RESvc
RTVscan, SAVAdminService, SavRoam, SAVService
SepMasterService, ShMonitor, Smcinst, SmcService
SMTPSvc, SNAC, SntpService, Sophos Agent
Sophos AutoUpdate Service, Sophos Clean Service, Sophos Device Control Service, Sophos File Scanner Service
Sophos Health Service, Sophos MCS Agent, Sophos MCS Client, Sophos Message Router
Sophos Safestore Service, Sophos System Protection Service, Sophos Web Control Service, sophossps
SQL Backups, sqladhlp, SQLADHLP, sqlagent
SQLAgent$BKUPEXEC, SQLAgent$CITRIX_METAFRAME, SQLAgent$CXDB, SQLAgent$ECWDB2
SQLAgent$PRACTTICEBGC, SQLAgent$PRACTTICEMGT, SQLAgent$PROD, SQLAgent$PROFXENGAGEMENT
SQLAgent$SBSMONITORING, SQLAgent$SHAREPOINT, SQLAgent$SOPHOS, SQLAgent$SQL_2008
SQLAgent$SQLEXPRESS, SQLAgent$SYSTEM_BGC, SQLAgent$TPS, SQLAgent$TPSAMA
SQLAgent$VEEAMSQL2008R2, SQLAgent$VEEAMSQL2012, sqlbrowser, SQLBrowser
SQLsafe Backup Service, SQLsafe Filter Service, SQLSafeOLRService, sqlserv
SQLSERVERAGENT, SQLTELEMETRY, SQLTELEMETRY$ECWDB2, sqlwriter
SQLWriter, svcGenericHost, swi_filter, swi_service
swi_update, swi_update_64, Symantec System Recovery, TmCCSF
tmlisten, tomcat6, TrueKey, TrueKeyScheduler
TrueKeyServiceHelper, UI0Detect, Veeam Backup Catalog Data Service, VeeamBackupSvc
VeeamBrokerSvc, VeeamCatalogSvc, VeeamCloudSvc, VeeamDeploymentService
VeeamDeploySvc, VeeamEnterpriseManagerSvc, VeeamHvIntegrationSvc, VeeamMountSvc
VeeamNFSSvc, VeeamRESTSvc, VeeamTransportSvc, vmware-converter
vmware-usbarbitator64, W3Svc, wrapper, WRSVC
zhundongfangyu, Zoolz 2 Service

Table 2.0 Services disabled by the ransomware

It also skips files with certain extensions when encrypting the victim’s files, as listed below:

.bac, .bak
.bat, .bkf
.cmd, .com
.dll, .docm
.dsk, .exe
.js, .jse
.lnk, .msc
.ps1, .set
.sys, .vbe
.vbs, .vhd
.wbcat, .win

Table 3.0 Skipped file extensions

When the malicious routine completes, a ransom note is set as the wallpaper of the infected machine, as shown below.

Figure 10.0 Hentai OniChan Ransom Note

Indicators of Compromise

File Name | SHA256 | Description | Detection
RE: [ Reminder ] your outstanding payments 4/30/2021 12:28:51 AM | a4cc1ff7ca40082dc11ecd9c49df5aab750f9a86a5e21eab1c4727e26d29026b | Malicious email | JS/Onigent.A
payment.zip | 4e708ba3c256d6f6a35f4c77293749178b43d1044b1c6a23febc05b681680cd1 | ZIP attachment | JS/Onigent.A
payment.html | 85e73044a76483d1d4c9d11304d4a20d3945d35dcc102a4de9115b14803efb8b | Fake DocuSign page | JS/Onigent.A
Alternative_View.OnlineWeb_;.lnk | 72698dadde8854a15f046d9b561f207be1463c13413bc865717a2747d170a08e | Shortcut file launching ClientSignatureNote.vbs | LNK/Onigent.A
ClientSignatureNote.vbs | bd3cedbaef4fd8d4f0e6490e9fb30f4ba8cc83d700c99f5e387dab866aaadf6f | Encrypted malware launcher | VBS/Onigent.A
johntask.ps1 | a61269d530dcabaf986c40a88df6177e041074d062361ff75e691079718b7fce | Auto-start mechanism | PSH/Onigent.A
AdobeSign.htm | 95ccbde1ccda4dacd5f3457b6f8adf358c6405532f2951c65f93d7d4bca4cb51 | Encrypted malware payload | W64/RansomHen.A
svchost.exe | f04002af72fe6e060f816fdf695dffd092909559f077fa8050e03268e5c290eb | Malware payload | W64/RansomHen.A

Table 4.0 Indicators of Compromise