“IMG_” Malspam Delivers GlobeImposter Ransomware

I received this malspam sample on Saturday from a friend, so it’s already a couple days old. While this is ancient in malspam years I felt like writing up something since I haven’t done a malspam post in quite some time.

The subject line of the malspam samples that I received all started with “IMG_” and neither of them contained anything in the body. Below are some images of the malspam samples:

Both samples came from Gmail accounts and had attached .zip files. Opening the .zip file shows a .js file, found in %TEMP%:

[image: open attachment]

Both .js files were GlobeImposter downloaders, so executing them generated GET requests for payloads hosted on various domains. I successfully received a payload, even though my samples were days old.

Below is the image of the GET request:

[image: GET for payload]

As you can see from the GET request, the user-agent string is “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)”, which identifies the client as Internet Explorer 6 on Windows 2000. Looking through the .js file shows the user-agent being set:


[image: .JS file decoded and commented by my friend IRDivision]

You can also see how we GET the payloads:


In my sample, I ended up getting the payload from adelaidemotorshow[.]com[.]au/hg65fyJHG, with the backup location being trombositting[.]org/af/hg65fyJHG.
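The downloader traffic described above has a distinctive shape: a hard-coded IE6/Windows 2000 user-agent that no modern desktop sends, a fixed payload path, and a small set of hosts (the two download locations here, plus the serv1.xyz IP-check and the .onion.link pages listed under Network Traffic further down). The following script is an added example, not code from the original post, showing how a defender could run those indicators over proxy logs. The log format and the sample lines are constructed for the example; the indicator values themselves are the ones quoted in the post.

```python
import re

# Constructed sample proxy log lines (not from the original post).
# Assumed format: timestamp client_ip method host path "user_agent"
SAMPLE_LOG = """\
2017-08-08T14:02:11Z 10.0.0.23 GET adelaidemotorshow.com.au /hg65fyJHG??XXSkRjf=XXSkRjf "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
2017-08-08T14:02:13Z 10.0.0.23 GET trombositting.org /af/hg65fyJHG "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
2017-08-08T14:02:40Z 10.0.0.57 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/60.0.3112.90"
2017-08-08T14:09:02Z 10.0.0.23 GET serv1.xyz /counter.php?nu=105&fb=726 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/60.0.3112.90"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Indicators taken from the post: the downloader's hard-coded user-agent,
# the payload URI, and the hosts from the Network Traffic section.
LEGACY_UA_RE = re.compile(r"MSIE 6\.0; Windows NT 5\.0")
PAYLOAD_PATH_RE = re.compile(r"/hg65fyJHG(\?|$)")
IOC_HOSTS = {
    "adelaidemotorshow.com.au",
    "trombositting.org",
    "serv1.xyz",
    "n224ezvhg4sgyamb.onion.link",
}


def classify(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LINE_RE.match(line)
    if not m:
        return None  # skip lines that are not in the expected format
    ts, client, method, host, path, ua = m.groups()
    reasons = []
    if LEGACY_UA_RE.search(ua):
        reasons.append("legacy IE6/Windows 2000 user-agent (WScript downloader)")
    if PAYLOAD_PATH_RE.search(path):
        reasons.append("known payload URI")
    if host.lower() in IOC_HOSTS:
        reasons.append("host from the post's network traffic list")
    if not reasons:
        return None
    return {"time": ts, "client": client, "host": host, "path": path, "reasons": reasons}


def scan(log_text):
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


def clients_with_payload_download(hits):
    """Clients that actually fetched the payload; these go first for isolation."""
    return sorted({h["client"] for h in hits if "known payload URI" in h["reasons"]})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["client"], h["host"] + h["path"], "->", "; ".join(h["reasons"]))
    print("isolate first:", clients_with_payload_download(hits))
```

The user-agent rule is the most durable of the three: the download hosts rotate (see the pastes referenced below), but the string is baked into the script, so a legacy IE6 user-agent coming from a current Windows build is worth an alert on its own, independent of any host list.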

More locations were posted in a very helpful paste by @Racco42, which can also be seen below:


A Twitter user by the name of  also posted a paste of download locations being distributed on 8/8/17.

The payload is named XXSkRjf2.exe, saved in %TEMP%, and run:


Below are the folder and file-extension exclusion lists, which were found in a very detailed blog post by Fortinet.

Folder exclusion list (44 in total):

Windows, Microsoft, Microsoft Help, Windows App Certification Kit, Windows Defender, ESET, COMODO, Windows NT, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Temp, NVIDIA Corporation, Microsoft.NET, Internet Explorer, Kaspersky Lab, McAfee, Avira, spytech software, sysconfig, Avast, Dr.Web, Symantec, Symantec_Client_Security, system volume information, AVG, Microsoft Shared, Common Files, Outlook Express, Movie Maker, Chrome, Mozilla Firefox, Opera, YandexBrowser, ntldr, Wsus, ProgramData.

Extension exclusion list (170 in total):

.$er, .4db, .4dd, .4d, .4mp, .abs, .abx, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .adn, .adp, .aft, .ahd, .alf, .ask, .awdb, .azz, .bdb, .bib, .bnd, .bok, .btr, .cdb, .cdb, .cdb, .ckp, .clkw, .cma, .crd, .daconnections, .dacpac, .dad, .dadiagrams, .daf, .daschema, .db, .db-shm, .db-wa, .db2, .db3, .dbc, .dbf, .dbf, .dbk, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .dd, .df1, .dmo, .dnc, .dp1, .dqy, .dsk, .dsn, .dta, .dtsx, .dx, .eco, .ecx, .edb, .emd, .eq, .fcd, .fdb, .fic, .fid, .fi, .fm5, .fmp, .fmp12, .fmps, .fo, .fp3, .fp4, .fp5, .fp7, .fpt, .fzb, .fzv, .gdb, .gwi, .hdb, .his, .ib, .idc, .ihx, .itdb, .itw, .jtx, .kdb, .lgc, .maq, .mdb, .mdbhtm, .mdf, .mdn, .mdt, .mrg, .mud, .mwb, .myd, .ndf, .ns2, .ns3, .ns4, .nsf, .nv2, .nyf, .oce, .odb, .oqy, .ora, .orx, .owc, .owg, .oyx, .p96, .p97, .pan, .pdb, .pdm, .phm, .pnz, .pth, .pwa, .qpx, .qry, .qvd, .rctd, .rdb, .rpd, .rsd, .sbf, .sdb, .sdf, .spq, .sqb, .sq, .sqlite, .sqlite3, .sqlitedb, .str, .tcx, .tdt, .te, .teacher, .tmd, .trm, .udb, .usr, .v12, .vdb, .vpd, .wdb, .wmdb, .xdb, .xld, .xlgc, .zdb, .zdc

It copies itself to %PUBLIC% and modifies auto-execute functionality by creating the following value in the registry:



Like other ransomware variants, it also uses “vssadmin.exe Delete Shadows /All /Quiet” to delete shadow volume copies. You can read an article written by Lawrence Abrams, owner and editor in chief of BleepingComputer.com, as to why everyone should disable vssadmin.exe.

It accomplishes this task via a batch file:

[image: batch file]

Process tree:


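The shadow-copy deletion and the batch file that launches it are the noisiest moments of this infection on the endpoint, and both show up in process-creation telemetry. The script below is an added example, not code from the original post, showing a rule set a defender could run over such events. The events are constructed in the spirit of Sysmon Event ID 1 (field names Image, ParentImage, CommandLine are assumptions for the example), the batch file name is a placeholder because the post does not give it, and the assumption that the .js runs under wscript.exe is mine, not the post's.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not from the original post).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\XXSkRjf2.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",          # assumed script host
     "CommandLine": r"C:\Users\Public\XXSkRjf2.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\XXSkRjf2.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\PLACEHOLDER.bat"'},  # name not in the post
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "VSSADMIN.EXE  Delete   Shadows /All /Quiet"},   # odd casing/spacing on purpose
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},                    # benign, must not fire
]

# Tolerant of casing and extra whitespace so trivial obfuscation doesn't evade it.
SHADOW_DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
# %PUBLIC% and %TEMP% as they appear expanded on disk; the post names both locations.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\(Public|[^\\]+\\AppData\\Local\\Temp)\\", re.IGNORECASE)


def image_name(path):
    """Basename of a Windows path, lower-cased, portable across host OSes."""
    return PureWindowsPath(path).name.lower()


def evaluate(event):
    """Return a list of (severity, reason) findings for a single event."""
    img = image_name(event["Image"])
    parent = image_name(event["ParentImage"])
    cmd = event["CommandLine"]
    findings = []
    if img == "vssadmin.exe" and SHADOW_DELETE_RE.search(cmd):
        findings.append(("high", "vssadmin.exe deleting shadow copies"))
    if img == "cmd.exe" and re.search(r"\.bat\b", cmd, re.IGNORECASE) \
            and USER_WRITABLE_RE.search(cmd):
        findings.append(("medium", "batch file run from user-writable location"))
    if parent == "wscript.exe" and USER_WRITABLE_RE.search(event["Image"]):
        findings.append(("medium", "executable in user-writable dir spawned by script host"))
    return findings


def triage(events):
    """Flatten findings over all events as (event_index, severity, reason)."""
    return [(i, sev, why) for i, e in enumerate(events) for sev, why in evaluate(e)]


def highest_severity(results):
    order = {"high": 2, "medium": 1}
    return max((sev for _, sev, _ in results), key=order.get, default=None)


if __name__ == "__main__":
    res = triage(SAMPLE_EVENTS)
    for i, sev, why in res:
        print(f"event {i}: [{sev}] {why} :: {SAMPLE_EVENTS[i]['CommandLine']}")
    print("highest severity:", highest_severity(res))
```

The "list shadows" event is included so the rule can be checked against the benign administrative use of vssadmin; the high-severity match is on the delete verb, not on the binary itself.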
After infection, an .HTML ransom note called RECOVER-FILES-726.html is dropped on the Desktop and in folders containing encrypted files:

Encrypted files are appended with the .726 file extension.
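When responding to one of these infections, the two artifacts just described, the .726 extension appended to every encrypted file and the RECOVER-FILES-726.html note dropped alongside them, are what you scope the damage with. The script below is an added example, not code from the original post, that walks a directory tree and reports affected folders, counts, and which original file types were hit. It builds a small constructed sample tree in a temporary directory so it runs offline; on a real host you would point triage() at a mounted image or user profile instead.

```python
import os
import shutil
import tempfile
from collections import Counter

# Indicators from the post for this GlobeImposter variant.
ENCRYPTED_EXT = ".726"
RANSOM_NOTE = "RECOVER-FILES-726.html"


def build_sample_tree():
    """Create a constructed directory tree mimicking a partially encrypted host."""
    root = tempfile.mkdtemp(prefix="globeimposter_triage_")
    layout = {
        "Users/alice/Desktop": ["report.docx.726", "budget.xlsx.726", RANSOM_NOTE],
        "Users/alice/Pictures": ["IMG_0001.jpg.726", RANSOM_NOTE],
        "Users/alice/AppData/Local/Temp": ["XXSkRjf2.exe"],   # dropper location per the post
        "Windows/System32": ["kernel32.dll"],                  # excluded folder, untouched
    }
    for rel, names in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d)
        for name in names:
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed sample content")
    return root


def triage(root):
    """Map each affected directory (relative to root) to its encryption indicators."""
    per_dir = {}
    for dirpath, _, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        has_note = RANSOM_NOTE in files
        if not encrypted and not has_note:
            continue
        # Strip the appended .726 to recover the original extension for reporting.
        originals = Counter(
            os.path.splitext(f[:-len(ENCRYPTED_EXT)])[1].lower() for f in encrypted)
        per_dir[os.path.relpath(dirpath, root)] = {
            "encrypted": len(encrypted),
            "note": has_note,
            "original_extensions": originals,
        }
    return per_dir


def summary(per_dir):
    """Roll the per-directory results up into totals for the incident record."""
    return {
        "dirs_affected": len(per_dir),
        "encrypted_files": sum(v["encrypted"] for v in per_dir.values()),
        "ransom_notes": sum(1 for v in per_dir.values() if v["note"]),
    }


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        results = triage(root)
        for d, info in sorted(results.items()):
            print(f"{d}: {info['encrypted']} encrypted, note={info['note']}, "
                  f"types={dict(info['original_extensions'])}")
        print(summary(results))
    finally:
        shutil.rmtree(root)
```

Because the extension and note name vary between GlobeImposter builds, keeping them as the two constants at the top lets the same scan be reused on a later variant by changing only those values.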

Below is an image of the ransom note, which contains instructions for how to decrypt your files, as well as links to the decryptor sites:

[image: ransom note]

Opening the ransom note also generates GET requests for serv1[.]xyz/counter.php?nu=105&fb=726, which returns your external IP address:

[image: IP check]

Below are images of the decryptor and “help desk” pages:

[images: decryptor page 1, decryptor page 2]

[images: Tor page, submit a ticket]

They are charging 0.31 bitcoins to decrypt files. I always recommend that people NOT pay ransoms. Instead, look for free decryptors that are released by organizations or by people in the InfoSec community. If there isn’t a free decryptor available then I suggest keeping your encrypted files until (hopefully) one is released.

Network Traffic
  • adelaidemotorshow.com.au – GET /hg65fyJHG??XXSkRjf=XXSkRjf
  • serv1.xyz – GET /counter.php?nu=105&fb=726
  • n224ezvhg4sgyamb.onion.link/efwdaq.php
  • n224ezvhg4sgyamb.onion.link/sup.php
  • n224ezvhg4sgyamb.onion

SHA256: dc4a4ccb21190a7d73a0aacd7cb72391c07c999bdb6372ff2c603cdc780048f3
File name: IMG_1391.js

SHA256: af1b82ff61d13d045664bfe3b760736c1243b71f97b851473bbaaa58c0686f75
File name: IMG_6580.js

SHA256: 9e95f90c8bdd43f2ba0ec4a48ea56270d688e99d17a1b8a03a79807d2745515e
File name: XXSkRjf2.exe
Hybrid-Analysis Report

Downloads and Paste

Malicious Artifacts from GlobeImposter Malspam 080817.zip
Password is “infected”

Paste of the decoded and commented .js file —> https://pastebin.com/rDZMzK4J (thanks again, IRDivision!)

Until next time!
