MSIL/Ghost.C3C4!tr.ransom

Analysis

MSIL/Ghost.C3C4!tr.ransom is a detection for the Ghost ransomware trojan.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • %AppData%\ghost\ghost.bat : Batch file that creates a service named ghostservice using the file ghostservice.exe.
    • %AppData%\ghost\ghostservice.exe : .NET executable, detected as MSIL/Ghost.2566!tr.ransom.
    • %AppData%\ghost\ghostservice.exe.config : Non-malicious data file (.NET application configuration).
    • %AppData%\ghost\ghostservice.pdb : Debug symbol file, currently analyzed as not malicious.
    • %AppData%\ghost\ghostservice.vshost.exe : Legitimate, digitally signed .NET file produced by Microsoft Visual Studio 2012 (the Visual Studio hosting process). Its presence alongside the .pdb file suggests the dropped files were copied straight from the developer's build output.
    • %AppData%\ghost\ghosthammer.dll : Currently detected as MSIL/Ghost.C3C4!tr; this library appears to be the component that performs the encryption.
    • %SystemDrive%\do_not_delete_codeid.txt : Text file containing the unique identifier assigned to this infection.
    • %SystemDrive%\ghostform.exe : Currently analyzed as not malicious.
    • %SystemDrive%\ghosthammer.dll : Currently detected as MSIL/Ghost.C3C4!tr; this library appears to be the component that performs the encryption.

  • Encrypted files are renamed using the format {Original_filename}.Ext.ghost, i.e. the original extension is kept and .ghost is appended.

  • This ransomware assigns a unique identifier to each infection (stored in %SystemDrive%\do_not_delete_codeid.txt).

  • Victims are instructed to contact the attacker at the following e-mail address:
    • paymemen@gmail.com

  • The ransom note points to the following payment site:
    • hxxp://blockchain[.]info/payment_request?address

  • This ransomware attempts to connect to the following domain:
    • www[.]12312312eewfef231[.]com

  • This ransomware encrypts files with the following extensions:
    • .mdf
    • .txt
    • .bat
    • .dot
    • .doc
    • .wbk
    • .docx
    • .pst
    • .docm
    • .dotm
    • .xls
    • .xlt
    • .xlsx
    • .xlm
    • .xlsm
    • .ppt
    • .ldf
    • .pps
    • .pptx
    • .accdb
    • .accde
    • .pub
    • .xps
    • .pdf
    • .mp3
    • .mp4
    • .wav
    • .wma
    • .mpa
    • .7z
    • .rar
    • .zip
    • .iso
    • .tar
    • .gz
    • .csv
    • .mdb
    • .sql
    • .xml
    • .db
    • .dbf
    • .jar
    • .ai
    • .bmp
    • .gif
    • .ico
    • .jpg
    • .png
    • .jpeg
    • .tif
    • .tiff
    • .svg
    • .js
    • .html
    • .php
    • .css
    • .cs
    • .class
    • .vb
    • .bak
    • .ink
    • .avi

  • This malware may apply any of the following registry modification(s):
    • HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ghostservice
      • ImagePath = %AppData%\ghost\ghostservice.exe
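The indicators above (the dropped file paths, the ghostservice service and its ImagePath value, the infection-ID file, the {Original_filename}.Ext.ghost naming format and the contacted domain) can be checked on a suspected host with the following PowerShell triage script. It is an added example written for this page, not code from Fortinet or from the malware. It assumes the paths are exactly as listed, expands %AppData% for the account running it (other user profiles would need their own pass), and scans only %SystemDrive%\Users for encrypted files; it is read-only.

```powershell
# Added triage script for the MSIL/Ghost indicators listed on this page.
# Not part of the Fortinet entry or of the malware itself. Read-only:
# nothing is stopped, deleted or modified. Run as Administrator so the
# service registry key and other users' profiles are readable.
# Assumptions: dropped-file paths are exactly as listed above; %AppData%
# is expanded for the account running the script; encrypted files keep
# their original extension before the ".ghost" suffix.

$findings = New-Object System.Collections.Generic.List[string]

# 1. The service created by ghost.bat. ControlSet001 is the key the entry
#    documents; CurrentControlSet is checked too since it may point elsewhere.
foreach ($key in @('HKLM:\SYSTEM\ControlSet001\Services\ghostservice',
                   'HKLM:\SYSTEM\CurrentControlSet\Services\ghostservice')) {
    if (Test-Path -LiteralPath $key) {
        $image = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        $findings.Add("Service key present: $key (ImagePath=$image)")
    }
}
$svc = Get-Service -Name 'ghostservice' -ErrorAction SilentlyContinue
if ($svc) { $findings.Add("Service 'ghostservice' exists, status: $($svc.Status)") }

# 2. Dropped files. SHA-256 is recorded so samples can be matched later.
$ghostDir = Join-Path $env:APPDATA 'ghost'
$dropped  = @('ghost.bat', 'ghostservice.exe', 'ghostservice.exe.config',
              'ghostservice.pdb', 'ghostservice.vshost.exe', 'ghosthammer.dll') |
            ForEach-Object { Join-Path $ghostDir $_ }
$dropped += @("$env:SystemDrive\do_not_delete_codeid.txt",
              "$env:SystemDrive\ghostform.exe",
              "$env:SystemDrive\ghosthammer.dll")
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("Dropped file present: $path SHA256=$hash")
    }
}

# 3. The per-infection identifier. Record it; do not delete it.
$idFile = "$env:SystemDrive\do_not_delete_codeid.txt"
if (Test-Path -LiteralPath $idFile -PathType Leaf) {
    $findings.Add("Infection ID: " + (Get-Content -LiteralPath $idFile -Raw).Trim())
}

# 4. Evidence of the lookup of the contacted domain in the DNS client cache.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*12312312eewfef231*' } |
    ForEach-Object { $findings.Add("DNS cache entry: $($_.Entry) -> $($_.Data)") }

# 5. Inventory of encrypted files ({Original_filename}.Ext.ghost) to drive
#    restoration from backup. The original path is the name minus ".ghost".
$inventory = Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -File -Filter '*.ghost' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $original = $_.FullName.Substring(0, $_.FullName.Length - '.ghost'.Length)
        [pscustomobject]@{
            EncryptedPath = $_.FullName
            OriginalPath  = $original
            OriginalExt   = [System.IO.Path]::GetExtension($original)
            SizeBytes     = $_.Length
            LastWriteUtc  = $_.LastWriteTimeUtc
        }
    }

# Report
foreach ($line in $findings) { Write-Output $line }
if ($inventory) {
    $csv = "$env:TEMP\ghost_encrypted_files.csv"
    $inventory | Export-Csv -Path $csv -NoTypeInformation
    Write-Output ("Encrypted files found: {0}; inventory written to {1}" -f @($inventory).Count, $csv)
}
if ($findings.Count -eq 0 -and -not $inventory) {
    Write-Output 'No MSIL/Ghost indicators found.'
}
```

The CSV of encrypted files, with each original path and extension recovered from the .ghost suffix, is what the "replace infected files with clean backup copies" step below needs: it tells you exactly which files to restore and, via OriginalExt, whether anything outside the targeted extension list was touched.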


  • Below is an illustration of the malware's Ransom notes:

    • Figure 1: Ransom notes.


  • Recommended Action

    • Make sure that your FortiGate/FortiClient system is using the latest AV database.
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Telemetry

    Detection Availability

    Product                     Detection level
    FortiGate                   Extended
    FortiClient                 Extreme
    FortiAPS                    (not listed)
    FortiAPU                    (not listed)
    FortiMail                   Extreme
    FortiSandbox                Extreme
    FortiWeb                    Extreme
    Web Application Firewall    Extreme
    FortiIsolator               Extreme
    FortiDeceptor               Extreme
    FortiEDR                    (not listed)

    Version Updates

    Date         Version     Detail
    2018-12-11   64.82100    Sig Updated
    2018-12-06   64.70100    Sig Updated
    2018-11-20   64.31700    Sig Updated
    2018-11-14   64.17400    Sig Updated