Zepto Ransomware, The New Kid in Town

HTA Downloader delivers Zepto Ransomware

Attack Vector: Email Attachment
Malicious File: it5Ax.hta

The Zepto sample that we found this morning came in as a zipped email attachment that contained an HTML Application (.hta) file. HTA files are a combination of HTML and one or more scripting languages like VBScript or JScript. A quick look at this file below shows it is a combination of HTML with obfuscated JScript. One of the significant dangers with HTA files is once the file is downloaded and run, it is treated as a “fully trusted application”. Whereas when a regular HTML file is run the execution is confined to the security model of the web browser.

We’ve seen Zepto and its cousin Locky arrive in DOCM attachments in recent months and I am not surprised to see the evolution to HTA files. DOCM which stands for Document with Macros is a special document with embedded scripts written in VBA (Visual Basic Application). Macros however don’t run by themselves and require user assistance. Weather the file is an HTA or a DOCM, the result is the same; once run it downloads the malware from its C2 and runs it.

HTA Encoded JScript Downloader
HTA Encoded JScript Downloader
Exploit and Post Infection Traffic
Exploit and Post Infection Traffic

Post Compromise your files will be encrypted and file extensions changed to .zepto similar to Locky which changes your file extensions to .locky.

Post Compromise the file extensions changed to .zepto
Post Compromise the file extensions changed to .zepto

How to pay instructions will appear on the user Desktop and in every directory explaining your predicament.

Desktop Image displays Instructions
Desktop Image displays Instructions

Your personal identification ID in the help message is the same as the first half of each scrambled filename.

Locky and Zepto Ransomware are similar in several regards, for example both are distributed primarily in massive spam campaigns via zipped JScript attachments and they both leave behind the same type of files including a similar ransom note.

We expect to see more malware payloads sent as HTA documents so take a few precautions such as:

  • Change settings in control panel to show file extensions to protect against misleading file names.
  • Configure Office settings to not allow macros in documents to run from the internet.
  • Always open .JS files in Notepad.
  • Backup your files regularly.
  • Treat all attachments as suspect.

Network Packet Capture File Extraction Analysis

There are many tools available to security analysts that are used to export files from network packet captures commonly called pcap files. In many companies today security analysts only have these pcap files as the only evidence available that contain the files that transmit their networks. Exporting the complete file and maintaining file integrity is paramount in any cyber investigation. I have known for a long time some tools are better then others for this purpose but not until recently during an investigation where I exported a file using two separate tools on the same pcap file resulted in two different MD5 hashs for the same file. Hence the reason for the analysis in today’s post.

We chose four popular tools for this test that are known industry wide and commonly found in many Security Analysts toolkits. Three of the tools are open source Wireshark, BRO and Chaosreader and we are also testing a professional version of NetworkMiner. For consistency sake we are using a packet capture from our friends at malware-traffic-analysis.net which contains a nasty flash exploit file.

Packet Capture

We downloaded the 2016-04-13-pseudo-Darkleech-Angler-EK-after-medical-library.net-first-run.pcap from malware-traffic-analysis April 2016 archive.


Wireshark                                                               https://www.wireshark.org/

Wirehark is the world’s foremost network protocol analyzer and used to examine packet capture files and capture network traffic.

After importing the pcap we downloaded we can see in tcp-stream 3 a Flash file was requested via a HTTP request Method GET and intimately downloaded via HTTP 200 response code with a file signature starting with CWS.

There are a couple methods to export a file in Wireshark but I will use the menu bar in this test.

In the Menu Select File > Export Objects > HTTP. This packet capture contains two Flash file we are going to test the 66 kB Flash file.

Select the file content type application/x-shockwave-flash.and chose Save As to save to disk.

Verify the md5 hash

Wireshark MD5 – 246690cd9b09f84456ddab98261510bd

Bro                                                                                 https://www.bro.org/bro-exchange-2013/exercises/faf.html

Bro Network Security Monitor (Bro) is a powerful network analysis framework that is commonly used for intrusion detection and analyzing packet capture files. Bro’s powerful analysis engine makes it adept at high-performance network monitoring, protocol analysis, and real-time application layer state information. In our analysis we will leverage the extract-all.bro script available on bro.org site see the url above.

Run the following command to export all files contained in the packet capture. Files will export into a directory export_files.

The script will drop all the files in a folder called extract_files; our file was renamed HTTP-FMBqgK2b8aa54wu7mc.

Verify the md5 hash

Bro MD5 – 246690cd9b09f84456ddab98261510bd

Chaosreader                                  http://www.brendangregg.com/chaosreader.html

Chaosreader is open source tool designed to aid in tracing TCP/UDP network sessions and file extraction and produces detailed HTML output which displays connection information in packet captures.

The file is renamed to session_0004.part_01.data however a view of the file properties confirms its our file.


Chaosreader MD5 – fc193d580ba0e80e20707baeb7f71f20

NetworkMiner                                                                      http://www.netresec.com/?page=NetworkMiner

One of the great features of NetworkMiner is host identification and file extraction. To get started we imported our pcap to the professional version of NetworkMiner.

Select File Import and select the Files Tab presents all files contained in the packet capture.

Right Select the Flashfile listed as x-shockwave-flash and Choose Open folder

Copy the file to disk


Verify the md5 hash                                                                                              Upload the file to Virustotal to confirm the md5 hash and community analysis

Note the MD5 hash is a match for two previous tests and the community AV results confirm its a known Flash exploit.


NetworkMiner MD5 246690cd9b09f84456ddab98261510bd


Of the four tools we analyzed we saw three tools export the complete file intact according to the MD5 hash. The tool that didn’t export the complete file in this test was Chaosreader. The lesson here is there are numerous tools security analysts use to resurrect files from pcaps but some tools preform better or more consistent then others so buyer beware. Our analysis was admittedly simplistic we didn’t test large files or files transmitted over various protocols such as SSH, SMB or FTP which we believe also will produce differing results between tools, we will save that for future article.