
McAfee Labs Threat Advisory

SyncCrypt

August 24, 2017


McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent
malware. This Threat Advisory contains behavioral information, characteristics, and symptoms that may be used to
mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs.

To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive Malware and
Threat Reports at the following URL: https://sns.snssecure.mcafee.com/content/signup_login.

Summary
SyncCrypt belongs to a family of malware that encrypts user files on the compromised system and
demands that the user pay a ransom to recover the files.

Detailed information about the threat, its propagation, characteristics, and mitigation are in the following sections:

Infection and Propagation Vectors
Mitigation
Characteristics and Symptoms
Restart Mechanism
Remediation
McAfee Foundstone Services

The minimum DAT versions required for detection are:

Detection Name                                    MD5 of samples                    DAT Version         Date
JS/Nemucod.xo (Spam Attachment Infection vector)  D10C1BD17C1B84A22DB0D77515B7C32E  V2: 8629, V3: 3080  20 Aug 2017
SyncCrypt!Zip                                     6c58b88f186f6dca233a4dc37dc5beb3  V2: 8629, V3: 3080  20 Aug 2017

The Threat Intelligence Library contains the date that the above signatures were most recently updated. Please
review the Threat Library for the most up-to-date coverage information.

Infection and Propagation Vectors


Infection and propagation are achieved through spam mail campaigns. The spam emails contain Zip files with a wsf
file inside. Customers are advised to avoid opening such files received through emails.

Mitigation
Mitigating the threat at multiple levels such as file, registry, and URL can be achieved at various layers of McAfee
products. Browse the product guidelines available here to mitigate the threat based on the behavior described
below in the Characteristics and Symptoms section.

McAfee Endpoint Security

Mitigation methods for assorted malware are available in the following product guide:
http://b2b-download.mcafee.com/products/evaluation/Endpoint_Security/Evaluation/ens_1000_help_0-00_en-us.pdf

Any specific mitigation steps, if necessary, will be described later in this advisory.
ENS 10.x
Refer to article KB86577 to create an Endpoint Security Threat Prevention user-defined Access Protection
Rule for a file, folder, or registry key.

VSE
Refer to article KB53346 to use Access Protection policies in VirusScan Enterprise to protect against
viruses that can disable regedit.
Refer to article KB53355 to use Access Protection policies in VirusScan Enterprise to protect against
viruses that can disable Task Manager.
Refer to article KB53356 to use Access Protection policies in VirusScan Enterprise to prevent malware
from changing folder options.

HIPS
To blacklist applications using a Host Intrusion Prevention custom signature, refer to KB71329.
To create an application blocking rules policy to prevent the binary from running, refer to KB71794.
To create an application blocking rules policy that prevents a specific executable from hooking any other
executable, refer to KB71794.

MRI
To download and install McAfee Ransomware Interceptor, refer to McAfee Free Tools.

Characteristics and Symptoms


When executed on the machine, SyncCrypt downloads a JPG file to the %TEMP% folder from the following sites:

hxxps://image.ibb.co/mxRqXF/arrival.jpg
hxxp://sm.uploads.im/X8IOl.jpg
hxxp://185.10.202.115/images/arrival.jpg

The JPG file contains an embedded Zip file, which in turn contains a Zip file holding three files: sync.exe,
readme.html, and readme.png. The Zip file is extracted to the %TEMP%\BackupClient folder. After extraction, the
malware creates a scheduled task that runs sync.exe once at the current system time.

Scheduled task:

"C:\Windows\System32\schtasks.exe" /CREATE /F /TN sync /TR "C:\Users\User\AppData\Local\Temp\BackupClient\sync.exe -e \"C:\Users\User\desktop\"" /sc once /st <System time>

Location on the disk for the files extracted from the Zip file:

C:\Users\User\AppData\Local\Temp\BackupClient\sync.exe
C:\Users\User\AppData\Local\Temp\BackupClient\readme.html
C:\Users\User\AppData\Local\Temp\BackupClient\readme.png

When sync.exe is executed, the malware parses its command-line arguments to determine its behavior. It moves
readme.html and readme.png into the README folder on the desktop by executing the following commands:

C:\Windows\system32\cmd.exe /c move /y readme.html "C:\Users\User\Desktop\README\readme.html"
C:\Windows\system32\cmd.exe /c move /y readme.png "C:\Users\User\Desktop\README\readme.png"

The malware enumerates the machines present on the network using:

C:\Windows\system32\cmd.exe /c cmd /c net view
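The three command lines quoted above (the schtasks persistence, the ransom-note moves into Desktop\README, and net view spawned by sync.exe) are what a detection engineer would key on in process-creation telemetry. The following Python is an added example written for this advisory; it is not McAfee tooling and not part of the original document. It runs a small rule set over constructed sample events shaped like a Sysmon Event ID 1 or EDR export (parent image, image, command line). The SyncCrypt-specific rules use only the paths and switches the advisory quotes; the TEMP_TASK rule is an assumed generalization (any scheduled task whose action lives under AppData\Local\Temp), and every sample event, path, and time below is constructed for illustration.

```python
import re

# Constructed sample process-creation events, not taken from the advisory's telemetry:
# (parent_image, image, command_line). Paths and switches mirror the commands quoted in
# the advisory; parent processes, task times, and the benign events are made up.
SAMPLE_EVENTS = [
    # 0: the scheduled-task persistence the advisory describes
    (r'C:\Windows\System32\wscript.exe', r'C:\Windows\System32\schtasks.exe',
     r'''"C:\Windows\System32\schtasks.exe" /CREATE /F /TN sync /TR "C:\Users\User\AppData\Local\Temp\BackupClient\sync.exe -e \"C:\Users\User\desktop\"" /sc once /st 14:05'''),
    # 1: ransom note moved into Desktop\README by sync.exe
    (r'C:\Users\User\AppData\Local\Temp\BackupClient\sync.exe', r'C:\Windows\system32\cmd.exe',
     r'C:\Windows\system32\cmd.exe /c move /y readme.html "C:\Users\User\Desktop\README\readme.html"'),
    # 2: network enumeration spawned by sync.exe
    (r'C:\Users\User\AppData\Local\Temp\BackupClient\sync.exe', r'C:\Windows\system32\cmd.exe',
     r'C:\Windows\system32\cmd.exe /c cmd /c net view'),
    # 3: benign task creation pointing into Program Files (should not fire)
    (r'C:\Windows\explorer.exe', r'C:\Windows\System32\schtasks.exe',
     r'"C:\Windows\System32\schtasks.exe" /CREATE /TN Backup /TR "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'),
    # 4: net view run by a user from explorer, not from sync.exe (should not fire)
    (r'C:\Windows\explorer.exe', r'C:\Windows\system32\cmd.exe', r'cmd.exe /c net view'),
    # 5: hypothetical task whose action lives in the user's Temp folder (generalized rule)
    (r'C:\Windows\System32\wscript.exe', r'C:\Windows\System32\schtasks.exe',
     r'"C:\Windows\System32\schtasks.exe" /CREATE /TN Updater /TR "C:\Users\User\AppData\Local\Temp\upd.exe" /sc once /st 09:00'),
]

# Exact SyncCrypt artifact from the advisory: task action is %TEMP%\BackupClient\sync.exe.
SYNC_TASK_RE = re.compile(r'\\Temp\\BackupClient\\sync\.exe', re.IGNORECASE)
# Assumed generalization: any task whose /TR action sits under AppData\Local\Temp.
TEMP_TASK_RE = re.compile(r'/TR\s+"?[^"]*\\AppData\\Local\\Temp\\', re.IGNORECASE)
# Ransom note moved into a Desktop\README folder (readme.html / readme.png per the advisory).
README_MOVE_RE = re.compile(r'\bmove\s+/y\s+readme\.(?:html|png)\s+"?[^"]*\\Desktop\\README\\', re.IGNORECASE)
NET_VIEW_RE = re.compile(r'\bnet\s+view\b', re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def classify(parent_image, image, cmdline):
    """Return the list of rule names that match one process-creation event."""
    hits = []
    img = basename(image)
    parent = basename(parent_image)
    if img == 'schtasks.exe' and '/create' in cmdline.lower():
        if SYNC_TASK_RE.search(cmdline):
            hits.append('SYNCCRYPT_TASK')        # high confidence: advisory-specific path
        elif TEMP_TASK_RE.search(cmdline):
            hits.append('TEMP_TASK')             # lower confidence, review manually
    if img == 'cmd.exe' and README_MOVE_RE.search(cmdline):
        hits.append('RANSOM_NOTE_DROP')
    # net view on its own is noisy; require the advisory's parent process to cut false positives.
    if img == 'cmd.exe' and NET_VIEW_RE.search(cmdline) and parent == 'sync.exe':
        hits.append('NET_VIEW_FROM_SYNC')
    return hits


def scan(events):
    """Run classify() over a sequence of events; return (event_index, rule_name) pairs."""
    findings = []
    for idx, (parent_image, image, cmdline) in enumerate(events):
        for rule in classify(parent_image, image, cmdline):
            findings.append((idx, rule))
    return findings


if __name__ == '__main__':
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f'event {idx}: {rule}: {SAMPLE_EVENTS[idx][2]}')
```

Events 3 and 4 show why the rules are scoped: task creation and net view are common administrative activity, so the detections anchor on the BackupClient path, the README destination, and the sync.exe parent rather than on the commands alone.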


The malware creates files in the Desktop\README folder:

The malware encrypts files with AES; the AES key used to encrypt the files is itself encrypted with an embedded
RSA-4096 public key and saved in %Desktop%\README\key.

The ammount.txt file contains the ransom amount to be paid. The other two files are ransom notes.

RSA-4096 public encryption key:

The malware encrypts the following file types:


The malware also avoids encrypting files from the following folders:

windows\
program files (x86)\
program files\
programdata\
winnt\
\system volume information\
\desktop\readme\
\$recycle.bin\

The malware encrypts all files and adds the extension .kk. After encrypting all files present in the system, it
displays the ransom note.
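Because SyncCrypt appends .kk to every file it encrypts and drops its notes (readme.html, readme.png, ammount.txt, key) into Desktop\README, an incident responder can scope an infection and build a restore list from the file system alone. The following Python is an added triage example written for this advisory, not McAfee tooling and not part of the original document. It walks a directory tree, lists every .kk file with the original name it was renamed from, counts hits per directory, and flags folders that hold the ransom-note set; the sample tree it builds under a temporary directory is constructed for illustration, and the threshold of two note files per folder is an assumption.

```python
import json
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".kk"   # extension SyncCrypt appends, per the advisory
# Files the advisory says are dropped into Desktop\README ("ammount.txt" is the malware's own spelling).
NOTE_FILES = {"readme.html", "readme.png", "ammount.txt", "key"}
NOTE_THRESHOLD = 2         # assumption: two or more of the note files in one folder counts as a note drop


def _rel(path, root):
    """Path relative to root with forward slashes, so output is stable across platforms."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def find_encrypted(root):
    """Return sorted (encrypted_relpath, original_relpath) pairs for every .kk file under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                enc = os.path.join(dirpath, name)
                orig = enc[:-len(ENCRYPTED_SUFFIX)]   # strip the appended extension to recover the original name
                hits.append((_rel(enc, root), _rel(orig, root)))
    return sorted(hits)


def find_note_dirs(root):
    """Return sorted directories (relative to root) containing at least NOTE_THRESHOLD ransom-note files."""
    dirs = []
    for dirpath, _dirs, files in os.walk(root):
        present = NOTE_FILES & {f.lower() for f in files}
        if len(present) >= NOTE_THRESHOLD:
            dirs.append(_rel(dirpath, root))
    return sorted(dirs)


def summarize(root):
    """Scope summary: how many files were hit, where, what to restore, and where notes were dropped."""
    hits = find_encrypted(root)
    per_dir = Counter(os.path.dirname(enc) or "." for enc, _ in hits)
    return {
        "encrypted_count": len(hits),
        "per_directory": dict(per_dir),
        "restore_list": [orig for _, orig in hits],   # original names to pull from backup
        "ransom_note_dirs": find_note_dirs(root),
    }


def build_sample_tree():
    """Create a constructed sample tree mimicking a user profile after infection; returns its root."""
    root = tempfile.mkdtemp(prefix="synccrypt_triage_")
    layout = [
        "Documents/report.docx.kk", "Documents/notes.txt.kk", "Documents/untouched.pdf",
        "Pictures/holiday.jpg.kk",
        "Desktop/README/readme.html", "Desktop/README/readme.png",
        "Desktop/README/ammount.txt", "Desktop/README/key",
    ]
    for rel in layout:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(json.dumps(summarize(sample_root), indent=2))
```

Run it against a mounted image or a user profile instead of the sample tree to get the restore list; stripping .kk gives the original names only because the advisory states the extension is appended rather than replacing the original one.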
AP Rule:

Blocking execution of EXE:

Remediation
Coverage for the samples described in this Threat Advisory is available in DAT 8632 and above.

Getting Help from the McAfee Foundstone Services team


This document is intended to provide a summary of current intelligence and best practices to ensure the highest
level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of
strategic and technical consulting services that can further help to ensure you identify security risk and build
effective solutions to remediate security vulnerabilities.

You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx

This Advisory is for the education and convenience of McAfee customers. We try to ensure the accuracy,
relevance, and timeliness of the information and events described; they are subject to change without notice.

Copyright 2014 McAfee, Inc. All rights reserved.
