{
	"id": "73312c8f-2f09-44ed-bc7f-d2618a78bcd6",
	"created_at": "2026-04-06T01:29:41.730259Z",
	"updated_at": "2026-04-10T13:11:34.584426Z",
	"deleted_at": null,
	"sha1_hash": "60e083637ff83bcd80db4f21b25c1ccc8077d74f",
	"title": "The opposite of fileless malware - nodejs ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4110670,
	"plain_text": "The opposite of fileless malware - nodejs ransomware\r\nBy f0wL\r\nPublished: 2020-01-23 · Archived: 2026-04-06 00:32:49 UTC\r\nThis one is a few days old already but still worth a look. Have I mentioned that I hate Javascript?\r\nThis is not the first time that someone built a Ransomware Strain with NodeJS (check out this article about\r\nRansom32 and let's not forget about Nodersok), but it's not an everyday sight either. This Malware Sample was\r\nfirst discovered by Xavier Mertens in a post to the SANS ISC Forum here.\r\nA general disclaimer as always: downloading and running the samples linked below will lead to the encryption\r\nof your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/\r\nsources might be illegal depending on where you live.\r\nNodeJS Ransom @ AnyRun | VirusTotal | HybridAnalysis --\u003e sha256\r\n9b6681103545432cd1373492297a6a12528f327d14a7416c2b71cfdcbdafc90b\r\nThe VBS \"Loader\" is 46 KiB in size and contains 2417 empty lines before any Code (which is not obfuscated at all).\r\nAs one of the first steps the Malware will download a distributable of NodeJS Version 8.x (which is quite old). It\r\nalso spoofs the User Agent of Firefox 52 for that download.\r\nhttps://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html\r\nPage 1 of 7\n\nIt will add the following registry keys to gain persistence on the System. 
The first one will run the vbs script (to\r\nprevent encrypting the files a second time it checks for AppData\\Local\\GFp0JAk\\initdone, which is created once the vbs\r\nscript has run through completely), the second reg key will show the CLI Version of the Ransomnote prompting for the\r\ndecryption key and the last one will open the HTML Ransomnote.\r\nBecause the Javascript has to interact with the system components somehow, the criminals bundled a copy of the\r\ngraceful-fs npm package: it is not downloaded from the Internet but rather embedded in the Script itself and\r\nwritten out to the respective files.\r\nThe Javascript Portion requires the following dependencies: graceful-fs, crypto, path, child_process,\r\nreadline, os\r\nUp next it will engage a loop to kill Microsoft Word, Excel, Outlook and Autocad. (Targeting business PCs /\r\nWorkstations, no SQL or other Services though, so it's likely not meant to infect servers)\r\nLooks like they implemented a custom password generator for testing purposes, so let's take a quick look to see\r\nhow terrible it is. The Length of the password is defined globally at the top of the VB script as 13 characters. The\r\nyellow section will set the boundaries for ASCII lower and upper case characters plus numbers. The variables\r\ncalled pCheckxxx are initialized with 0 and will be used in the green section later.\r\nThe author is using the Randomize() function (without a defined number, so it is seeding off the System timer)\r\nwhich is a horrible way of generating \"pseudo random numbers\". Btw. Rnd() will return a number less than one but\r\ngreater than or equal to 0. If you would like to know more about Rnd()'s and Randomize()'s flaws you should\r\ndefinitely check out this article: Link. Moving on to the Red Section we can see how they choose their characters\r\nfor Lowercase, Uppercase and the Numbers. 
Funnily enough they defined an ASCII range for special characters as\r\nwell but don't actually end up using it at all (which means less entropy yay) 🤓\r\nLastly the Green Section will check for at least one uppercase letter, one lowercase letter and one digit in the password, otherwise it\r\nwill discard it and start over.\r\nAs I already mentioned this password generator was only used for testing purposes since the function call in the\r\nVB script has been commented out. This would have been a fun little exercise to bruteforce :D Never use Rnd()\r\nfor crypto operations kids!\r\nWork in Progress\r\nThe PEM-encoded Public Key Blob is embedded into the Javascript code as well.\r\nActually the Ransomware drops two notes: The HTML File and a similarly phrased version of it in a console\r\nwindow:\r\nMITRE ATT\u0026CK\r\nT1035 --\u003e Service Execution --\u003e Execution\r\nT1215 --\u003e Kernel Modules and Extensions --\u003e Persistence\r\nT1179 --\u003e 
Hooking --\u003e Persistence\r\nT1060 --\u003e Registry Run Keys / Start Folder --\u003e Persistence\r\nT1055 --\u003e Process Injection --\u003e Privilege Escalation\r\nT1179 --\u003e Hooking --\u003e Privilege Escalation\r\nT1055 --\u003e Process Injection --\u003e Defense Evasion\r\nT1112 --\u003e Modify Registry --\u003e Defense Evasion\r\nT1107 --\u003e File Deletion --\u003e Defense Evasion\r\nT1179 --\u003e Hooking --\u003e Credential Access\r\nT1012 --\u003e Query Registry --\u003e Discovery\r\nT1120 --\u003e Peripheral Device Discovery --\u003e Discovery\r\nT1057 --\u003e Process Discovery --\u003e Discovery\r\nIOCs\r\nNodeJS Ransom\r\nE-Mail Addresses / Contact\r\nn/a\r\nBitcoin Address\r\n18aBKwKJvMCkZmpkcCbW9b9y9snAmU3kgo\r\nRansomnote\r\nYour files are encrypted! 
Encryption was produced using a unique public key RSA-2048 generated for th\r\ndecrypt files you need to obtain the private key.The single copy of the private key, which will allow\r\nlocated on a remote server on the Internet.The server will destroy the key after a ' + tillDate + '.\r\nwill be able to restore files ...To obtain the private key for this computer, you need to send\r\n0.4 BTC\r\nto bitcoin address\r\n18aBKwKJvMCkZmpkcCbW9b9y9snAmU3kgo\r\nYou can easily delete this software, but know that without it, you will never be able to get your ori\r\nDisable your antivirus to prevent the removal of this software.When your transaction will be verified\r\nwill receive your private key.\r\nApproximate destruction time of your private key ' + tillDate + '\r\nHow to buy bitcoins\r\n Xchange.cash\r\n 24paybank.com\r\n Change.me\r\n Kassa.cc\r\n Change.am\r\n Coinbase.com\r\n more options\r\n Bestchange.com\r\nSource: https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html"
	],
	"report_names": [
		"the-opposite-of-fileless-malware-nodejs-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438981,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60e083637ff83bcd80db4f21b25c1ccc8077d74f.pdf",
		"text": "https://archive.orkl.eu/60e083637ff83bcd80db4f21b25c1ccc8077d74f.txt",
		"img": "https://archive.orkl.eu/60e083637ff83bcd80db4f21b25c1ccc8077d74f.jpg"
	}
}