{
	"id": "5ae0889e-3913-4759-a53d-5c605cbc4894",
	"created_at": "2026-04-06T00:22:13.744965Z",
	"updated_at": "2026-04-10T03:21:22.612481Z",
	"deleted_at": null,
	"sha1_hash": "b2aa12c2126b4ea59363a95ad367a735acd59afc",
	"title": "Analysis of New GlobeImposter Ransomware Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2645026,
	"plain_text": "Analysis of New GlobeImposter Ransomware Variant\r\nBy Xiaopeng Zhang\r\nPublished: 2017-08-05 · Archived: 2026-04-05 12:42:18 UTC\r\nOver the past few days, FortiGuard Labs captured a number of JS (JavaScript) scripts. Based on my analysis, they were being used to spread new GlobeImposter ransomware variants. I picked one of them and did a quick analysis. The version of the variant I reviewed is “726”.\r\nFigure 1 shows part of the JS file list that we captured. As you can see, the files whose names start with “IMG_” and “NIC” are all GlobeImposter downloaders.\r\nFigure 1. Captured JS file list\r\nDownload and Execution\r\nhttps://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant\r\nPage 1 of 9\n\nWhen the JS “IMG_8798.js” is executed, it downloads GlobeImposter from “hxxp://wendybull.com.au/87wefhi??JWbXSIl=JWbXSIl” and runs it. In my test environment the downloaded file was named 87wefhi.txt.exe, a double extension that hides the executable behind a .txt name. Next we’ll look at how it works on a victim’s machine.\r\nWhen GlobeImposter is launched, it dynamically extracts code into heap memory. It then creates its child process with the flag CREATE_SUSPENDED, so the child starts suspended, and the code of the child process is replaced with the previously extracted code; that code runs once the child is resumed. This create-suspended, replace, resume sequence is the technique commonly called process hollowing, and it carries the main part of GlobeImposter’s functionality: the file on disk is only a loader.\r\nThe screenshot in Figure 2 shows the process tree when GlobeImposter is executed.\r\nFigure 2. The Process Tree\r\nThe initial process resumes the execution of its child process by calling ResumeThread and then exits. All the analysis below concerns that child process.\r\nThe Child Process\r\nFirst, it calls the API function SetThreadExecutionState with 0x80000041, which is ES_CONTINUOUS (0x80000000) | ES_AWAYMODE_REQUIRED (0x40) | ES_SYSTEM_REQUIRED (0x1). With these flags set, Windows will not put the system to sleep while the ransomware is encrypting files. 
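The launch sequence above (a suspended child whose image is replaced, resumed by a parent that then exits) leaves a characteristic trace in process telemetry. The detector below is an added example written for this page, not code from the post or from Fortinet: it runs a hunting heuristic over a few constructed Sysmon-style process events. The event field names, the five-second window, the forward-slash paths and the assumption that the suspended child is a second instance of the same executable are all mine; the post's Figure 2 is not reproduced here.

```python
# Added example: hunt for the self-spawn-then-exit pattern described in the post.
# Events are constructed, Sysmon-like records (EventID 1 = create, 5 = terminate).
# Assumptions (not from the post): field names, the 5-second window, forward-slash
# paths, and that the suspended child is a second instance of the same executable.

SAMPLE_EVENTS = [  # constructed sample, times in seconds
    {'id': 1, 'ts': 0.0, 'pid': 100, 'ppid': 4, 'image': 'C:/Windows/explorer.exe', 'parent_image': 'C:/Windows/System32/userinit.exe'},
    {'id': 1, 'ts': 10.0, 'pid': 200, 'ppid': 100, 'image': 'C:/Windows/System32/wscript.exe', 'parent_image': 'C:/Windows/explorer.exe'},
    {'id': 1, 'ts': 12.0, 'pid': 300, 'ppid': 200, 'image': 'C:/Users/victim/Downloads/87wefhi.txt.exe', 'parent_image': 'C:/Windows/System32/wscript.exe'},
    {'id': 1, 'ts': 12.5, 'pid': 301, 'ppid': 300, 'image': 'C:/Users/victim/Downloads/87wefhi.txt.exe', 'parent_image': 'C:/Users/victim/Downloads/87wefhi.txt.exe'},
    {'id': 5, 'ts': 12.8, 'pid': 300},  # loader exits right after ResumeThread
    {'id': 1, 'ts': 20.0, 'pid': 400, 'ppid': 100, 'image': 'C:/Program Files/Browser/browser.exe', 'parent_image': 'C:/Windows/explorer.exe'},
    {'id': 1, 'ts': 20.3, 'pid': 401, 'ppid': 400, 'image': 'C:/Program Files/Browser/browser.exe', 'parent_image': 'C:/Program Files/Browser/browser.exe'},  # benign self-spawn: parent stays alive
    {'id': 1, 'ts': 30.0, 'pid': 500, 'ppid': 100, 'image': 'C:/Tools/updater.exe', 'parent_image': 'C:/Windows/explorer.exe'},
    {'id': 1, 'ts': 30.2, 'pid': 501, 'ppid': 500, 'image': 'C:/Tools/updater.exe', 'parent_image': 'C:/Tools/updater.exe'},
    {'id': 5, 'ts': 30.4, 'pid': 501},  # child dies before the parent: short-lived helper, not a hollowed host
    {'id': 5, 'ts': 30.6, 'pid': 500},
]

def find_hollowing_candidates(events, window=5.0):
    '''Return (parent_pid, child_pid, image, seconds_until_parent_exit) for every
    creation where the child runs the same image as its parent, the parent exits
    within `window` seconds, and the child is still alive at that point.'''
    term_ts = {}
    for e in events:
        if e['id'] == 5:
            term_ts.setdefault(e['pid'], e['ts'])
    hits = []
    for e in sorted(events, key=lambda x: x['ts']):
        if e['id'] != 1 or e['image'].lower() != e['parent_image'].lower():
            continue
        parent_exit = term_ts.get(e['ppid'])
        if parent_exit is None or not (e['ts'] <= parent_exit <= e['ts'] + window):
            continue
        child_exit = term_ts.get(e['pid'])
        if child_exit is not None and child_exit <= parent_exit:
            continue  # child gone before the parent: no surviving hollowed process
        hits.append((e['ppid'], e['pid'], e['image'], round(parent_exit - e['ts'], 2)))
    return hits

def lineage(events, pid):
    '''Walk parent pointers from pid to the root using the create events; this
    confirms the download chain the post describes (script host -> dropped exe -> child).'''
    by_pid = {e['pid']: e for e in events if e['id'] == 1}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]['image'].rsplit('/', 1)[-1])
        pid = by_pid[pid]['ppid']
    return list(reversed(chain))

if __name__ == '__main__':
    for ppid, pid, image, dt in find_hollowing_candidates(SAMPLE_EVENTS):
        print(f'candidate: {image} pid {pid} (parent {ppid} exited after {dt}s)')
        print('  lineage:', ' -> '.join(lineage(SAMPLE_EVENTS, pid)))
```

The heuristic is a hunting lead, not a verdict: self-updaters and some installers also spawn a copy of themselves and exit, which is why the sample includes a browser (parent survives) and an updater (child dies first) that are both left alone, while only the dropped executable whose loader exits and whose child keeps running is reported.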
The function is called again with 0x80000000 (ES_CONTINUOUS alone) after the encryption work is done, which clears the earlier requirement.\r\nTo hinder analysis, most strings and part of its API imports are encrypted and are decrypted dynamically at run time. It then decrypts the exclusion folder and file-extension names. In this version it sets two exclusion lists. While the ransomware walks all the folders and files on the victim’s machine, it skips files located in folders whose names are on the folder exclusion list, and it is meant to skip files whose extensions are on the extension exclusion list. (In this version it does perform the extension check but ignores the result, so files with these extensions are encrypted anyway; this is probably a bug.)\r\nBelow are the exclusion lists:\r\nFolder exclusion list: (44 in total)\r\nWindows, Microsoft, Microsoft Help, Windows App Certification Kit, Windows Defender, ESET, COMODO, Windows NT, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Temp, NVIDIA Corporation, Microsoft.NET, Internet Explorer, Kaspersky Lab, McAfee, Avira, spytech software, sysconfig, Avast, Dr.Web, Symantec, Symantec_Client_Security, system volume information, AVG, Microsoft Shared, Common Files, Outlook Express, Movie Maker, Chrome, Mozilla Firefox, Opera, YandexBrowser, ntldr, Wsus, ProgramData.\r\nExtension exclusion list: (170 in total, as listed, including a few duplicate entries)\r\n.$er .4db .4dd .4d .4mp .abs .abx .accdb .accdc .accde .accdr .accdt .accdw .accft .adn .adp .aft .ahd .alf .ask .awdb .azz .bdb .bib .bnd .bok .btr .cdb .cdb .cdb .ckp .clkw .cma .crd .daconnections .dacpac .dad .dadiagrams .daf .daschema .db .db-shm .db-wa .db2 .db3 .dbc .dbf .dbf .dbk .dbs .dbt .dbv .dbx .dcb .dct .dcx .dd .df1 .dmo .dnc .dp1 .dqy .dsk .dsn .dta .dtsx .dx .eco 
.ecx .edb .emd .eq .fcd .fdb .fic .fid .fi .fm5 .fmp .fmp12 .fmps .fo .fp3 .fp4 .fp5 .fp7 .fpt .fzb .fzv .gdb .gwi .hdb .his .ib .idc .ihx .itdb .itw .jtx .kdb .lgc .maq .mdb .mdbhtm .mdf .mdn .mdt .mrg .mud .mwb .myd .ndf .ns2 .ns3 .ns4 .nsf .nv2 .nyf .oce .odb .oqy .ora .orx .owc .owg .oyx .p96 .p97 .pan .pdb .pdm .phm .pnz .pth .pwa .qpx .qry .qvd .rctd .rdb .rpd .rsd .sbf .sdb .sdf .spq .sqb .sq .sqlite .sqlite3 .sqlitedb .str .tcx .tdt .te .teacher .tmd .trm .udb .usr .v12 .vdb .vpd .wdb .wmdb .xdb .xld .xlgc .zdb .zdc\r\nRelocation and Startup Group\r\nAfterwards, it copies itself into “%AllUserProfile%\\Public\\” and registers the new file in the startup group of the victim’s Windows registry, so that it runs automatically whenever the system starts. Figure 3 shows that GlobeImposter has been added (….RunOnce\\CerificatesCheck) to the startup group in the Windows registry.\r\nFigure 3. Startup Group in Windows Registry\r\nPreparatory Work\r\nTo prevent the victim from restoring encrypted files from Volume Shadow copies, it runs “vssadmin.exe Delete Shadows /All /Quiet” from a batch file, deleting all shadow copies. The same batch file also cleans up Remote Desktop information saved in the system registry as well as the file %UserProfile%\\Documents\\Default.rdp. The batch file is run again after the file encryption work is done. Figure 4 shows the content of the batch file.\r\nFigure 4. The Batch File\r\nNext, it initializes the encryption-related keys and data for encrypting files with 2048-bit RSA. Part of the key-related data is saved in a newly created file “%AllUserProfile%\\Public\\{hex numbers}”. 
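Going back to the two exclusion lists above: when scoping an incident it helps to know which files this variant would actually touch. The script below is an added example written for this page, not the post's or Fortinet's code. It applies the lists to a constructed file listing, first as the post says version 726 really behaves (folder list honoured, extension check computed but its result ignored) and then as the lists were evidently intended. Assumptions of mine: folder matching is a case-insensitive exact match on any directory component of the path, only a subset of the 170 extensions is reproduced, and paths use forward slashes for readability.

```python
# Added example: predict the files GlobeImposter 726 encrypts, from the post's
# exclusion lists. Assumptions (mine, not from the post): case-insensitive exact
# match of a directory component; only a subset of the 170 extensions is listed.
EXCLUDED_FOLDERS = {name.lower() for name in [
    'Windows', 'Microsoft', 'Microsoft Help', 'Windows App Certification Kit',
    'Windows Defender', 'ESET', 'COMODO', 'Windows NT', 'Windows Kits', 'Windows Mail',
    'Windows Media Player', 'Windows Multimedia Platform', 'Windows Phone Kits',
    'Windows Phone Silverlight Kits', 'Windows Photo Viewer', 'Windows Portable Devices',
    'Windows Sidebar', 'WindowsPowerShell', 'Temp', 'NVIDIA Corporation', 'Microsoft.NET',
    'Internet Explorer', 'Kaspersky Lab', 'McAfee', 'Avira', 'spytech software', 'sysconfig',
    'Avast', 'Dr.Web', 'Symantec', 'Symantec_Client_Security', 'system volume information',
    'AVG', 'Microsoft Shared', 'Common Files', 'Outlook Express', 'Movie Maker', 'Chrome',
    'Mozilla Firefox', 'Opera', 'YandexBrowser', 'ntldr', 'Wsus', 'ProgramData']}

# Subset of the 170-entry extension list from the post (database-style formats).
EXCLUDED_EXTS = {'.accdb', '.db', '.db3', '.dbf', '.edb', '.fdb', '.gdb', '.mdb', '.mdf',
                 '.myd', '.ndf', '.nsf', '.odb', '.pdb', '.sdf', '.sqlite', '.sqlite3', '.wdb'}

# Constructed listing resembling a small Windows volume (forward slashes for readability).
SAMPLE_LISTING = [
    'C:/config.sys',
    'C:/Windows/Temp/tmp.dat',
    'C:/Users/alice/Documents/budget.xlsx',
    'C:/Users/alice/Documents/contacts.mdb',
    'C:/Users/alice/AppData/Local/Temp/cache.bin',
    'C:/Program Files/Common Files/shared.dll',
    'C:/Program Files/Python36/python.exe',
    'C:/Program Files/Python36/Lib/sqlite3/dbapi2.py',
    'C:/Data/app.sqlite',
    'C:/ProgramData/vendor/settings.ini',
]

def classify(path, honor_extension_check):
    '''Return (encrypted, reason). Mirrors the post: a file is skipped when any
    directory on its path is in the folder list; the extension check is evaluated
    but, in version 726, its result is ignored unless honor_extension_check is set.'''
    parts = path.split('/')
    dirs, name = parts[:-1], parts[-1]
    for d in dirs:
        if d.lower() in EXCLUDED_FOLDERS:
            return False, f'folder {d}'
    ext = name[name.rfind('.'):].lower() if '.' in name else ''
    ext_excluded = ext in EXCLUDED_EXTS   # computed either way, like the sample does
    if honor_extension_check and ext_excluded:
        return False, f'extension {ext}'
    return True, 'in scope'

def predict(listing, honor_extension_check=False):
    '''Paths the variant would encrypt; the default reproduces the observed 726 behaviour.'''
    return [p for p in listing if classify(p, honor_extension_check)[0]]

if __name__ == '__main__':
    observed = predict(SAMPLE_LISTING)
    intended = predict(SAMPLE_LISTING, honor_extension_check=True)
    print('encrypted by 726 as observed:', len(observed))
    for p in observed:
        print('  ', p)
    print('would be spared if the extension check worked:',
          sorted(set(observed) - set(intended)))
```

Note what the ignored check means in practice: the spared names are all database formats, so with this bug the variant also encrypts .mdb, .sqlite and similar files, while a root-level config.sys (Figure 7) and the Python installation folder (Figure 9) are in scope either way because no component of their paths is on the folder list.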
The {hex numbers} part of that file name is derived from the hardware information of the victim’s machine.\r\nBefore Encrypting Files\r\nKilling some running processes and generating an HTML file are the last two steps before it starts encrypting files. It calls taskkill.exe to kill running processes whose names include \"sql\", \"outlook\", \"ssms\", \"postgre\", \"1c\", \"excel\" and \"word\". Killing these processes might make them release the files they are holding open (databases, mailboxes, open Office documents), which lets the ransomware encrypt more files. Figure 5 shows the pseudo code used to do this.\r\nFigure 5. Kill Matched Processes\r\nAn HTML file (RECOVER-FILES-726.html) is then generated and dropped in the folder where files are encrypted. Opening the HTML file informs the victim that the system’s files have been encrypted and provides instructions on how to pay to get them back. The HTML file consists of the decrypted resources of this exe plus a “personal ID”.\r\nThis “personal ID” is sent to the attacker’s server when the victim opens the payment page. The ID lets the attacker identify the victim and generate the matching decryption key. Figure 6 is a screenshot of this HTML file.\r\nFigure 6. RECOVER-FILES-726.html Content\r\nEncryption Process\r\nWhen GlobeImposter starts encrypting, it first scans the files in all of the partitions on the victim’s machine. It then encrypts almost every file as long as its folder name is not on the folder exclusion list mentioned above (the extension list, as noted, is checked but not acted on). It reads the file, encrypts the content using the RSA algorithm, and overwrites the original content with the encrypted content. The “personal ID” is appended after the encrypted content. Figure 7 shows the content of an encrypted file.\r\nFigure 7. 
File Content of Encrypted config.sys\r\nIt then appends “..726” to every encrypted file name to mark the file as encrypted. The screenshot in Figure 8 shows that it is about to rename an encrypted file by calling the API MoveFileExW.\r\nFigure 8. Rename Encrypted File\r\nFigure 9 shows a screenshot of encrypted files (including exe files) in the Python installation folder.\r\nFigure 9. Encrypted Files in python Folder\r\nOpen RECOVER-FILES-726.html\r\nFigure 10 shows how you reach the payment page by opening the RECOVER-FILES-726.html file.\r\nFigure 10. Open RECOVER-FILES-726.html\r\nSolution\r\nThrough this analysis, we know how GlobeImposter is downloaded onto a victim’s machine and how it encrypts the files there. We also observed many new JS samples spreading this ransomware. Since it uses a 2048-bit RSA key to encrypt files, decrypting them without the attacker’s private key is not practical; because the sample also deletes Volume Shadow copies, offline backups are the realistic recovery path.\r\nThe URL in the JS file used to download GlobeImposter has been rated as a “Malicious Website” by the FortiGuard Webfilter service.\r\nThe JS file is detected as JS/GlobeImposter.A!tr by the FortiGuard Antivirus service.\r\nThe downloaded GlobeImposter is detected as W32/GlobeImposter.A!tr by the FortiGuard Antivirus service.\r\nIOC\r\nURL:\r\nhxxp://wendybull.com.au/87wefhi??JWbXSIl=JWbXSIl\r\nSample SHA256:\r\nIMG_8798.js\r\n3328B73EF04DEA21145186F24C300B9D727C855B2A4B3FC3FBC2EDC793275EEA\r\n87wefhi.txt.exe\r\n10AA60F4757637B6B934C8A4DFF16C52A6D1D24297A5FFFDF846D32F55155BE0\r\nSource: 
https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant"
	],
	"report_names": [
		"analysis-of-new-globeimposter-ransomware-variant"
	],
	"threat_actors": [],
	"ts_created_at": 1775434933,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2aa12c2126b4ea59363a95ad367a735acd59afc.pdf",
		"text": "https://archive.orkl.eu/b2aa12c2126b4ea59363a95ad367a735acd59afc.txt",
		"img": "https://archive.orkl.eu/b2aa12c2126b4ea59363a95ad367a735acd59afc.jpg"
	}
}