Threat analysis report: Save Yourself malware

Reason Labs



Recently, many users worldwide have been complaining about receiving emails from senders like '[email protected]'. The emails claim that the user's computer has been hacked and that they have been caught them in some awkward situations that will be shared publicly unless they pay a ransom in Bitcoin. In fact, the users receiving these emails have not been infected and there is no RAT controlling their computer (at least not this one).

The only malware involved is that which sends these emails from other compromised devices: these devices are used both as proxies to send blackmail emails to the victims, and for Monero mining. The victims' email addresses and passwords – used to make the emails appear more credible – were found in a password dump file. The capabilities of the malware are as follows:

  1. Blackmailing
  2. Monero mining

Infected devices were able to reach more than 110,000 users in a very short time thanks to the malware's spreading capability.

A quick Google search revealed many users complaining about the 'saveyourself' scam virus, as well as many sites offering their products for removal of the malware (although the users that received the email were not infected by the malware itself – their emails were just exposed in a dump), which in some cases could, ironically, lead to malware infections. It is very possible that the malware author has gathered and combined several viruses and modified them to suit their own needs.


Sample Analysed

Example sample details (the file that is downloaded):

  • Filename: e.exe, e[1].exe, a[1].exe
  • MD5: c3dd5eda4800c1d049d7b39d742705e1
  • SHA-1: 8a730173cfa801fac3fb1f5320de27b5490910d4
  • SHA-256: d0fcb364a1d37c93740edcb88695de72de8b53fcf29c6bb0fcbc792897fd9b8b
  • File size: 236 KB (241664 bytes)
  • File type: Win32 EXE

Example infected file:

  • Filename: NvContainer.exe (In this case, the infected file name can be any executable...)
  • MD5: 1c99a724a3ca3d722c9638e80f191941
  • SHA-1: 80196c3948204c49da4feec6e701f4d72ff8a2c6
  • SHA-256: af75c754649de2eec5122c381b4ccff583a29d8ab3d53fdaaa7a42085fe6ef39
  • File type: Win32 EXE


Persistence & Installation

Short summary

The malware is designed to remain under the user's radar: the user thinks they are executing a legitimate program because it is eventually executed, but only after the injected section has been downloaded and the malware has been executed. The malware then deletes the alternate data stream to hide the fact that a file has been downloaded from the Internet.

figure1.pngFigure 1: The downloaded file is deleted.

Then, it will apply persistence and spreading techniques, after which it will pause its activity for about 24 hours to avoid detection. Only then will the malware continue to download additional executables.

Next, the malware uses the computer as a proxy station to send blackmail emails to users, and uses the CPU for Monero mining. To maintain a low profile, the malware will use only 50% of the CPU's capability (most of the time). The specimen can also read clipboard data and replace Bitcoin wallet addresses with its own address.


Indicators of compromise

Created files

9be07.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\IQDX3EW0\e[1].exe

9be07.exe C:\Users\user\AppData\Local\Temp\409F.exe

9be07.exe C:\Users\user\AppData\Local\Temp\dd_9be07_decompression_log.txt

409F.exe C:\Windows\165630396\sysblks.exe

sysblks.exe C:\Users\user\AppData\Local\Temp\30131.exe

sysblks.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\S8MMEKF7\1[1]

sysblks.exe C:\Users\user\AppData\Local\Temp\17926.exe

sysblks.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\IQDX3EW0\5[1]

sysblks.exe C:\Users\user\AppData\Local\Temp\33947.exe

sysblks.exe C:\Users\user\AppData\Local\Temp\33947.exe

sysblks.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\S8MMEKF7\6[1]

svchost.exe C:\Windows\Prefetch\

17926.exe C:

17926.exe C:\Users\user\Desktop\chosen\procexp.exe

17926.exe C:\Users\user\Desktop\chosen\procexp.exe

17926.exe C:\Users\user\Desktop\chosen\strings.exe

17926.exe C:\Users\user\Downloads\7z1900-x64.exe

17926.exe C:\Users\user\Downloads\ChromeSetup.exe

17926.exe C:\Users\user\Downloads\Firefox Installer.exe

17926.exe C:\Users\user\Downloads\Firefox Installer.exe

sysblks.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\IQDX3EW0\7[1]

sysblks.exe C:\Users\user\AppData\Local\Temp\16945.exe

16945.exe C:\ProgramData\IlKTmhStyg\cfg

16945.exe C:\ProgramData\IlKTmhStyg\cfgi

16945.exe C:\ProgramData\IlKTmhStyg\sysdrv32

16945.exe C:\ProgramData\IlKTmhStyg\r.vbs

wscript.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KmJlZQXSMi.url

syshwbr.exe D:\__\chosen\Procmon.exe

syshwbr.exe D:\__\chosen\strings64.exe

10719.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\SL0QQXSC\715[1].txt

10719.exe C:\Users\user\AppData\Local\Temp\8191564810642097.jpg

23923.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\SL0QQXSC\n[1].txt

23923.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\SL0QQXSC\1338[1].txt

23923.exe C:\Users\user\AppData\Local\Temp\5706894215163142.jpg



Created files







And every file found on the remote drive


Modified registers


%WINDIR%\1233324385\sysgkvm.exe:*:Enabled:Microsoft Windows Driver

<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Windows Driver%WINDIR%\1233324385\sysgkvm.exe

<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run\\Microsoft Windows Driver%WINDIR%\1233324385\sysgkvm.exe

<HKLM>\SOFTWARE\Microsoft\Security Center\AntiVirusOverride 0x00000001

<HKLM>\SOFTWARE\Microsoft\Security Center\UpdatesOverride 0x00000001

<HKLM>\SOFTWARE\Microsoft\Security Center\FirewallOverride 0x00000001

<HKLM>\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify 0x00000001

<HKLM>\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify 0x00000001

<HKLM>\SOFTWARE\Microsoft\Security Center\AutoUpdateDisableNotify 0x00000001

<HKLM>\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify 0x00000001


Created processes











Network communication (TCP) (TCP)

Many smtp communications


Full execution flow

execution-flow.jpgFigure 2: Full execution flow.

fig3.jpgFigure 3: Execution flow of section .zero.

The malware changes the entry point to this section so that the malware code is the first code to be executed.

All infected samples contain an additional section header: '.zero'.

figure3.pngFigure 4: The .zero section header visible in Process Monitor.

The infected samples are downloaders: they are injected with the section that has the URL required to download the main malware.

Looking at this section in IDA, we can see that the section's functionality is to download additional files, disguise that they were downloaded from the Internet, and execute the downloaded binary.

The section with the URL creates a text file in the user's appdata\roaming\winsvc.txt. The text file will either be empty, or its content will have been deleted, or it will be used as an infection marker.

The URL section then dynamically calls the urlmon function, UrlDownloadToFile, with a predefined URL ( and downloads the function to the temp folder. Some samples turn into an e[1].exe or a.exe file. Next, the URL section loads user32.dll and deletes the alternate data stream 'zone.identifier' to hide the fact that it was downloaded from the Internet. After that, the downloaded file is executed. Finally, the section with the URL will also execute the original program that was infected (even if it didn't succeed in one of its steps).

The predefined URL is not written as one string; it is separated into ASCII characters that are 'moved' to the registry one by one (see Figure 5). Consequently, the sample looks legitimate while it's running (the company name and other characteristics remain the same, but the signature doesn't).

figure4.pngFigure 5: The ASCII characters that form the URL.



After the file is downloaded, it executes as 'sys****.exe' (using four random characters on each execution).

The file is located in a hidden folder that it creates on C:\Windows\310926922 (the number is randomly generated on each execution). Note: The attacker has made it more difficult to view all of the hidden items. It's not enough simply to tick 'view hidden items' in the folder view options. The system files option in the settings must also be ticked.

The malware then tries to resolve multiple addresses and queries '/t.php?new=1' on each of them.

As shown in Figure 6, all the requests result in a 502 error except the one that the hacker tries to reach via IP address, which results in response code 200, with '0' as the answer server:nginx/1.10.3 (ubuntu).

The malware is then able to create files in the user's appdata temp folder: C:\Users\user~1\AppData\Local\Temp.

In Figure 7 we can see that the process reads the password dump file and then sends the emails.

unnamed.pngFigure 6: Most HTTP queries result in 502 errors.

figure6.pngFigure 7: The password dump file is read and the emails are sent.


Monero miner

The miner communicates with the pool URL at port 7777.

c:\windows\notepad.exe -c "c:\programdata\IlKTmhStvg\cfg" (the 'IlKTmhStvg' part is randomly generated in every execution).

The program 'notepad.exe' might actually be the miner and not Notepad.

figure--8.jpgFigure 8: Strings in the memory of 'notepad.exe' that runs the miner.

figure8.pngFigure 9: Process tree of syszttz.exe running the process that runs the miner with command line to the configuration file.



The malware writes itself to the run key (both HKLM and HKCU) as 'Microsoft Windows Driver' (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Windows Driver), so it will run after restart.

The executable is the one in the Windows hidden folder.

It then disables Windows Defender anti-virus: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center AntiVirusOverride.

The infected files look innocent in procexp because all of their characteristics are preserved: description, company name, icon.

After about 24 hours, the malware will have downloaded dozens of executables onto the victim's system. We noticed two main activities running on the system:

  • Miner
  • Blackmail emails

As for the first activity, the CPU usage was kept at 50% to avoid user suspicion, and the strings extracted from that process indicated that it was a Monero miner. The miner had placed a Base64-encoded configuration file in the folder. It also had a watchdog that revived the process that had been shut down. In addition, the miner was also communicating with the pool address in port 8888.

The second activity was noticed while analysing the network logs: multiple requests sent to addresses in port SMTP 25. In addition, there were multiple '.jpg' files in the temp folder. The files were not real pictures, but text files containing email addresses and passwords. The attacker uses the victim's computer to brute force as many accounts as it can. It also might be downloading different executables based on different parameters. For example, if the parameter is a domain, the attacker might download ransomware or spread targeted RATs.



The malware spreads as much as it can: it infects connected USB devices and network shares. In both cases it creates a hidden folder named '_' (underscore) and copies all of the drive content there. It then places a link in the main view that leads to the folder as well as executing a file called 'drivemgr.exe' that it placed there. In addition, the malware writes an '.ini' file for autoplay.

figure9.pngFigure 10: A hidden folder named '_' is created.

The .ini file is interesting because, in addition to the expected 'drivemgr.exe' execution, the malware also logs the first computer name and user name that opened the executable (and, in fact, infected the station).

figure10.pngFigure 11: The .ini file.

Another thing the malware does to make sure it will not disappear easily is to infect all executable files found on the machine. It infects the files by adding the '.zero' section that downloads the malware. So, besides copying a malicious executable that will surely be executed on the machine when clicking on the link or connecting it to a computer that will autoplay it, the malware also ensures that using any of the executables will infect the system as well.

The desired executable will then run as it should, so the user won't suspect that there's anything wrong. Nor will anything look suspicious when analysing the sample since, at first glance, it will look like known software (icon, signature, strings, functionality).

The malware also creates vbs c:\programdata\IlKTmhStvg\r.vbs and C:\users\martin\appdata\roaming\microsoft\windows\start menu\programs\startup\KmJIZQXSMi.url.



One way to identify an infected file is to look at the TimeDateStamp (found at Nt headers -> file header) where we'll see that its original value has been changed to '0000DEAD'.

figure11-a.pngfigure11b.pngFigure 12: The original value of the TimeDateStamp field was changed to '0000DEAD'.

The malware also changes the 'AddressOfEntryPoint' field (found at Nt Headers → optional header) from .text to .zero.

figure12.pngFigure 13: The AddressOfEntryPoint field is changed to .zero.

More changes can be found at Nt Headers → optional header → Data directories. For example, the original executable has the field 'Security Directory RVA' offset in the .rsrc section whilst the infected file changed it to .reloc at the other offset value.

The executable also moves 'TLS directory RVA' somewhere in .rdata and all the offset values change as a result.

Another change is that the infected file has a 'TLS directory' that didn't exist beforehand.


Analysing Wireshark

After analysing packets, we've seen that the malware sends emails to the previously mentioned addresses.

In the email, the hacker claims that he has full control of the recipient's computer, which is why he knows the user's password and has been able to record him in an awkward situation. The hacker also threatens to send the video recording to all of the user's contacts and social media accounts unless the user pays 1,600 in BTC, which is to be transferred to the hacker's Bitcoin wallet:

Wallet number: 194iizBy5K9AVDqTBvzDAWR6t9MrrqvseZ

While on the attacked machine, we tried to search for this wallet, so we copied the address from the threatening email. However, when we pasted the wallet's address, we found that it had changed because the attacker monitors clipboard data, and if he finds this address, he replaces it with a different one, making it harder to track him. (The attacker might also be listening for addresses and stealing passwords.)

Unfortunately for the attacker, the search for his address revealed that he hadn't received any money.

Also unfortunately for the attacker most, if not all, of his mails were blocked by companies' anti-spam engines (Google, Outlook, Yahoo!).

Of course, there are a lot of wallets and different messages, but the ones we checked were all empty with no transaction history.

figure13.PNGFigure 14: Empty Bitcoin wallet with no transaction history.


Short summary


Any anti-virus product should be able to remove this malware. In the case of Reason Antivirus, the instructions are as follows:

  • Download the Reason Antivirus software.
  • Double click on the installed executable and follow the prompts to complete the installation.
  • Once the installation is complete, click 'Finish'.
  • Definitions and security patches will automatically be updated.
  • Once the process is complete, select the 'Scan Now' button to start your scan.
  • When the scan is finished, select all the threats that were detected and then click on 'Remove selected threats'.
  • When prompted, restart your computer.



Example downloader hashes

  • d2693eed8d1ceab792c1673ccc5becf5cbe09a0889073a757280ac0ef33a8819
  • e3fa69c87bc015782a9429df6115a69bf621c5f725e704089f2a92ec9291e4fe
  • 0a744b7e413dc3b6359386b368f70aa0ce7a8b5a5483c4f14ba9cfa750e91952
  • 4d2e3676b17f01d7f218927852498af212577807f8967c5c697ff34687e98e2c
  • 39dbe24188dcfc567a81b2fd92c907df8e0f333dc29f4fc5ddcffbb2c81081b1
  • 4072d7b0f1d8589cb8e4da19ab2a4ab48260006f5b31a27977647d2e1bfc8d6a
  • 022181bb26aaba3d7fe345b0433bbb68e1207120a0a33fb0df92ab05c6a7f3f8
  • 53f13fc7aca9039614dfa5ddd03d2a8d390a7cad9952c3fcb5dd75dca6330136
  • 1db561eb0c28131087fc395efcb8612518e47ca0327cb89a9c48d5b927c92608
  • df5fdf07f6a62f6cc4d33d8cc5527bc7b4c84e09f96ae4b3da8e42a4e319f2f3


Example Dropper hashes

  • d0fcb364a1d37c93740edcb88695de72de8b53fcf29c6bb0fcbc792897fd9b8b
  • fb65d79de9dcb18e8d1384ced84fce5dbf56933ee5d64b80a273289139912054
  • dca8896d108c910d51c6115c31e954e1ea565ec80a9dd2ef5389388d55d64b3a
  • af75c754649de2eec5122c381b4ccff583a29d8ab3d53fdaaa7a42085fe6ef39
  • c155c1af9dcda56b8a636cd75534349449fbe89370e5932454473269db27aef6
  • a10f49890656980f4899ea7f6c0deb4780db2a7c6618a331f98a2de13004573d
  • f136e1ac6032d4255522a6418ed9a0cacdb54d74a1c112c4d5e395224fab011a
  • 1c9dcf5f37140e046cd0f7f92a70a8243c5728aa2152e83772093175ff2d124a
  • feb6673246d196ff9a4b59636825d110679d0c7931f11be399b4ffb78756cad8
  • cdd15c6650c046171cc83dec7aec1b8f19a30f3d4886b035aa195c0c5a630224
  • 6aea730a525a7e8999e05a77cf61010fd43dbde6ae1f4fe4110538b3202baf9e
  • 99b65d3ecbd87835847b50354594358b199cbb441b264dd938b08e37b359d280


Example hashes of infected files

  • 03ff61738e1f8fb9ef1dbbfcde30307594a300ece795b34aba7954e500f99cf3
  • e0e603a96bb3f72b197fff899757d2010b5c24658b68bd688422e8a28be5791d
  • b6637a632fc738a8b410006f3a5bc2c2942518e7638c7eb0d09aea4406e6941e
  • 638e1586d13933523c0ad33fa63aa7b3b71aabd72f81d97fb7debae941e1608d
  • 9bba769bbad289e934744e56b7e0810487862aa2a6373537a99610e6c423dcca
  • a1a6315743cab33b2b7f362aa01b79156279709fa122187e4ccbd91ee6e05e69
  • 9603363c5a2c453640cb31e813e862eca58309f5029050d75815c4aae5d8032a
  • 5a9c4561083d87bc159364be693ca4e3c3e897ab9352bb94d2b4e53ac8dca88f
  • fa2f459b22df8dc33544fcb145ed32991c284c6cde15591190309e46db01928e
  • 35d1805a3f6e768e53c79ac3182bbf81ee61954e622e72a7a9106ac9e7aa0b5d
  • 3ef323f5cfb9178c83c2406c308c1fa52ec2aee60fbde2e9bdab3c95f18ffe46
  • 13ed456d5f11c1134b250dc02827c04e36b13f7fdc0a9ebbb483aceafb50acbd
  • 8fc75d7383e9450a8a6d46d82927b3fbf1ba76240b1c4357d44c56666fb32e0a
  • b3b60633dcc82c030504e45bf8af059f6aec0376b083ac91d0f5f898047317cf
  • 4585e016c4a7227ac2de5798e86875bf2d9a971983c1f26d5adf89fde1fe2e94
  • d896de761ca06a016c8dc37b9aa53f06a13436bce53164ceaed1e3bdf8f48ffa
  • 1ed63cd034b8bfedc1653914e29672fe43f87a1914adf8c3e79e2cd5e203df20
  • 66bca8e8936d6fcbff88309daf6e8a4e302d5692d0a758d08292714f19b8810c
  • 88bbb810f84402e320c7efd32ac9b8a03895ebed09a4f37770322db1d97acf62
  • 158cd7b78dce398d1547476ea01039467c5cb7565b35d75ea2ad4e60b9c4812f
  • 78298d81e73f831456fde103ea46f62270e375594213d02c0de891a1de328a3d
  • 7f88d7455724e20620c210a1df6ab04e4d061a735fe7629f882aedc92f528b69
  • a1a6b077762d20a5a76a0aeb797cd76738d06022f3134dfb831322c603b7739d
  • 624b36b227ac61573cca78cc7f8c691ff93306d8391cdbbb4c84a29a4eaa8506
  • 0d89dabb51259c1896d2abb7a23e4aa47db405f7583415b5e05c3287b1ad5616
  • 79ef98e1ab669dc464ec9b34a6a4a65ccb258ccc7a34036dd4a58ce8f66a2e8









The following are a selection of screenshots taken during the analysis.

figure14.pngfigure15.pngfigure16.pngfigure17.pngfigure18.pngIn the blackmail message extracted from the network pcap, we can see that the file is being blocked by anti-spam engines.

figure19.pngfigure20.pngWe can see that the file is being blocked by anti-spam engines.

This is the address that is replaced by the copy-paste.


Download PDF



Latest articles:

Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

Aditya Sood & Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited to compromise the C&C panel in order to gather threat intelligence, and present a model of mobile AppInjects.

Cryptojacking on the fly: TeamTNT using NVIDIA drivers to mine cryptocurrency

TeamTNT is known for attacking insecure and vulnerable Kubernetes deployments in order to infiltrate organizations’ dedicated environments and transform them into attack launchpads. In this article Aditya Sood presents a new module introduced by…

Collector-stealer: a Russian origin credential and information extractor

Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360…

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…

Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.