A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #22489  by Cody Johnston
 Thu Mar 20, 2014 12:23 am
Hi All,

Thanks to Fabian, Grinler, and decrypterfixer (BleepingComputer.com) for the info and samples on this post.

There is a new crypto-ransomware going around called CryptoDefense. It uses RSA-2048 and seems to work similarly to CryptoLocker, aside form the fact that there is no actual UI. The elements of the UI that CryptoLocker would use are now shown to the user via a web service. It does not look like there is a feasible way to decrypt the files without payment at this point.

It drops a HTML, txt, and Internet Shortcut (points to hxxps://rj2bocejarqnpuhm.onion.to/)

HTML:

Image

From there we can go to the website on TOR:

Captcha Protection:

Image

Payment:

Image

FAQ:

Image

Screenshot (not always working but 80 - 90% of the time):

Image

Test Decryption:

Image

Calls home to:
Code: Select all
hxxp://machetesraka.com (185.10.56.103 at the time of writing)
Example requests:
Code: Select all
http://machetesraka.com/5li5hybsd1
http://machetesraka.com/0r24wp6yj05a8
http://machetesraka.com/6b3dpt13rqu8t
These request contain the private key and a unique identifier for each PC, which is uploaded to the C2 before encryption.

The dropper and decrypter are pretty heavily obfuscated.

Dropper (647f242.exe):

VirusTotal (13/50):
MD5 d43abef5a62b46a660a5128330070479
https://www.virustotal.com/en/file/0099 ... 395155742/

Decrypter (decrypter.exe):

VirusTotal (12/50):
MD5 cde1a96c7d1fc4fd04d4f076b936e9a0
https://www.virustotal.com/en/file/4913 ... 395270965/

Binary taken from dropper (this does the actual encryption - _003E000.exe):

VirusTotal (8/50):
MD5 f57d188c4667fab46208396af20badd2
https://www.virustotal.com/en/file/8783 ... 395274352/
Attachments
Password: infected
(8.24 MiB) Downloaded 231 times
 #22512  by Artilllerie
 Fri Mar 21, 2014 4:50 pm
Hello,

For information on my side I found this API calls from a svchost process on a first run :

Function : 000A3E20 :
CryptGenKey
CryptExportKey

Function : 000A36E0 :
HttpOpenRequestA

And on another run I've checked and It seem to have many threads still on svchost process :

Image

To be continued ;).
 #22619  by Fabian Wosar
 Fri Apr 04, 2014 2:52 am
The malware author released a new variant of his malware using different C2 domains and fixing his mistake of saving the private key on the victim's PC that Symantec conveniently pointed out to him roughly 24 hours before this new version was compiled. I also included the unpacked malware. It has been patched to start right at the file encryption stage for easier debugging of the key generation/encryption.
Attachments
infected
(123.79 KiB) Downloaded 154 times
 #22701  by colbyiscute4e
 Sat Apr 19, 2014 10:45 pm
These request contain the private key and a unique identifier for each PC, which is uploaded to the C2 before encryption.

The dropper and decrypter are pretty heavily obfuscated.
When you say decrypter, do you mean it decrypts the files?
 #23094  by Artilllerie
 Wed Jun 11, 2014 1:05 pm
C&C is : newsbrontima.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Behavior found in newly svchost created process :

Image

PID 3E8,VOICE-864169741-28641.scr: New process.
PID 3E8,VOICE-864169741-28641.scr: Loaded module MSCTF.dll at 0x74690000
PID 3E8,VOICE-864169741-28641.scr: Loaded module ADVAPI32.dll at 0x77DA0000
PID 3E8,VOICE-864169741-28641.scr: Loaded module RPCRT4.dll at 0x77E50000
PID 3E8,VOICE-864169741-28641.scr: Loaded module COMCTL32.DLL at 0x77390000
PID 3E8,VOICE-864169741-28641.scr: Loaded module SHLWAPI.dll at 0x77F40000
PID 3E8,VOICE-864169741-28641.scr: Loaded module UxTheme.dll at 0x5B090000
PID 3E8,VOICE-864169741-28641.scr: Loaded module ole32.dll at 0x774A0000
PID 3E8,VOICE-864169741-28641.scr: Loaded module gdiplus.dll at 0x4EB80000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x401000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x950000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x4EB81000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x5B091000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x74691000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x77391000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x774A1000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x77DA1000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x77E51000
PID 3E8,VOICE-864169741-28641.scr: New executable heap at 0x77F41000
PID 3E8,VOICE-864169741-28641.scr: Terminated.

PID 590,svchost.exe: New process.
PID 590,svchost.exe: Loaded module wsock32.dll at 0x71A10000
PID 590,svchost.exe: Loaded module RASAPI32.DLL at 0x76E90000
PID 590,svchost.exe: Loaded module rasman.dll at 0x76E40000
PID 590,svchost.exe: Loaded module NETAPI32.dll at 0x6FEE0000
PID 590,svchost.exe: Loaded module TAPI32.dll at 0x76E60000
PID 590,svchost.exe: Loaded module rtutils.dll at 0x76E30000
PID 590,svchost.exe: Loaded module sensapi.dll at 0x72220000
PID 590,svchost.exe: New executable heap at 0x6FEE1000
PID 590,svchost.exe: New executable heap at 0x71A11000
PID 590,svchost.exe: New executable heap at 0x72221000
PID 590,svchost.exe: New executable heap at 0x76E31000
PID 590,svchost.exe: New executable heap at 0x76E41000
PID 590,svchost.exe: New executable heap at 0x76E61000
PID 590,svchost.exe: New executable heap at 0x76E91000
PID 590,svchost.exe: Loaded module mswsock.dll at 0x71990000
PID 590,svchost.exe: Loaded module DNSAPI.dll at 0x76ED0000
PID 590,svchost.exe: Loaded module rasadhlp.dll at 0x76F70000
PID 590,svchost.exe: Loaded module hnetcfg.dll at 0x62E40000
PID 590,svchost.exe: Loaded module wshtcpip.dll at 0x719D0000
PID 590,svchost.exe: New executable heap at 0x62E41000
PID 590,svchost.exe: New executable heap at 0x71991000
PID 590,svchost.exe: New executable heap at 0x719D1000
PID 590,svchost.exe: New executable heap at 0x76ED1000
PID 590,svchost.exe: New executable heap at 0x76F71000
PID 590,svchost.exe: Loaded module rsaenh.dll at 0xFFD0000
PID 590,svchost.exe: New executable heap at 0xFFD1000
PID 31C,svchost.exe: Loaded module Apphelp.dll at 0x77B50000
PID 31C,svchost.exe: New executable heap at 0x77B51000
 #23313  by colbyiscute4e
 Tue Jul 08, 2014 12:50 pm
Fabian Wosar wrote:The malware author released a new variant of his malware using different C2 domains and fixing his mistake of saving the private key on the victim's PC that Symantec conveniently pointed out to him roughly 24 hours before this new version was compiled. I also included the unpacked malware. It has been patched to start right at the file encryption stage for easier debugging of the key generation/encryption.
Does anyone know how to tell the old one from the new one? And Where is the private key on the system?
Cody Johnston wrote:These request contain the private key and a unique identifier for each PC, which is uploaded to the C2 before encryption.
If a business server got it and it had logs, could you decrypt the log file and find the key?
 #23315  by Cody Johnston
 Tue Jul 08, 2014 4:12 pm
colbyiscute4e wrote:When you say decrypter, do you mean it decrypts the files?
Yes, the same one that the author supplies to victims
colbyiscute4e wrote:Does anyone know how to tell the old one from the new one?
Download Fabian's uploaded sample, and my original uploaded sample and look for yourself ;)
colbyiscute4e wrote:And Where is the private key on the system?
http://technet.microsoft.com/en-us/libr ... 62112.aspx
colbyiscute4e wrote:If a business server got it and it had logs, could you decrypt the log file and find the key?
If you had a pcap maybe.