A forum for reverse engineering, OS internals and malware analysis 

 #19327  by Fabian Wosar
 Sun May 19, 2013 7:33 pm
Quads wrote:Does the Spamhaus Agent XML advisory with the encryption adding .html to the end use the same encryption as this one (MBL advisory) I wonder.
Just checked out the sample as well as various files encrypted by the Spamhaus Agent XML variant and decryption should work just fine.
 #19333  by Quads
 Mon May 20, 2013 12:27 am
Fabian Wosar wrote:
Quads wrote:Does the Spamhaus Agent XML advisory with the encryption adding .html to the end use the same encryption as this one (MBL advisory) I wonder.
Just checked out the sample as well as various files encrypted by the Spamhaus Agent XML variant and decryption should work just fine.

Thanks

I will have to create a post on the forum with instructions on the Spamhaus thread after I upload the decrypt tool to a folder on my webspace as the forum does not allow direct downloads.

Quads
 #19696  by Fabian Wosar
 Wed Jun 19, 2013 10:33 am
It looks like there is a new variant going around at the moment. The encryption key or encryption method has changed. The HTML files also no longer redirect to a website but contain the entire ransom notice in the form of a picture and a few carefully placed HTML elements:
Code:
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
<title>index</title>
</head>
<body>
<table width='1000' height='750' border='0' align='center' cellpadding='0' cellspacing='0' background='file:///C:\Users\makmass\AppData\Roaming\Video\pic3.jpg'>
<tr><td height='86' valign='bottom'>
<table width='793' border='0' cellspacing='0' cellpadding='0'>
<tr><td width='509'>&nbsp;</td><td width='284' align='left' style='font-size:14px; color:#FFF; font-weight:bold;'>evilevilmaxsokolov@yahoo.com</td></tr>
</table>
</td></tr>
<tr><td height='316' align='right' valign='bottom'>
<table width='212' border='0' cellspacing='0' cellpadding='0'>
<tr><td width='149' align='left' style='font-size:12px; color:#D34E53; font-weight:bold;'>evilevilmaxsokolov@yahoo.com</td><td width='66'>&nbsp;</td></tr>
</table>
</td></tr>
<tr><td height='46' align='right' valign='bottom'>
<table width='364' border='0' cellspacing='0' cellpadding='0'>
<tr><td width='270'><input name='textfield' type='text' id='textfield' style='height:22px; width:270px;'/></td><td width='99'>&nbsp;</td></tr>
</table>
</td></tr>
<tr><td>&nbsp;</td></tr>
</table>
</body>
The resulting ransom note looks something like this:
[screenshot of the rendered ransom note]

Unfortunately I haven't found the actual malware sample yet as most victims I met so far already removed the infection. If someone comes across a sample though I would love to take a look at it :).
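Added example, not code from the thread or from the Emsisoft decrypter: a small Python triage helper that recognises the ransom-note layout quoted above (outer table whose background points at pic3.jpg under AppData\Roaming\Video) and pulls the contact addresses out of the bold cells, so a responder can classify recovered .html files without rendering them. The background-path hint and SAMPLE_NOTE are constructed from the quoted HTML, and the parser assumes the same table/td structure.

```python
from html.parser import HTMLParser

# Constructed from the note quoted in the thread: the outer table's background
# points at pic3.jpg under AppData\Roaming\Video (compared lowercase).
NOTE_BACKGROUND_HINT = r"\appdata\roaming\video\pic3.jpg"

# Constructed sample note with the same layout as the quoted HTML.
SAMPLE_NOTE = (
    "<html><body><table width='1000' background="
    "'file:///C:\\Users\\victim\\AppData\\Roaming\\Video\\pic3.jpg'>"
    "<tr><td><table><tr><td>&nbsp;</td><td style='font-weight:bold;'>"
    "evilevilmaxsokolov@yahoo.com</td></tr></table></td></tr>"
    "<tr><td><input name='textfield' type='text'/></td></tr>"
    "</table></body>"
)

class RansomNoteParser(HTMLParser):
    """Collects table background images and single-token cells containing '@'."""
    def __init__(self):
        super().__init__()
        self.backgrounds = []
        self.emails = set()
        self._cell_text = None  # None while not inside a <td>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "table" and attrs.get("background"):
            self.backgrounds.append(attrs["background"])
        elif tag == "td":
            self._cell_text = []

    def handle_data(self, data):
        if self._cell_text is not None:
            self._cell_text.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._cell_text is not None:
            text = "".join(self._cell_text).strip()
            if "@" in text and " " not in text:
                self.emails.add(text)
            self._cell_text = None

def triage_note(html_text):
    """Returns whether the HTML has the Harasom note layout, plus contact addresses."""
    parser = RansomNoteParser()
    parser.feed(html_text)
    matched = any(NOTE_BACKGROUND_HINT in b.lower() for b in parser.backgrounds)
    return {"is_harasom_note": matched, "emails": sorted(parser.emails)}
```

Point triage_note at the contents of each .html file under a victim profile (for instance from os.walk) to separate ransom notes from legitimately renamed documents.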
 #19701  by Fabian Wosar
 Wed Jun 19, 2013 9:28 pm
Found the sample. It's indeed a new Harasom variant as I first suspected. Detection rates:

https://www.virustotal.com/en/file/8b70 ... 371677082/

Encryption works identical to before, just the encryption key changed to "encryptkey1111111111111111111111". The packed and unpacked samples are attached. The decrypter has already been updated and is available here:

http://tmp.emsisoft.com/fw/decrypt_harasom.exe

The old decrypter URLs will continue to work as well.
Attachment: infected (144.43 KiB)
 #19702  by Flamef
 Wed Jun 19, 2013 9:49 pm
Fabian Wosar wrote:Found the sample. It's indeed a new Harasom variant as I first suspected. Detection rates:

https://www.virustotal.com/en/file/8b70 ... 371677082/

Encryption works identical to before, just the encryption key changed to "encryptkey1111111111111111111111". The packed and unpacked samples are attached. The decrypter has already been updated and is available here:

http://tmp.emsisoft.com/fw/decrypt_harasom.exe

The old decrypter URLs will continue to work as well.
Hi,
great job that you created so fast a tool to help the users. This shit looks really lame though, would like to ask if there is a password (unique/pc?) for the "Decrypt password" area to unlock the computer in the first place?
P.S.: The author of this proware kinda reminds me of the ACCDFISA author ( http://www.kernelmode.info/forum/viewto ... =16&t=1578 ). He used almost the same words.
 #19705  by Fabian Wosar
 Thu Jun 20, 2013 9:15 am
Flamef wrote:great job that you created so fast a tool to help the users. This shit looks really lame though, would like to ask if there is a password (unique/pc?) for the "Decrypt password" area to unlock the computer in the first place?
It is quite lame, yeah. There might be a way to unlock the computer by supplying the correct unlock code. To be honest, I didn't bother to check as updating the decrypter was straightforward and I prefer to not use the decrypter supplied by the bad guys.
Flamef wrote:P.S.: The author of this proware kinda reminds me of the ACCDFISA author ( http://www.kernelmode.info/forum/viewto ... =16&t=1578 ). He used almost the same words.
Well, the text reads similar. This malware however is more sophisticated than ACCDFISA is (yeah, those guys are still active). If this was done by the same people, you would see WinRAR being used for the actual encryption, as they wouldn't know how to do it themselves ;).
 #20052  by Cody Johnston
 Thu Jul 11, 2013 9:37 pm
Have a new sample of Harasom. I left my dropbox running on my VM and lost half my files.... *facepalm* (there is no option to recover via dropbox.com either)

The decrypter that Fabian provided cleaned the infection but I assume it just needs a different key to properly decrypt the files.

Inside the archive is the dropper and one of the encrypted files (A JRT log :mrgreen: )

VT Low 2/41:

https://www.virustotal.com/en/file/50bc ... 373575418/

MD5: 149c4ac4ba0863607e033d6a5721fee7
Attachment (password: infected), 124.04 KiB
 #20054  by Fabian Wosar
 Thu Jul 11, 2013 10:17 pm
Yeah, it's a new variant alright. Encryption key changed to "Yhk86jMwnnskKNYne73NnsqkwHVWkkqn". Decrypter has already been updated and is available here:

http://tmp.emsisoft.com/fw/decrypt_harasom.exe

I attached the unpacked sample if anyone is curious.
Attachment: infected (25.12 KiB)