A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12780  by thisisu
 Wed Apr 18, 2012 8:31 am
https://www.virustotal.com/file/4137f8c ... /analysis/
Pic: http://img11.imageshack.us/img11/6878/crypting.jpg
This ransomware is somewhat similar to ACCDFISA but I think there may be a potential fix for this one.

Dr. Web has a decrypting tool here: http://majorgeeks.com/Dr._Web_Trojan.En ... d7716.html
You must run it with "-k 85" as a parameter (without the quotes).
I tried this and it said "0 files decrypted."

Is anyone able to figure it out and possibly explain it in simple terms? This type of thing is way over my head.

Attached is a sample. Thank you for any help :)
Attachments
pass: infected
(30.45 KiB) Downloaded 155 times
 #12804  by thisisu
 Thu Apr 19, 2012 10:18 pm
nullptr wrote: This one will decrypt using te94decrypt -k 91
Hi nullptr,

Thanks for your response. :)

Can you explain how you determined that -k 91 would work?
Would any other number besides 91 work? Why or why not?

I want to learn :)
 #12807  by EP_X0FF
 Fri Apr 20, 2012 3:33 am
Author definitely has some sense of humor :)
pussylicker 0p3nSOurc3 X0r157, motherfucker!
Decrypted and unpacked (UPX) in attach. Encryption procedure @0040177A.
Attachments
pass: malware
(5.85 KiB) Downloaded 83 times
 #12809  by thisisu
 Fri Apr 20, 2012 3:58 am
EP_X0FF wrote: Decrypted and unpacked (UPX) in attach. Encryption procedure @0040177A.
Thank you, EP_X0FF :)
Code:
0040177A  /$ 8BD8           MOV EBX,EAX
0040177C  |. C1EB 03        SHR EBX,3
0040177F  |. 85DB           TEST EBX,EBX
00401781  |. 74 13          JE SHORT unpacked.00401796
00401783  |. 8B35 59654000  MOV ESI,DWORD PTR DS:[406559]
00401789  |> 56             /PUSH ESI
0040178A  |. 56             |PUSH ESI
0040178B  |. E8 5C000000    |CALL unpacked.004017EC
00401790  |. 83C6 08        |ADD ESI,8
00401793  |. 4B             |DEC EBX
00401794  |.^75 F3          \JNZ SHORT unpacked.00401789
00401796  \> C3             RETN

I don't understand this. :(
Any tips on how I may start learning how to interpret code from ollydbg or whichever program you used here?

Thank you
 #12810  by EP_X0FF
 Fri Apr 20, 2012 4:48 am
This is Xorist, created by vazonez. It is built by a constructor, and the encoder stub itself is written in MASM. It is open source. I think all they changed is the warning message text. What you quoted is
Code:
TEABuf   proc
      mov     ebx, eax              ; eax = buffer length in bytes
      shr     ebx, 3                ; ebx = number of whole 8-byte blocks
      test    ebx, ebx
      je      TooSmall              ; fewer than 8 bytes: nothing to encrypt
      mov     esi, hMem             ; esi = pointer to the buffer
crpt:
      invoke  TEAEncrypt, esi, esi  ; encrypt one 8-byte block in place
      add     esi, 8                ; next block
      dec     ebx
      jnz     crpt
TooSmall:
      ret
TEABuf   endp
For the encoding algorithm used, see http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm IDK, probably he simply copy-pasted it from there (because it has a ready-to-use C example).
Code:
TEAEncrypt proc uses edi esi ebx pBlockIn:DWORD,pBlockOut:DWORD
	mov esi,pBlockIn
	mov eax,[esi+0*4];y
	mov edx,[esi+1*4];z
	xor ebx,ebx
	bswap eax
	bswap edx
	.repeat
		add ebx,TEA_DELTA ; 9E3779B9h
		TEAROUND eax,edx,0,1
		TEAROUND edx,eax,2,1
		add ebx,TEA_DELTA
		TEAROUND eax,edx,0,1
		TEAROUND edx,eax,2,1
		mov ecx, TEA_DELTA
		imul ecx, dword ptr [TEA_ROUNDS]
	.until ebx == ecx
	bswap eax
	bswap edx
	mov esi,pBlockOut
	mov [esi+0*4],eax
	mov [esi+1*4],edx
	ret
TEAEncrypt endp
 #12814  by nullptr
 Fri Apr 20, 2012 6:25 am
EP_X0FF wrote: For the encoding algorithm used, see http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm IDK, probably he simply copy-pasted it from there (because it has a ready-to-use C example).
Seems quite likely considering some of the noob programming errors.
Code:
if (filesize >= 8)
{
    //...
    SetFilePointer(hFile, 0x35, NULL, 0);  //0x8 = 0x35?
}
It encrypts only from offset 0x35 per the TEA algorithm in blocks of 8, meaning some bytes at the end of the file may also be intact.
You can also look where it loads the BMP resource and decrypts that. That'll give you the target file extensions + other junk.
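Worked example, added here and not taken from any post in the thread or from the Xorist source: a Python implementation of standard TEA that follows the structure of the TEABuf/TEAEncrypt listings EP_X0FF posted (8-byte blocks, words loaded big-endian as the bswap instructions do, delta 9E3779B9h, leftover bytes never touched) and nullptr's observation that the file is processed from offset 0x35 onward. The key, the 32-round count (TEA_ROUNDS is not shown on the page) and the sample "file" are constructed assumptions; the zero-key known-answer value is the published TEA test vector, not something derived from this sample. The point for a defender is the last few functions: bytes before 0x35 and any partial trailing block survive encryption unchanged, and only the correct key round-trips the rest.

```python
import struct

DELTA = 0x9E3779B9   # TEA_DELTA in the MASM listing
ROUNDS = 32          # standard TEA round count (assumption; TEA_ROUNDS is not on the page)
MASK = 0xFFFFFFFF

# Constructed key: four 32-bit words. How Xorist derives its real key is not
# shown in the thread, so this key is for illustration only.
KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)

# Constructed "file": a 0x35-byte header followed by 46 bytes of content, so
# the encrypted region holds 5 whole blocks plus a 6-byte partial block.
SAMPLE = b"H" * 0x35 + b"The quick brown fox jumps over the lazy dog" + b"\x00" * 3


def _feistel(v, ka, kb, s):
    """One TEA half-round, the body of the TEAROUND macro in the listing."""
    return ((((v << 4) & MASK) + ka) ^ (v + s) ^ ((v >> 5) + kb)) & MASK


def tea_encrypt_block(block: bytes, key) -> bytes:
    """Encrypt one 8-byte block; words are big-endian like the bswap in TEAEncrypt."""
    y, z = struct.unpack(">II", block)
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK                 # add ebx, TEA_DELTA
        y = (y + _feistel(z, k0, k1, s)) & MASK  # TEAROUND eax,edx,0,1
        z = (z + _feistel(y, k2, k3, s)) & MASK  # TEAROUND edx,eax,2,1
    return struct.pack(">II", y, z)


def tea_decrypt_block(block: bytes, key) -> bytes:
    """Inverse of tea_encrypt_block: same rounds, run backwards."""
    y, z = struct.unpack(">II", block)
    k0, k1, k2, k3 = key
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        z = (z - _feistel(y, k2, k3, s)) & MASK
        y = (y - _feistel(z, k0, k1, s)) & MASK
        s = (s - DELTA) & MASK
    return struct.pack(">II", y, z)


def tea_buffer(data: bytes, key, start: int, encrypt: bool) -> bytes:
    """Mirror TEABuf: from `start`, process len // 8 whole blocks (the shr ebx,3);
    bytes before `start` and the trailing partial block pass through unchanged."""
    fn = tea_encrypt_block if encrypt else tea_decrypt_block
    head, body = data[:start], data[start:]
    nblocks = len(body) >> 3
    out = bytearray(head)
    for i in range(nblocks):
        out += fn(body[i * 8:(i + 1) * 8], key)
    out += body[nblocks * 8:]                  # leftover bytes are never encrypted
    return bytes(out)


def encrypt_like_sample(data: bytes, key=KEY) -> bytes:
    return tea_buffer(data, key, 0x35, encrypt=True)


def decrypt_like_sample(data: bytes, key=KEY) -> bytes:
    return tea_buffer(data, key, 0x35, encrypt=False)


def intact_tail_length(data: bytes, start: int = 0x35) -> int:
    """How many trailing bytes the block loop leaves untouched."""
    return max(len(data) - start, 0) % 8


def known_answer_ok() -> bool:
    """Published TEA test vector: all-zero key and block -> 41ea3a0a94baa940."""
    return tea_encrypt_block(bytes(8), (0, 0, 0, 0)) == bytes.fromhex("41ea3a0a94baa940")


if __name__ == "__main__":
    ct = encrypt_like_sample(SAMPLE)
    print("known-answer vector OK:", known_answer_ok())
    print("header preserved:", ct[:0x35] == SAMPLE[:0x35])
    print("intact tail bytes:", intact_tail_length(SAMPLE))
    print("round trip OK:", decrypt_like_sample(ct) == SAMPLE)
```

Running it with a wrong key in decrypt_like_sample gives garbage for the blocks but still returns the header and the tail untouched, which is exactly why a recovery tool that reports "0 files decrypted" is a key-selection problem rather than a sign that the data is gone.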