A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17798  by thisisu
 Tue Jan 22, 2013 12:12 am
Sorry I'm not sure what this one is called. Another expert hinted that it probably a variant of Birele. I have asked another colleague to take a look. Will update when possible.
 #17799  by Quads
 Tue Jan 22, 2013 1:39 am
Found a thread where a user reported Met Police and can't open files .pdf...................

They had this in their posts Win32/Filecoder.AO.Gen (ESET??)

Quads
 #17800  by Belahzu
 Tue Jan 22, 2013 2:40 am
Cheers Quad, looks like that could be it after looking at other variants of the FileCoder family. Lets hope the encryption can be reversed.
 #17802  by Quads
 Tue Jan 22, 2013 3:31 am
Does anyone have 2 .jpg's exact same photo one encrypted on not??

As with docs or excel files the file size could easily change due to user adding data after the last backup copy was done, even say adding one more cell of data in the spreadsheet.
But usually a photo taken on holiday for instance from the digital camera stays the same size (example 1mb size) in my pictures and the backup copy. Or like the actual Windows OS, .jpg's also encrypted and the original is not.

Quads
 #17804  by Fabian Wosar
 Tue Jan 22, 2013 12:07 pm
More interesting than the encrypted files would be a sample of the malware. So if someone stumbles upon a live infection, make sure to get a sample of the malware file before removing it.

Other than that it seems the malware overwrites the first 0x4000 bytes of the file. The first 20 bytes seem to be some kind of file header. First 8 bytes of the file header seems to be an encryption marker and is always "CR_M0x04". Next 4 bytes seem to be the size of the encrypted blob minus the 20 bytes of the header (0x00003FEC in all files I looked at). The next 4 bytes are the size of data attached at the end of the file (0x00000414 or 1044 in the files I looked at). The last 4 bytes of the header seems to be the size of the overwritten blob at the beginning (0x00004000 in all files I looked at). My gut feeling tells me that the data at the end is most likely the encryption/decryption key as well as a backup of the first 20 bytes that were overwritten with the header.

Keep in mind that those information are just guesses on my end though. Without the actual malware it is impossible to say anything definitive.
 #17807  by Fabian Wosar
 Tue Jan 22, 2013 4:03 pm
I found the malware sample and attached it. Based on the used obfuscation and the way it communicates with the central server it looks suspiciously like a new Matsnu/Trustezeb variant. The C&C location of this particular variant is "http://397110121001i83455512377.com/una ... WEQOZ6.php". Unfortunately I can't connect to the server so I am assuming that is has been taken down already (according to VT the sample has been floating around for at least a week). Matsnu has the unfortunate property to use random keys for encryption that are submitted to the C&C server. So decryption is most likely not possible unless the user is using a proxy that logs all HTTP requests. I haven't looked into it too closely yet though. Sinusitis is kicking my ass right now. But I will give it a closer look as soon as I feel better.
Attachments
infected
(37.14 KiB) Downloaded 66 times
 #17808  by Crush
 Tue Jan 22, 2013 5:03 pm
One of the users I'm helping added this to the mix. Sample of a text file found after the machine was infected.

FYI - the infection is still active on this particular machine
Attachments
(727 Bytes) Downloaded 40 times
 #17809  by Fabian Wosar
 Tue Jan 22, 2013 5:11 pm
Can you get the malware sample from his system? It is usually located in either the Windows system directory or the user's temp directory (or both) and is referenced in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"/"Userinit" as well as "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"/"Shell".
 #17810  by Belahzu
 Tue Jan 22, 2013 5:34 pm
Hi Fabian.
I know of 2 users with the file you want in tact/in quarantine.

Working on getting a copy, stand by.