A forum for reverse engineering, OS internals and malware analysis
l0wlevel wrote: I'll just say one thing. If both Ross Ulbricht and Variety Jones were caught, the operators of these ransomwares are not safe either, they will be caught.

Ulbricht had made quite a few OPSEC failures. Are you suggesting the use of BTC may lead to arrest?
.sql
.mp4
.7z
.rar
.m4a
.wma
.avi
.wmv
.csv
.d3dbsp
.upk
.das
.iwi
.litemod
.asset
.forge
.ltx
.bsa
.apk
.re4
.sav
.lbf
.slm
.bik
.epk
.rgss3a
.pak
.big
wallet
.wotreplay
.xxx
.desc
.py
.m3u
.flv
.js
.css
.rb
.png
.jpeg
.txt
.p7c
.p7b
.p12
.pfx
.wb2
.rtf
.wpd
.dxg
.xf
.dwg
.pst
.accdb
.mdb
.pptm
.pptx
.ppt
.xlk
.xlsb
.xlsm
.xlsx
.xls
.wps
.docm
.icxs
.hvpl
.hplg
.hkdb
.mdbackup
.syncdb
.gho
.cas
.svg
.sb
.wmo
.map
.itm
.wmo
.itm
.sb
.fos
.mov
.vdf
.ztmp
.sis
.sid
.ncf
.menu
.layout
.dmp
.blob
.esm
.vcf
.vtf
.dazip
.fpk
.mlx
.kf
.iwd
.vpk
.tor
.psk
.rim
.w3x
.zip
.sie
.sum
.ibank
.t13
.t12
.qdf
.gdb
.tax
.pkpass
.bc6
.bc7
.bkp
.qic
.bkf
.sidn
.sidd
.mddata
.itl
.itdb
.fsh
.ntl
.arch00
.lvl
.snx
.cfr
.ff
.vpp_pc
.lrf
.m2
.mcmeta
.vfs0
.mpqge
.kdb
.db0
.dba
.rofl
.raf
.hkx
.bar
.erf
.cdr
.indd
.ai
.dcr
.cr2
.crw
.bay
.sr2
.srf
.arw
.3fr
.dng
.jpe
.jpg
.eps
.pdf
.pdd
.psd
.dbf
.mdf
.rw2
.rwl
.raw
.orf
.nrw
.mrwref
.mef
.kdc
.docx
.doc
.odb
.odc
.odm
.odp
.ods
.odt
.pem
.crt
.cer
.der
.x3f
.srw
.pef
.ptx
.r3d
ccm290 wrote: Hello,
I am new to malware analysis, as I am studying reverse engineering this semester at my university. I was interested in choosing this as my malware sample for my project, but I am having issues with it. Do the attachments given contain encrypted versions of the malware? It's not an executable when I download it, which is what I need for my project. Thanks for any advice.

They are encrypted executables, add *.exe extension and use.