[Xylitol]

Got another sample simmilar, and guess what:

Code: Select all

004024CF   .  43 52 5F 4D 3>ASCII "CR_M0x0402.062",0
004024DE   .  0A            DB 0A
004024DF   .  68 74 74 70 3>ASCII "http://397"
004024E9   .  31 31 30 31 3>ASCII "110121001i834555"
004024F9   .  31 32 33 37 3>ASCII "12377.com/una2/S"
00402509   .  46 36 33 34 3>ASCII "F6344-GWXS-WEQOZ"
00402519   .  36 2E 70 68 7>ASCII "6.php
",0

Original: https://www.virustotal.com/file/2f32838 ... 358877964/ > 24/45
Unpck: https://www.virustotal.com/file/5d3be4e ... 358878144/ > 18/46
Compilation timedatestamp.....: 2013-01-14 14:09:46

[Belahzu]

xaoaznqm.exe attached below.

[Xylitol]

xaoaznqm.exe attached below.

Same dead domain and same timestamp when unpacked.
if actor(s) have not moved the db to the new domain guys infected by your file are fucked.

Code: Select all

004024CF   .  43 52 5F 4D 3>ASCII "CR_M0x0402.062",0
004024DE   .  0A            DB 0A
004024DF   .  68 74 74 70 3>ASCII "http://397"
004024E9   .  31 31 30 31 3>ASCII "110121001i834555"
004024F9   .  31 32 33 37 3>ASCII "12377.com/una2/S"
00402509   .  46 36 33 34 3>ASCII "F6344-GWXS-WEQOZ"
00402519   .  36 2E 70 68 7>ASCII "6.php
",0

[thisisu]

If this is Matsnu it is no longer using the same “locked-<original_name>.<4 random characters>” renaming method to the encrypted files like before (~6 months ago)

For reference:
DrWeb's decrypt tool (Matsnu) : ftp://ftp.drweb.com/pub/drweb/tools/matsnu1decrypt.exe
Kaspersky's decrypt tool (Rannoh) : http://support.kaspersky.com/downloads/ ... ryptor.zip
ESET's decrypt tool (Trustezeb.A): http://www.eset.com/de/download/utiliti ... amily/145/
Avira's decrypt tool (?) : http://www.avira.com/files/support/FAQ_ ... locker.zip

Sorry if I left out other vendors these are the only ones I know of.

I believe all the tools here require that the original file be the same size as the encrypted file which does not seem to be the case here with the Menu Wedding Dinner 1.xls files.

[Belahzu]

Yeah, those tools aren't going to work due to the 1044 size increase. I think the other samples I have are probably all the same with the same dead URL.

@Fabian - The quarantine from Hitman below.

[Fabian Wosar]

If this is Matsnu it is no longer using the same “locked-<original_name>.<4 random characters>” renaming method to the encrypted files like before (~6 months ago)

Correct. It no longer changes the file name. Primarily because it seems there no longer is a central database containing the encryption keys and original file names. The encryption key for each file is most likely stored within the encrypted file. The encryption key is likely encrypted with a second key that is randomly generated and send off to the server.

DrWeb's decrypt tool : ftp://ftp.drweb.com/pub/drweb/tools/matsnu1decrypt.exe
Kaspersky's decrypt tool (they call it Rannoh) : http://support.kaspersky.com/downloads/ ... ryptor.zip

Both tools haven't worked for a long time. Matsnu/Trustezeb/Rannoh switched to a new encryption scheme several months ago. It essentially uses a different key per file. So the old trick with recovering the encryption key by comparing a pair of files and then using it to decrypt all other files no longer works.

There is a pretty nice write up from H. Caron and P. Rascagneres going into all the details of newer Matsnu/Trustezeb/Rannoh variants:
http://malware.lu/Pro/RAP001_malware_ra ... nu_1.1.pdf

The communication protocols are largly unchanged based on some static analysis. It even uses the same RC4 password to encrypt the communication. My guess why they changed the encryption is that their old model was prone to users running CCleaner and similar tools. In those cases CCleaner removed the database because it thought it was just a temporary file and the user could no longer decrypt his files which is bad for their "business".

It's just speculation on my end though based on observations and quick static analysis. I could be totally wrong :).

[thisisu]

There is a pretty nice write up from H. Caron and P. Rascagneres going into all the details of newer Matsnu/Trustezeb/Rannoh variants:
http://malware.lu/Pro/RAP001_malware_ra ... nu_1.1.pdf

Quite possibly the best writeup I've ever read. Didn't understand the ASM stuff but really appreciated the efforts in translating it.

Once the ransomware is executed, files are encrypted and it is not possible to recover it without network traces.

With network trace, for example with a proxy, it is possible to recover the files. We provide two solutions in this report:
- A script to parse the hard drive of the infected machine and recover the files
- A fake command & control that gives the order to unlock and recover the files
But the 2 solutions need the id and the data variable sent by the client during the infection.

So since hXXp://397110121001i83455512377.com/una2/SF6344-GWXS-WEQOZ6.php is dead, not anything we can do here unless files were moved to another (online) domain with the master key information?

[Fabian Wosar]

So since hXXp://397110121001i83455512377.com/una2/SF6344-GWXS-WEQOZ6.php is dead, not anything we can do here unless files were moved to another (online) domain with the master key information?

Well it has nothing to do with whether or not the location is dead to be honest. Even if the location was alive, the only way the server would return the key would be by submitting a valid UKASH code. Unless of course the script had some injection issues. In all other cases you would require physical access to the server to get access to the master keys.

[thisisu]

I see, thanks for the clarification Fabian.

[Belahzu]

So since hXXp://397110121001i83455512377.com/una2/SF6344-GWXS-WEQOZ6.php is dead, not anything we can do here unless files were moved to another (online) domain with the master key information?

Well it has nothing to do with whether or not the location is dead to be honest. Even if the location was alive, the only way the server would return the key would be by submitting a valid UKASH code. Unless of course the script had some injection issues. In all other cases you would require physical access to the server to get access to the master keys.

Darn that sucks, guess I have some bad news to tell my users.