Hi All,
Thanks to Fabian, Grinler, and decrypterfixer (BleepingComputer.com) for the info and samples on this post.
There is a new crypto-ransomware going around called CryptoDefense. It uses RSA-2048 and seems to work similarly to CryptoLocker, aside from the fact that there is no actual UI. The UI elements that CryptoLocker would display are instead shown to the user via a web service. It does not look like there is a feasible way to decrypt the files without payment at this point.
It drops an HTML file, a txt file, and an Internet Shortcut (which points to hxxps://rj2bocejarqnpuhm.onion.to/)
HTML:
From there we can go to the website on TOR:
Captcha Protection:
Payment:
FAQ:
Screenshot (not always working but 80 - 90% of the time):
Test Decryption:
Calls home to:
hxxp://machetesraka.com (185.10.56.103 at the time of writing)
Example requests:
http://machetesraka.com/5li5hybsd1
http://machetesraka.com/0r24wp6yj05a8
http://machetesraka.com/6b3dpt13rqu8t
These requests contain the private key and a unique identifier for each PC, which are uploaded to the C2 before encryption.
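Since the key upload happens before encryption, a proxy log scan for the beacon above is a quick way to find machines that are about to be (or already being) encrypted. The following is an added example, not code from the original post; it assumes a Squid-style native access log layout, and the sample log lines are constructed.

```python
from urllib.parse import urlsplit

# Indicators from the post: the C2 host name and the IP it resolved to at
# the time of writing. Requests to either are treated as beacons.
C2_HOSTS = {"machetesraka.com", "185.10.56.103"}

# Constructed sample of a Squid native access log (assumed format:
# timestamp elapsed client code/status bytes method url ...). The first and
# third lines imitate the key/identifier upload; the second is benign.
SAMPLE_LOG = """\
1395155742.123    120 10.0.0.5 TCP_MISS/200 512 GET http://machetesraka.com/5li5hybsd1 - HIER_DIRECT/185.10.56.103 text/html
1395155743.456     90 10.0.0.5 TCP_MISS/200 1024 GET http://www.example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1395155800.001    110 10.0.0.9 TCP_MISS/200 512 GET http://185.10.56.103/0r24wp6yj05a8 - HIER_DIRECT/185.10.56.103 text/html
"""


def find_c2_requests(log_lines):
    """Return (client, url, victim_id) for each request to a C2 host.

    The single path component of the request is the per-PC identifier the
    post describes, so it is returned separately for triage.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or malformed line
        client, url = fields[2], fields[6]
        parts = urlsplit(url)
        if parts.hostname not in C2_HOSTS:
            continue
        victim_id = parts.path.strip("/")
        hits.append((client, url, victim_id))
    return hits


def victims_by_client(log_lines):
    """Group the identifiers seen per internal host. Any host listed here has
    already sent its key to the C2 and should be isolated promptly."""
    seen = {}
    for client, _url, victim_id in find_c2_requests(log_lines):
        seen.setdefault(client, []).append(victim_id)
    return seen


if __name__ == "__main__":
    for client, ids in victims_by_client(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: beaconed to CryptoDefense C2 with id(s) {ids}")
```

Matching on both the domain and the IP catches infections that resolve the name elsewhere or connect directly by address.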
The dropper and decrypter are pretty heavily obfuscated.
Dropper (647f242.exe):
VirusTotal (13/50):
MD5 d43abef5a62b46a660a5128330070479
https://www.virustotal.com/en/file/0099 ... 395155742/
Decrypter (decrypter.exe):
VirusTotal (12/50):
MD5 cde1a96c7d1fc4fd04d4f076b936e9a0
https://www.virustotal.com/en/file/4913 ... 395270965/
Binary taken from dropper (this does the actual encryption - _003E000.exe):
VirusTotal (8/50):
MD5 f57d188c4667fab46208396af20badd2
https://www.virustotal.com/en/file/8783 ... 395274352/
Attachments (8.24 MiB archive, password: infected)