A forum for reverse engineering, OS internals and malware analysis 

 #19232  by thisisu
 Wed May 08, 2013 9:45 pm
MD5: d09aa5b65d18cef896df894efa1f0ae2

https://www.virustotal.com/en/file/e791 ... 368049328/

Pulled from a customer machine today. mp3 was on the desktop. Ransomware file in %temp%.
The ransomware screen did not appear for me but I have not connected the computer to the internet yet (some of these trigger only if connection is established). This should be the correct file though as it was the one linked in Autoruns.
Attachment (pass: infected)
 #20224  by Mosh
 Fri Jul 26, 2013 9:22 pm
This is a short analysis of the sample in my previous post

Encrypt the files with extensions: *.jpeg, *.jpg, *.pdf, *.pptx, *.ppt, *.xlsx, *.xls, *.rtf, *.docx, *.doc, *test.txt

Take the ransom image from: _hxxp://jkijjjkkji.rapsodia-networks.ru/get.php?id=11

Encrypt each byte of the target files by XORing it with each letter from the string Pr1v37*Fr0m*Be10Ru551a and write back the file beginning with the string *AES*, maybe to mislead some users.


Finally change the file extension to .ENCRYPTED_AND_LOCKED

See you
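The scheme described above (a fixed repeating key XORed over the file, a cleartext `*AES*` marker in front, and a renamed extension) is reversible without any key material beyond the string quoted in the analysis, which is the practical takeaway for anyone handling an affected machine. The following recovery helper is an added example, not code from the thread or from the sample; it assumes the key cycles from byte 0 of the original content and that the `*AES*` marker is written unencrypted in front of the XORed data, neither of which the post states explicitly. The locked sample bytes it works on are constructed inline for the demonstration.

```python
"""Recovery helper for the XOR-based locker described in the thread.

Assumptions (not confirmed by the post): the key repeats cyclically
starting at byte 0 of the original file content, and the literal
'*AES*' marker sits in the clear in front of the XORed data.
"""
from pathlib import Path

KEY = b"Pr1v37*Fr0m*Be10Ru551a"      # key string quoted in the analysis
MARKER = b"*AES*"                    # misleading header noted in the analysis
LOCKED_EXT = ".ENCRYPTED_AND_LOCKED" # extension noted in the analysis


def xor_repeating_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR every byte with the key, cycling through the key.
    The operation is symmetric: applying it twice returns the input."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def looks_locked(blob: bytes, name: str = "") -> bool:
    """Cheap triage check for a file: marker at offset 0 or the ransom extension."""
    return blob.startswith(MARKER) or name.endswith(LOCKED_EXT)


def recover_locked_blob(blob: bytes) -> bytes:
    """Strip the marker and undo the XOR.
    Refuses files without the marker so that an unrelated file is never
    'decrypted' (which would corrupt it) by mistake."""
    if not blob.startswith(MARKER):
        raise ValueError("missing *AES* marker; not the format described in the thread")
    return xor_repeating_key(blob[len(MARKER):])


def recover_file(locked_path: Path) -> Path:
    """Write the recovered content next to the locked file and restore the
    original name by dropping the ransom extension. The locked file is kept,
    and an existing file with the original name is never overwritten."""
    plain = recover_locked_blob(locked_path.read_bytes())
    name = locked_path.name
    original = name[:-len(LOCKED_EXT)] if name.endswith(LOCKED_EXT) else name + ".recovered"
    out = locked_path.with_name(original)
    if out.exists():
        out = locked_path.with_name(original + ".recovered")
    out.write_bytes(plain)
    return out


# Constructed sample: what a locked copy of a small text file would look like
# under the assumptions above (built here for the demo, not taken from the sample).
SAMPLE_PLAINTEXT = b"quarterly report, do not distribute\n"
SAMPLE_LOCKED = MARKER + xor_repeating_key(SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    # Show that the *AES* marker hides nothing: the content comes straight back.
    print(recover_locked_blob(SAMPLE_LOCKED).decode())
```

Because XOR with a repeating key is its own inverse, a single function handles both directions; the marker check is what keeps the tool from damaging files that merely happen to carry the ransom extension. On a real machine, run it over copies of the affected files rather than the originals, and keep the locked copies until the recovered output has been verified.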