A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21237  by Cody Johnston
 Wed Oct 23, 2013 6:27 pm
SHA256: ed95b1a888710f3ca4acacb49250fb6c21722e2882e31784bd2049d15f97d4de
SHA1: 48146b81b85e41b67489f2c20a4e38cb10d1c778
MD5: bbb445901d3ec280951ac12132afd87c
Detection ratio: 29 / 47

https://www.virustotal.com/en/file/ed95 ... /analysis/

hxxp://194.28.174.119/0388.exe
Attachment (516.13 KiB), password: infected
 #21281  by Every1is=
 Wed Oct 30, 2013 8:40 am
Maybe a dumb question, but I assume it will: does it search for the mask system wide?

A lot of people will backup (i.e. just make a copy) to a permanently attached USB drive or network drive, be it via a network path, a Windows mapped drive letter, IP/dirname etc.

Are those in danger as well?

Also, what does it do to the location on disk where the files were stored? As I understand it, it picks them up, encrypts them, puts them in an encrypted blob and it puts that blob on a new location on the drive. If the originals are gone, it must have deleted them. What does it do to that drivespace? Does it scrub it? If not, will recovery software work on the "deleted" files?

I could go and get myself infected and check it out, but I am too big of a n00b to try and do that. Better leave that to the guys that have the knowledge and time for it. I might get myself in trouble more than I can handle right now... ;)
 #21285  by Grinler
 Wed Oct 30, 2013 3:49 pm
Lots of AV vendors are reporting that this is being spread via exploit kits as well. Anyone ever seen a sample from an exploit kit?

I have only seen it from Zbot spams.
Every1is= wrote:Maybe a dumb question, but I assume it will: does it search for the mask system wide?

A lot of people will backup (i.e. just make a copy) to a permanently attached USB drive or network drive, be it via a network path, a Windows mapped drive letter, IP/dirname etc.

Are those in danger as well?
If the backup drive is mounted as a drive letter, then yes, CryptoLocker will scan it for files to encrypt. As for the encrypted files, I can tell you that people have tried to recover using a file recovery program and were unable to do so. Not sure if they are scrubbing or if some other method is being used.
 #21286  by markusg
 Wed Oct 30, 2013 4:06 pm
I personally see it as spam, not via exploits.
@decryption:
What about Shadow Explorer (Vista/Win7)? Also not working?
I was not able to get a working copy of this ransomware, but perhaps you will also find some useful tools there.
http://www.trojaner-board.de/116851-dat ... post851585
In the past we had problems in Germany with ransomware encrypting files too, and collected some tools there.
 #21288  by Cody Johnston
 Wed Oct 30, 2013 7:27 pm
Grinler wrote:Lots of AV vendors are reporting that this is being spread via exploit kits as well. Anyone ever seen a sample from an exploit kit?
0388.exe was recovered from a PC that was infected via Neutrino EK. It is only sometimes that I can recover the history though, so it is hard to know for sure how often. Most of them that we find have ZeroAccess, so I suspect sometimes PPI via ZeroAccess and sometimes through EK, though I could be wrong here.
 #21290  by Grinler
 Wed Oct 30, 2013 9:03 pm
Thanks Cody. If you run into anything definitive let me know. The only time I have seen the version executables are when people download directly from the C2 server. All the other times the Crilock executable has been randomly named.
 #21306  by noone
 Fri Nov 01, 2013 8:13 pm
Hmmm, this thing looks really nasty.
Also, it's funny, they don't have captchas on file upload...

Some nmap scans:

Starting Nmap 6.01 ( http://nmap.org ) at 2013-11-01 21:34
Nmap scan report for 93.189.44.187

PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp

---

Starting Nmap 6.01 ( http://nmap.org ) at 2013-11-01 21:34
Nmap scan report for dedic.dc.besthosting.ua (194.28.174.119)

PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
111/tcp open rpcbind
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp

---

Starting Nmap 6.01 ( http://nmap.org ) at 2013-11-01 21:33
Nmap scan report for li450-191.members.linode.com (50.116.8.191)

PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp