A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17798  by thisisu
 Tue Jan 22, 2013 12:12 am
Sorry, I'm not sure what this one is called. Another expert hinted that it is probably a variant of Birele. I have asked another colleague to take a look. Will update when possible.
 #17799  by Quads
 Tue Jan 22, 2013 1:39 am
Found a thread where a user reported Met Police and can't open .pdf files...

They had this in their posts Win32/Filecoder.AO.Gen (ESET??)

Quads
 #17800  by Belahzu
 Tue Jan 22, 2013 2:40 am
Cheers Quads, looks like that could be it after looking at other variants of the FileCoder family. Let's hope the encryption can be reversed.
 #17802  by Quads
 Tue Jan 22, 2013 3:31 am
Does anyone have 2 .jpg's of the exact same photo, one encrypted and one not?

As with docs or Excel files, the file size could easily change due to the user adding data after the last backup copy was done, even just adding one more cell of data in the spreadsheet.
But usually a photo taken on holiday, for instance, from the digital camera stays the same size (for example 1 MB) in My Pictures and in the backup copy. Or, like with the actual Windows OS, .jpg's that are also encrypted while the original is not.

Quads
 #17804  by Fabian Wosar
 Tue Jan 22, 2013 12:07 pm
More interesting than the encrypted files would be a sample of the malware. So if someone stumbles upon a live infection, make sure to get a sample of the malware file before removing it.

Other than that it seems the malware overwrites the first 0x4000 bytes of the file. The first 20 bytes seem to be some kind of file header. The first 8 bytes of the file header seem to be an encryption marker and are always "CR_M0x04". The next 4 bytes seem to be the size of the encrypted blob minus the 20 bytes of the header (0x00003FEC in all files I looked at). The next 4 bytes are the size of the data attached at the end of the file (0x00000414 or 1044 in the files I looked at). The last 4 bytes of the header seem to be the size of the overwritten blob at the beginning (0x00004000 in all files I looked at). My gut feeling tells me that the data at the end is most likely the encryption/decryption key as well as a backup of the first 20 bytes that were overwritten with the header.

Keep in mind that this information is just guesswork on my end though. Without the actual malware it is impossible to say anything definitive.
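To make Fabian's observations usable for triage, here is an added example (not from the thread or from any of its participants) that parses the described 20-byte header, cross-checks the three size fields, and carves a marked file into header, encrypted blob, untouched middle and trailer. It assumes the size fields are little-endian (the post does not say), and the sample file it builds is a constructed stand-in that only models the layout; it performs no encryption and does not reproduce the malware's behaviour.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

MARKER = b"CR_M0x04"  # 8-byte marker reported at the start of every encrypted file
HEADER_LEN = 20       # marker (8) + three 4-byte size fields
FIELD_FMT = "<III"    # ASSUMPTION: size fields are little-endian; the thread does not say


@dataclass
class FilecoderHeader:
    blob_size: int         # encrypted blob size minus the header (0x3FEC observed)
    trailer_size: int      # size of the data appended at the end (0x414 = 1044 observed)
    overwritten_size: int  # size of the overwritten region at file start (0x4000 observed)


def parse_header(data: bytes) -> Optional[FilecoderHeader]:
    """Return the parsed header if `data` starts with the marker, else None."""
    if len(data) < HEADER_LEN or data[:8] != MARKER:
        return None
    blob, trailer, overwritten = struct.unpack_from(FIELD_FMT, data, 8)
    return FilecoderHeader(blob, trailer, overwritten)


def check_consistency(hdr: FilecoderHeader, file_size: int) -> List[str]:
    """Cross-check the three sizes against the layout described in the post.
    An empty list means the file matches the expected structure."""
    problems = []
    if hdr.blob_size + HEADER_LEN != hdr.overwritten_size:
        problems.append("header + blob does not equal the overwritten region")
    if file_size < hdr.overwritten_size + hdr.trailer_size:
        problems.append("file too small to hold overwritten region plus trailer")
    return problems


def split_encrypted_file(data: bytes) -> Optional[Dict[str, bytes]]:
    """Carve a marked file into header, encrypted blob, untouched middle and trailer.
    Returns None when the marker is missing or the sizes are inconsistent."""
    hdr = parse_header(data)
    if hdr is None or check_consistency(hdr, len(data)):
        return None
    return {
        "header": data[:HEADER_LEN],
        "blob": data[HEADER_LEN:hdr.overwritten_size],
        "middle": data[hdr.overwritten_size:len(data) - hdr.trailer_size],
        "trailer": data[-hdr.trailer_size:],
    }


def triage(data: bytes) -> str:
    """One-line verdict for a file, suitable for bulk scanning of a user's documents."""
    hdr = parse_header(data)
    if hdr is None:
        return "no marker"
    problems = check_consistency(hdr, len(data))
    return "marked, layout consistent" if not problems else "marked, " + "; ".join(problems)


def build_constructed_sample(original: bytes) -> bytes:
    """CONSTRUCTED test input modelling the described layout. It performs no
    encryption and is not the malware's behaviour: the blob is filler bytes and
    the trailer is placeholder bytes plus a copy of the original first 20 bytes,
    which exercises the post's guess that the trailer backs up those bytes."""
    if len(original) < 0x4000:
        raise ValueError("sample must be at least 0x4000 bytes")
    header = MARKER + struct.pack(FIELD_FMT, 0x3FEC, 0x414, 0x4000)
    blob = bytes((i * 7) & 0xFF for i in range(0x3FEC))  # filler in place of ciphertext
    trailer = bytes(0x414 - HEADER_LEN) + original[:HEADER_LEN]
    return header + blob + original[0x4000:] + trailer


if __name__ == "__main__":
    jpeg_like = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 96  # constructed 24580-byte "photo"
    sample = build_constructed_sample(jpeg_like)
    print(triage(jpeg_like))  # no marker
    print(triage(sample))     # marked, layout consistent
    parts = split_encrypted_file(sample)
    print(len(parts["blob"]), len(parts["middle"]), len(parts["trailer"]))
```

Running `triage` over a user's document folders gives a quick count of files that carry the marker, and `split_encrypted_file` isolates the trailer so it can be compared across files (a trailer that differs per file would support the guess that it holds a per-file key, while identical trailers would not).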
 #17807  by Fabian Wosar
 Tue Jan 22, 2013 4:03 pm
I found the malware sample and attached it. Based on the used obfuscation and the way it communicates with the central server it looks suspiciously like a new Matsnu/Trustezeb variant. The C&C location of this particular variant is "http://397110121001i83455512377.com/una ... WEQOZ6.php". Unfortunately I can't connect to the server so I am assuming that it has been taken down already (according to VT the sample has been floating around for at least a week). Matsnu has the unfortunate property of using random keys for encryption that are submitted to the C&C server. So decryption is most likely not possible unless the user is using a proxy that logs all HTTP requests. I haven't looked into it too closely yet though. Sinusitis is kicking my ass right now. But I will give it a closer look as soon as I feel better.
Attachment: infected (37.14 KiB)
 #17808  by Crush
 Tue Jan 22, 2013 5:03 pm
One of the users I'm helping added this to the mix. Sample of a text file found after the machine was infected.

FYI - the infection is still active on this particular machine
Attachment: (727 Bytes)
 #17809  by Fabian Wosar
 Tue Jan 22, 2013 5:11 pm
Can you get the malware sample from his system? It is usually located in either the Windows system directory or the user's temp directory (or both) and is referenced in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"/"Userinit" as well as "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"/"Shell".
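As an added example (not from the thread or from any of its participants), the following script checks the two Winlogon locations Fabian names for unexpected entries. It parses the output of `reg query` for those keys, as captured on the affected machine, and flags anything beyond the standard Windows defaults, which it assumes to be `C:\Windows\system32\userinit.exe,` for HKLM `Userinit` and `explorer.exe` for HKLM `Shell`, with no per-user `Shell` or `Userinit` override in HKCU. The sample outputs and the file name `sample_placeholder.exe` are constructed placeholders, not indicators from this case.

```python
import re
from typing import Dict, List

# One `reg query` output line: "    Name    REG_TYPE    data"
REG_LINE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

# ASSUMED standard Windows defaults for the Winlogon values (case-insensitive compare)
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
DEFAULT_SHELL = "explorer.exe"


def parse_reg_query(output: str) -> Dict[str, str]:
    """Map value name -> data from `reg query` output. The key-path line
    contains 'Windows NT' (a space) and no REG_ type, so it does not match."""
    values: Dict[str, str] = {}
    for line in output.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def assess_winlogon(hklm: Dict[str, str], hkcu: Dict[str, str]) -> List[str]:
    """Return findings for values that differ from the assumed defaults."""
    findings: List[str] = []
    # HKLM Userinit is a comma-separated list; anything beyond userinit.exe is extra
    for entry in (e.strip() for e in hklm.get("Userinit", "").split(",")):
        if entry and entry.lower() != DEFAULT_USERINIT:
            findings.append(f"HKLM Userinit has extra entry: {entry}")
    shell = hklm.get("Shell", DEFAULT_SHELL)
    if shell.strip().lower() != DEFAULT_SHELL:
        findings.append(f"HKLM Shell is not explorer.exe: {shell}")
    # HKCU Winlogon normally carries no Shell/Userinit; a per-user override is notable
    for name in ("Shell", "Userinit"):
        if name in hkcu:
            findings.append(f"HKCU Winlogon\\{name} is set (per-user override): {hkcu[name]}")
    return findings


# CONSTRUCTED sample outputs; a clean system and a system with the pattern Fabian describes
CLEAN_HKLM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
"""
CLEAN_HKCU = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    BuildNumber    REG_DWORD    0x1db1
"""
SUSPECT_HKLM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Local\Temp\sample_placeholder.exe,
"""
SUSPECT_HKCU = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    BuildNumber    REG_DWORD    0x1db1
    Shell    REG_SZ    explorer.exe,C:\Windows\sample_placeholder.exe
"""


def report(hklm_output: str, hkcu_output: str) -> List[str]:
    """Convenience wrapper: parse both captures and assess them together."""
    return assess_winlogon(parse_reg_query(hklm_output), parse_reg_query(hkcu_output))


if __name__ == "__main__":
    print(report(CLEAN_HKLM, CLEAN_HKCU))      # []
    for finding in report(SUSPECT_HKLM, SUSPECT_HKCU):
        print(finding)
```

The paths the findings print are where to look for the sample to collect (and to hash before removal); the script deliberately reads captured text rather than the live registry so it can be run on exports from several affected machines at once.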
 #17810  by Belahzu
 Tue Jan 22, 2013 5:34 pm
Hi Fabian.
I know of 2 users with the file you want intact/in quarantine.

Working on getting a copy, stand by.