[Blaze]

Thanks for your feedback Artillerie! I was able to restore most of the files with PhotoRec, luckily :) . Cheers!

[patriq]

Was looking for a C&C panel.

A bit more on Win32/DirCrypt deobfuscated sample from EP_X0FF

http://anubis.iseclab.org/?action=resul ... bed8b2a1c4

https://malwr.com/analysis/Njc4NmZkYTA4 ... Q5ZGI3MzI/

Looks like some domain generating algorithm, still trying to phone home to sinkhole.

Some respond with a 200 OK and this:
X-Sinkhole: Malware sinkhole\r\n

I dont see any "normal" bot/C&C communication anymore.
.pcap attached

Anyone seen any panels for this strain?

pcap.tar.gz

no password
(17.94 KiB) Downloaded 68 times

[EP_X0FF]

Decrypthackers scam advertising has been removed. Use "Report" button next time so we can faster deal with such kind of posts.

[Fabian Wosar]

It looks like a new variant of this particular malware family is spreading at the moment. Infection scheme changed slightly. Instead of various different file formats, all files are encrypted into RTF documents with the *.enc.rtf extension now.

Please find the original as well as the unpacked sample attached.

[nitayart]

Hi,

Check Point has published a new report on how to (partially) restore files encrypted by this malware.

https://www.checkpoint.com/download/pub ... Hacker.pdf