Search found 87 matches

by Fabian Wosar
Sat Mar 26, 2016 5:25 pm
Forum: Malware
Topic: Petya malware
Replies: 16
Views: 41984

Re: Petya malware

Just some notes that may or may not be helpful. Take all the information with a huge pinch of salt, as I have never done much boot loader reversing. Expect inaccuracies, and some info may just be plain wrong. The malicious MBR will essentially read 32 sectors starting from sector 0x22 to address 0x8...
by Fabian Wosar
Tue Feb 23, 2016 12:47 pm
Forum: Malware
Topic: Ransomware ACCDFISA
Replies: 51
Views: 61471

Re: Ransomware ACCDFISA

There you go:

rule AccdfisaDropper
{
    strings:
        $a = "sfxrar.pdb" nocase
        $b = "nsf.exe" nocase
        $c = "NoSafeMode.dll" nocase
    condition:
        $a and $b and $c
}

rule AccdfisaCrypter
{
    strings:
        $a = ".xml" nocase
        $b = ".txt" nocase
        $c = ".png" nocase
        $d = " -dh -ep2 -hp" nocase
    condition:
        $a and $b and $c and...
by Fabian Wosar
Thu Jan 28, 2016 11:27 am
Forum: Malware
Topic: Ransom.Radamant
Replies: 10
Views: 16755

Re: Ransom.Radamant

Kind of lol, but this malware with all symbol names inside, e.g. Yes, that gave me a chuckle, too. If you really want to laugh, take a look at the encryptFile function and look at the convoluted mess they introduced in an attempt to stop my decrypter. They still didn't fix the original issue. I can...
by Fabian Wosar
Fri Jan 09, 2015 12:46 pm
Forum: Malware
Topic: PClock ransomware
Replies: 7
Views: 9292

Re: PClock ransomware

Okay, the algorithm used to encrypt the block appears to be standard RC4.
by Fabian Wosar
Fri Jan 09, 2015 10:33 am
Forum: Malware
Topic: PClock ransomware
Replies: 7
Views: 9292

Re: PClock ransomware

Mohamed Shetta wrote: Nope, I thought everything is clear over there so I didn't check. Is there something vague over there?
Don't know yet, to be honest, as I haven't had time to look into it yet :).
by Fabian Wosar
Thu Jan 08, 2015 7:10 pm
Forum: Malware
Topic: PClock ransomware
Replies: 7
Views: 9292

Re: PClock ransomware

I doubt that the key gets deleted as the ransomware doesn't import the function rtcDeleteSetting. While it is not deleted, there at least exists code that will set it to an empty string again. Take a look around 0x0042F422. It calls the method that sets the value you mentioned with an empty string....
by Fabian Wosar
Wed Jan 07, 2015 2:30 pm
Forum: Malware
Topic: PClock ransomware
Replies: 7
Views: 9292

PClock ransomware

Attached are two variants of a new crypto malware that first showed up a few days ago. The encryption of the first variant is rather simplistic. It just does a simple XOR using a static key that is used on every system. The key used is 0x30353533316231396262383436623138633039663937396565623432396164...
by Fabian Wosar
Thu Apr 24, 2014 6:04 pm
Forum: Malware
Topic: Win32/Dircrypt (File Encrypting Ransomware)
Replies: 14
Views: 24764

Re: Win32/Dircrypt (File Encrypting Ransomware)

It looks like a new variant of this particular malware family is spreading at the moment. Infection scheme changed slightly. Instead of various different file formats, all files are encrypted into RTF documents with the *.enc.rtf extension now. Please find the original as well as the unpacked sample...
by Fabian Wosar
Fri Apr 04, 2014 2:52 am
Forum: Malware
Topic: CryptoDefense
Replies: 8
Views: 11422

Re: CryptoDefense

The malware author released a new variant of his malware using different C2 domains and fixing his mistake of saving the private key on the victim's PC that Symantec conveniently pointed out to him roughly 24 hours before this new version was compiled. I also included the unpacked malware. It has be...
by Fabian Wosar
Mon Jan 13, 2014 11:01 am
Forum: Malware
Topic: CryptoLocker (Trojan:Win32/Crilock.A)
Replies: 118
Views: 201794

Re: CryptoLocker (Trojan:Win32/Crilock.A)

I still can't run CryptoLocker. I've created a special VM for malware without additions, renamed devices and registry keys. What am I doing wrong? How are guys testing it? CryptoLocker is not VM aware. Most likely your infection has a hard time finding a valid C2 server as the vast majority of doma...