Ransom Xorist

Forum for analysis and discussion about malware.

Postby thisisu » Wed Apr 18, 2012 8:31 am

https://www.virustotal.com/file/4137f8c ... /analysis/
Pic: http://img11.imageshack.us/img11/6878/crypting.jpg
This ransomware is somewhat similar to ACCDFISA but I think there may be a potential fix for this one.

Dr. Web has a decrypting tool here: http://majorgeeks.com/Dr._Web_Trojan.En ... d7716.html

You must run it with "-k 85" as a parameter (without the quotes).


I tried this and it said "0 files decrypted."

Is anyone able to figure it out and possibly explain in simple terms because this type of thing is way over my head.

Attached is a sample. Thank you for any help :)

Re: Trojan.Encoder.94 / Ransomware

Postby nullptr » Thu Apr 19, 2012 1:18 pm

This one will decrypt using te94decrypt -k 91

Re: Trojan.Encoder.94 / Ransomware

Postby thisisu » Thu Apr 19, 2012 10:18 pm

nullptr wrote:This one will decrypt using te94decrypt -k 91

Hi nullptr,

Thanks for your response. :)

Can you explain how you determined that -k 91 would work?
Would any other number besides 91 work? Why or why not?

I want to learn :)

Re: Trojan.Encoder.94 / Ransomware

Postby EP_X0FF » Fri Apr 20, 2012 3:33 am

Author definitely has some sense of humor :)
pussylicker 0p3nSOurc3 X0r157, motherfucker!

Decrypted and unpacked (UPX) in the attachment. Encryption procedure @0040177A.

Re: Trojan.Encoder.94 / Ransomware

Postby thisisu » Fri Apr 20, 2012 3:58 am

EP_X0FF wrote:Decrypted and unpacked (UPX) in attach. Encryption procedure @0040177A.

Thank you, EP_X0FF :)

Code:
0040177A  /$ 8BD8           MOV EBX,EAX
0040177C  |. C1EB 03        SHR EBX,3
0040177F  |. 85DB           TEST EBX,EBX
00401781  |. 74 13          JE SHORT unpacked.00401796
00401783  |. 8B35 59654000  MOV ESI,DWORD PTR DS:[406559]
00401789  |> 56             /PUSH ESI
0040178A  |. 56             |PUSH ESI
0040178B  |. E8 5C000000    |CALL unpacked.004017EC
00401790  |. 83C6 08        |ADD ESI,8
00401793  |. 4B             |DEC EBX
00401794  |.^75 F3          \JNZ SHORT unpacked.00401789
00401796  \> C3             RETN



I don't understand this. :(
Any tips on how I may start learning how to interpret code from ollydbg or whichever program you used here?

Thank you

Re: Trojan.Encoder.94 / Ransomware

Postby EP_X0FF » Fri Apr 20, 2012 4:48 am

This is Xorist, created by vazonez. It is produced by a constructor, and the encoder stub itself is written in MASM. It is open source. I think all that they changed is the warning message text. What you quote is

Code:
TEABuf   proc
      mov     ebx, eax
      shr     ebx, 3
      test    ebx, ebx
      je      TooSmall
      mov     esi, hMem
crpt:
      invoke  TEAEncrypt, esi, esi
      add     esi, 8
      dec     ebx
      jnz     crpt
TooSmall:
      ret
TEABuf   endp


For the encryption algorithm used, see http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm IDK, he probably simply copy-pasted it from there (because it has a ready-to-use C example).

Code:
TEAEncrypt proc uses edi esi ebx pBlockIn:DWORD,pBlockOut:DWORD
   mov esi,pBlockIn
   mov eax,[esi+0*4];y
   mov edx,[esi+1*4];z
   xor ebx,ebx
   bswap eax
   bswap edx
   .repeat
      add ebx,TEA_DELTA ; 9E3779B9h
      TEAROUND eax,edx,0,1
      TEAROUND edx,eax,2,1
      add ebx,TEA_DELTA
      TEAROUND eax,edx,0,1
      TEAROUND edx,eax,2,1
      mov ecx, TEA_DELTA
      imul ecx, dword ptr [TEA_ROUNDS]
   .until ebx == ecx
   bswap eax
   bswap edx
   mov esi,pBlockOut
   mov [esi+0*4],eax
   mov [esi+1*4],edx
   ret
TEAEncrypt endp

Re: Trojan.Encoder.94 / Ransomware

Postby nullptr » Fri Apr 20, 2012 6:25 am

EP_X0FF wrote:For encoding algo used see http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm IDK, probably he simple copy-pasted it from there (because it has ready to use C example).
Seems quite likely considering some of the noob programming errors.

Code:
if (filesize >= 8)
{
    //...
    SetFilePointer(hFile, 0x35, NULL, FILE_BEGIN);  // size check is against 8, but seeks to 0x35?
}

It encrypts only from offset 0x35, per the TEA algorithm, in blocks of 8, meaning some bytes at the end of the file may also be intact.
You can also look where it loads the BMP resource and decrypts that. That'll give you the target file extensions + other junk.
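The block below is an added example, not code from this thread, from vazonez's constructor, or from the Dr.Web/Kaspersky tools. It reimplements in Python what EP_X0FF's MASM quotes (TEA on 8-byte blocks, with the two 32-bit words byte-swapped before and after the rounds, i.e. treated as big-endian) together with the file layout nullptr describes (encryption starts at offset 0x35, a trailing partial block is left alone, and the filesize >= 8 check does not match the 0x35 seek). Assumptions the page does not confirm: TEAROUND is the standard TEA half-round from the Wikipedia reference code, TEA_ROUNDS is 32, the block count is derived from the bytes remaining after the offset, and DEMO_KEY is made up for the demonstration. The real sample's key is not on the page, and how the number passed to te94decrypt -k maps to a TEA key is not shown here either.

```python
"""TEA as the Xorist stub uses it, reimplemented for illustration (added example)."""
import struct

TEA_DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF
XORIST_OFFSET = 0x35  # start of the encrypted region, per nullptr's post
# Constructed demo key: NOT the key of the sample discussed in the thread.
DEMO_KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)


def tea_encrypt_block(block, key, rounds=32):
    """Encrypt one 8-byte block. '>2I' mirrors the bswap of y and z in the MASM.
    Assumes TEAROUND is the standard TEA half-round and TEA_ROUNDS == 32."""
    y, z = struct.unpack(">2I", block)
    k0, k1, k2, k3 = key
    total = 0
    for _ in range(rounds):
        total = (total + TEA_DELTA) & MASK32
        y = (y + ((((z << 4) & MASK32) + k0) ^ (z + total) ^ ((z >> 5) + k1))) & MASK32
        z = (z + ((((y << 4) & MASK32) + k2) ^ (y + total) ^ ((y >> 5) + k3))) & MASK32
    return struct.pack(">2I", y, z)


def tea_decrypt_block(block, key, rounds=32):
    """Inverse of tea_encrypt_block: same rounds, run backwards."""
    y, z = struct.unpack(">2I", block)
    k0, k1, k2, k3 = key
    total = (TEA_DELTA * rounds) & MASK32  # value ebx holds when the .until loop exits
    for _ in range(rounds):
        z = (z - ((((y << 4) & MASK32) + k2) ^ (y + total) ^ ((y >> 5) + k3))) & MASK32
        y = (y - ((((z << 4) & MASK32) + k0) ^ (z + total) ^ ((z >> 5) + k1))) & MASK32
        total = (total - TEA_DELTA) & MASK32
    return struct.pack(">2I", y, z)


def tea_buf(data, key, encrypt=True, rounds=32):
    """Mirror of TEABuf: len(data) >> 3 blocks are transformed in place.
    The remaining len(data) % 8 bytes are never touched, which is why a few
    bytes at the end of an encrypted file can stay intact."""
    f = tea_encrypt_block if encrypt else tea_decrypt_block
    out = bytearray(data)
    for i in range(len(data) >> 3):
        out[8 * i:8 * i + 8] = f(bytes(out[8 * i:8 * i + 8]), key, rounds)
    return bytes(out)


def xorist_transform(data, key, encrypt, offset=XORIST_OFFSET):
    """File-level view: bytes before `offset` are left as they are.
    The stub checks filesize >= 8 but seeks to 0x35, so a file of 8..0x35
    bytes passes the check and is still not modified (assumed behaviour)."""
    if len(data) < 8:
        return data
    return data[:offset] + tea_buf(data[offset:], key, encrypt)


def xorist_encrypt_file(data, key=DEMO_KEY):
    return xorist_transform(data, key, True)


def xorist_decrypt_file(data, key=DEMO_KEY):
    return xorist_transform(data, key, False)


if __name__ == "__main__":
    # Constructed input: 0x35 header bytes + 5 full blocks + 3 trailing bytes.
    sample = bytes((i * 7) & 0xFF for i in range(XORIST_OFFSET + 5 * 8 + 3))
    enc = xorist_encrypt_file(sample)
    print("header intact:", enc[:XORIST_OFFSET] == sample[:XORIST_OFFSET])
    print("tail intact:  ", enc[-3:] == sample[-3:])
    print("roundtrip ok: ", xorist_decrypt_file(enc) == sample)
```

To recover a real file with this, the TEA key of the specific build would have to be pulled from the unpacked stub first (the key material the decryptors select with their parameters is not on this page); the round-trip here only demonstrates the block layout and the untouched head and tail.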

Re: Trojan.Encoder.94 / Ransomware

Postby mrbelyash » Sat Apr 21, 2012 5:59 am


Re: Trojan.Encoder.94 / Ransomware

Postby thisisu » Sat Apr 21, 2012 11:47 pm

Thank you all for your responses.

Here is another tool created by Kaspersky that is intended to work versus Xorist: http://www.majorgeeks.com/Kaspersky_Xor ... d7732.html :)

Re: Trojan.Encoder.94 / Ransomware

Postby Blitskrieg » Tue Apr 24, 2012 9:27 am

thisisu wrote:Thank you all for your responses.

Here is another tool created by Kaspersky that is intended to work versus Xorist: http://www.majorgeeks.com/Kaspersky_Xor ... d7732.html :)

The direct link to this tool - http://support.kaspersky.com/downloads/ ... ryptor.exe
Kaspersky Lab
