Win32/Harasom (File Encrypting Ransomware)


Postby Cody Johnston » Thu May 16, 2013 1:37 am

Hello,

Please merge this post if a topic including this type of ransomware already exists. I have seen this on a couple of customers computers over the last few days. This ransomware encrypts doc, pdf, jpg, rar, zip, etc and makes them all html files. Attached is a sample of one of the files.

It directs to the following site:

hxxp://mblblock.in

Uses a UID from the PC as an argument when connecting to the page and displays content only when the UID is given.

I do not have a sample of the dropper yet, I'll post one as soon as I find it.

Here is a screenshot of what the user sees when attempting to open a file:

[screenshot attached to the original post]

Code:
Domain ID:D7317677-AFIN
Domain Name:MBLBLOCK.IN
Created On:08-May-2013 17:06:06 UTC
Last Updated On:08-May-2013 17:06:07 UTC
Expiration Date:08-May-2014 17:06:06 UTC
Sponsoring Registrar:Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:WIQ_27797905
Registrant Name:Gerald Minhelm
Registrant Organization:N/A
Registrant Street1:176 reroad
Registrant City:Vegas
Registrant State/Province:LA
Registrant Postal Code:15781
Registrant Country:US
Registrant Phone:+1.1005520281
Registrant Email:g.minhelmmm@gmail.com


VT for the URL: https://www.virustotal.com/en/url/87132d9b6bc2e53ba52c8c9a2f515ab7d727aa54b1c7dde6af5ec6b645905ce3/analysis/

Re: File Encrypting Ransomware

Postby Xylitol » Thu May 16, 2013 9:33 am

awkward
[screenshot attached to the original post]
Code:
hxtp://mblblock.in/files/
hxtp://mblblock.in/pic/
hxtp://mblblock.in/style/
hxtp://mblblock.in/webstat/
hxtp://mblblock.in/modal/
hxtp://mblblock.in/i.php?uid={C22AEF4D-9122-8825-42A7-E0BFA1DD7EC5}
hxtp://mblblock.in/i.php?uid={D4D05D49-6B2D-881A-3082-D4DED9344AAB}
hxtp://mblblock.in/i.php?uid={1E475F6C-BD09-881A-8396-473D4CB1D947}
hxtp://mblblock.in/i.php?uid={CEF4D8C3-4285-881A-ABAB-D1F060964F8A}
hxtp://mblblock.in/core.php
hxtp://mblblock.in/time.php
hxtp://mblblock.in/func.php
hxtp://mblblock.in/step2.php
hxtp://mblblock.in/lang/en.php
hxtp://mblblock.in/lang/de.php
hxtp://mblblock.in/lang/es.php
hxtp://mblblock.in/lang/ca.php
hxtp://mblblock.in/lang/au.php
hxtp://mblblock.in/lang/gb.php
hxtp://mblblock.in/lang/at.php
hxtp://mblblock.in/lang/be.php
hxtp://mblblock.in/lang/ag.php
hxtp://mblblock.in/lang/mx.php
hxtp://mblblock.in/gate/soft.php
hxtp://mblblock.in/gate/core.php
hxtp://mblblock.in/gate/gate.php

https://www.virustotal.com/en/ip-addres ... formation/

Edit 17 May 2013: Gotcha!
Sample in attachment.
http://www.virustotal.com/file/e7818de3 ... 368756414/
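The URL list above shows the check-in pattern the sample uses: a GET to /i.php carrying the machine's UID as a GUID, plus a handful of fixed gate paths on mblblock.in. The following is an added example, not code from this thread, of how a defender could sweep proxy logs for that pattern and pull out the affected clients and their UIDs. The log format (a constructed, squid-style "timestamp client method url" line) and the sample lines are assumptions made for the example; the host, paths and the first GUID are taken from Xylitol's list.

```python
"""Flag proxy-log requests to the mblblock.in check-in URLs seen in the thread.

Added example for this thread. The log line format below is a constructed,
squid-like 'timestamp client method url' layout, not a format from the thread.
"""
import re
from urllib.parse import parse_qs, urlparse

# Indicators taken from the URL list posted by Xylitol.
C2_HOSTS = {"mblblock.in"}
C2_PATHS = {
    "/i.php", "/core.php", "/time.php", "/func.php", "/step2.php",
    "/gate/soft.php", "/gate/core.php", "/gate/gate.php",
}
# The uid parameter is a brace-wrapped GUID, e.g. {C22AEF4D-9122-8825-42A7-E0BFA1DD7EC5}.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


def classify_request(url: str):
    """Return a dict describing the request if it targets the C2 host, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in C2_HOSTS:
        return None
    uid = parse_qs(parsed.query).get("uid", [None])[0]
    return {
        "host": host,
        "path": parsed.path,
        # Only keep the uid if it has the GUID shape; anything else is noise or tampering.
        "uid": uid if uid and GUID_RE.match(uid) else None,
        "known_path": parsed.path in C2_PATHS,
    }


def scan_log(lines):
    """Walk constructed proxy-log lines and collect every hit on the C2 host."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        ts, client, _method, url = parts[:4]
        verdict = classify_request(url)
        if verdict:
            hits.append({"ts": ts, "client": client, **verdict})
    return hits


# Constructed sample log: two infected clients, one benign request, one odd uid.
SAMPLE_LOG = [
    "1368700000.123 10.0.0.15 GET http://mblblock.in/i.php?uid={C22AEF4D-9122-8825-42A7-E0BFA1DD7EC5}",
    "1368700001.456 10.0.0.15 POST http://mblblock.in/gate/gate.php",
    "1368700002.789 10.0.0.22 GET http://www.example.com/index.html",
    "1368700003.001 10.0.0.31 GET http://mblblock.in/i.php?uid=notaguid",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Each hit carries the client address and, where present, the UID, which is the value you would need to match a log entry to a specific machine before pulling it for triage.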

Re: File Encrypting Ransomware

Postby Dany3j » Fri May 17, 2013 2:06 pm

Some way to decrypt the files?

Re: File Encrypting Ransomware

Postby reverser » Sat May 18, 2013 12:36 am

For the sample posted by Xylitol, encryption seems to be RC6 and the key is:

Code:
yrw^%$74@0(99GHJGK**&(^867*&^en2evwqevvnfd^&*^*&^$#$#@)**bnmccn


(64 bytes including the trailing 0)

Not sure yet if the key changes per client, but it doesn't look very random so probably the guy typed it manually.

EDIT: ah, it seems there's an additional scrambling applied to the file. If you upload one of the encrypted files, I can check if it can be decrypted.

Re: File Encrypting Ransomware

Postby Dany3j » Sat May 18, 2013 3:38 am

@reverser Is the key different for every client?

I am attaching sample files, original and encrypted. I used the sample posted by Xylitol.

Re: File Encrypting Ransomware

Postby reverser » Sat May 18, 2013 6:33 pm

Here's the decryptor, source and precompiled. Works on the posted files.

Re: File Encrypting Ransomware

Postby Fabian Wosar » Sat May 18, 2013 10:32 pm

A more user friendly decrypter is available here as well:

http://tmp.emsisoft.com/fw/decrypt_mblblock.exe

It will automatically detect the encrypted malware files and try to recover the file names as well. My thanks go to both Xylitol for the actual malware sample and reverser for noticing the file size limitation that I completely missed and wondered why it didn't work properly for some files ;).
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

Re: File Encrypting Ransomware

Postby Dany3j » Sun May 19, 2013 3:08 am

Thank you, very good job.

Re: File Encrypting Ransomware

Postby ElPiedra » Sun May 19, 2013 9:09 am

Nice work Fabian!!!

Guide for using Decrypt_MBLblock in Spanish:
http://www.forospyware.com/t460439.html

Regards

Re: File Encrypting Ransomware

Postby Quads » Sun May 19, 2013 7:19 pm

Hmmmmm

Does the Spamhaus Agent XML advisory with the encryption adding .html to the end use the same encryption as this one (MBL advisory), I wonder.

Quads
