Win32/Harasom (File Encrypting Ransomware)

Forum for analysis and discussion about malware.
Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Win32/Harasom (File Encrypting Ransomware)

Post by Cody Johnston » Thu May 16, 2013 1:37 am

Hello,

Please merge this post if a topic including this type of ransomware already exists. I have seen this on a couple of customers' computers over the last few days. This ransomware encrypts doc, pdf, jpg, rar, zip, etc. and makes them all html files. Attached is a sample of one of the files.

It directs to the following site:

hxxp://mdlblock.in

Uses a UID from the PC as an argument when connecting to the page and displays content only when the UID is given.

I do not have a sample of the dropper yet, I'll post one as soon as I find it.

Here is a screenshot of what the user sees when attempting to open a file:

[screenshot attachment]

Code:

Domain ID:D7317677-AFIN
Domain Name:MBLBLOCK.IN
Created On:08-May-2013 17:06:06 UTC
Last Updated On:08-May-2013 17:06:07 UTC
Expiration Date:08-May-2014 17:06:06 UTC
Sponsoring Registrar:Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:WIQ_27797905
Registrant Name:Gerald Minhelm
Registrant Organization:N/A
Registrant Street1:176 reroad
Registrant City:Vegas
Registrant State/Province:LA
Registrant Postal Code:15781
Registrant Country:US
Registrant Phone:+1.1005520281
Registrant Email:g.minhelmmm@gmail.com
VT for the URL: https://www.virustotal.com/en/url/87132 ... /analysis/

Xylitol
Global Moderator
Posts: 1665
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: File Encrypting Ransomware

Post by Xylitol » Thu May 16, 2013 9:33 am

awkward
[image attachment]

Code:

hxtp://mblblock.in/files/
hxtp://mblblock.in/pic/
hxtp://mblblock.in/style/
hxtp://mblblock.in/webstat/
hxtp://mblblock.in/modal/
hxtp://mblblock.in/i.php?uid={C22AEF4D-9122-8825-42A7-E0BFA1DD7EC5}
hxtp://mblblock.in/i.php?uid={D4D05D49-6B2D-881A-3082-D4DED9344AAB}
hxtp://mblblock.in/i.php?uid={1E475F6C-BD09-881A-8396-473D4CB1D947}
hxtp://mblblock.in/i.php?uid={CEF4D8C3-4285-881A-ABAB-D1F060964F8A}
hxtp://mblblock.in/core.php
hxtp://mblblock.in/time.php
hxtp://mblblock.in/func.php
hxtp://mblblock.in/step2.php
hxtp://mblblock.in/lang/en.php
hxtp://mblblock.in/lang/de.php
hxtp://mblblock.in/lang/es.php
hxtp://mblblock.in/lang/ca.php
hxtp://mblblock.in/lang/au.php
hxtp://mblblock.in/lang/gb.php
hxtp://mblblock.in/lang/at.php
hxtp://mblblock.in/lang/be.php
hxtp://mblblock.in/lang/ag.php
hxtp://mblblock.in/lang/mx.php
hxtp://mblblock.in/gate/soft.php
hxtp://mblblock.in/gate/core.php
hxtp://mblblock.in/gate/gate.php
https://www.virustotal.com/en/ip-addres ... formation/

Edit 17 May 2013: Gotcha!
Sample attached.
http://www.virustotal.com/file/e7818de3 ... 368756414/

Dany3j
Posts: 4
Joined: Sun Dec 16, 2012 11:12 pm
Location: Venezuela

Re: File Encrypting Ransomware

Post by Dany3j » Fri May 17, 2013 2:06 pm

Some way to decrypt the files?

reverser
Posts: 22
Joined: Wed Jul 27, 2011 12:22 am

Re: File Encrypting Ransomware

Post by reverser » Sat May 18, 2013 12:36 am

For the sample posted by Xylitol, encryption seems to be RC6 and the key is:

Code:

yrw^%$74@0(99GHJGK**&(^867*&^en2evwqevvnfd^&*^*&^$#$#@)**bnmccn
(64 bytes including the trailing 0)

Not sure yet if the key changes per client, but it doesn't look very random so probably the guy typed it manually.

EDIT: ah, it seems there's an additional scrambling applied to the file. If you upload one of the encrypted files, I can check if it can be decrypted.

Dany3j
Posts: 4
Joined: Sun Dec 16, 2012 11:12 pm
Location: Venezuela

Re: File Encrypting Ransomware

Post by Dany3j » Sat May 18, 2013 3:38 am

@reverser Is the key different for every client?

I am attaching sample files, original and encrypted. I used the sample posted by Xylitol.

reverser
Posts: 22
Joined: Wed Jul 27, 2011 12:22 am

Re: File Encrypting Ransomware

Post by reverser » Sat May 18, 2013 6:33 pm

Here's the decryptor, source and precompiled. Works on the posted files.

Fabian Wosar
Posts: 88
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany

Re: File Encrypting Ransomware

Post by Fabian Wosar » Sat May 18, 2013 10:32 pm

A more user friendly decrypter is available here as well:

http://tmp.emsisoft.com/fw/decrypt_mblblock.exe

It automatically detects the encrypted files and tries to recover the file names as well. My thanks go to both Xylitol for the actual malware sample and reverser for noticing the file size limitation that I completely missed (I had wondered why it didn't work properly for some files ;)).
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

Dany3j
Posts: 4
Joined: Sun Dec 16, 2012 11:12 pm
Location: Venezuela

Re: File Encrypting Ransomware

Post by Dany3j » Sun May 19, 2013 3:08 am

Thank you, very good job.

ElPiedra
Posts: 1
Joined: Thu Mar 17, 2011 10:11 am

Re: File Encrypting Ransomware

Post by ElPiedra » Sun May 19, 2013 9:09 am

Nice work Fabian!!!

Guide for using Decrypt_MBLblock in Spanish:
http://www.forospyware.com/t460439.html
Salu2

Quads
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand

Re: File Encrypting Ransomware

Post by Quads » Sun May 19, 2013 7:19 pm

Hmmmmm

Does the Spamhaus Agent XML advisory, the one whose encryption adds .html to the end, use the same encryption as this one (MBL advisory), I wonder?

Quads
