Win32/Harasom (File Encrypting Ransomware)

Forum for analysis and discussion about malware.
Fabian Wosar
Posts: 88
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany
Contact:

Re: File Encrypting Ransomware

Post by Fabian Wosar » Sun May 19, 2013 7:33 pm

Quads wrote:
Does the Spamhaus Agent XML advisory with the encryption adding .html to the end use the same encryption as this one (MBL advisory) I wonder.

Just checked out the sample as well as various files encrypted by the Spamhaus Agent XML variant and decryption should work just fine.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

Quads
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand

Re: File Encrypting Ransomware

Post by Quads » Mon May 20, 2013 12:27 am

Fabian Wosar wrote:
Quads wrote:
Does the Spamhaus Agent XML advisory with the encryption adding .html to the end use the same encryption as this one (MBL advisory) I wonder.

Just checked out the sample as well as various files encrypted by the Spamhaus Agent XML variant and decryption should work just fine.

Thanks

I will have to create a post on the forum with instructions on the Spamhaus thread after I upload the decrypt tool to a folder on my webspace as the forum does not allow direct downloads.

Quads

jokotole
Posts: 1
Joined: Fri Dec 02, 2011 5:10 am

Trojan:Win32/Harasom.A

Post by jokotole » Mon Jun 17, 2013 10:37 pm

Hello, I need the following sample

https://www.virustotal.com/en/file/146f ... /analysis/

Md5 : fee25602dd44c753af9790aa9bea3b47

SHA1 : 13b065309d87412132b59210a44c3edafe496341

Thank you, and I'm sorry if this malware has already been posted here :)

Xylitol
Global Moderator
Posts: 1667
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Contact:

Re: Trojan:Win32/Harasom.A

Post by Xylitol » Mon Jun 17, 2013 11:16 pm

in attach

Fabian Wosar
Posts: 88
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany
Contact:

Re: File Encrypting Ransomware

Post by Fabian Wosar » Wed Jun 19, 2013 10:33 am

It looks like there is a new variant going around at the moment. The encryption key or encryption method has changed. The HTML files also no longer redirect to a website but contain the entire ransom notice in the form of a picture and a few carefully placed HTML elements:


<html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><title>index</title></head><body><table width='1000' height='750' border='0' align='center' cellpadding='0' cellspacing='0' background='file:///C:\Users\makmass\AppData\Roaming\Video\pic3.jpg'><tr><td height='86' valign='bottom'><table width='793' border='0' cellspacing='0' cellpadding='0'><tr><td width='509'>&nbsp;</td><td width='284' align='left' style='font-size:14px; color:#FFF; font-weight:bold;'>evilevilmaxsokolov@yahoo.com</td></tr></table></td></tr><tr><td height='316' align='right' valign='bottom'><table width='212' border='0' cellspacing='0' cellpadding='0'><tr><td width='149' align='left' style='font-size:12px; color:#D34E53; font-weight:bold;'>evilevilmaxsokolov@yahoo.com</td><td width='66'>&nbsp;</td></tr></table></td></tr><tr><td height='46' align='right' valign='bottom'><table width='364' border='0' cellspacing='0' cellpadding='0'><tr><td width='270'><input name='textfield' type='text' id='textfield'   style='height:22px; width:270px;'/></td><td width='99'>&nbsp;</td></tr></table></td></tr><tr><td>&nbsp;</td></tr></table></body>
The resulting ransom note looks something like this:
[screenshot of the rendered ransom note; image not reproduced here]

Unfortunately I haven't found the actual malware sample yet as most victims I met so far already removed the infection. If someone comes across a sample though I would love to take a look at it :).
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
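A small triage helper for the note format described in the post above, added here as an example and not code from the thread or from Emsisoft. It parses a Harasom-style HTML ransom note with the standard library and pulls out the indicators a responder would want to record: the contact e-mail addresses, the local background-image path (which, as in the note above, embeds the Windows user name of the machine the note was built on), whether the note carries an "unlock code" input field, and whether it is an older redirect-style note or the newer self-contained one. The first sample is the HTML quoted in the post; the second, redirect-style sample is constructed for illustration and assumes a meta-refresh redirect, which the thread does not describe in detail.

```python
"""Triage helper for Harasom-style HTML ransom notes (added example, not from the thread)."""
import re
from html.parser import HTMLParser

# Note HTML exactly as quoted in the forum post above (raw string: the path contains backslashes).
HARASOM_NOTE = r"""<html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><title>index</title></head><body><table width='1000' height='750' border='0' align='center' cellpadding='0' cellspacing='0' background='file:///C:\Users\makmass\AppData\Roaming\Video\pic3.jpg'><tr><td height='86' valign='bottom'><table width='793' border='0' cellspacing='0' cellpadding='0'><tr><td width='509'>&nbsp;</td><td width='284' align='left' style='font-size:14px; color:#FFF; font-weight:bold;'>evilevilmaxsokolov@yahoo.com</td></tr></table></td></tr><tr><td height='316' align='right' valign='bottom'><table width='212' border='0' cellspacing='0' cellpadding='0'><tr><td width='149' align='left' style='font-size:12px; color:#D34E53; font-weight:bold;'>evilevilmaxsokolov@yahoo.com</td><td width='66'>&nbsp;</td></tr></table></td></tr><tr><td height='46' align='right' valign='bottom'><table width='364' border='0' cellspacing='0' cellpadding='0'><tr><td width='270'><input name='textfield' type='text' id='textfield'   style='height:22px; width:270px;'/></td><td width='99'>&nbsp;</td></tr></table></td></tr><tr><td>&nbsp;</td></tr></table></body>"""

# CONSTRUCTED sample of the older redirect-style note; the real older variant is not quoted
# in the thread, so the meta-refresh form here is an assumption used only for illustration.
REDIRECT_NOTE = """<html><head><meta http-equiv='refresh' content='0; url=http://example.invalid/pay'></head><body></body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
USER_RE = re.compile(r"[\\/]Users[\\/]([^\\/]+)")


class NoteParser(HTMLParser):
    """Collects the few attributes and text runs that identify the note variant."""

    def __init__(self):
        super().__init__()
        self.backgrounds = []   # table background= attributes (local image path)
        self.redirects = []     # content of any <meta http-equiv='refresh'>
        self.input_fields = 0   # number of text inputs (the "unlock code" box)
        self.text = []          # visible text, searched for contact addresses

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "table" and a.get("background"):
            self.backgrounds.append(a["background"])
        elif tag == "input" and a.get("type", "text").lower() == "text":
            self.input_fields += 1
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.redirects.append(a.get("content", ""))

    def handle_data(self, data):
        self.text.append(data)


def triage_note(html):
    """Return the indicators extracted from one ransom-note HTML document."""
    p = NoteParser()
    p.feed(html)
    p.close()
    emails = sorted(set(EMAIL_RE.findall(" ".join(p.text))))
    # User names leaked through file:/// paths in the note (here: the note author's build box).
    users = sorted({m.group(1) for bg in p.backgrounds for m in USER_RE.finditer(bg)})
    if p.redirects:
        variant = "redirect"          # older style: note just sends the browser elsewhere
    elif p.backgrounds:
        variant = "embedded"          # newer style: whole notice is a local picture
    else:
        variant = "unknown"
    return {
        "variant": variant,
        "emails": emails,
        "backgrounds": p.backgrounds,
        "leaked_users": users,
        "input_fields": p.input_fields,
        "redirects": p.redirects,
    }


if __name__ == "__main__":
    for name, note in (("quoted note", HARASOM_NOTE), ("constructed redirect note", REDIRECT_NOTE)):
        print(name, triage_note(note))
```

Run it on a folder of recovered .html notes and the `emails` and `leaked_users` fields give you the pivot points to group files by campaign; the `variant` field tells you which of the two note generations you are dealing with before you go looking for the matching dropper.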

Fabian Wosar
Posts: 88
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany
Contact:

Re: File Encrypting Ransomware

Post by Fabian Wosar » Wed Jun 19, 2013 9:28 pm

Found the sample. It's indeed a new Harasom variant as I first suspected. Detection rates:

https://www.virustotal.com/en/file/8b70 ... 371677082/

Encryption works identical to before, just the encryption key changed to "encryptkey1111111111111111111111". The packed and unpacked samples are attached. The decrypter has already been updated and is available here:

http://tmp.emsisoft.com/fw/decrypt_harasom.exe

The old decrypter URLs will continue to work as well.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

Flamef
Posts: 65
Joined: Thu Jul 07, 2011 6:06 pm

Re: File Encrypting Ransomware

Post by Flamef » Wed Jun 19, 2013 9:49 pm

Fabian Wosar wrote:
Found the sample. It's indeed a new Harasom variant as I first suspected. Detection rates:

https://www.virustotal.com/en/file/8b70 ... 371677082/

Encryption works identical to before, just the encryption key changed to "encryptkey1111111111111111111111". The packed and unpacked samples are attached. The decrypter has already been updated and is available here:

http://tmp.emsisoft.com/fw/decrypt_harasom.exe

The old decrypter URLs will continue to work as well.
Hi,
Great job that you created a tool to help the users so fast. This shit looks really lame though. Would like to ask if there is a password (unique per PC?) for the "Decrypt password" area to unlock the computer in the first place?
P.S.: The author of this proware kinda reminds me of the ACCDFISA author ( http://www.kernelmode.info/forum/viewto ... =16&t=1578 ). He used almost the same words.

Fabian Wosar
Posts: 88
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany
Contact:

Re: File Encrypting Ransomware

Post by Fabian Wosar » Thu Jun 20, 2013 9:15 am

Flamef wrote:
Great job that you created a tool to help the users so fast. This shit looks really lame though. Would like to ask if there is a password (unique per PC?) for the "Decrypt password" area to unlock the computer in the first place?

It is quite lame, yeah. There might be a way to unlock the computer by supplying the correct unlock code. To be honest, I didn't bother to check as updating the decrypter was straightforward and I prefer not to use the decrypter supplied by the bad guys.

Flamef wrote:
P.S.: The author of this proware kinda reminds me of the ACCDFISA author ( http://www.kernelmode.info/forum/viewto ... =16&t=1578 ). He used almost the same words.

Well, the text reads similar. This malware however is more sophisticated than ACCDFISA is (yeah, those guys are still active). If this was done by the same people, you would see WinRAR being used for the actual encryption, as they wouldn't know how to do it themselves ;).
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

Cody Johnston
Posts: 158
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Contact:

Re: File Encrypting Ransomware

Post by Cody Johnston » Thu Jul 11, 2013 9:37 pm

Have a new sample of Harasom. I left my dropbox running on my VM and lost half my files.... *facepalm* (there is no option to recover via dropbox.com either)

The decrypter that Fabian provided cleaned the infection but I assume it just needs a different key to properly decrypt the files.

Inside the archive is the dropper and one of the encrypted files (A JRT log :mrgreen: )

VT Low 2/41:

https://www.virustotal.com/en/file/50bc ... 373575418/

MD5: 149c4ac4ba0863607e033d6a5721fee7

Fabian Wosar
Posts: 88
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany
Contact:

Re: File Encrypting Ransomware

Post by Fabian Wosar » Thu Jul 11, 2013 10:17 pm

Yeah, it's a new variant alright. Encryption key changed to "Yhk86jMwnnskKNYne73NnsqkwHVWkkqn". Decrypter has already been updated and is available here:

http://tmp.emsisoft.com/fw/decrypt_harasom.exe

I attached the unpacked sample if anyone is curious.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
