Win32/Harasom (File Encrypting Ransomware)

Forum for analysis and discussion about malware.
Fabian Wosar
Posts: 88
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany

Re: File Encrypting Ransomware

Post by Fabian Wosar » Fri Jul 12, 2013 12:36 am

Since someone asked before whether the malware has some kind of unlock code: that appears to be the case. The unlock code of this variant is "783MN02KA6N1B37M90NUY7JHV". Once you put it in, the screen locker will decrypt the files and remove itself from the system. The code block at 0x0040423D handles the password processing. The unlock code is stored in an obfuscated format within the executable. For more details, take a look at the string deobfuscation function at 0x004011A0, which deobfuscates both the encryption key and the unlock code.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
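An added illustration of the locate-then-decode step described in the post above. This is example code written for this page, not Harasom's own routine and not something posted in the thread: given a string that analysis has already recovered (here the unlock code and the second variant's key, both taken from the thread), it searches an image for that string under simple single-byte XOR and ADD obfuscation and decodes the hit. The obfuscation schemes, the offsets and the sample bytes are constructed assumptions; the thread does not say how Harasom actually obfuscates its strings, so treat the scheme list as a starting point to extend once the real deobfuscation routine has been read.

```python
# Added example, not code from the thread or from the Harasom sample.
# Finds a known plaintext (a recovered key or unlock code) inside a binary
# image even when it is stored under a simple single-byte obfuscation, then
# decodes it. XOR and ADD are assumed schemes for illustration only.
from typing import List, Tuple

# Strings quoted in the thread (first variant's unlock code, second variant's key).
UNLOCK_CODE = b"783MN02KA6N1B37M90NUY7JHV"
ENC_KEY = b"4dKne87BNjeqlOmdkJHCDVlwir46983I"


def find_obfuscated(data: bytes, plaintext: bytes) -> List[Tuple[str, int, int]]:
    """Return (scheme, key, offset) for every single-byte XOR/ADD key under
    which `plaintext` occurs in `data`. An unobfuscated hit shows up as
    ('xor', 0, offset). Encoding the needle once per key and using
    bytes.find keeps this linear in the image size."""
    hits = []
    for key in range(256):
        candidates = {
            "xor": bytes(b ^ key for b in plaintext),
            "add": bytes((b + key) & 0xFF for b in plaintext),
        }
        for scheme, needle in candidates.items():
            if scheme == "add" and key == 0:
                continue  # identical to xor with key 0
            start = 0
            while (off := data.find(needle, start)) != -1:
                hits.append((scheme, key, off))
                start = off + 1
    return hits


def deobfuscate(data: bytes, scheme: str, key: int, offset: int, length: int) -> bytes:
    """Apply the inverse of the assumed scheme to `length` bytes at `offset`."""
    blob = data[offset:offset + length]
    if scheme == "xor":
        return bytes(b ^ key for b in blob)
    if scheme == "add":
        return bytes((b - key) & 0xFF for b in blob)
    raise ValueError(f"unknown scheme {scheme!r}")


def build_sample() -> bytes:
    """Constructed stand-in for an unpacked image (NOT a real Harasom sample):
    a fake header plus filler, then the unlock code XORed with 0x5A, then the
    encryption key with 0x10 added to every byte, each padded with zeros."""
    filler = b"MZ\x90\x00" + bytes(range(64))          # 68 bytes of junk
    return (filler
            + bytes(b ^ 0x5A for b in UNLOCK_CODE)      # offset 68
            + b"\x00" * 8
            + bytes((b + 0x10) & 0xFF for b in ENC_KEY)  # offset 101
            + b"\x00" * 8)


if __name__ == "__main__":
    image = build_sample()
    for label, known in (("unlock code", UNLOCK_CODE), ("encryption key", ENC_KEY)):
        for scheme, key, off in find_obfuscated(image, known):
            recovered = deobfuscate(image, scheme, key, off, len(known))
            print(f"{label}: {scheme} key=0x{key:02x} at 0x{off:04x} -> {recovered!r}")
```

On a real image you would pass the unpacked file's bytes instead of build_sample() and, once a hit gives you the offset, cross-reference it from the deobfuscation routine (0x004011A0 in the thread's sample) to confirm the scheme rather than trusting the single-byte guess.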

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: File Encrypting Ransomware

Post by Cody Johnston » Fri Jul 12, 2013 12:55 am

Fabian Wosar wrote: Since someone asked before whether the malware has some kind of unlock code: that appears to be the case. The unlock code of this variant is "783MN02KA6N1B37M90NUY7JHV". Once you put it in, the screen locker will decrypt the files and remove itself from the system. The code block at 0x0040423D handles the password processing. The unlock code is stored in an obfuscated format within the executable. For more details, take a look at the string deobfuscation function at 0x004011A0, which deobfuscates both the encryption key and the unlock code.
Specifically when using the unlock code, a flag is set on the PC which the dropper checks for, and does not reinfect the system.

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Unknown Ransomware

Post by Win32:Virut » Wed Jul 17, 2013 5:16 pm

[Sample files attached to this post; not available in this copy.]

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: Unknown Ransomware

Post by Cody Johnston » Wed Jul 17, 2013 5:59 pm

This is Harasom. You can find the working decrypter in this thread:

http://www.kernelmode.info/forum/viewto ... =10#p19696

Fabian Wosar
Posts: 88
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany

Re: Win32/Harasom (File Encrypting Ransomware)

Post by Fabian Wosar » Mon Jul 29, 2013 5:57 pm

New Harasom variant with a Russian (?) lock screen this time. Encryption key is "4dKne87BNjeqlOmdkJHCDVlwir46983I". Decrypter has already been updated. The original sample as well as an unpacked version are attached.
[Original and unpacked samples attached to this post; not available in this copy.]
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
