JobCrypter Ransomware


Post by Mosh » Sat Feb 13, 2016 5:09 pm

Malware targeting French people

FileLocker.exe (465.5 KB)

deobfuscated.exe (294.5 KB)


- Obfuscated with .NET Reactor 4.5+
- Password stored in HKEY_CURRENT_USER\\Software
- Encryption: TripleDES
- Sends client data via email
- Blog info:
Twitter: @nyxbone

Re: JobCrypter Ransomware

Post by Xylitol » Sun Feb 14, 2016 1:38 am

From malekal ... 54381.html
Code:
This sample has SMTP functionality here is the recipient:
→ from: CumpterName%% <>
→ to: ☠
→ to: New Client VolumeSerialNumber%%

The attacker uses the email account of the company SOTHIS Toulouse SAS to send the information on the victims; the mailbox (BAL) is probably itself compromised. On the Gmail account, a filter is applied to the address of the sender.