JobCrypter Ransomware


Postby Mosh » Sat Feb 13, 2016 5:09 pm

Malware targeting French people

FileLocker.exe (465.5 KB)
MD5: a02aff753dffb13ad034ca67aed985d8
SHA1: f53cb550bc4d6193a42f8aa2ec348e8cc89728e9
SHA256: b47f15d1093fd6466e040d3ee786a18e25f8980d3db33465d2acbafe8b0f6850

deobfuscated.exe (294.5 KB)
MD5: 2ee9b110cd784d6bcdf663c9249ebee4
SHA1: 3d84dfd0f7dd95f26a9a47dd16149602bf8cfb56
SHA256: 459a487b0ad80fc56c06fca73eb80b3268bd423eaf6da5a1b400a7b5c19fb957


- obfuscated with .NET Reactor 4.5+
- Password stored on HKEY_CURRENT_USER\Software
- Encrypt: TripleDES
- Send client data via EMail
- Blog info: http://nyxbone.com/malware/jobcrypter.html
nyxbone.com
Twitter: @nyxbone

Re: JobCrypter Ransomware

Postby Xylitol » Sun Feb 14, 2016 1:38 am

From malekal http://forum.malekal.com/job-crypter-ge ... 54381.html
This sample has SMTP functionality; here is the recipient:
→ from: CumpterName%% <bordeaux@sothis.fr>
→ to: brangiersimonalain@gmail.com ☠
→ to: New Client VolumeSerialNumber%%

The attacker uses the email account of the company SOTHIS Toulouse SAS to send the information on the victims to the mailbox brangiersimonalain@gmail.com, which is probably compromised itself. On the Gmail account, a filter is applied to the sender address bordeaux@sothis.fr.
