Ransom/Shade (alias Troldesh, BetterCallSaul)


Postby EP_X0FF » Thu Mar 17, 2016 9:58 am

Ransomware encoder from a Breaking Bad fan. Pretty much generic these days.

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
%INFO%
to e-mail address post77999@gmail.com or post7799@yahoo.com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the reserve email. You can get it by two ways:
1) Download Tor Browser from here:
https://www.torproject.org/download/download-easy.html.en
Install it and type the following address into the address bar:
http://cryptorzimsbfbkx.onion/
Press Enter and then the page with reserve emails will be loaded.
2) Go to the one of the following addresses in any browser:
http://cryptorzimsbfbkx.onion.to/
http://cryptorzimsbfbkx.onion.cab/


Uses an MS Office exploit (CVE-2015-1641) to penetrate the system.

Payload is downloaded from 194.109.206.212 encrypted, decrypted, dropped to %temp% and executed. Runs from the usual HKCU\Run key. Stored inside ProgramData\Windows as csrss.exe.

Does the usual bullshit
Code:
wb2|cdr|srw|p7b|odm|mdf|p7c|3fr|der|odb|arw|rwl|cer|xlk|pdd|rw2|crt|dx|r3d|pem|bay|ptx|pfx|indd|nrw|p12|bd|backup|torrent|kwm|pwm|safe|xl|xls|xlsx|xlsm|xlsb|xltm|xlt|xlam|xla|mdb
|rtf|txt|xml|csv|pdf|prn|dif|slk|ods|xltx|xlm|odc|xlw|uxdc|pm|udl|dsn|iqy|dqy|rqy|oqy|cub|bak|xsn|xsf|xtp|xtp2|accdb|adb|adp|mda|accda|mde|accde|accdw|accdt|accdc|mdw|dbf|tab|asc|frm|
opt|myd|myi|db|onetoc2|one|onepkg|vcs|ics|pst|oft|msg|pptx|ppt|pptm|pps|ppsm|pot|potx|potm|odp|thmx|wpd|wps|ppa|ppam|wmf|emf|pub|ps|xps|vsd|vdx|vss|vsx|vst|vtx|vsw|vdw|emz|dwg|dxf|
docx|doc|docm|dotx|dot|dotm|djvu|chm|htm|html|mht|mhtml|shtml|shtm|asp|aspx|dwt|stm|cs|css|psd|pdd|3ds|max|crw|nef|raf|orf|mrw|dcr|mos|pef|srf|dng|x3f|cr2|erf|sr2|kdc|mfw|mef|cin|
sdpx|dpx|fido|dae|dcm|dc3|dic|eps|kmz|iff|tdi|exr|pcx|pdp|pxr|sct|u3d|obj|ai3|ai4|ai5|ai6|ai7|ai8|ai|epsp|epsf|hdr|rgbe|xyze|flm|pbm|pgm|ppm|pnm|pfm|pam|pct|pict|psb|fxg|swf|hta|htc|ssi|
as|asr|xsl|xsd|dtd|xslt|rss|rdf|lbi|asa|ascx|asmx|config|cfm|cfml|cfc|tld|phtml|jsp|wml|tpl|lasso|jsf|vb|vbs|vtm|vtml|edml|raw|jpg|jpeg|jpe|bmp|png|tif|tiff|dib|gif|svg|svgz|rle|tga|vda|icb|wbm|
wbmp|jpf|jpx|jp2|j2k|j2c|jpc|avi|mkv|mov|mp4|wmv|3gp|mpg|mpeg|m4v|divx|mpv|m1v|dat|anim|m4a|qt|3g2|f4v|mkidx|mka|avs|vdr|flv|bin|mp3|wav|asx|pls|zip|7z|rar|tar|gz|bz2|wim|xz|c|h|
hpp|cpp|php|php3|php4|php5|py|pl|sln|js|json|inc|sql|java|class|ini|asm|clx|tbb|tbi|tbk|pst|dbx|cbf|crypted|tib|eml|fld|vbm|vbk|vib|vhd|1cd|dt|cf|cfu|mxl|epf|vrp|grs|geo|elf|lgf|lgp|log|st|pff|
mft|efd|md|dmp|fdb|lst|fbk


Contains message to Kaspersky Lab.

Kaspersky analysts, we know about your illegal methods like breaing into our servers. Be careful, this information can become public.


They must be pissing their pants with fear now.

Site in Tor as usual.
http://cryptorzimsbfbkx.onion.to/
http://cryptorzimsbfbkx.onion.cab/


File is under the usual shitty crypter and UPX. Inside is a code mess from multiple open-source crypto.

VT
https://www.virustotal.com/en/file/d460e5870a252c2827b88fdfc651a033a5d5875770f21a23b476a36e56ad5a8e/analysis/1458206518/

I miss the time when ransomware was much more creative, with all those annoying top-most windows with ridiculous messages and pictures.
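As an added illustration (not from the post or the sample itself), a defender-side check for the persistence described above: parse a .reg export of the HKCU Run key and flag entries whose image lives under ProgramData while borrowing a Windows system binary name such as csrss.exe. The registry export, the value names and the path under it are constructed for the example.

```python
import re

# Constructed sample .reg export: one benign Run entry and one entry matching the
# behaviour described in the post (csrss.exe started from ProgramData\Windows).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Client Server Runtime Process"="\"C:\\ProgramData\\Windows\\csrss.exe\""
'''

# Names of Windows system binaries that normally live in System32 and have no
# business being launched from ProgramData (assumed list for this example).
SYSTEM_BINARY_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}

def parse_run_entries(reg_text):
    """Return {value_name: command} for values under a ...\\CurrentVersion\\Run key."""
    entries = {}
    in_run = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.strip("[]").lower().endswith(r"\windows\currentversion\run")
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run and m:
            # .reg files escape embedded quotes and backslashes; undo that
            entries[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return entries

def image_path(command):
    """Extract the executable path from a Run command (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]

def suspicious_run_entries(reg_text):
    """Flag Run entries whose image is under ProgramData and named like a system binary."""
    flagged = []
    for name, cmd in parse_run_entries(reg_text).items():
        path = image_path(cmd)
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        if "\\programdata\\" in low and base in SYSTEM_BINARY_NAMES:
            flagged.append((name, path))
    return flagged

if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_REG):
        print(f"suspicious Run value {name!r} -> {path}")
```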

Re: Ransom/BetterCallSaul

Postby TwinHeadedEagle » Thu Mar 17, 2016 11:26 am


Re: Ransom/BetterCallSaul

Postby EP_X0FF » Thu Mar 17, 2016 1:27 pm

TwinHeadedEagle wrote: Is it this one?

https://twitter.com/siri_urz/status/702859539868164096

Likely.

Re: Ransom/BetterCallSaul

Postby keflek » Fri Mar 18, 2016 12:38 pm

It seems like a newer version of this one (2015-02-23):

https://www.virustotal.com/en/file/b8660031e2ad82f3fc3670f291742f5ee3068ecb278ee451d598d62a7bf2927e/analysis/

Its author really likes hiding messages in his crap code:
screen.png

Re: Ransom/BetterCallSaul

Postby Xylitol » Thu Mar 24, 2016 11:40 am


Re: Ransom/Shade (alias Troldesh, BetterCallSaul)

Postby EP_X0FF » Thu Jan 26, 2017 5:56 am

Newest Troldesh/Shade, delivered in email attachment.

JS downloader

MD5 a3d8e080af837ca9f6d0fd8948b4b27d
SHA1 defea0e4496da3fc6514a331e4f99ce01e58d526
SHA256 c559963ac9bac905aa3462df2ddd2ad1486d596026d08d208d1747225e1795be
https://www.virustotal.com/en/file/c559 ... /analysis/

NSIS installer (malware inside an encrypted blob), itself then packed with UPX.

MD5 f18f2e6a984a8a7e8e787f4f052c8bd9
SHA1 72dc0821b7f510a55d8010a22161e21bbac92c96
SHA256 7d9380055fea5e6c7901b2ce9f1b13de67cddaa2c2823fd08ecde6d37d4f245e
https://www.virustotal.com/en/file/7d93 ... /analysis/

Kaspersky analysis
https://securelist.com/analysis/publica ... le-threat/