Zippy ransomware

Forum for analysis and discussion about malware.
maddog4012
Posts: 69
Joined: Mon Aug 04, 2014 6:53 pm

Zippy ransomware

Post by maddog4012 » Mon Apr 18, 2016 4:35 pm

Came across this over the weekend. The JavaScript came as an attachment with the following e-mail message:

You have to appear in the Court on the April 22.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can find the Court Notice is in the attachment.

Regards,
Brad Brock,
Court Secretary.


When executed, it downloads a random file with a .png.exe ext.

Antelox
Posts: 229
Joined: Sun Mar 21, 2010 10:38 pm

Re: Zippy ransomware

Post by Antelox » Wed Apr 20, 2016 2:40 pm


parviz
Posts: 2
Joined: Sun Mar 17, 2013 6:18 am

Re: Zippy ransomware

Post by parviz » Mon Apr 25, 2016 5:39 am

maddog4012 wrote: Came across this over the weekend. The JavaScript came as an attachment with the following e-mail message:

You have to appear in the Court on the April 22.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can find the Court Notice is in the attachment.

Regards,
Brad Brock,
Court Secretary.


When executed, it downloads a random file with a .png.exe ext.

can't find password

TETYYSs
Posts: 98
Joined: Fri Jun 28, 2013 6:51 pm

Re: Zippy ransomware

Post by TETYYSs » Mon Apr 25, 2016 11:47 am

parviz wrote: can't find password

protip: it's on the current page you're viewing

Antelox
Posts: 229
Joined: Sun Mar 21, 2010 10:38 pm

Re: Zippy ransomware

Post by Antelox » Fri Apr 29, 2016 1:06 pm

New Nemucod Variant. 7-zip is not used anymore.

https://glot.io/snippets/ee7hiif87k

BR,

Antelox

Intimacygel
Posts: 24
Joined: Wed Jun 05, 2013 3:16 pm

Re: Zippy ransomware

Post by Intimacygel » Fri Apr 29, 2016 3:28 pm

Antelox wrote: New Nemucod Variant. 7-zip is not used anymore.

https://glot.io/snippets/ee7hiif87k

BR,

Antelox

Where do we download those variants from your link?

Antelox
Posts: 229
Joined: Sun Mar 21, 2010 10:38 pm

Re: Zippy ransomware

Post by Antelox » Sun May 01, 2016 8:40 pm

In attachment, the archive which contains the original email's attachment.

I wrote simple Python scripts to extract the key and recover the files infected by this last Nemucod variant:

https://github.com/Antelox/NemucodFR

BR,

Antelox

Antelox
Posts: 229
Joined: Sun Mar 21, 2010 10:38 pm

Re: Zippy ransomware

Post by Antelox » Sun May 22, 2016 1:31 pm

NemucodFR v. 0.2 is out. Now it handles 2 Nemucod variants.

https://github.com/Antelox/NemucodFR

BR,

Antelox
