Ransom/Satana

Ransom/Satana

Postby heart888 » Fri Jul 01, 2016 1:52 am

heart888
 
Posts: 18
Joined: Tue Mar 01, 2016 11:04 pm
Reputation point: 15

Re: Ransom/Satana

Postby xors » Sat Jul 02, 2016 11:24 am

Unpacked in the attachment (for those who don't have an account on malwr.com).

The unpacking process is easy. Just put a breakpoint on RtlDecompressBuffer.
@xorsthings
xors
 
Posts: 132
Joined: Mon May 23, 2016 2:01 am
Location: Greece
Reputation point: 63
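An added worked example to go with the RtlDecompressBuffer breakpoint above (this is not code from the thread, from the sample, or from any of the posters): an offline LZNT1 decompressor in Python. It assumes the packer passes CompressionFormat = COMPRESSION_FORMAT_LZNT1 (0x0002), the format RtlDecompressBuffer is most commonly called with; that is an assumption about this sample, not something the thread states. The idea is to dump the CompressedBuffer argument at the function's entry (x86 stdcall: [esp+4] CompressionFormat, [esp+8] UncompressedBuffer, [esp+0Ch] UncompressedBufferSize, [esp+10h] CompressedBuffer, [esp+14h] CompressedBufferSize) and decompress it outside the debugger, so the payload can be recovered even if the process dies on an anti-debug check before the call returns. The SAMPLE bytes below are hand-constructed test data, not Satana's payload.

```python
"""Offline LZNT1 decompressor for a buffer dumped at an RtlDecompressBuffer
breakpoint. Added example; assumes the sample uses COMPRESSION_FORMAT_LZNT1.
SAMPLE is constructed test data, not a real payload."""
import struct

COMPRESSION_FORMAT_LZNT1 = 0x0002   # the only format handled here (assumption)


def _decompress_chunk(data: bytes) -> bytearray:
    """Decode one compressed LZNT1 chunk body (bytes after the 2-byte header)."""
    out = bytearray()
    i = 0
    while i < len(data):
        flags = data[i]                       # 8 flag bits, LSB first
        i += 1
        for bit in range(8):
            if i >= len(data):
                break
            if not (flags >> bit) & 1:
                out.append(data[i])           # literal byte
                i += 1
                continue
            token = struct.unpack_from("<H", data, i)[0]
            i += 2
            # Displacement/length split depends on how much of the chunk is
            # already produced: 4/12 bits for the first 16 bytes, then one
            # more displacement bit each time the output position doubles.
            pos = len(out) - 1
            len_mask, disp_shift = 0xFFF, 12
            while pos >= 0x10:
                len_mask >>= 1
                disp_shift -= 1
                pos >>= 1
            length = (token & len_mask) + 3
            disp = (token >> disp_shift) + 1
            if disp > len(out):
                raise ValueError("back-reference points before chunk start")
            for _ in range(length):           # byte-wise copy handles overlap
                out.append(out[-disp])
    return out


def lznt1_decompress(buf: bytes) -> bytes:
    """Walk the chunk list: header = size-3 in bits 0-11, 0x3000 signature,
    bit 15 set when the chunk is compressed; a zero header ends the stream."""
    out = bytearray()
    i = 0
    while i + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, i)[0]
        i += 2
        if header == 0:
            break
        size = (header & 0xFFF) + 1           # chunk body length
        body = buf[i:i + size]
        if len(body) != size:
            raise ValueError("truncated chunk")
        i += size
        out += _decompress_chunk(body) if header & 0x8000 else body
    return bytes(out)


def looks_like_pe(payload: bytes) -> bool:
    """Sanity check on the result: MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(payload) < 0x40 or payload[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", payload, 0x3C)[0]
    return payload[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed sample: two compressed chunks followed by the end marker.
# Chunk 1: literals "ABC", then a (disp=3, len=9) back-reference.
# Chunk 2: 17 literals, then a (disp=17, len=17) back-reference using the
#          5-bit displacement split that applies once 16 bytes are out.
SAMPLE = (bytes.fromhex("05B0 08 414243 0620")
          + bytes.fromhex("15B0 00 3031323334353637 00 3839414243444546 02 47 0E80")
          + b"\x00\x00")


def demo() -> bytes:
    return lznt1_decompress(SAMPLE)


if __name__ == "__main__":
    plain = demo()
    print(len(plain), plain, "PE:", looks_like_pe(plain))
```

Feed the bytes dumped from CompressedBuffer to lznt1_decompress(); when looks_like_pe() is true on the result, that is the stage worth saving and loading into a disassembler. Back-references never cross a 4 KiB chunk boundary, which is why decoding is done per chunk with a fresh output buffer.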

Re: Malware collection

Postby xors » Sat Jul 02, 2016 11:59 am

https://malwr.com/analysis/Njk0OWRkMTRh ... JlYzI5MWE/

The email that is in your zip file has been used by Satana ransomware.
@xorsthings
xors
 
Posts: 132
Joined: Mon May 23, 2016 2:01 am
Location: Greece
Reputation point: 63

Re: Ransom/Satana

Postby heart888 » Wed Jul 06, 2016 4:38 am

xors wrote:Unpacked in the attachment (for those who don't have an account on malwr.com).

The unpacking process is easy. Just put a breakpoint on RtlDecompressBuffer.


Did a HBP on it,
but mine crashed with this error message:

Debugged application message: on_tls_callback3
Debugged application message: EntryPoint-4
40281A: The instruction at 0x40281A referenced memory at 0x0. The memory could not be read -> 0 (exc.code c0000005, tid 3168)

Any thoughts? TIA
heart888
 
Posts: 18
Joined: Tue Mar 01, 2016 11:04 pm
Reputation point: 15

Re: Ransom/Satana

Postby ea56f45e66e2c » Thu Jul 07, 2016 11:58 am

heart888 wrote:
xors wrote:Unpacked in the attachment (for those who don't have an account on malwr.com).

The unpacking process is easy. Just put a breakpoint on RtlDecompressBuffer.


Did a HBP on it,
but mine crashed with this error message:

Debugged application message: on_tls_callback3
Debugged application message: EntryPoint-4
40281A: The instruction at 0x40281A referenced memory at 0x0. The memory could not be read -> 0 (exc.code c0000005, tid 3168)

Any thoughts? TIA


There are some common anti-debug tricks; try using ScyllaHide or an equivalent. You can also refer to this: http://adelmas.com/blog/satana.php
Hope this helps.
ea56f45e66e2c
 
Posts: 3
Joined: Fri Apr 15, 2016 11:56 am
Location: France
Reputation point: 0
