A forum for reverse engineering, OS internals and malware analysis 


Re: Locky ransomware

 by tim ¦  Wed Sep 07, 2016 11:31 am ¦  Forum: Malware ¦  Topic: Locky ransomware ¦  Replies: 142 ¦  Views: 203419

Anyone got a copy of the decrypter you get if you pay the ransom?

Re: Win32/Cerber

 by tim ¦  Tue Sep 06, 2016 8:30 am ¦  Forum: Malware ¦  Topic: Win32/Cerber ¦  Replies: 76 ¦  Views: 164658

Cerber contains a JSON config that is encrypted in the unpacked binary. Full config here - http://pastebin.com/VdtR9kaE { "blacklist": { "files": [ "bootsect.bak", "iconcache.db", "ntuser.dat", "thumbs.db" ], "folders": [ ":\\$recycle.bin\\", ":\\$windows.~bt\\", ":\\boot\\", ":\\documents and setti...

Re: Locky ransomware

 by tim ¦  Mon Sep 05, 2016 2:06 pm ¦  Forum: Malware ¦  Topic: Locky ransomware ¦  Replies: 142 ¦  Views: 203419

Latest Locky update, appears to be completely offline now. There is no longer a DGA seed value, URI path or IP addresses in the configuration. There is however an RSA key and help files in html and txt format.

Re: Locky ransomware

 by tim ¦  Fri Aug 12, 2016 2:28 pm ¦  Forum: Malware ¦  Topic: Locky ransomware ¦  Replies: 142 ¦  Views: 203419

It's actually a binary blob in the unpacked stub. The format is mentioned somewhere on the internet. If you unpack your memory, you can upload it here and my tool will unpack it. http://configextractor.azurewebsites.net/

Re: Necurs - another x64 rootkit

 by tim ¦  Mon Aug 08, 2016 3:14 pm ¦  Forum: Malware ¦  Topic: Necurs - another x64 rootkit ¦  Replies: 70 ¦  Views: 96877

Extracted config from above sample { "filepath": "syshost32", "url": "/locator.php", "version": 24, "convertIP": 1, "vmCheck": 1, "seed": 5, "event": "NitrGB", "filename": "syshost.exe", "domains": [ "jfbbrj3bbbd.bit" ], "dnsServers": [ "178.32.31.41", "94.231.81.244", "91.213.8.35", "151.236.6.6", "...

Re: Malware collection

 by tim ¦  Thu Aug 04, 2016 11:20 am ¦  Forum: Malware ¦  Topic: Win32/Cerber ¦  Replies: 76 ¦  Views: 164658

cerber

Re: Locky ransomware

 by tim ¦  Tue Aug 02, 2016 12:56 pm ¦  Forum: Malware ¦  Topic: Locky ransomware ¦  Replies: 142 ¦  Views: 203419

Found this config from a recent spam campaign, first time I have seen a campaign id of 13 and also a DGA seed value this high. { "campaignId": 13, "seed": 29033, "delay": 0, "fakeSvchost": false, "persist": false, "ignoreRuLang": true, "ips": [ "91.230.211.139", "37.139.30.95", "91.219.29.48" ], "ur...

Re: Necurs - another x64 rootkit

 by tim ¦  Fri Jul 15, 2016 9:16 am ¦  Forum: Malware ¦  Topic: Necurs - another x64 rootkit ¦  Replies: 70 ¦  Views: 96877

Uploaded P2P botnet that is being called Necurs. See the following for more information on this malware: https://www.johannesbader.ch/2015/02/the-dgas-of-necurs/ http://www.malwaretech.com/2016/02/necursp2p-hybrid-peer-to-peer-necurs.html http://blog.anubisnetworks.com/blog/monitoring-necurs-the-tip...

Re: Locky ransomware

 by tim ¦  Thu Jul 07, 2016 1:12 pm ¦  Forum: Malware ¦  Topic: Locky ransomware ¦  Replies: 142 ¦  Views: 203419

This uses the ".zepto" extension instead of ".locky". I'm not saying this isn't Locky, as bindiff shows it has a significant amount of similarities. Looking back over my data I haven't seen the .locky version since the 27th of June. Anyway here is the config which is stored exactly the same way: { "dela...

Re: WinNT/Cridex (alias Dridex, Drixed)

 by tim ¦  Wed Jul 06, 2016 4:14 pm ¦  Forum: Malware ¦  Topic: WinNT/Cridex (alias Dridex, Drixed) ¦  Replies: 149 ¦  Views: 244589

Anyone got a recent sample?