A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20826  by Grinler
 Fri Sep 13, 2013 6:42 pm
To be fair, without backups and without getting into the fact that they should have them, some people are just desperate. Definitely sucks to lose years of work, pictures, and documents.
 #20861  by donnyharps
 Thu Sep 19, 2013 5:36 am
Fabian,
I tried to recreate the virus using your .rar file. The ransom note only popped up for a second and then it disappeared. It did reinstall on the workstation, it did not double encrypt my files (which is great). But what am I doing wrong? I need the ransom note popup to pay the ransom. Please help!
 #20863  by Fabian Wosar
 Thu Sep 19, 2013 8:04 am
donnyharps wrote: Fabian,
I tried to recreate the virus using your .rar file. The ransom note only popped up for a second and then it disappeared. It did reinstall on the workstation, it did not double encrypt my files (which is great). But what am I doing wrong? I need the ransom note popup to pay the ransom. Please help!
If the timer is up, you can't. The malware will instantly uninstall itself as soon as the server signals the timer has expired.
 #20878  by donnyharps
 Fri Sep 20, 2013 5:53 pm
If I download the virus to another one of my workstations on my network, do you guys think I will be able to pay the ransom and it would decrypt my shared files that got encrypted the first time?
 #21107  by Cody Johnston
 Mon Oct 07, 2013 11:38 pm
Dropper collected today, low detection on VT (1/47 as of this post)

SHA256: 2163570f047cefc466c0ca370e56b6fbb770c4f71603b2353c1b6fd8e482ced8
SHA1: a4c60f419c5aa760db9904a59c8d79fce2636d68
MD5: 0204332754da5975b6947294b2d64c92
Detection ratio: 1 / 47

https://www.virustotal.com/en/file/2163 ... /analysis/

Malwr:

https://malwr.com/analysis/OGM4M2IyNjcz ... JiMzYwYzI/
Attachment (525.85 KiB), password: infected
 #21110  by rough_spear
 Tue Oct 08, 2013 6:08 am
Hi All,

Here is the download link.

hxxp://feyrckkwwjymeo.org/1002.exe

Cody Johnston wrote: Dropper collected today, low detection on VT (1/47 as of this post)

SHA256: 2163570f047cefc466c0ca370e56b6fbb770c4f71603b2353c1b6fd8e482ced8
SHA1: a4c60f419c5aa760db9904a59c8d79fce2636d68
MD5: 0204332754da5975b6947294b2d64c92
Detection ratio: 1 / 47

https://www.virustotal.com/en/file/2163 ... /analysis/

Malwr:

https://malwr.com/analysis/OGM4M2IyNjcz ... JiMzYwYzI/
Regards,

rough_spear.
 #21128  by krazylary
 Wed Oct 09, 2013 4:36 am
Here is a list of all domains that the virus calls out to until it finds a live one.

Object URL
wqvnkgtquoixx.com/home/	
jbkoqywkqjpjji.net/home/	
keqrmonphudew.net/home/	
miuongoruxtuhy.biz/home/	
qipixdjsccnyc.biz/home/	
pfasmsxcpsfkle.biz/home/	
evkmaldroiifk.ru/home/	
saallnwetwuac.org/home/	
ygvnalgjbukky.info/home/	
aiqyntcdnvfyy.com/home/	
bxgqnvtusprlg.net/home/	
cabcbepofqmaw.biz/home/	
upalbsjwadwmy.ru/home/	
qtnwayrgotgvf.info/home/	
trusflrovxooa.ru/home/	
vruwobfqmerby.org/home/	
nqjfxvpobfgss.net/home/	
otauuhgyfkeyx.info/home/	
xjfaclsceyycp.info/home/	
rjydbnflxdqfo.com/home/	
fyafqsphgcwpn.net/home/	
sejfjeaeybkcf.biz/home/	
suiqcimovbpqnc.info/home/	
gtkhyjkahaqmn.ru/home/	
pyduriwnnvmyh.org/home/	
hjivfvfffwnskq.net/home/	
ejoypeccwsmgn.com/home/	
aejmsdjdnlxpo.net/home/	
ligpryhpqpdwne.com/home/	
bikasivqvqovf.biz/home/	
bytobtevojrmf.ru/home/	
uycjwfvptmknld.com/home/	
cducbyqjwoisf.org/home/	
yxorjdnsljkpj.info/home/	
yoxgrovxecngq.com/home/	
ottxtmpqbfivg.biz/home/	
vvopcjmnxbhbwc.ru/home/	
asytrtilmhemq.net/home/	
gctqpdxpmfmir.biz/home/	
juuquupfwkohs.biz/home/	
bryjvxpmikgjtg.ru/home/	
itetdtsollwar.org/home/	
rspqurslksuqf.info/home/	
kdfwnedtksawjy.biz/home/	
etrwsvkcdukdlg.ru/home/	
erxigxprcxick.info/home/	
rhykvgjqlqkis.com/home/	
gjiltokqbestr.net/home/	
tyjnjwepkwuaq.biz/home/	
oweahscscnpoo.ru/home/	
taesdijrndsatw.org/home/	
pbfnhbxmlmkyo.org/home/	
mmirxnturglis.com/home/	
oesuleotqmvaa.biz/home/	
pitilmknalqkq.ru/home/	
iigcbmauiqvfba.ru/home/	
fuoxdmpthwgih.org/home/	
gpyalwdsbfdvf.info/home/	
tfacbcnojejgn.com/home/	
besvehfusgclh.net/home/	
cydxmrstmoyyx.ru/home/	
poeacwdpunfjg.org/home/	
qydbouvxduubsr.ru/home/	
okjjdmhkqnkgf.com/home/	
pokwdrtxysbmf.net/home/	
yeiviemnuxabpv.com/home/	
ooltxrisjwradh.org/home/	
jydfvwjmiojvs.biz/home/	
kdesvcvaqtacj.ru/home/	
ktnhehwlcwgjj.org/home/	
tnjlrciuvwfam.info/home/	
hdknhkctfphgu.com/home/	
vftofmvgnrmbt.net/home/	
pwnjswxvhgbdm.ru/home/	
lyooqnqqhotjju.biz/home/	
lohwjyiyqkwfqi.info/home/	
mclqdpsghdjqje.ru/home/	
dmolifruqydju.org/home/	
feyovpfgitkkl.info/home/	
citujrmxlfigj.com/home/	
dmuijairuedqj.net/home/	
eaexwcajdaphq.biz/home/	
feflwkvdmykrh.ru/home/	
xrxskmcywoeju.org/home/	
ajivxwpkojlku.info/home/	
odfkpkipydkslh.net/home/	
bnjjxflexigul.com/home/	
ryyyyfgfvtsnct.info/home/	
mnfdfpdotefros.net/home/	
uwdykbjtyjnkje.biz/home/	
vvbfgrejcdvwje.org/home/	
ggltstdpfixlmg.com/home/	
ttgwxyheyuxdud.net/home/	
laqigkmwntydsb.biz/home/	
xarbteoehyyaik.net/home/	
myoocbhmqnhpjy.org/home/	
opalnungbnmmot.org/home/	
jxvaxrprklbjlm.info/home/	
kaqiuwvbeulwci.com/home/	
yvbswhukhiskve.net/home/	
kwtgtikhnfjvjl.net/home/	
nkbxareutxbqjc.ru/home/	
bxvbfarpkqqerj.org/home/	
dttreqmrlsedie.info/home/	
neegqpcrrrqvut.biz/home/	
tspwdnloqrybym.com/home/	
rbjkbglbcucwua.org/home/	
ksxfginiuiagub.info/home/	
twhbawgddwpvuw.info/home/	
fkccpkpsimeybd.com/home/	
pyocsnovymedni.net/home/	
qbjkpveipcyunx.biz/home/	
kmwxovbjqgjmad.com/home/	
rumsrejxaorcum.ru/home/	
ffbxddujmmpsxl.biz/home/	
swhbomykqemtll.org/home/	
sxwfupthcyeqjh.net/home/	
cpgpwafuancriy.org/home/	
adjkrhdkuxysov.biz/home/	
nqenwmhyokyknc.ru/home/	
bxjlbrafmvaobr.ru/home/	
bchqnrqmbdkvfl.org/home/	
icmiuojikeeglw.info/home/	
jehqrtprenotca.com/home/	
fvmfpbqlweuqcc.org/home/	
lwfhkayvijlhld.info/home/	
guklllendjgtct.info/home/	
avprsocmlqjigs.ru/home/	
gecmmdcdjwpjlp.org/home/	
iaadlnplnoarlk.info/home/	
rpayeuhoyexfpe.net/home/	
vnugqvdgehpfkw.com/home/	
rbxjldlktkpsjx.org/home/	
mqipmcwrvlbxlw.com/home/	
nsdxjkmembvpcv.net/home/	
gkdtedfdjppeuj.ru/home/	
nqcfresqxteaxk.biz/home/	
bgdeqjwfchhvwq.ru/home/	
tvelvheabunfpq.biz/home/	
adgceuhdxrinww.biz/home/	
vukflsvgxbgvui.ru/home/	
wylroxcpcqgjle.org/home/	
xxjxkowffkovlp.info/home/	
uwqjgsrxuhyopp.net/home/	
jdtwkyaduxkmve.com/home/	
erbxffpmhwjmwq.com/home/	
urndyegetlhnwl.biz/home/	
truhmarggnfawj.org/home/	
vnsxlqmihpsywr.info/home/	
tlxpdlcqaglewt.ru/home/	
hbyoctplnodrvn.org/home/	
daetjwkwtfhjwj.info/home/	
fvckinfyuhuinp.net/home/	
atiyxjksylosbu.biz/home/	
xiyefnrwyvdcth.com/home/	
lrvlcsbkbnljsx.net/home/	
yhwkbxfyfbofbu.biz/home/	
uycyyswttiedtd.info/home/	
swgfawqxupccrf.com/home/	
tbhrdcwhyfcpib.net/home/	
uafxymkjfknspa.ru/home/	
pnjatcvupcddtl.info/home/	
qrkmwhcetrdqtc.com/home/	
qtqhbembdaeyrl.net/home/	
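The list above shows the shape of the callback domains: 12 to 15 lowercase letters, one of com/net/biz/ru/org/info, and the path /home/. What follows is an added example, not code from the thread or from any of its posters: a small proxy-log triage script that flags requests matching that shape and groups them per client, so a host walking the list looking for a live server stands out. A few domains copied from the list serve as a known-bad set; the scoring features, thresholds, sample log lines and client addresses are assumptions made for the demo, and registrable-domain extraction simply takes the last two labels (no public-suffix handling).

```python
"""Triage proxy log lines for CryptoLocker-style DGA callbacks.

Added example, not code from the thread. The heuristics encode what the posted
list shows (12-15 lowercase letters, TLD in com/net/biz/ru/org/info, path
/home/); the feature weights, threshold, sample log lines and client IPs are
assumptions made for this demo.
"""
import math
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# A handful of domains copied from the list posted in the thread, used as a
# known-bad set; a real deployment would load the whole list.
KNOWN_BAD = {
    "wqvnkgtquoixx.com", "jbkoqywkqjpjji.net", "keqrmonphudew.net",
    "qipixdjsccnyc.biz", "evkmaldroiifk.ru", "saallnwetwuac.org",
    "ygvnalgjbukky.info",
}
DGA_TLDS = {"com", "net", "biz", "ru", "org", "info"}  # TLDs seen in the list
LABEL_RE = re.compile(r"^[a-z]{12,15}$")               # label shape in the list
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score higher than words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def max_consonant_run(s: str) -> int:
    """Longest run without a vowel; English words rarely exceed 3 or 4."""
    run = best = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def registrable(host: str) -> str:
    # Assumption: last two labels are the registrable domain (demo only).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def dga_score(url: str) -> int:
    """0..6 points; one point per feature shared with the posted list."""
    parts = urlsplit(url)
    host = registrable(parts.hostname or "")
    label, _, tld = host.partition(".")
    score = 0
    score += bool(LABEL_RE.match(label))           # 12-15 lowercase letters
    score += tld in DGA_TLDS                       # TLD set used by the DGA
    score += parts.path == "/home/"                # path used on every callback
    score += max_consonant_run(label) >= 4         # unpronounceable label
    score += bool(label) and sum(ch in VOWELS for ch in label) / len(label) <= 0.3
    score += bool(label) and shannon_entropy(label) >= 3.0
    return score


def verdict(url: str) -> str:
    """'ioc' for an exact list match, 'dga-like' above the threshold, else 'ok'."""
    host = registrable(urlsplit(url).hostname or "")
    if host in KNOWN_BAD:
        return "ioc"
    return "dga-like" if dga_score(url) >= 4 else "ok"


def triage(lines):
    """lines: 'client_ip url' strings. Returns {client: [(host, verdict), ...]}
    for clients that produced at least one hit."""
    hits = defaultdict(list)
    for line in lines:
        client, url = line.split(None, 1)
        v = verdict(url)
        if v != "ok":
            hits[client].append((registrable(urlsplit(url).hostname or ""), v))
    return dict(hits)


# Constructed sample log: three callback attempts from one client, three
# ordinary requests from another (international.org/home/ is a deliberate
# near-miss: right TLD, length and path, but a dictionary word).
SAMPLE_LOG = [
    "10.0.0.5 http://wqvnkgtquoixx.com/home/",
    "10.0.0.5 http://miuongoruxtuhy.biz/home/",
    "10.0.0.5 http://ryyyyfgfvtsnct.info/home/",
    "10.0.0.9 http://www.microsoft.com/en-us/",
    "10.0.0.9 http://bleepingcomputer.com/forums/",
    "10.0.0.9 http://international.org/home/",
]

if __name__ == "__main__":
    for client, found in triage(SAMPLE_LOG).items():
        print(client, found)
```

Run against the sample log, only 10.0.0.5 is reported: wqvnkgtquoixx.com by exact match, the other two by score. international.org/home/ scores 3 because a dictionary word keeps a normal vowel ratio and low entropy, while ryyyyfgfvtsnct.info would slip past an entropy-only check (its repeated letters keep it under 3.0 bits) but is caught by the consonant-run and vowel-ratio features; that is why the score combines several weak signals rather than relying on one.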