A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19289  by Cody Johnston
 Thu May 16, 2013 1:37 am
Hello,

Please merge this post if a topic including this type of ransomware already exists. I have seen this on a couple of customers computers over the last few days. This ransomware encrypts doc, pdf, jpg, rar, zip, etc and makes them all html files. Attached is a sample of one of the files.

It directs to the following site:

hxxp://mdlblock.in

Uses a UID from the PC as an argument when connecting to the page and displays content only when the UID is given.

I do not have a sample of the dropper yet, I'll post one as soon as I find it.

Here is a screenshot of what the user sees when attempting to open a file:

Image
Code: Select all
Domain ID:D7317677-AFIN
Domain Name:MBLBLOCK.IN
Created On:08-May-2013 17:06:06 UTC
Last Updated On:08-May-2013 17:06:07 UTC
Expiration Date:08-May-2014 17:06:06 UTC
Sponsoring Registrar:Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:WIQ_27797905
Registrant Name:Gerald Minhelm
Registrant Organization:N/A
Registrant Street1:176 reroad
Registrant City:Vegas
Registrant State/Province:LA
Registrant Postal Code:15781
Registrant Country:US
Registrant Phone:+1.1005520281
Registrant Email:g.minhelmmm@gmail.com
VT for the URL: https://www.virustotal.com/en/url/87132 ... /analysis/
Attachments
Password: ransom
(51.99 KiB) Downloaded 173 times
 #19296  by Xylitol
 Thu May 16, 2013 9:33 am
awkward
Image
Code: Select all
hxtp://mblblock.in/files/
hxtp://mblblock.in/pic/
hxtp://mblblock.in/style/
hxtp://mblblock.in/webstat/
hxtp://mblblock.in/modal/
hxtp://mblblock.in/i.php?uid={C22AEF4D-9122-8825-42A7-E0BFA1DD7EC5}
hxtp://mblblock.in/i.php?uid={D4D05D49-6B2D-881A-3082-D4DED9344AAB}
hxtp://mblblock.in/i.php?uid={1E475F6C-BD09-881A-8396-473D4CB1D947}
hxtp://mblblock.in/i.php?uid={CEF4D8C3-4285-881A-ABAB-D1F060964F8A}
hxtp://mblblock.in/core.php
hxtp://mblblock.in/time.php
hxtp://mblblock.in/func.php
hxtp://mblblock.in/step2.php
hxtp://mblblock.in/lang/en.php
hxtp://mblblock.in/lang/de.php
hxtp://mblblock.in/lang/es.php
hxtp://mblblock.in/lang/ca.php
hxtp://mblblock.in/lang/au.php
hxtp://mblblock.in/lang/gb.php
hxtp://mblblock.in/lang/at.php
hxtp://mblblock.in/lang/be.php
hxtp://mblblock.in/lang/ag.php
hxtp://mblblock.in/lang/mx.php
hxtp://mblblock.in/gate/soft.php
hxtp://mblblock.in/gate/core.php
hxtp://mblblock.in/gate/gate.php
https://www.virustotal.com/en/ip-addres ... formation/

Edit 17 may 2013: Gotcha !
sample in attach.
http://www.virustotal.com/file/e7818de3 ... 368756414/
Attachments
infected
(103.54 KiB) Downloaded 156 times
 #19314  by reverser
 Sat May 18, 2013 12:36 am
For the sample posted by Xylitol, encryption seems to be RC6 and the key is:
Code: Select all
yrw^%$74@0(99GHJGK**&(^867*&^en2evwqevvnfd^&*^*&^$#$#@)**bnmccn
(64 bytes including the trailing 0)

Not sure yet if the key changes per client, but it doesn't look very random so probably the guy typed it manually.

EDIT: ah, it seems there's an additional scrambling applied to the file. If you upload one of the encrypted files, I can check if it can be decrypted.
 #19315  by Dany3j
 Sat May 18, 2013 3:38 am
@reverser Is the key different for every client?


I am attaching a sample files, original and encrypted. I used he sample posted by Xylitol.
Attachments
No Pass.
(1.67 MiB) Downloaded 107 times
 #19317  by Fabian Wosar
 Sat May 18, 2013 10:32 pm
A more user friendly decrypter is available here as well:

http://tmp.emsisoft.com/fw/decrypt_mblblock.exe

It will automatically detect the encrypted malware files and tries to recover the file names as well. My thanks go to both Xylitol for the actual malware sample and reverser for noticing the file size limitation that I completely missed and wondered why it didn't work properly for some files ;).
 #19326  by Quads
 Sun May 19, 2013 7:19 pm
Hmmmmm

Does the Spamhaus Agent XML advisory with the encryption adding .html to the end use the same encryption as this one (MBL advisory) I wonder.

Quads