A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24335  by Grinler
 Wed Nov 12, 2014 10:07 pm
New CoinVault ransomware from the same family as CryptoGraphic Locker. Encryption and decryption performed by same executable. Appears to use AES for encryption.


Files associated with CoinVault:
%AppData%\Microsoft\Windows\coinvault.exe
%AppData%\Microsoft\Windows\edone
%AppData%\Microsoft\Windows\filelist.txt
%Temp%\CoinVaultFileList.txt
%Temp%\wallpaper.jpg
Registry entries associated with CoinVault:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vault	"%AppData%\Microsoft\Windows\coinvault.exe"
HKCU\Control Panel\Desktop\Wallpaper	"%Temp%\wallpaper.jpg"
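An added, read-only triage script (not from the original post) that checks the current user's profile for the file and registry artifacts listed above. It assumes the paths resolve through %APPDATA% and %TEMP% for the logged-on user and that nothing is removed, only reported.

```powershell
# Constructed triage check for the CoinVault artifacts listed in the post.
# Read-only: reports findings, changes nothing.
$appData = $env:APPDATA
$temp    = $env:TEMP

# File artifacts from the post, with the environment variables expanded
$files = @(
    "$appData\Microsoft\Windows\coinvault.exe",
    "$appData\Microsoft\Windows\edone",
    "$appData\Microsoft\Windows\filelist.txt",
    "$temp\CoinVaultFileList.txt",
    "$temp\wallpaper.jpg"
)

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type   = 'File'
            Path   = $f
            Detail = "size=$($item.Length) mtime=$($item.LastWriteTime) sha256=$hash"
        }
    }
}

# Persistence: Run-key value named "Vault" pointing at coinvault.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$vault  = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).Vault
if ($vault) {
    $findings += [pscustomobject]@{ Type = 'Registry'; Path = "$runKey\Vault"; Detail = $vault }
}

# Wallpaper swapped for the ransom image dropped in %Temp%
$wpKey = 'HKCU:\Control Panel\Desktop'
$wp    = (Get-ItemProperty -Path $wpKey -ErrorAction SilentlyContinue).Wallpaper
if ($wp -and $wp -like '*\wallpaper.jpg') {
    $findings += [pscustomobject]@{ Type = 'Registry'; Path = "$wpKey\Wallpaper"; Detail = $wp }
}

if ($findings.Count -eq 0) {
    Write-Output 'No CoinVault artifacts found for the current user.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because every artifact lives under HKCU and the user's profile, run it as each interactive user (or adapt the key and paths per loaded hive) rather than once as an administrator.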
 #25800  by likeamirror
 Tue May 05, 2015 4:54 pm
Hey, I'm new. Couple of questions regarding this specimen.
Is it normal practice for things that get semi-big to be written in a .NET language, like this sample?
Is it normal practice to have all of your functions stored as bytes, and then decrypt that at runtime?
 #25806  by EP_X0FF
 Wed May 06, 2015 4:23 am
likeamirror wrote:
Is it normal practice for things that get semi-big to be written in a .NET language, like this sample?
Is it normal practice to have all of your functions stored as bytes, and then decrypt that at runtime?
Yes/Yes.