Attached are two variants of a new crypto malware that first showed up a few days ago.
The encryption of the first variant is rather simplistic. It just does a simple XOR using a static key that is used on every system. The key used is 0x3035353331623139626238343662313863303966393739656562343239616433.
The second variant changed the encryption scheme. It now generates a new per-infection key on each system. This per-infection key appears to be the SHA256 of something. I didn't look into of what exactly yet because the malware author failed at securing his server and left all generated keys open to be downloaded by anyone. If someone wants a dump of all keys, please let me know.
The per-infection key is then used to derive a new encryption key for every 0x4000 byte block of a file that is being encrypted. The key for the block is essentially the SHA256 of the per-infection key plus the file name including path plus the index of the block being encrypted starting with 1. So if the per-infection key is d9ae3f2910a4de28315216bd1152746db1b539fa3b545ac7d24401f3d39ec581 for example and the file being encrypted is located in C:\file.ext the first 0x4000 bytes would be encrypted using SHA256("d9ae3f2910a4de28315216bd1152746db1b539fa3b545ac7d24401f3d39ec581C:\file.ext1"), the second 0x4000 bytes would be encrypted with SHA256("d9ae3f2910a4de28315216bd1152746db1b539fa3b545ac7d24401f3d39ec581C:\file.ext2") and so on.
I didn't look into how the malware derives the key stream it uses to XOR the original bytes with from the SHA256 yet due to lack of time. I hope to get to it later today but I am not that familiar with VB6 and the disassembled code looks horrible. So if one of you with more experience in reversing VB6 code wants to give it a shot, the function that encrypts a block using the SHA256 derived as the key for the block is located at 0x0042FF80 in the variant 2 sample.
The encryption of the first variant is rather simplistic. It just does a simple XOR using a static key that is used on every system. The key used is 0x3035353331623139626238343662313863303966393739656562343239616433.
The second variant changed the encryption scheme. It now generates a new per-infection key on each system. This per-infection key appears to be the SHA256 of something. I didn't look into of what exactly yet because the malware author failed at securing his server and left all generated keys open to be downloaded by anyone. If someone wants a dump of all keys, please let me know.
The per-infection key is then used to derive a new encryption key for every 0x4000 byte block of a file that is being encrypted. The key for the block is essentially the SHA256 of the per-infection key plus the file name including path plus the index of the block being encrypted starting with 1. So if the per-infection key is d9ae3f2910a4de28315216bd1152746db1b539fa3b545ac7d24401f3d39ec581 for example and the file being encrypted is located in C:\file.ext the first 0x4000 bytes would be encrypted using SHA256("d9ae3f2910a4de28315216bd1152746db1b539fa3b545ac7d24401f3d39ec581C:\file.ext1"), the second 0x4000 bytes would be encrypted with SHA256("d9ae3f2910a4de28315216bd1152746db1b539fa3b545ac7d24401f3d39ec581C:\file.ext2") and so on.
I didn't look into how the malware derives the key stream it uses to XOR the original bytes with from the SHA256 yet due to lack of time. I hope to get to it later today but I am not that familiar with VB6 and the disassembled code looks horrible. So if one of you with more experience in reversing VB6 code wants to give it a shot, the function that encrypts a block using the SHA256 derived as the key for the block is located at 0x0042FF80 in the variant 2 sample.
Attachments
infected
(149.06 KiB) Downloaded 216 times
(149.06 KiB) Downloaded 216 times
