A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23427  by EP_X0FF
 Tue Jul 22, 2014 3:38 pm
You can catch it decrypted data when in the second stage in copy of dropper process it calls NtFreeVirtualMemory. Nothing really impressive, actual malware data is about ~600 Kb, where ~500 Kb are BMP images and ransomware text to display and TOR linked object files -> https://doxygen.torproject.org/files.html, seems used for communication mechanisms, zlib 1.2.8 library etc
Code: Select all
Your personal files are encrypted.%f0%%c0%

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.

If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files.

1. Type the address %c1%http://torproject.org%c0% in your Internet browser. It opens the Tor site.

2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle', install and run it.

3. Now you have Tor Browser. In the Tor Browser open the %c1%http://%onion%/%c0%
   Note that this server is available via Tor Browser only
   Retry in 1 hour if site is not reachable.

4. Write in the following public key in the input form on server. Avoid missprints.

5. Follow the instructions on the server.

These instructions are also saved to file named DecryptAllFiles.txt in Documents folder. You can open it and use copy-paste for address and key.
Malware BMP's in attach.
malware images
(79.04 KiB) Downloaded 152 times
 #23745  by Cody Johnston
 Tue Sep 02, 2014 4:51 pm
Recent sample from a few days ago. Marks files now as .ctb2

Interesting that the original packed exe is written using pcode (http://en.wikipedia.org/wiki/P-code_machine)


https://www.virustotal.com/en/file/554b ... 409227700/


https://www.virustotal.com/en/file/ab31 ... 409368968/

Also dumped memory from after unpacked.exe last allocation. (CBTv2.mem)

Seems it uses the same communication mechanism as before.

Thanks to decrypterfixer from BleepingComputer for the sample.
Password: infected
(2.8 MiB) Downloaded 171 times
 #23759  by EP_X0FF
 Wed Sep 03, 2014 11:50 am
Cody Johnston wrote:Recent sample from a few days ago. Marks files now as .ctb2

Interesting that the original packed exe is written using pcode (http://en.wikipedia.org/wiki/P-code_machine)
Probably you mean PIC, position-independent code.
 #23770  by DecrypterFixer
 Wed Sep 03, 2014 6:36 pm
Yep, VB6 Pcode at that. Its quite rare to see at all. As i was telling Cody in the past, i had to bust out a debugger from 2001 to figure out what was going on in it because IDA and olly are about useless with pcode. Of course you can still dump the unpacked exe from processhacker, But its torn all apart that way. The old debugger i used was able to dump it without any type of rebuilding, it was nice for a change.
 #23775  by DecrypterFixer
 Thu Sep 04, 2014 1:54 am
My apologizes for the double post, But i also wanted to point out that this infection has the capability to Encrypt, and do its Test 5 file Decrypt Offline with no network adapter in my VM. Just thought it was rather interesting