A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25007  by Blaze
 Tue Jan 20, 2015 1:56 pm
Newest variant of this locker, seems to use Elliptic Curve Diffie-Hellman as encryption algorithm.

Message (Dutch):
Image

Some samples attached.
Attachments
(55.65 KiB) Downloaded 131 times
 #25012  by Grinler
 Tue Jan 20, 2015 7:45 pm
Thanks Blaze!

Attached are the main installers harvested from your droppers and the RTF displayed by the dropper.
Attachments
infected
(669.78 KiB) Downloaded 111 times
 #25098  by r3shl4k1sh
 Wed Jan 28, 2015 10:31 pm
I didn't understand the subject you gave to the post. It should be informative.

This one is downloader for CTB-Locker.
The sample it downloads has very low detection on VT 1/56:
https://www.virustotal.com/en/file/5855 ... /analysis/

MD5: dc8bc1f88c3da5aa04fea4933d74f3b6

CTB-Locker thread:
http://www.kernelmode.info/forum/viewto ... ctb+locker

In attach downloaded sample + memory dump of:
0x17a0000.bin the in memory unpacked code (start address is 0x017D329D)
0x1885000.bin the data section (which include the CTB-Locker template).
address.txt the resolved address API
Attachments
pass: infected
(1.39 MiB) Downloaded 104 times
 #25099  by chimung1994
 Wed Jan 28, 2015 11:59 pm
I think that is the main installer. It have .data section contains text and bmp image. It will copy himself to %temp% folder and encrypt your file. I dump and rebuild it from image. Can you give me some advise to go analysis this ransomware. Thanks!
Attachments
pass: infected
(745.41 KiB) Downloaded 98 times