A forum for reverse engineering, OS internals and malware analysis 

 #28052  by EP_X0FF
 Thu Mar 17, 2016 9:58 am
Ransomware encoder from Breaking Bad fan. Pretty much generic for these days.
All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
%INFO%
to e-mail address post77999@gmail.com or post7799@yahoo.com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the reserve email. You can get it by two ways:
1) Download Tor Browser from here:
https://www.torproject.org/download/download-easy.html.en
Install it and type the following address into the address bar:
http://cryptorzimsbfbkx.onion/
Press Enter and then the page with reserve emails will be loaded.
2) Go to the one of the following addresses in any browser:
http://cryptorzimsbfbkx.onion.to/
http://cryptorzimsbfbkx.onion.cab/
Uses MS Office exploit to penetrate the system (CVE-2015-1641).

Payload downloaded from 194.109.206.212 encrypted, decrypted, dropped to %temp% and executed. Run from usual HKCU\Run key. Stored inside ProgramData\Windows as csrss.exe

Does usual bullshit
Code:
wb2|cdr|srw|p7b|odm|mdf|p7c|3fr|der|odb|arw|rwl|cer|xlk|pdd|rw2|crt|dx|r3d|pem|bay|ptx|pfx|indd|nrw|p12|bd|backup|torrent|kwm|pwm|safe|xl|xls|xlsx|xlsm|xlsb|xltm|xlt|xlam|xla|mdb
|rtf|txt|xml|csv|pdf|prn|dif|slk|ods|xltx|xlm|odc|xlw|uxdc|pm|udl|dsn|iqy|dqy|rqy|oqy|cub|bak|xsn|xsf|xtp|xtp2|accdb|adb|adp|mda|accda|mde|accde|accdw|accdt|accdc|mdw|dbf|tab|asc|frm|
opt|myd|myi|db|onetoc2|one|onepkg|vcs|ics|pst|oft|msg|pptx|ppt|pptm|pps|ppsm|pot|potx|potm|odp|thmx|wpd|wps|ppa|ppam|wmf|emf|pub|ps|xps|vsd|vdx|vss|vsx|vst|vtx|vsw|vdw|emz|dwg|dxf|
docx|doc|docm|dotx|dot|dotm|djvu|chm|htm|html|mht|mhtml|shtml|shtm|asp|aspx|dwt|stm|cs|css|psd|pdd|3ds|max|crw|nef|raf|orf|mrw|dcr|mos|pef|srf|dng|x3f|cr2|erf|sr2|kdc|mfw|mef|cin|
sdpx|dpx|fido|dae|dcm|dc3|dic|eps|kmz|iff|tdi|exr|pcx|pdp|pxr|sct|u3d|obj|ai3|ai4|ai5|ai6|ai7|ai8|ai|epsp|epsf|hdr|rgbe|xyze|flm|pbm|pgm|ppm|pnm|pfm|pam|pct|pict|psb|fxg|swf|hta|htc|ssi|
as|asr|xsl|xsd|dtd|xslt|rss|rdf|lbi|asa|ascx|asmx|config|cfm|cfml|cfc|tld|phtml|jsp|wml|tpl|lasso|jsf|vb|vbs|vtm|vtml|edml|raw|jpg|jpeg|jpe|bmp|png|tif|tiff|dib|gif|svg|svgz|rle|tga|vda|icb|wbm|
wbmp|jpf|jpx|jp2|j2k|j2c|jpc|avi|mkv|mov|mp4|wmv|3gp|mpg|mpeg|m4v|divx|mpv|m1v|dat|anim|m4a|qt|3g2|f4v|mkidx|mka|avs|vdr|flv|bin|mp3|wav|asx|pls|zip|7z|rar|tar|gz|bz2|wim|xz|c|h|
hpp|cpp|php|php3|php4|php5|py|pl|sln|js|json|inc|sql|java|class|ini|asm|clx|tbb|tbi|tbk|pst|dbx|cbf|crypted|tib|eml|fld|vbm|vbk|vib|vhd|1cd|dt|cf|cfu|mxl|epf|vrp|grs|geo|elf|lgf|lgp|log|st|pff|
mft|efd|md|dmp|fdb|lst|fbk
Contains message to Kaspersky Lab.
Kaspersky analysts, we know about your illegal methods like breaing into our servers. Be careful, this information can become public.


They must be pissing in their pants with scare now.

Site in Tor as usual.
http://cryptorzimsbfbkx.onion.to/
http://cryptorzimsbfbkx.onion.cab/
File is under usual shitty crypter and UPX. Inside code mess from multiple open-source crypto.

VT
https://www.virustotal.com/en/file/d460 ... 458206518/

I miss the time when Ransomwares were much more creative with all these annoying top most windows with ridiculous messages and pictures.
Attachments (pass: malware, 1.73 MiB)
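Added example (not part of the thread or the sample): a small Python triage helper built from two details in the post above, the '|'-separated extension list the encoder targets and the dropped copy stored as ProgramData\Windows\csrss.exe. Given a file inventory it reports which files fall inside the encryption scope (handy for deciding what to back up or which shares to watch) and flags any csrss.exe living outside %SystemRoot%\System32. The inventory paths and the function names are constructed for illustration; the extension list is copied verbatim from the post.

```python
from pathlib import PureWindowsPath

# Extension list exactly as posted above; line breaks fall on the '|'
# separators, and the parser ignores whitespace around each token.
TARGETED_EXTENSIONS_RAW = """
wb2|cdr|srw|p7b|odm|mdf|p7c|3fr|der|odb|arw|rwl|cer|xlk|pdd|rw2|crt|dx|r3d|pem|bay|ptx|pfx|indd|nrw|p12|bd|backup|torrent|kwm|pwm|safe|xl|xls|xlsx|xlsm|xlsb|xltm|xlt|xlam|xla|mdb
|rtf|txt|xml|csv|pdf|prn|dif|slk|ods|xltx|xlm|odc|xlw|uxdc|pm|udl|dsn|iqy|dqy|rqy|oqy|cub|bak|xsn|xsf|xtp|xtp2|accdb|adb|adp|mda|accda|mde|accde|accdw|accdt|accdc|mdw|dbf|tab|asc|frm|
opt|myd|myi|db|onetoc2|one|onepkg|vcs|ics|pst|oft|msg|pptx|ppt|pptm|pps|ppsm|pot|potx|potm|odp|thmx|wpd|wps|ppa|ppam|wmf|emf|pub|ps|xps|vsd|vdx|vss|vsx|vst|vtx|vsw|vdw|emz|dwg|dxf|
docx|doc|docm|dotx|dot|dotm|djvu|chm|htm|html|mht|mhtml|shtml|shtm|asp|aspx|dwt|stm|cs|css|psd|pdd|3ds|max|crw|nef|raf|orf|mrw|dcr|mos|pef|srf|dng|x3f|cr2|erf|sr2|kdc|mfw|mef|cin|
sdpx|dpx|fido|dae|dcm|dc3|dic|eps|kmz|iff|tdi|exr|pcx|pdp|pxr|sct|u3d|obj|ai3|ai4|ai5|ai6|ai7|ai8|ai|epsp|epsf|hdr|rgbe|xyze|flm|pbm|pgm|ppm|pnm|pfm|pam|pct|pict|psb|fxg|swf|hta|htc|ssi|
as|asr|xsl|xsd|dtd|xslt|rss|rdf|lbi|asa|ascx|asmx|config|cfm|cfml|cfc|tld|phtml|jsp|wml|tpl|lasso|jsf|vb|vbs|vtm|vtml|edml|raw|jpg|jpeg|jpe|bmp|png|tif|tiff|dib|gif|svg|svgz|rle|tga|vda|icb|wbm|
wbmp|jpf|jpx|jp2|j2k|j2c|jpc|avi|mkv|mov|mp4|wmv|3gp|mpg|mpeg|m4v|divx|mpv|m1v|dat|anim|m4a|qt|3g2|f4v|mkidx|mka|avs|vdr|flv|bin|mp3|wav|asx|pls|zip|7z|rar|tar|gz|bz2|wim|xz|c|h|
hpp|cpp|php|php3|php4|php5|py|pl|sln|js|json|inc|sql|java|class|ini|asm|clx|tbb|tbi|tbk|pst|dbx|cbf|crypted|tib|eml|fld|vbm|vbk|vib|vhd|1cd|dt|cf|cfu|mxl|epf|vrp|grs|geo|elf|lgf|lgp|log|st|pff|
mft|efd|md|dmp|fdb|lst|fbk
"""


def parse_extension_list(raw):
    """Split the '|'-separated list into a lowercase set.
    Duplicates in the posted list ('pst' and 'pdd' appear twice) collapse."""
    return frozenset(tok.strip().lower() for tok in raw.split("|") if tok.strip())


TARGETED_EXTENSIONS = parse_extension_list(TARGETED_EXTENSIONS_RAW)


def extension_of(path):
    """Last suffix without the dot, lowercased; '' when the name has none.
    'backup.tar.gz' yields 'gz', which is how the encoder's list matches it."""
    return PureWindowsPath(path).suffix.lstrip(".").lower()


def is_in_encryption_scope(path, targeted=TARGETED_EXTENSIONS):
    """True if the file's extension is one the encoder goes after (case-insensitive)."""
    return extension_of(path) in targeted


def looks_like_masquerading_csrss(path):
    """The post says the dropped copy sits in ProgramData\\Windows as csrss.exe.
    The genuine csrss.exe lives in %SystemRoot%\\System32, so any other
    location for that file name is an indicator worth a look."""
    p = PureWindowsPath(path)
    if p.name.lower() != "csrss.exe":
        return False
    parent = [part.lower() for part in p.parent.parts]
    return parent[-2:] != ["windows", "system32"]


def triage(paths):
    """Split an inventory into files the encoder would hit, files it would
    skip, and paths matching the dropped-binary indicator."""
    report = {"would_encrypt": [], "spared": [], "dropper_indicator": []}
    for path in paths:
        if looks_like_masquerading_csrss(path):
            report["dropper_indicator"].append(path)
        key = "would_encrypt" if is_in_encryption_scope(path) else "spared"
        report[key].append(path)
    return report


# Constructed inventory for the demonstration (not from a real host).
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Documents\budget.XLSX",
    r"C:\Users\alice\Pictures\IMG_0001.jpg",
    r"C:\Users\alice\Downloads\backup.tar.gz",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Windows\System32\csrss.exe",
    r"C:\ProgramData\Windows\csrss.exe",
    r"C:\Users\alice\src\main.go",
    r"C:\Users\alice\Documents\report.pdf",
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

Note that executables are absent from the list (so the dropped csrss.exe and the user's own programs are spared), while single-letter source extensions such as `c` and `h` are present; the matcher only looks at the last suffix, so it mirrors the encoder's own naive extension test rather than trying to be smarter than it.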
 #29543  by xors
 Fri Nov 11, 2016 8:10 pm
Ransomware. Encrypts files with 'da_vinci_code' extension

Edit: Troldesh or Shade ransomware
Attachments (password: infected, 1018.24 KiB)
 #29878  by EP_X0FF
 Thu Jan 26, 2017 5:56 am
Newest Troldesh/Shade, delivered in email attachment.

JS downloader

MD5 a3d8e080af837ca9f6d0fd8948b4b27d
SHA1 defea0e4496da3fc6514a331e4f99ce01e58d526
SHA256 c559963ac9bac905aa3462df2ddd2ad1486d596026d08d208d1747225e1795be
https://www.virustotal.com/en/file/c559 ... /analysis/

NSIS installer (malware inside in encrypted blob), itself then packed with UPX.

MD5 f18f2e6a984a8a7e8e787f4f052c8bd9
SHA1 72dc0821b7f510a55d8010a22161e21bbac92c96
SHA256 7d9380055fea5e6c7901b2ce9f1b13de67cddaa2c2823fd08ecde6d37d4f245e
https://www.virustotal.com/en/file/7d93 ... /analysis/

Kaspersky analysis
https://securelist.com/analysis/publica ... le-threat/
Attachments (pass: infected, 891.98 KiB)
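Added example (not part of the thread): a Python hash-matching routine that takes the MD5/SHA1/SHA256 values posted above for the JS downloader and the NSIS installer and checks a batch of e-mail attachments against them, plus a crude string-marker check for the two wrappers the post names (UPX and NSIS). The attachment contents are constructed in-memory stand-ins, not the real samples, so they match nothing; the function names and the packer markers used are my own choices, and the marker check is a heuristic, not a packer identifier.

```python
import hashlib

# Hashes exactly as posted in the thread for the two Troldesh/Shade artefacts.
KNOWN_IOCS = {
    "Troldesh/Shade JS downloader": {
        "md5": "a3d8e080af837ca9f6d0fd8948b4b27d",
        "sha1": "defea0e4496da3fc6514a331e4f99ce01e58d526",
        "sha256": "c559963ac9bac905aa3462df2ddd2ad1486d596026d08d208d1747225e1795be",
    },
    "Troldesh/Shade NSIS installer (UPX)": {
        "md5": "f18f2e6a984a8a7e8e787f4f052c8bd9",
        "sha1": "72dc0821b7f510a55d8010a22161e21bbac92c96",
        "sha256": "7d9380055fea5e6c7901b2ce9f1b13de67cddaa2c2823fd08ecde6d37d4f245e",
    },
}

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """All three digests of a blob, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def build_index(iocs):
    """Invert the IoC table into {(algorithm, hexdigest): label} so a lookup
    is a single dict probe; digests are lowercased so source formatting
    (upper-case hex from some feeds) does not cause misses."""
    index = {}
    for label, digests in iocs.items():
        for alg, value in digests.items():
            index[(alg.lower(), value.strip().lower())] = label
    return index


def match_sample(data, index):
    """(algorithm, label) for every IoC the blob matches; a hit on any one
    algorithm is enough, so a feed that only carries SHA256 still works."""
    digests = hash_bytes(data)
    return [(alg, index[(alg, digests[alg])])
            for alg in ALGORITHMS if (alg, digests[alg]) in index]


def packer_hints(data):
    """Heuristic string markers for the wrappers named in the post: UPX leaves
    'UPX!' / 'UPX0' section names, NSIS embeds 'NullsoftInst'. Trivial to
    strip, so treat a hit as a hint for the analyst, never as a verdict."""
    hints = []
    if b"UPX!" in data or b"UPX0" in data:
        hints.append("upx")
    if b"NullsoftInst" in data:
        hints.append("nsis")
    return hints


def scan_attachments(attachments, iocs=KNOWN_IOCS):
    """Map each attachment name to its IoC matches and packer hints."""
    index = build_index(iocs)
    return {
        name: {"iocs": match_sample(data, index), "hints": packer_hints(data)}
        for name, data in attachments.items()
    }


# Constructed attachment contents for the demonstration (not real samples).
SAMPLE_ATTACHMENTS = {
    "invoice_2017.js": b"var a = 'constructed stand-in, not the real downloader';",
    "setup.exe": b"MZ" + b"\x00" * 16 + b"UPX0" + b"\x00" * 8 + b"NullsoftInst",
    "readme.txt": b"plain text attachment",
}

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: iocs={verdict['iocs']} hints={verdict['hints']}")
```

Because the index is keyed on (algorithm, digest), extending it with further hashes from the linked Kaspersky write-up is a matter of adding entries to `KNOWN_IOCS`; nothing else changes.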