Wednesday, 16 January 2019

Free decryptor tool: Unpacking, Analysis and solution for the JobCrypter ransomware

Hello everybody!

sha256: 37e28559fba615aee1204eebf551dc588f7dc5b8a7e11893a1602da40b03f4fb
sample URL (live malware, handle with care): http://axens[-]archi[.]com/5.exe

Today I saw a tweet from MalwareHunterTeam about a JobCrypter ransomware sample; everything was set up to have some fun :)

Once I got the sample I started the analysis with dnSpy... yet another Eazfuscator-protected exe.

I did not want to spend time deobfuscating and devirtualizing the malware, so... the easiest way was to infect myself with it :)
A couple of exes were created in %Appdata%, with no obfuscation at all... (LOL)

Digging inside "nlo.exe" in %Appdata% I found something very, very funny:

Its email credentials in plaintext: username and password. I couldn't resist logging in.....

Lovely <3 .... but back to work.
(I did not change the password; that is not up to me.)

If you have no Avast (AvastSvc process), Notepad is open (yes... notepad.exe... don't ask me why! :) ) and/or the email can't be sent correctly, the ransomware won't start its job.

Oh, I forgot to say: in that email the operator also gets a nice screenshot of your PC (stored under %Temp%) and the key to decrypt your data, together with the "VolumeSerialNumber" of C: and other stuff.

Well, it is pretty easy to guess what the Password variable is and what it contains.... ;)

Here we are in the encryption core, where the string_1 parameter is our registry value named "MOI", stored under Computer\HKEY_CURRENT_USER\Software. So the decryption key sits on the victim's own machine, besides being mailed to the operator.
The ransomware also ships a class named "DecodeFiles"... and it does what it says!!!
After a check with the awesome CryptoTester tool by @demonslay335, I did a very quick copy and paste, and here is the decryptor POC (no proper args[] checks; drive it yourself if needed):

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace FranceRansomwareDecryptor
{
    class Program
    {
        public static void Main(string[] args)
        {
            Console.WriteLine("Hello World!");
            // Computer\HKEY_CURRENT_USER\Software
            //MOI 6914262016XXXXXXX8153754XXXXXXX01007XX69574184XXXXXXX34846XX0245058
            //1 1
            Decode_File(args[0], args[1]);
            Console.Write("Press any key to continue . . . ");
            Console.ReadKey(true);
        }

        // Mirrors the ransomware's DecodeFiles: the .css file holds base64 of 3DES ciphertext whose plaintext is again base64 of the original bytes.
        public static void Decode_File(string string_0, string password)
        {
            try
            {
                string string_ = File.ReadAllText(string_0);
                string s = tdsDecode(GetStrings(string_), password, false);
                byte[] array = Convert.FromBase64String(s);
                string path = string_0.Replace(".css", "");
                using (FileStream fileStream = new FileStream(path, FileMode.Create))
                {
                    fileStream.Write(array, 0, array.Length);
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("Failed on " + string_0 + ": " + ex.Message);
            }
        }

        // Key = MD5(password): 16 bytes, used by TripleDES as two-key 3DES (K1, K2, K1); ECB mode, provider-default (PKCS7) padding.
        public static string tdsDecode(string string_0, string string_1, bool bool_0 = false)
        {
            using (TripleDESCryptoServiceProvider tripleDESCryptoServiceProvider = new TripleDESCryptoServiceProvider())
            using (MD5CryptoServiceProvider md5CryptoServiceProvider = new MD5CryptoServiceProvider())
            {
                tripleDESCryptoServiceProvider.Key = md5CryptoServiceProvider.ComputeHash(Encoding.ASCII.GetBytes(string_1));
                tripleDESCryptoServiceProvider.Mode = CipherMode.ECB;
                using (ICryptoTransform cryptoTransform = tripleDESCryptoServiceProvider.CreateDecryptor())
                {
                    byte[] array = Convert.FromBase64String(string_0);
                    return Encoding.ASCII.GetString(cryptoTransform.TransformFinalBlock(array, 0, array.Length));
                }
            }
        }

        // Returns the last field of the split input, skipping the first one.
        public static string GetStrings(string string_0)
        {
            int num = 0;
            string result = "";
            // NOTE: the separator character(s) were cut off in the original listing and are not
            // reproduced here; with an empty array Split() breaks on whitespace.
            string[] array = string_0.Split(new char[0], StringSplitOptions.None);
            int num2 = array.Length - 1;
            for (int i = 0; i <= num2; i++)
            {
                if (num == 0)
                {
                    num = 1;
                }
                else if (num == 1)
                {
                    result = array[i];
                }
            }
            return result;
        }
    }
}
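The same pipeline outside .NET, added here as an example and not part of the original post or of the ransomware's code: the Go block below re-implements tdsDecode and Decode_File from the listing above (MD5 of the "MOI" value as a 16-byte two-key 3DES key, ECB, two layers of base64), adds the matching encryptor so it can build a constructed sample to decrypt, and counts repeated ciphertext blocks to show what ECB leaks. The password and file content are made-up values, and PKCS7 padding is an assumption (the TripleDESCryptoServiceProvider default, which the C# never overrides). The field separator handled by GetStrings is not modelled, since it is cut off in the listing.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
)

// tdsKey mirrors the C# key setup: Key = MD5(ASCII(password)), 16 bytes. .NET's TripleDES
// treats a 16-byte key as two-key 3DES (K1, K2, K1); Go wants all 24 bytes, so K1 is appended.
func tdsKey(password string) []byte {
	sum := md5.Sum([]byte(password))
	return append(sum[:], sum[:8]...)
}

// PKCS7 padding: assumed, since the C# never sets Padding and PKCS7 is the provider default.
func pkcs7Pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize {
		return nil, errors.New("bad padding length")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("bad padding byte")
		}
	}
	return b[:len(b)-n], nil
}

// ecb applies Encrypt/Decrypt to every 8-byte block on its own: that is all CipherMode.ECB is.
func ecb(op func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += des.BlockSize {
		op(out[i:i+des.BlockSize], in[i:i+des.BlockSize])
	}
	return out
}

// tdsDecode is the Go twin of the C# tdsDecode: base64 -> 3DES-ECB decrypt -> unpad.
func tdsDecode(b64, password string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	block, _ := des.NewTripleDESCipher(tdsKey(password)) // key is always 24 bytes here
	return pkcs7Unpad(ecb(block.Decrypt, ct))
}

func tdsEncode(plain []byte, password string) string {
	block, _ := des.NewTripleDESCipher(tdsKey(password))
	return base64.StdEncoding.EncodeToString(ecb(block.Encrypt, pkcs7Pad(plain)))
}

// DecodeFile reproduces Decode_File's two layers: the 3DES plaintext is itself base64 of the file.
func DecodeFile(payload, password string) ([]byte, error) {
	inner, err := tdsDecode(payload, password)
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(string(inner))
}

func EncodeFile(content []byte, password string) string {
	return tdsEncode([]byte(base64.StdEncoding.EncodeToString(content)), password)
}

// RepeatedBlocks counts ciphertext blocks equal to an earlier one: the ECB tell-tale on repetitive input.
func RepeatedBlocks(payload string) int {
	ct, _ := base64.StdEncoding.DecodeString(payload)
	seen, dup := map[string]bool{}, 0
	for i := 0; i+des.BlockSize <= len(ct); i += des.BlockSize {
		k := string(ct[i : i+des.BlockSize])
		if seen[k] {
			dup++
		}
		seen[k] = true
	}
	return dup
}

func main() {
	const password = "constructed-MOI-value"        // constructed, not a real key
	content := []byte("constructed document body\n") // constructed, not a real victim file
	got, err := DecodeFile(EncodeFile(content, password), password)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(got, content), err)
	fmt.Printf("repeated ECB blocks for 96 x 'A': %d\n",
		RepeatedBlocks(EncodeFile(bytes.Repeat([]byte("A"), 96), password)))
}
```

Two things a decryptor author gets from this that the C# hides: .NET silently expands the 16-byte MD5 digest to K1,K2,K1, which any non-.NET tool has to do by hand, and with ECB a file made of 96 identical bytes encrypts to 16 identical ciphertext blocks (15 repeats), so even without the key the ciphertext tells you which files are repetitive.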

Does it work? Let's test :)

Victory! :)

You can compile the decryptor yourself or download it from here (zip password: 123):

RE Solver
