sha256: 37e28559fba615aee1204eebf551dc588f7dc5b8a7e11893a1602da40b03f4fb
https://www.virustotal.com/en/file/37e28559fba615aee1204eebf551dc588f7dc5b8a7e11893a1602da40b03f4fb/analysis/1547612281/
sample url - be careful! - http://axens[-]archi[.]com/5.exe
Today I saw a tweet from MalwareHunterTeam about a JobCrypter ransomware sample; everything was set up to have fun :)
Once I got the sample, I started the analysis with dnSpy... yet another Eazfuscator exe.
I did not want to spend time trying to deobfuscate and devirtualize the malware, so... the easiest way was to infect myself with it :)
A couple of exes have been created in %Appdata%, with no obfuscation at all... (LOL)
Digging inside "nlo.exe" in %Appdata% I found something very, very, very funny:
His email credentials in plaintext. Username and password. I couldn't resist logging in.....
Lovely <3 ... but back to work.
(I did not change the password; it's not up to me.)
Oh, I forgot to say: in the email, the owner also gets a nice screenshot of your PC (stored in the %Temp% path) and the key to decrypt your data, together with the "VolumeSerialNumber" of C: and other stuff.
Well, it is pretty easy to guess what the Password variable is and what it contains.... ;)
Here we are in the encryption core, where the string_1 parameter is our registry data named "MOI", stored in "Computer\HKEY_CURRENT_USER\Software".
The ransomware also provides another class named "DecodeFiles"... and it does what it says!!!
After a check with the awesome CryptoTester tool by @demonslay335, I made a very quick "copy and paste", and here is the decryptor POC (no proper args[] checks and no drive scan... do it yourself if needed):
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace FranceRansomwareDecryptor
{
    class Program
    {
        public static void Main(string[] args)
        {
            Console.WriteLine("Hello World!");
            // Computer\HKEY_CURRENT_USER\Software
            //MOI 6914262016XXXXXXX8153754XXXXXXX01007XX69574184XXXXXXX34846XX0245058
            //1 1
            // args[0] = encrypted file (".css"), args[1] = the key taken from the registry value
            Decode_File(args[0], args[1]);
            Console.Write("Press any key to continue . . . ");
            Console.ReadKey(true);
        }

        // Reads the encrypted container, decrypts it and writes the original file next to it
        public static void Decode_File(string string_0, string password)
        {
            try
            {
                string string_ = File.ReadAllText(string_0);
                string s = tdsDecode(GetStrings(string_), password, false);
                // the 3DES plaintext is itself Base64 of the original file bytes
                byte[] array = Convert.FromBase64String(s);
                string path = string_0.Replace(".css", "");
                FileStream fileStream = new FileStream(path, FileMode.Create);
                fileStream.Write(array, 0, array.Length);
                fileStream.Close();
                //File.Delete(string_0);
            }
            catch (Exception ex)
            {
                // a wrong key shows up here as a padding or Base64 error; report it instead of swallowing it
                Console.WriteLine("Failed to decode " + string_0 + ": " + ex.Message);
            }
        }

        // 3DES-ECB with key = MD5(ASCII password), exactly as the malware's own decoder does
        public static string tdsDecode(string string_0, string string_1, bool bool_0 = false)
        {
            TripleDESCryptoServiceProvider tripleDESCryptoServiceProvider = new TripleDESCryptoServiceProvider();
            MD5CryptoServiceProvider md5CryptoServiceProvider = new MD5CryptoServiceProvider();
            tripleDESCryptoServiceProvider.Key = md5CryptoServiceProvider.ComputeHash(Encoding.ASCII.GetBytes(string_1));
            tripleDESCryptoServiceProvider.Mode = CipherMode.ECB;
            ICryptoTransform cryptoTransform = tripleDESCryptoServiceProvider.CreateDecryptor();
            byte[] array = Convert.FromBase64String(string_0);
            return Encoding.ASCII.GetString(cryptoTransform.TransformFinalBlock(array, 0, array.Length));
        }

        // The container is ';' separated; this keeps the last field, which holds the Base64 ciphertext
        public static string GetStrings(string string_0)
        {
            int num = 0;
            string result = "";
            string[] array = string_0.Split(new char[] { ';' });
            checked
            {
                int num2 = array.Length - 1;
                for (int i = 0; i <= num2; i++)
                {
                    if (num == 0)
                    {
                        num = 1;
                    }
                    else if (num == 1)
                    {
                        result = array[i];
                    }
                }
                return result;
            }
        }
    }
}
Does it work? Let's test :)
Victory! :)
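The POC above handles one file and takes the key on the command line. The two things it leaves out (argument checks and a drive scan) are what a recovery tool needs in practice, so here is an added example, written for this page and not part of the original post or the ransomware's own code, that walks a directory tree, picks every ".css"-suffixed container, and recovers the original file with the same 3DES-ECB / MD5(password) / Base64 scheme described above. The encrypted file is never deleted, so a wrong key costs nothing. Assumptions: the key is a REG_SZ value named "MOI" directly under HKEY_CURRENT_USER\Software (the post shows it as "MOI <digits>" under that path; if the layout differs, pass the key as the second argument), the container keeps its ciphertext in the last ';'-separated field exactly as the sample's GetStrings does, and the tool runs on Windows where Microsoft.Win32.Registry is available.

```csharp
// Added example, not the original post's code. Recovers JobCrypter-style ".css" containers.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

namespace JobCrypterRecovery
{
    static class Recover
    {
        const string EncryptedSuffix = ".css";   // appended to the original file name (from the post)

        // Key derivation exactly as the sample does it: MD5 over the ASCII password.
        // A 16-byte key makes .NET run 2-key 3DES (K1, K2, K1).
        static byte[] DeriveKey(string password)
        {
            using (var md5 = MD5.Create())
                return md5.ComputeHash(Encoding.ASCII.GetBytes(password));
        }

        // The container is ';'-separated; the sample's GetStrings keeps the last field.
        static string ExtractCiphertext(string container)
        {
            string[] parts = container.Split(';');
            if (parts.Length < 2)
                throw new FormatException("no ';'-separated ciphertext field (not a JobCrypter container?)");
            return parts[parts.Length - 1];
        }

        // Returns the original file bytes, or throws on a malformed container / wrong key.
        static byte[] Decrypt(string container, string password)
        {
            byte[] ciphertext = Convert.FromBase64String(ExtractCiphertext(container));
            if (ciphertext.Length == 0 || ciphertext.Length % 8 != 0)
                throw new FormatException("ciphertext is not a whole number of 3DES blocks");
            using (TripleDES tdes = TripleDES.Create())
            {
                tdes.Key = DeriveKey(password);
                tdes.Mode = CipherMode.ECB;        // same as the sample, no IV involved
                tdes.Padding = PaddingMode.PKCS7;  // the .NET default the sample relies on
                using (ICryptoTransform dec = tdes.CreateDecryptor())
                {
                    byte[] inner = dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
                    // the 3DES plaintext is itself Base64 of the original file bytes
                    return Convert.FromBase64String(Encoding.ASCII.GetString(inner));
                }
            }
        }

        // Assumption: value "MOI" under HKCU\Software holds the key as a string.
        static string ReadKeyFromRegistry()
        {
            using (RegistryKey software = Registry.CurrentUser.OpenSubKey("Software"))
                return software?.GetValue("MOI") as string;
        }

        static int Main(string[] args)
        {
            if (args.Length < 1 || args.Length > 2)
            {
                Console.Error.WriteLine("usage: Recover <directory> [key]   (key defaults to HKCU\\Software\\MOI)");
                return 2;
            }
            string password = args.Length == 2 ? args[1] : ReadKeyFromRegistry();
            if (string.IsNullOrEmpty(password))
            {
                Console.Error.WriteLine("no key given and none found in the registry");
                return 2;
            }

            int ok = 0, failed = 0;
            foreach (string path in Directory.EnumerateFiles(args[0], "*" + EncryptedSuffix, SearchOption.AllDirectories))
            {
                string outPath = path.Substring(0, path.Length - EncryptedSuffix.Length);
                try
                {
                    if (File.Exists(outPath))
                        throw new IOException("original already present, not overwriting");
                    byte[] original = Decrypt(File.ReadAllText(path), password);
                    File.WriteAllBytes(outPath, original);   // encrypted file is kept on purpose
                    ok++;
                }
                catch (Exception ex) when (ex is FormatException || ex is CryptographicException || ex is IOException)
                {
                    failed++;
                    Console.Error.WriteLine(path + ": " + ex.Message);
                }
            }
            Console.WriteLine("recovered " + ok + ", failed " + failed);
            return failed == 0 ? 0 : 1;
        }
    }
}
```

Run it as `Recover C:\Users\victim\Documents` on the infected account, or `Recover <dir> <key>` with a key copied out of the registry. A real stylesheet that happens to end in .css fails the Base64 or ';' check and is simply reported, and a wrong key surfaces as a CryptographicException (bad PKCS7 padding) or a Base64 error on the inner layer, so the counters at the end tell you whether the key was right before anything is deleted.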
You can compile the decryptor yourself or download it from here (zip password: 123): https://ufile.io/als52
Cheers!
RE Solver