nRansom
nRansom v2 Analysis: http://blog.xsecantivirus.com/2017/09/nransom-v2/
nRansom v3 Analysis: http://xywcloud.blogspot.com/2017/10/nransom-v3.html
A very funny "ransomware", but I think it can only be called a "LockScreen" (or WinLock).
[Figure: Load into Exeinfo PE]
PureBasic Compiler? After seeing this, my guess is that it was wrapped with "BAT2EXE".
Now, let's run it in Sandboxie.
[Figure: Files in sandbox]
Well, my guess was right. It seems that the actual malicious file is written in .NET, so let's load it into a decompiler.
[Figure: Critical function]
Oh, the unlock code is hardcoded; its value is "12345". It seems like a joke.
Malware Sample URL: http://bbs.kafan.cn/thread-2103564-1-1.html
Related MD5:
9A60890FC062D10D826C31D049706AB7
773776263762568ED199228579FE4A54
X-Sec Antivirus Detection:
Cloud Engine: Cloud:Trojan.Win32.LockScreen
Local Engine: Trojan.Win32.nRansom.A!GEN (only for the final payload)
Required Virus Definition Version: 2017.09.25.01 (not released when this blog was published)
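As an added example (not code from the original post or from X-Sec Antivirus): a small triage helper for files recovered from the sandbox. It computes each file's MD5, compares it with the two values listed above, and checks the PE header for a CLR runtime directory to tell whether a dropped file is a .NET assembly worth loading into a decompiler. The function names and the `make_pe` header stub are assumptions made for this illustration.

```python
import hashlib
import struct
import sys

# MD5 values listed under "Related MD5" in this post, lowercased.
RELATED_MD5 = {
    "9a60890fc062d10d826c31d049706ab7",
    "773776263762568ed199228579fe4a54",
}

def is_dotnet(data: bytes) -> bool:
    """True if data is a PE image whose CLR runtime header (data directory 14) is set."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew: offset of "PE\0\0"
    opt = pe + 24                                   # skip signature (4) + COFF header (20)
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < opt + 2:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                 # PE32 / PE32+
        return False
    dirs = opt + (96 if magic == 0x10B else 112)    # start of the data directories
    # dirs - 4 holds NumberOfRvaAndSizes; entry 14 must exist and fit in the buffer.
    if len(data) < dirs + 15 * 8 or struct.unpack_from("<I", data, dirs - 4)[0] < 15:
        return False
    rva, size = struct.unpack_from("<II", data, dirs + 14 * 8)
    return rva != 0 and size != 0

def triage(data: bytes) -> dict:
    """Hash one dropped file and flag the two properties the analysis relies on."""
    md5 = hashlib.md5(data).hexdigest()
    return {"md5": md5, "known": md5 in RELATED_MD5, "dotnet": is_dotnet(data)}

def make_pe(clr: bool) -> bytes:
    """Constructed PE32 header stub for testing the parser; not a real sample."""
    buf = bytearray(0x40 + 24 + 96 + 16 * 8)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)         # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x58, 0x10B)        # optional header magic: PE32
    struct.pack_into("<I", buf, 0x58 + 92, 16)      # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", buf, 0x58 + 96 + 14 * 8, 0x2008, 0x48)
    return bytes(buf)

if __name__ == "__main__":
    for path in sys.argv[1:]:                       # e.g. files copied out of the sandbox
        with open(path, "rb") as f:
            print(path, triage(f.read()))
```

A native wrapper stage will report `dotnet: False`, while a managed payload written out at run time reports `True`.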