nRansom

nRansom v2 Analysis: http://blog.xsecantivirus.com/2017/09/nransom-v2/
nRansom v3 Analysis: http://xywcloud.blogspot.com/2017/10/nransom-v3.html

A very funny "ransomware", but I think we can only call it "LockScreen"(or WinLock).

Load into Exeinfo PE
PureBasic Compiler? After I saw this, I would like to guess it was wrapped with "BAT2EXE"
Now, let's run it in Sandboxie.
Files in sandbox
Well, what I guess is right. It seems that the actual malicious file is written by .NET, let's load it into decompiler.
Critical function
Oh, the unlock code is hardcoded, its value is "12345", seems like a joke.

Malware Sample URL: http://bbs.kafan.cn/thread-2103564-1-1.html

Related MD5:
9A60890FC062D10D826C31D049706AB7
773776263762568ED199228579FE4A54
X-Sec Antivirus Detection:
Cloud Engine: Cloud:Trojan.Win32.LockScreen
Local Engine: Trojan.Win32.nRansom.A!GEN(Only for the final payload)
Required Virus Definition Version: 2017.09.25.01(Not released when this blog published)

Comments

Post a Comment

Popular posts from this blog

Behavior-based Signature Changelog

About a week ago, I started to deploy Cuckoo Sandbox on my old laptop(I would like to use it as Cloud Analysis for X-Sec Antivirus in the future) and I finished deployment on 31th Mar. 2018.

After a overview of Cuckoo Community signature, I found that the signatures can't meet my need, so it's time to create extra signatures to enhance malware detection.

Due to the lack of official document, create a signature usually costs me 3~4 hours, but it doesn't matter, the time will be reduced after I'm proficient in doing it.

Here is the signature changelog.

+ -> add
↑ -> improve/bugfix
- -> remove
× -> try to add signature but failed/unnecessary to add signature

Already Covered Malware Families:

RevCode
Quasar
Pony(Fareit)
AZORult
Backdoor(Generic Detection)
Injector(Generic Detection)
Nitol
DotnetCrypter
DelfCrypter
Tinba
NsisInject
Ransomware(Generic Detection)
Adware.Downloader
Hancitor
Panda(Banker)
Betabot
Trickbot
InfoStealer(Generic Detection)
Neshta
Expiro
Read more

满血满魔,原地复活!

好了,满血满魔,原地复活!
帝都某处的一场大火,再加上人口控制的压力,让整个帝都的外来人员都陷入了恐慌之中。
当然,我也属于这群人中的一个,虽然情况相比起来算是好很多的,但是仍然是有概率“中奖”的。
实际上我并没有“中奖”,但是在某一刻,我感觉我自己和“大奖”擦肩而过。
与其等着概率性被拆,不如主动行动起来去寻找新的住处。现在一切恢复正常,我换了一间非隔断的房间,今天一下午把所有东西搬了过去。
明天还有一天的缓冲时间,还有一些事情需要处理,剩下的时间可以好好休息下,准备周三恢复正常工作,还有正常的生活。
===============================
与“大奖”擦肩而过的那一刻:
我在第n轮搬东西的时候,下电梯正好碰到几个人,戴着什么工作证之类的,当时就感觉情况有些不妙。走出大厅后听见几个常住居民在外面议论那堆人进去干嘛,有几个人就说应该是来检查群租房的...
Read more

X-Sec Antivirus开发者日志 - 放几张新界面截图

Image
这段时间其实工作还是挺忙的,再加上自己和队友都有比较严重的拖更问题(其实他那边也有不少事情),所以新界面的进度一直都很慢,也很少有机会发点狠推进一波。
只不过上个礼拜我和他还是抓住了机会推进了一波,不然你们也不会看到卡饭论坛那边的更新帖上的开发进度跳了一下。
下面放两张主界面的截图出来:



Product License?没错,将来会有收费功能你可以看到防护和工具箱的按钮被禁用了(将来这两个坑肯定要填上的)实际真正的扫描窗口与主界面是分离的多语言肯定会有的设置里面我又给自己挖了一些坑,将来也要填上
Read more