nRansom v2 Analysis:
nRansom v3 Analysis:

A very funny "ransomware", but I think we can only call it a "LockScreen" (or WinLock).

Load into Exeinfo PE
PureBasic Compiler? After seeing this, I would guess it was wrapped with "BAT2EXE".
Now, let's run it in Sandboxie.
Files in sandbox
Well, my guess was right. It seems that the actual malicious file is written in .NET; let's load it into a decompiler.
Critical function
Oh, the unlock code is hardcoded; its value is "12345". Seems like a joke.
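
As an added example (not from the original post or from the sample itself), this Python code shows how string literals such as the hardcoded unlock code can be recovered statically from a .NET assembly by walking its `#US` (user string) metadata heap, without running the file or opening a decompiler. The function names, the sample bytes and the "Wrong code" literal are constructed for illustration; only "12345" comes from the analysis above.

```python
import struct

def read_compressed_uint(buf, pos):
    """Decode an ECMA-335 compressed unsigned int; return (value, next_pos)."""
    b = buf[pos]
    if b & 0x80 == 0:                      # 1-byte form: 0xxxxxxx
        return b, pos + 1
    if b & 0xC0 == 0x80:                   # 2-byte form: 10xxxxxx
        return ((b & 0x3F) << 8) | buf[pos + 1], pos + 2
    return (((b & 0x1F) << 24) | (buf[pos + 1] << 16)
            | (buf[pos + 2] << 8) | buf[pos + 3]), pos + 4

def find_stream(image, name):
    """Return the bytes of a metadata stream such as b'#US', or None."""
    root = image.find(b"BSJB")             # metadata root signature (assumes first hit is real)
    if root < 0:
        return None
    (vlen,) = struct.unpack_from("<I", image, root + 12)
    pos = root + 16 + vlen                 # skip version string -> flags, stream count
    (count,) = struct.unpack_from("<H", image, pos + 2)
    pos += 4
    for _ in range(count):
        off, size = struct.unpack_from("<II", image, pos)
        end = image.index(b"\x00", pos + 8)
        if image[pos + 8:end] == name:
            return image[root + off:root + off + size]
        pos += 8 + ((end - pos - 8 + 4) & ~3)   # name is NUL-terminated, padded to 4
    return None

def user_strings(heap):
    """Walk the #US heap and return every string literal it holds."""
    out, pos = [], 0
    while pos < len(heap):
        length, pos = read_compressed_uint(heap, pos)
        if length and pos + length <= len(heap):   # skip empty entries and truncated tails
            out.append(heap[pos:pos + length - 1].decode("utf-16-le", "replace"))
        pos += length                      # length includes the trailing flag byte
    return out

def build_sample():
    """Constructed stand-in for a .NET payload: stub bytes + metadata root + #US heap."""
    us = b"\x00"                           # heap index 0 is always the empty entry
    for s in ("Wrong code", "12345"):      # constructed literal, then the code from the post
        raw = s.encode("utf-16-le")
        us += bytes([len(raw) + 1]) + raw + b"\x00"
    ver = b"v4.0.30319\x00\x00"
    hdr = b"BSJB" + struct.pack("<HHII", 1, 1, 0, len(ver)) + ver + struct.pack("<HH", 0, 1)
    return b"MZ" + bytes(62) + hdr + struct.pack("<II", len(hdr) + 12, len(us)) + b"#US\x00" + us

print(user_strings(find_stream(build_sample(), b"#US")))
```

On a real file, pass the bytes read from disk to `find_stream`; obfuscated samples may encrypt their literals, in which case the heap will not show them in clear text.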

Malware Sample URL:

Related MD5:
X-Sec Antivirus Detection:
Cloud Engine: Cloud:Trojan.Win32.LockScreen
Local Engine: Trojan.Win32.nRansom.A!GEN (only for the final payload)
Required Virus Definition Version: 2017.09.25.01 (not released when this blog post was published)

