nRansom

nRansom v2 Analysis: http://blog.xsecantivirus.com/2017/09/nransom-v2/
nRansom v3 Analysis: http://xywcloud.blogspot.com/2017/10/nransom-v3.html

A very funny "ransomware", but I think we can only call it "LockScreen" (or WinLock).

(Screenshot: loaded into Exeinfo PE)
PureBasic compiler? After seeing this, my guess is that it was wrapped with "BAT2EXE".
Now, let's run it in Sandboxie.
(Screenshot: files in the sandbox)
Well, my guess was right. The actual malicious file appears to be written in .NET, so let's load it into a decompiler.
(Screenshot: the critical function)
The unlock code is hardcoded; its value is "12345", which seems like a joke.

Malware Sample URL: http://bbs.kafan.cn/thread-2103564-1-1.html

Related MD5:
9A60890FC062D10D826C31D049706AB7
773776263762568ED199228579FE4A54
X-Sec Antivirus Detection:
Cloud Engine: Cloud:Trojan.Win32.LockScreen
Local Engine: Trojan.Win32.nRansom.A!GEN (only for the final payload)
Required Virus Definition Version: 2017.09.25.01 (not yet released when this post was published)
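To show why a hardcoded unlock code like the one above is trivially recoverable, and how the MD5 indicators listed here are used in triage, this is an added example that is not part of the original post or of the X-Sec engine. It scans a byte blob for both ASCII and UTF-16LE printable runs (the .NET #US heap stores string literals as UTF-16LE, so an ASCII-only strings pass would miss the code) and hashes the blob against the post's two MD5s. The SAMPLE_BYTES blob is constructed here to mimic the shape of the binary; it is not the nRansom sample, so its hash does not match the indicators.

```python
import hashlib
import re

# Constructed stand-in for a sample (NOT the real nRansom binary): a fake DOS
# header, an ASCII run, and UTF-16LE literals the way a .NET #US heap stores them.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00"           # start of a fake DOS header
    + b"Unlock Code:\x00\x00"               # ASCII run, NUL-terminated
    + "12345".encode("utf-16-le")           # UTF-16LE literal, like a .NET string
    + b"\x00\x01\x02\x03"                   # unprintable filler
    + "Wrong code!".encode("utf-16-le")     # second UTF-16LE literal
)

# MD5 indicators quoted from the post; the only sample-specific values used here.
NRANSOM_MD5S = {
    "9a60890fc062d10d826c31d049706ab7",
    "773776263762568ed199228579fe4a54",
}


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string, lower-cased so IoC comparison is case-insensitive."""
    return hashlib.md5(data).hexdigest()


def matches_known_sample(data: bytes, known_md5s=NRANSOM_MD5S) -> bool:
    """True if the MD5 of `data` is one of the known indicators."""
    return md5_hex(data) in {h.lower() for h in known_md5s}


def extract_strings(data: bytes, min_len: int = 4):
    """Return (ascii_strings, utf16le_strings): printable runs of at least min_len chars.

    The UTF-16LE pattern looks for printable ASCII bytes each followed by a NUL,
    which is how .NET stores string literals in its #US metadata heap.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_hits = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    utf16_hits = [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return ascii_hits, utf16_hits


def find_candidate_codes(data: bytes, min_len: int = 4):
    """Digit-only strings in either encoding: the cheap check that surfaces '12345'."""
    ascii_hits, utf16_hits = extract_strings(data, min_len)
    return sorted({s for s in ascii_hits + utf16_hits if s.isdigit()})


if __name__ == "__main__":
    print("MD5:", md5_hex(SAMPLE_BYTES), "known sample:", matches_known_sample(SAMPLE_BYTES))
    ascii_strs, utf16_strs = extract_strings(SAMPLE_BYTES)
    print("ASCII strings:", ascii_strs)
    print("UTF-16LE strings:", utf16_strs)
    print("Candidate unlock codes:", find_candidate_codes(SAMPLE_BYTES))
```

Run against a real dropped payload, the UTF-16LE pass is the one that surfaces the literal the decompiler screenshot shows; the hash check is only a first-stage filter, since any rebuild of the same source produces a new MD5 while the hardcoded code stays the same.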
