nRansom v3

nRansom Analysis: http://xywcloud.blogspot.com/2017/09/nransom.html
nRansom v2 Analysis: http://blog.xsecantivirus.com/2017/09/nransom-v2/

Recently I got a sample, it claimed to be "nRansom3".
The sample I got is written in C#.NET, not packed or obfuscated.
So let's loaded into decompiler.
Loaded into decompiler
We can easily find the unlock code, and nothing about file encryption found, it also didn't contain music play module.
But, when I ran it in Sandboxie, I found something different.
Run it in Sandboxie
The author asks user to buy $150 worth of bitcoin(cancer cells...) and send them to a specific bitcoin address first, seems like an additional requirement than nRansom v1 & v2.
In my laptop, the email address has been covered by an input-box, maybe author didn't think about how to fit the screen. But we can find the original text from file's resource.
Original text
It uses the same email address of nRansom v2.
Well, I think it's another "LockScreen", not a "Ransomware".

Related MD5:
6851D5EEF0C103649F02DF57A4D2648E
X-Sec Antivirus Detection:
Cloud Engine: Cloud:Trojan.Win32.LockScreen

Comments

Post a Comment

Popular posts from this blog

满血满魔,原地复活!

好了,满血满魔,原地复活!
帝都某处的一场大火,再加上人口控制的压力,让整个帝都的外来人员都陷入了恐慌之中。
当然,我也属于这群人中的一个,虽然情况相比起来算是好很多的,但是仍然是有概率“中奖”的。
实际上我并没有“中奖”,但是在某一刻,我感觉我自己和“大奖”擦肩而过。
与其等着概率性被拆,不如主动行动起来去寻找新的住处。现在一切恢复正常,我换了一间非隔断的房间,今天一下午把所有东西搬了过去。
明天还有一天的缓冲时间,还有一些事情需要处理,剩下的时间可以好好休息下,准备周三恢复正常工作,还有正常的生活。
===============================
与“大奖”擦肩而过的那一刻:
我在第n轮搬东西的时候,下电梯正好碰到几个人,戴着什么工作证之类的,当时就感觉情况有些不妙。走出大厅后听见几个常住居民在外面议论那堆人进去干嘛,有几个人就说应该是来检查群租房的...
Read more

Behavior-based Signature Changelog

About a week ago, I started to deploy Cuckoo Sandbox on my old laptop(I would like to use it as Cloud Analysis for X-Sec Antivirus in the future) and I finished deployment on 31th Mar. 2018.

After a overview of Cuckoo Community signature, I found that the signatures can't meet my need, so it's time to create extra signatures to enhance malware detection.

Due to the lack of official document, create a signature usually costs me 3~4 hours, but it doesn't matter, the time will be reduced after I'm proficient in doing it.

Here is the signature changelog.

+ -> add
↑ -> improve/bugfix
- -> remove
× -> try to add signature but failed/unnecessary to add signature

2018.04.21
+ dyncompile[Behavior]
↑ suspicious_url[Behavior]

2018.04.20
↑ suspicious_domain[Behavior]

2018.04.19
+ suspicious_domain[Behavior]
+ suspicious_url[Behavior]

2018.04.18
+ Sality
↑ Orcus

2018.04.17
+ antidebug_detectapi[Behavior]

2018.04.16
+ findwindow[Behavior]
× Formbook

2018.04.15
+ modify_t…
Read more

nRansom

Image
nRansom v2 Analysis: http://blog.xsecantivirus.com/2017/09/nransom-v2/
nRansom v3 Analysis: http://xywcloud.blogspot.com/2017/10/nransom-v3.html

A very funny "ransomware", but I think we can only call it "LockScreen"(or WinLock).

PureBasic Compiler? After I saw this, I would like to guess it was wrapped with "BAT2EXE"
Now, let's run it in Sandboxie.
Well, what I guess is right. It seems that the actual malicious file is written by .NET, let's load it into decompiler.
Oh, the unlock code is hardcoded, its value is "12345", seems like a joke.

Malware Sample URL: http://bbs.kafan.cn/thread-2103564-1-1.html

Related MD5:
9A60890FC062D10D826C31D049706AB7
773776263762568ED199228579FE4A54
X-Sec Antivirus Detection:
Cloud Engine: Cloud:Trojan.Win32.LockScreen
Local Engine: Trojan.Win32.nRansom.A!GEN(Only for the final payload)
Required Virus Definition Version: 2017.09.25.01(Not released when this blog published)
Read more