
Decrypting (Ransom:Win32/Haperlock.A)


#1 eeeeh


Posted 04 December 2015 - 11:08 PM

Hello,
 
I got this ransom trojan in 2013 and found a decrypter tool from Sophos that could decrypt the first 4096 bytes of a file. I have no clue if this is a bug or if it was meant as a generic decrypter and it's not quite working right or whatever. I played around with this again today and found you could remove the first 4096 bytes of a file and it would decrypt the first 4096 bytes of the new file, and with this method a whole file can be decrypted. This is pretty tedious though without a script, as the decrypter needs an original file and an encrypted file, and those files also need the same number of bytes removed at the beginning to decrypt an encrypted file properly.
 
If someone is interested in looking at this, here's a zip file (hxxps://drive.google.com/file/d/0ByfHqmpzNs8fS0YzQ3UwazQ0dEk/view?usp=sharing) with the ransom trojan (e8bcae53cdbb84c4.exe), a second trojan downloader (vistrvfd.exe) which may be related, decrypter, original files, untouched encrypted files as the trojan created them, and prepared files. The prepared files are named so the decrypter will accept them, and they have the first 8 bytes removed which were added during encryption. The decrypter wouldn't work otherwise.
 
Here's a screenshot of the lockscreen.
 
Fresh scans of ransom trojan and trojan downloader.
 
If there's already a better decrypter for this, or if someone wants to find a better way to decrypt the files based on this, that would be great.
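The manual trick described in the post above (strip the 8-byte header, then keep chopping 4096 bytes off the front of both the reference files and the target so a block-limited decrypter sees each window as "the first 4096 bytes") can be automated. The script below is an added example, not the poster's tooling and not the Sophos decrypter; it assumes the decrypter's behaviour is a function taking a header-stripped original/encrypted reference pair plus a header-stripped target and returning only the first 4096 bytes, and it assumes the keystream depends only on byte position, which is what the poster's observation implies. The `stand_in_decrypt_first_block`, `toy_encrypt`, `toy_keystream` and `TOY_HEADER` names are constructed stand-ins for demonstration, and the XOR keystream is a toy model rather than the real Haperlock cipher.

```python
import hashlib

HEADER_LEN = 8      # bytes the trojan prepends to each encrypted file (per the post)
BLOCK_LEN = 4096    # bytes the Sophos decrypter handles per run (per the post)

# Constructed 8-byte header standing in for whatever the trojan actually prepends.
TOY_HEADER = b"\xde\xad\xbe\xef\x00\x00\x00\x00"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(seed: bytes, length: int) -> bytes:
    """Position-dependent keystream for the toy model; NOT the real Haperlock cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(plain: bytes, seed: bytes) -> bytes:
    """Constructed stand-in for the trojan: header + keystream-XORed body."""
    return TOY_HEADER + xor_bytes(plain, toy_keystream(seed, len(plain)))


def stand_in_decrypt_first_block(ref_plain: bytes, ref_cipher: bytes, target_cipher: bytes) -> bytes:
    """Models the Sophos tool as the post describes it: given a known original/encrypted
    pair (header already stripped) it recovers the keystream by XOR, but only ever
    returns the first BLOCK_LEN bytes of the target, whatever the target's length."""
    n = min(BLOCK_LEN, len(ref_plain), len(ref_cipher), len(target_cipher))
    ks = xor_bytes(ref_plain[:n], ref_cipher[:n])
    return xor_bytes(target_cipher[:n], ks)


def decrypt_full(target_cipher: bytes, ref_plain: bytes, ref_cipher: bytes,
                 decrypt_first_block=stand_in_decrypt_first_block) -> bytes:
    """Automates the poster's manual trick: strip the 8-byte header, then repeatedly
    drop BLOCK_LEN bytes from the front of ALL inputs (reference pair and target
    alike) so the block-limited decrypter sees each 4096-byte window as 'the first
    4096 bytes', and concatenate the recovered windows."""
    target_body = target_cipher[HEADER_LEN:]
    ref_body = ref_cipher[HEADER_LEN:]
    if len(ref_plain) < len(target_body) or len(ref_body) < len(target_body):
        # The keystream can only be recovered as far as the reference pair reaches.
        raise ValueError("reference pair must be at least as long as the target body")
    recovered = bytearray()
    for offset in range(0, len(target_body), BLOCK_LEN):
        window = decrypt_first_block(ref_plain[offset:], ref_body[offset:], target_body[offset:])
        recovered += window[:BLOCK_LEN]
    return bytes(recovered)


if __name__ == "__main__":
    # Constructed demo data: a 10240-byte 'original' file and an 8800-byte file to recover.
    seed = b"constructed-demo-seed"
    ref_plain = bytes(range(256)) * 40
    target_plain = b"quarterly report line\n" * 400
    ref_cipher = toy_encrypt(ref_plain, seed)
    target_cipher = toy_encrypt(target_plain, seed)
    print(len(stand_in_decrypt_first_block(ref_plain, ref_cipher[HEADER_LEN:],
                                           target_cipher[HEADER_LEN:])))  # 4096
    print(decrypt_full(target_cipher, ref_plain, ref_cipher) == target_plain)  # True
```

To drive a real external tool instead of the stand-in, pass a `decrypt_first_block` callable that writes its three byte-string arguments to files named the way the tool expects, runs it, and returns the output bytes; the window loop does not change. The length check matters in practice: a reference pair shorter than the file being recovered leaves the tail of that file undecryptable, so the script refuses rather than silently returning a truncated result.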



#2 quietman7

    Bleepin' Janitor (Global Moderator)

Posted 05 December 2015 - 08:33 AM


Yes, that appears to be an older infection and several removal guides were created to assist.

Remove the FBI MoneyPak Ransomware or the Reveton Trojan
How to remove FBI Ransomware infection

Grinler (aka Lawrence Abrams), the site owner of Bleeping Computer, created the following guide for dealing with some types of ransomware infections using HitmanPro to create a HitmanPro kickstart USB drive: Your computer has been locked Ransomware Removal Guide using HitmanPro.Kickstart

Note: HitmanPro.Kickstart will not work on Windows 8 because its boot method is different...see here.