Mobef Ransomware Support and Help Topic (.KEYZ, .KEYH0LES) - -INFECTION.TXT


41 replies to this topic

#1 sastrebetxi

  • Members
  • 3 posts

Posted 20 April 2016 - 10:45 AM

Need help with case SHA1: b75a8e75a7ec63f84b6720fd5c9a1860
 
I have a PC infected with a new ransomware.

No extension change on files, and 2 files appear in all encrypted directories:

date-INFECTIONE.txt
date000.KEY

date-INFECTION.txt contains this text:
 
YourID: 2886098
PC: HOME
USER: user
*********
Hey
Your files are now encrypted. I have the key to decrypt them back. I will give you a decrypter if you pay me. Email me at: momsbestfriend@protonmail.com or torrenttracker@india.com
If you dont get a reply or if both emails die, then contact me using a guaranteed, foolproof
Bitmessage: download it form here https://github.com/mailchuck/PyBitmessage/releases/download/v0.5.8/Bitmessage-0.5.8.exe
Run it, click New Identity and then send me a message at BM-NBvzKEY8raDBKb9Gp1xZMRQpeU5svwg2
Cheers
 
Anybody to help me???
Thanks.


#2 Demonslay335

  • Ransomware Hunter
  • Security Colleague
  • 3,244 posts
  • Gender:Male
  • Location:USA

Posted 20 April 2016 - 12:07 PM

I saw this come through earlier and it is under investigation currently. It is a new one called Mobef. Still gathering information on it.

 

Can you provide any samples of the malware? If so, please upload them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 sastrebetxi

  • Topic Starter
  • Members
  • 3 posts

Posted 20 April 2016 - 03:02 PM

Ok.

Yes, I will provide you samples tomorrow when I come back to work.

Thanks for reply.

#4 sastrebetxi

  • Topic Starter
  • Members
  • 3 posts

Posted 21 April 2016 - 09:36 AM

Hi.

 

I have provided you samples of encrypted .docx and .pdf files.

 

Thanks.



#5 Demonslay335

  • Ransomware Hunter
  • Security Colleague
  • 3,244 posts
  • Gender:Male
  • Location:USA

Posted 21 April 2016 - 09:42 AM

I see a similar pattern in the hex that I believe I've seen with other ransomwares that are based on a sold underground kit. I don't know enough about it to really guide you any further though at this point.

 

We'll need the actual malware itself to analyse. You'll need to search the computer for what encrypted the data, or if you know how you got the infection (email attachment/link, downloaded program, website, etc.). You can search common locations such as %APPDATA% and %TEMP%. You can also scan using HitmanPro and MalwareBytes to try finding anything malicious.




#6 haystack

  • Members
  • 2 posts

Posted 21 April 2016 - 06:28 PM

Samples of this ransomware can be found here:

 

 


#7 BrunoMoniz

  • Members
  • 1 posts

Posted 22 April 2016 - 10:04 AM

Hi,

Got the same ransom note here. Avira detected a file named 33.tmp and I sent it to VirusTotal.

 

https://www.virustotal.com/en/file/4e52bc50ee616bae73ceb29e4044e37bab8acf836cd427818d8eb4d26d8dd78c/analysis/1461336269/

 

I have files with the .KEYH0LES extension.


 

 

4212016ATTACI.txt

"

YourID: 427047
PC: POSTO25
USER: ealemao
*********
Hi there

Your files are now encrypted. I have the key to decrypt them back.
I will give you a decrypter if you pay me. Email me at:
momsbestfriend@protonmail.com or torrenttracker@india.com

If you don't get a reply or if both emails die, then contact me using a guaranteed, foolproof Bitmessage:
download it form here https://github.com/mailchuck/PyBitmessage/releases/download/v0.5.8/Bitmessage-0.5.8.exe
Run it, click New Identity and then send me a message at BM-NBvzKEY8raDBKb9Gp1xZMRQpeU5svwg2
Just remember that Bitmessage is slow, it takes 5 minutes to send a message and 15 to get a reply.

Cheers

P.S. WARNING!!!!! Don't delete this file: C:\Documents and Settings\ealemao\Os meus documentos\427047.txt

"

 

Does someone have the same problem?

 

Thanks

 



#8 ruibranco

  • Members
  • 10 posts

Posted 29 April 2016 - 05:47 PM

Hi guys,

I'm having the same issue reported here. Are there any good news about this crypto variant?

I've uploaded one encrypted txt file to the above link, FYI.

Thanks, best regards


Edited by ruibranco, 29 April 2016 - 05:57 PM.


#9 Demonslay335

  • Ransomware Hunter
  • Security Colleague
  • 3,244 posts
  • Gender:Male
  • Location:USA

Posted 29 April 2016 - 06:11 PM

I haven't heard of any good news so far, still under analysis. I'm working on getting a sample for myself to see if I have a shot at looking at it.




#10 ruibranco

  • Members
  • 10 posts

Posted 29 April 2016 - 06:18 PM

Do you want me to send you some files?

I've the log file and the encrypted files; if you want I can send them to you.



#11 Demonslay335

  • Ransomware Hunter
  • Security Colleague
  • 3,244 posts
  • Gender:Male
  • Location:USA

Posted 29 April 2016 - 06:31 PM

> Do you want me to send you some files?
>
> I've the log file and the encrypted files; if you want I can send them to you.

 

If you have a file that you also have a clean copy of (e.g. Sample Pictures are good), that may help.




#12 quietman7

  • Bleepin' Janitor
  • Global Moderator
  • 49,917 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 April 2016 - 06:32 PM


Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation button.

#13 ruibranco

  • Members
  • 10 posts

Posted 29 April 2016 - 06:44 PM

quietman, I've already uploaded the encrypted file.

I've now uploaded the original file.

I also have INSTRUCTIONS.MSG and ENCRYPTION.KEY231 in all subfolders.

Thanks

best regards



#14 Demonslay335

  • Ransomware Hunter
  • Security Colleague
  • 3,244 posts
  • Gender:Male
  • Location:USA

Posted 29 April 2016 - 07:08 PM

> quietman, I've already uploaded the encrypted file.
>
> I've now uploaded the original file.
>
> I also have INSTRUCTIONS.MSG and ENCRYPTION.KEY231 in all subfolders.
>
> Thanks
>
> best regards

 

You can submit those as well. It does sound like Mobef possibly still, with yet another ransom note pattern <_< . Did your files have an extension added to them? I'm seeing all but the last 6 bytes were encrypted in the file you submitted (first 448 bytes encrypted).

 

This one is a bit above me to try analyzing on my own yet (requires a debugger, etc.), but it does look unsophisticated (title of window is "Hello World"). If the key file is one number, and is related to the encryption, it's a 4096-bit number; I don't think this is RSA-4096 (or at least not a proper implementation), as it does have smaller factors (I can factor 6 numbers out of it in just a few ECM curves, proper RSA-4096 would be only two semi-primes that would take centuries to find). Just going off some assumptions.


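As an added example (not code from the thread or from any of its posters), the two quick checks behind the observations in posts #11 and #14: a byte-range diff of an encrypted file against a clean copy, and a small-factor check on the number found in the key file. The function names and all sample data are constructed for the demo, and plain trial division stands in for the ECM run the post mentions.

```python
# Added example, not code from the thread or its posters. Two triage checks
# matching the observations in posts #11 and #14: which byte range of a file
# was changed (compare against a clean copy), and whether the decimal number
# in the key file has small factors (a real RSA modulus would have none).
# Trial division stands in for the ECM run mentioned in the post; all sample
# data below is constructed, not taken from a real Mobef case.


def diff_region(clean: bytes, encrypted: bytes):
    """Return (first_changed, last_changed, trailing_intact), or None if identical."""
    # Same-size inputs only: this case changed no sizes and added no extension.
    if len(clean) != len(encrypted):
        raise ValueError("sizes differ; compare only same-size clean/encrypted pairs")
    changed = [i for i, (a, b) in enumerate(zip(clean, encrypted)) if a != b]
    if not changed:
        return None
    first, last = changed[0], changed[-1]
    return first, last, len(clean) - 1 - last


def small_factors(n: int, bound: int = 100_000) -> list:
    """Trial-divide n by 2 and every odd d up to bound; return the factors found."""
    # Any hit means n cannot be a properly generated RSA modulus.
    found = []
    d = 2
    while d <= bound and d * d <= n:
        while n % d == 0:
            found.append(d)
            n //= d
        d += 1 if d == 2 else 2
    return found


# Constructed 454-byte "document": the first 448 bytes are XORed with 0x5A to
# stand in for the encrypted region; the last 6 bytes are left untouched.
CLEAN = bytes(range(256)) + bytes(range(198))
ENCRYPTED = bytes(b ^ 0x5A for b in CLEAN[:448]) + CLEAN[448:]

# Constructed key-file numbers. 2**89-1, 2**107-1 and 2**127-1 are Mersenne
# primes, so RSA_LIKE is a genuine semiprime (short of 4096 bits, for speed)
# while WEAK is the same kind of blob with small primes mixed in.
RSA_LIKE = (2**127 - 1) * (2**89 - 1)
WEAK = 3 * 7 * 11 * (2**107 - 1) * RSA_LIKE

if __name__ == "__main__":
    print("changed range / intact trailer:", diff_region(CLEAN, ENCRYPTED))
    print("small factors of WEAK:", small_factors(WEAK))
    print("small factors of RSA_LIKE:", small_factors(RSA_LIKE))
```

On the constructed sample, diff_region reports bytes 0 through 447 changed with a 6-byte intact trailer, which is the pattern the post describes; the trailer is the natural place to look for a per-file marker or size field when comparing more samples.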


#15 ruibranco

  • Members
  • 10 posts

Posted 30 April 2016 - 06:33 AM

Demonslay335, thank you for your help.

I will upload the other 2 files I have (in all folders and subdirectories).

I haven't got any change in file extensions, I just can't open the files.

I noticed that JPGs didn't corrupt, just the txt, doc, xlx and pdf files.

Thank you once more for your help.





