ACCDFISA v2.0 Ransomware Support Topic - filename(!! to get password email id *id* to *email* !!).exe/.rar


224 replies to this topic

#16 Demonslay335


Posted 07 June 2016 - 03:42 PM

> I have a system with this ransomware; looking on the internet, it seems that it's very similar to this: https://blog.cylance.com/cracking-ransomware#. I've spotted a few differences with my client's case: the random values in \ProgramData\svcfnmainstvestvs\stppthmainfv.dll are all numbers, and they don't look random.
>
> Let me know if you need more information.

Yes, I noticed the fake DLL while debugging. I'm not sure what the numbers mean yet.

 

Thanks for the link to that article. I remember reading it before... this is starting to look a lot like a resurgence of that same ransomware perhaps. I saw almost everything the same when I was looking at it - I just am not experienced enough to have put the pieces together the same as they did.


Edited by Demonslay335, 07 June 2016 - 03:47 PM.


#17 H0unter


Posted 07 June 2016 - 03:56 PM

> I have a system with this ransomware; looking on the internet, it seems that it's very similar to this: https://blog.cylance.com/cracking-ransomware#. I've spotted a few differences with my client's case: the random values in \ProgramData\svcfnmainstvestvs\stppthmainfv.dll are all numbers, and they don't look random.
>
> Let me know if you need more information.

This is the solution! But it is very painful to make all this code and steps :(



#18 NWehrli (Topic Starter)

Posted 07 June 2016 - 05:08 PM

Thanks very much, I'm not sure but I tried. Thanks



#19 alex_strange


Posted 07 June 2016 - 09:49 PM

> I think it is using a 27-character password on the archives, so there is no chance of brute-forcing it. Still looking into how the key is generated and used.

How do you know that the "allhelp16@gmail.com" "ransomware" variant has a 27-char password? (18 provided by the criminal and 9 with the ID on the rescue text)


Edited by alex_strange, 07 June 2016 - 09:51 PM.


#20 alex_strange


Posted 07 June 2016 - 10:11 PM

I have installed the allhelp variant with digits for password generation; 18, really, on brute force is around 3 billion combinations, but I suspect this variant is a bad version (no awesome and brilliant creation). Still, there is no password reversion with any of the elements the attacker left behind. Can any of the posters here upload their virus files? (DLLs, SFX generators and the malware itself)

I need to recognize a pattern here, and I suspect the solution is made very simple like the other ones...

 

 

cheers



#21 Demonslay335


Posted 07 June 2016 - 10:40 PM

 

> > I think it is using a 27-character password on the archives, so there is no chance of brute-forcing it. Still looking into how the key is generated and used.
>
> How do you know that the "allhelp16@gmail.com" "ransomware" variant has a 27-char password? (18 provided by the criminal and 9 with the ID on the rescue text)

I saw that number in memory or something during key generation at one point while debugging, can't quite remember. I'm really new to behavioral analysis, so there's a good chance I misinterpreted that. I haven't had a chance to study it more to confirm the findings of the older variant in that article. I need to learn more ASM before I try taking another look. :blush:


Edited by Demonslay335, 07 June 2016 - 10:41 PM.



#22 alex_strange


Posted 07 June 2016 - 10:50 PM

I have seen this number before too; one example of the random digits of this variant is:

17141418250
27141418250
37141418250
47141418250
57141418250
67141418250
77141418250
87141418250
97141418250
017141418250
117141418250
217141418250
317141418250
417141418250
517141418250
617141418250
717141418250
817141418250
917141418250
027141418250
127141418250

My question is directed at finding a pattern here. If you have the malware svchost.exe or stppthmainfv.dll, that works for me. Yesterday I modified John the Ripper to learn about these numbers like a chr digits file, but the difference is in taking those numbers like seeds for the final password. Taking a look at the SFX directly, I find the files inside correspond to a simple and crude SFX only, nothing else encrypted; it is only an SFX, and the result is a little easier because we will have to find only one password.

I'd appreciate it if you have more about this variant.

cheers


#23 Joa0011


Posted 08 June 2016 - 02:19 PM

I don't know if this is useful or not, but I've found that the first number is the reversed name of the folder in the root drive where the main malware is installed; the next four numbers are the (reversed) names of folders in ProgramData where the rar utility (named svchost.exe) and the sdelete utility (also named svchost.exe) are located; the other two hold files that I still don't know what they are.

In one of those two unknown folders there are a lot of files which seem to contain the paths to the original files. Apparently the malware creates a list of all the files to encrypt and then starts the process.

@alex_strange, well, the numbers are clearly not random; look at them like this:

1    7141418250
2    7141418250
3    7141418250
4    7141418250
5    7141418250
6    7141418250
7    7141418250
8    7141418250
9    7141418250
01   7141418250
11   7141418250
21   7141418250
31   7141418250
41   7141418250
51   7141418250
61   7141418250
71   7141418250
81   7141418250
91   7141418250
02   7141418250
12   7141418250

I've split the numbers and you can see how the first column is a count from 1 to 21, but the numbers are reversed (21 -> 12). That's one difference from the one in the blog post I put before: we don't have random letters to check our seed.
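Joa0011's split above (a digit-reversed counter followed by a per-victim constant) can be checked mechanically over any dump of the fake DLL instead of by eye. The following is an added example written for this thread, not code from any poster; it assumes the DLL text is a whitespace-separated list of decimal entries as posted, and it tries the split on alex_strange's sample and on a few of NWehrli's values.

```python
"""Check the counter-plus-constant pattern in the ACCDFISA v2.0 fake DLL.

Added example, not code from anyone in this thread. It assumes the
fake DLL (\\ProgramData\\svcfnmainstvestvs\\stppthmainfv.dll in the
thread) holds one decimal string per entry, as the posted dumps show.
"""
from typing import Dict, List, Tuple

# Constructed sample: the 21 entries alex_strange posted, whitespace-separated.
SAMPLE_DLL_TEXT = """
17141418250 27141418250 37141418250 47141418250 57141418250
67141418250 77141418250 87141418250 97141418250 017141418250
117141418250 217141418250 317141418250 417141418250 517141418250
617141418250 717141418250 817141418250 917141418250 027141418250
127141418250
"""


def common_suffix(entries: List[str]) -> str:
    """Longest suffix shared by every entry: the constant, per-victim part."""
    if not entries:
        return ""
    suffix = entries[0]
    for entry in entries[1:]:
        while not entry.endswith(suffix):
            suffix = suffix[1:]
    return suffix


def split_entries(entries: List[str]) -> Tuple[List[int], str]:
    """Strip the constant suffix and read the remaining prefix as a
    digit-reversed counter ('01' -> 10, '12' -> 21, as Joa0011 observed)."""
    suffix = common_suffix(entries)
    counters = []
    for entry in entries:
        prefix = entry[: len(entry) - len(suffix)]
        if not prefix.isdigit():  # empty or non-numeric prefix: pattern broken
            raise ValueError(f"entry {entry!r} has no counter prefix")
        counters.append(int(prefix[::-1]))
    return counters, suffix


def analyse(dll_text: str) -> Dict[str, object]:
    """Report the constant and whether the counters run 1..n in order."""
    counters, suffix = split_entries(dll_text.split())
    sequential = counters == list(range(1, len(counters) + 1))
    return {"suffix": suffix, "counters": counters, "sequential": sequential}


if __name__ == "__main__":
    print(analyse(SAMPLE_DLL_TEXT))
```

On alex_strange's dump this reports the constant 7141418250 and counters 1..21 in order; a dump whose counters skip or repeat would be flagged as not sequential, which is the quick way to tell a different build from a damaged file.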



#24 NWehrli (Topic Starter)

Posted 08 June 2016 - 02:32 PM

Hello, this is the pattern of my DLL:

12243403020
22243403020
32243403020
42243403020
52243403020
62243403020
72243403020
82243403020
92243403020
012243403020
112243403020
212243403020
312243403020
412243403020
512243403020
612243403020
712243403020
812243403020
912243403020
022243403020
122243403020



#25 ransomware_victim


Posted 13 June 2016 - 11:20 PM

Hello, I think I got this same ransomware (files rar'ed with a password and files renamed with email id xxxxxxxxxx to allhelp16@gmail.com).

Searching the web I found some research that appears to replicate my folder structure post encryption.

It's here:

http://www.ccrepairservices.com/blog/virus-and-malware-threats/rise-in-anti-child-porn-spam-protection-ransomware-infections/

Hope this helps to find how to revert it.


Edited by ransomware_victim, 13 June 2016 - 11:21 PM.


#26 elyogui


Posted 04 July 2016 - 07:08 PM

Information about ACCDFISA v2.0
 
Good afternoon, apparently there is a new variant that encrypts files as .rar and shows the following in each file (!! to get email id password 131,779,368 to auinfo16@gmail.com !!).
Do you know how to recover the files?

Thank you very much

Edited by xXToffeeXx, 23 July 2016 - 11:40 AM.


#27 michelmau5


Posted 05 July 2016 - 02:22 AM

So it puts the files in a rar archive with a password??? 

Must be easy to crack...



#28 quietman7


Posted 05 July 2016 - 06:13 AM

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.


#29 Demonslay335


Posted 05 July 2016 - 08:31 AM

> So it puts the files in a rar archive with a password???
>
> Must be easy to crack...

Not always the case. Most ransomware I've seen that uses something like WinRAR uses a CRNG to produce a 40-75 character password with high entropy. I've yet to actually crack a hash from one of them.




#30 elyogui


Posted 05 July 2016 - 11:12 AM

Good morning Demonslay335, I added the SHA1 reference, thank you very much.

This case SHA1: cdcd928e2ef12f52a0e285e029b0d03b16f22b14




