Help to identify ransomware


16 replies to this topic

#1 fredrik_johansson

Posted 06 September 2016 - 05:11 AM

Hi all, and first of all, many thanks for a great support forum! I have a ransomware infection but I am unable to ID it, and to be honest it seems as if it has been encrypted twice, sort of.

 

The original file names and extensions have not been changed but before the extension there are random letters and numbers (8 or 9).

 

If the original file name is, for example, "summertime.jpg", the encrypted file name is, for example, "summertime7YerhU89.jpg".

 

I could try to output it like: <originalfilename><8-9 randomcharacters>.<originalfileextension>

 

Each encrypted folder has a .txt and .html file with the name: "Why files renamed" containing instructions.

 

I also have some other encrypted files which I believe are CrySIS, with names like, for example:

summertime.jpg.id-E09ED101.Vegclass@aol.com.xtbl

 

Many thanks for your help and best regards,

Fredrik Johansson




#2 quietman7

Posted 06 September 2016 - 05:42 AM

Any files that are encrypted with CrySiS Ransomware will have an .<id-number>.<email>.CrySiS or .<id-number>.<email>.xtbl extension appended to the end of the encrypted data filename (i.e. mypicture.jpg.id-12345678.Vegclass@aol.com.xtbl) and leave files (ransom notes) named How to decrypt your data.txt, How to decrypt your files.txt, How to get data back.txt. The Vegclass@aol.com.xtbl variant was one of the first to be reported.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you for Demonslay335 to manually inspect the files.

You can also submit samples of encrypted files, ransom notes, email or/and website address you see in the RANSOM DEMAND to No More Ransom Crypto Sheriff for assistance with identification and possible decrypting solutions. If you are provided any information it would be helpful to post it here for Demonslay335 to review.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 fredrik_johansson

Posted 06 September 2016 - 05:47 AM

Many thanks for your feedback! I don't have any doubts concerning the CrySIS infection but the principal encryption described above in my first post is difficult to ID. I tried the malwarehunterteam tool but it was unable to ID the virus. I will follow your advice and post case SHA1 data to see if Demonslay335 can assist in identification.

 

Many thanks again and best regards!

Fredrik



#4 quietman7

Posted 06 September 2016 - 05:55 AM

Not a problem. From what you describe, it appears you may be dealing with a dual ransomware infection.

#5 fredrik_johansson

Posted 06 September 2016 - 06:04 AM

ID Ransomware Case ID:

 

Please reference this case SHA1: a280c09964c30af9c04d257bac9fdeff61ebbb33

Unable to determine ransomware.

 

The ransom note is as follows (pretty generic):

I followed the link via Torbrowser and they are currently asking for 1.5 BitCoin (more or less 900.00 €)

 

Your Files were encrypted
Decrypting files is only possible with the help of the private key and decrypt program which is on our secret server:
 1.  Open your browser and type https://www.torproject.org/download/download-easy.html.en . Download "tor browser" for windows.
     If you can't open page above then go to https://www.torproject.org and click button Download.
     You will be redirected you to page where you see 'Tor Browser for Windows'.  Download "Tor Browser" for Windows.
 2.  Install it and run it. Seldom people can't install tor browser from links above. If you can't install it then download and unpack already installed tor browser:
         http://www.fileconvoy.com/dfl.php?id=g77e6305490b242e7999870966eb038d97affc4766

 3.  Type in the address bar www.zkfykr6ipkegpgyv.onion/start.php and open our secret tor website.
 4.  Secret tor website will ask to input your public key.
 5.  Input your public key. Follow the instructions.

Your public key

24REccmYMIDZr0rkZy7bxJHvrPfjiqiSbbVbAfZxc0HkyeziY3
RbyqzgUs0Miigi53dUmEPG2r2eTPmsWB7rRGCYrPr8HxAT2f3v
epjjnGcwT31tPHJIBlUZ1WXeu2ZjYwE2pGYzbUjxGeVpDHrTie
ex49b1afrBHfwsRcfzie8Ti

We advice to rewrite this public key and tor hidden address to other relible place because in the
future your antivirus software possible can delete all created messages on your computer that
contains your public key and this tor hidden address.

If you have problems while installing or downloading tor browser or opening our hidden onion site then remove or disable
your antivirus (it can prohibit actions with tor browser) or try do it on other computer.
Remember that you can browse www.youtube.com and search video where you can find how to install 'tor browser'.
If you still can't open our secret hidden tor site then you should
1. Open https://mail.google.com (use your usual browser: (GoogleChrome, Opera, Firefox, ...)
2. If you don't have .....@gmail account then you need sign up. You will have google (.....@gmail) account.
3. Compose letter and send it to torsig@sigaint.org . In letter you need type us your public key (see this key above).
4. Soon we will send you information what you need to do to decrypt your files.

Remark for you:
You can compose and send letter using other mail provider (.....@aol.com .....@yahoo.com or other),  but we
don't advice you use them because we are not confident that we will receive your message.

- - -

 

Thanks again and best regards from sunny Portugal!



#6 Demonslay335

Posted 06 September 2016 - 06:33 AM

I'm on mobile, but if you open a few encrypted files in Notepad, do you see "bcbdbe", or "n1n1n1"? The ransom note looks like a new variant I've been hunting. If you can find the malware that caused the encryption, it would really help analysis.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 fredrik_johansson

Posted 06 September 2016 - 06:47 AM

@Demonslay335, Many thanks for your reply!

Yes, I confirm that it starts with bcbdbe2. The infection was injected via a trojan over an RDP session, and ESET successfully blocked several attempts as the system was trying to execute several .exe files sent from the remote PC to the host PC (which is currently infected). After several attempts the virus successfully managed to execute a payload.exe (hidden under a svchost.exe process, which then added registry entries etc.) and it encrypted some 300 GB during more or less 48 h. I can probably access the infected system remotely and try to access the malware, or check the ESET quarantine, or ask for access to the remote PC (where the trojan was sent from), but only later tonight. I also suggested imaging the HDD but I am not yet sure if that was done; later I will confirm and check all files I can obtain as samples for investigation.

 

Many thanks again for your help!

Fredrik



#8 quietman7

Posted 06 September 2016 - 06:51 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic.

#9 Demonslay335

Posted 06 September 2016 - 09:24 AM

I've added a rule to ID Ransomware that will point victims to this topic based on the hex patterns and email addresses in the ransom notes. Just calling it "n1n1n1" for now until we have a sample to find a more suitable name. There have been a few submissions for both variants. They have all had random characters appended just before the extension as well; I was never quite sure if that was from the malware renaming, or just the way people name their files in other countries, lol.

Let us know if you secure that sample from the quarantine. If it was deleted for some reason, ESET's log may have a hash we can still use for hunting it down.

It is very interesting to know it was pushed over RDP; that gives us an attack vector to expect. We would be interested in seeing some RDP access and ESET logs if you don't mind; you can zip them up and submit them with the malware to the link quietman7 provided so they aren't public.


Edited by Demonslay335, 06 September 2016 - 09:27 AM.

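The thread gives a defender three things to look for on a suspect file system: quietman7's CrySiS naming (`<name>.<ext>.id-<id>.<email>.xtbl` or `.CrySiS`) and note names (#2), the OP's per-folder "Why files renamed" note (#1), and Demonslay335's "bcbdbe"/"n1n1n1" marker at the start of encrypted files (#6, confirmed by the OP in #7). The triage script below turns those into a read-only scan. It is an added example, not code from the thread, from ID Ransomware or from ESET; the labels, the function names, the 8-byte read and the assumption that the marker sits at offset 0 are this example's own choices.

```python
"""Read-only triage of a directory tree for the two families in this thread.
Added example, not code from the thread, from ID Ransomware or from ESET.
Pattern sources: quietman7's CrySiS extension and note names, the OP's
"Why files renamed" note, and Demonslay335's "bcbdbe"/"n1n1n1" marker, which
the OP confirms is at the very start of the file (offset 0 is assumed here)."""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# CrySiS: <original name>.id-<8 hex digits>.<email>.xtbl (or .CrySiS)
CRYSIS_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<id>[0-9A-Fa-f]{8})\.(?P<email>[^@\s]+@\S+?)\.(?P<ext>xtbl|CrySiS)$"
)

# ASCII marker at offset 0 of files encrypted by the variant provisionally named "n1n1n1".
MARKERS = (b"bcbdbe", b"n1n1n1")

# Ransom-note file names quoted in the thread (compared case-insensitively, any extension).
NOTE_STEMS = {
    "why files renamed",           # unnamed variant: a .txt and an .html in every encrypted folder
    "how to decrypt your data",    # CrySiS
    "how to decrypt your files",
    "how to get data back",
}


def classify(name: str, head: bytes = b"") -> Optional[str]:
    """Label one file from its name and its first bytes, or return None.

    Returns "ransom-note", "crysis:<id>:<email>" or "n1n1n1-marker"."""
    if Path(name).stem.lower() in NOTE_STEMS:
        return "ransom-note"
    m = CRYSIS_RE.match(name)
    if m:
        return f"crysis:{m['id']}:{m['email']}"
    if head[:6] in MARKERS:
        return "n1n1n1-marker"
    return None


def scan_tree(root: Path, head_len: int = 8) -> Dict[str, List]:
    """Walk `root` read-only, classify every file and list folders holding a note.

    The unnamed variant renames files as <name><8-9 random chars>.<ext>, which no
    pattern can recognise by itself, so folders containing its note are reported
    too: per the OP, every encrypted folder carries one."""
    hits: List[Tuple[str, str]] = []
    noted: set = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            with p.open("rb") as fh:
                head = fh.read(head_len)
        except OSError:
            head = b""
        label = classify(p.name, head)
        if label is None:
            continue
        hits.append((p.relative_to(root).as_posix(), label))
        if label == "ransom-note":
            noted.add(p.parent.relative_to(root).as_posix())
    return {"hits": sorted(hits), "folders_with_notes": sorted(noted)}


if __name__ == "__main__":
    import sys
    import tempfile
    # With no argument, demonstrate on a constructed tree instead of a real one.
    if len(sys.argv) > 1:
        target = Path(sys.argv[1])
    else:
        target = Path(tempfile.mkdtemp())
        (target / "photos").mkdir()
        (target / "photos" / "summertime7YerhU89.jpg").write_bytes(b"bcbdbe2" + b"\x00" * 16)
        (target / "photos" / "Why files renamed.txt").write_text("constructed note")
        (target / "summertime.jpg.id-E09ED101.Vegclass@aol.com.xtbl").write_bytes(b"\x01\x02")
    result = scan_tree(target)
    for path, label in result["hits"]:
        print(f"{label:40} {path}")
    print("folders with a ransom note:", result["folders_with_notes"])
```

Run it as `python triage.py D:\share` against a mounted image, never on the live infected host; it only reads the first few bytes of each file, so it is safe on evidence. The CrySiS label carries the victim ID and contact address, which is exactly what ID Ransomware and the Crypto Sheriff ask for.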


#10 fredrik_johansson

Posted 06 September 2016 - 09:33 AM

Unfortunately at this moment (until later today) I can only provide you with the log where ESET successfully blocked some attempts and the text encoding is incorrect but I will get the entire log later and encode it correctly (I'm in Portugal). I don't have issues concerning privacy and I am grateful for all your help!

 

Hora;Scanner;Tipo de objeto;Objeto;Ameaça;Ação;Usuário;Informações;Hash
04-09-2016 20:18:34;Scanner na inicialização;arquivo;C:\Users\vpedrosa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe;uma variante de Win32/Filecoder.Crysis.H cavalo de Tróia;limpo por exclusão;;;16CDCF679962453F5690491760E5165425DF3EA0;04-09-2016 16:33:49
04-09-2016 16:36:22;Scanner na inicialização;arquivo;Memória operacional = C:\Users\vpedrosa\Desktop\Payload.exe;uma variante de Win32/Filecoder.Crysis.H cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\vpedrosa;;16CDCF679962453F5690491760E5165425DF3EA0;04-09-2016 16:33:44
01-09-2016 18:18:05;Proteção em tempo real do sistema de arquivos;arquivo;C:\Users\hsantos\Desktop\303002jssMPVhIg5SaBMz.exe;uma variante de Win32/Kryptik.FFNM cavalo de Tróia;limpo por exclusão;WORKSTATION\hsantos;Evento ocorrido no novo arquivo criado pelo aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;7A5E43A507E52EF9A91FCA786D4AE4BBB14E3F7F;01-09-2016 18:18:02
01-09-2016 12:09:43;Proteção em tempo real do sistema de arquivos;arquivo;C:\Users\hsantos\Desktop\Payload.exe;uma variante de Win32/Filecoder.Crysis.D cavalo de Tróia;limpo por exclusão;WORKSTATION\hsantos;Evento ocorrido no novo arquivo criado pelo aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;9326D6E4EB3D9407470B7FC98CCAB2F183F00308;01-09-2016 12:09:38
30-08-2016 03:00:18;Proteção em tempo real do sistema de arquivos;arquivo;C:\Users\hsantos\Desktop\Payload.exe;uma variante de Win32/Filecoder.Crysis.E cavalo de Tróia;limpo por exclusão;WORKSTATION\hsantos;Evento ocorrido no novo arquivo criado pelo aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;16CDCF679962453F5690491760E5165425DF3EA0;30-08-2016 03:00:16
19-08-2016 06:59:35;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Prolite.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;7690C933978B665727B5DF87F044BC6511F8C996;
19-08-2016 06:59:35;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Prolite.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;7690C933978B665727B5DF87F044BC6511F8C996;
19-08-2016 06:59:34;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Prolite.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;7690C933978B665727B5DF87F044BC6511F8C996;
19-08-2016 06:59:34;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Prolite.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;;
19-08-2016 06:59:34;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Prolite.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;7690C933978B665727B5DF87F044BC6511F8C996;
19-08-2016 06:59:34;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Prolite.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;;
19-08-2016 06:59:34;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Prolite.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;7690C933978B665727B5DF87F044BC6511F8C996;
19-08-2016 06:56:42;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Prolite.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;7690C933978B665727B5DF87F044BC6511F8C996;
19-08-2016 06:48:24;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Prolite.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;7690C933978B665727B5DF87F044BC6511F8C996;
19-08-2016 06:39:13;Proteção em tempo real do sistema de arquivos;arquivo;C:\Users\hsantos\Desktop\Prolite.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão;WORKSTATION\hsantos;Evento ocorrido no novo arquivo criado pelo aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;7690C933978B665727B5DF87F044BC6511F8C996;19-08-2016 06:39:07
19-08-2016 06:10:12;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
19-08-2016 06:10:07;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
19-08-2016 06:10:00;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
19-08-2016 06:09:56;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
19-08-2016 06:08:28;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
19-08-2016 06:08:23;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
19-08-2016 06:07:45;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
19-08-2016 06:07:31;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
19-08-2016 05:50:06;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Cprotect.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;B2589AF912DE211A450DC13B10D11EDA67613361;
19-08-2016 05:49:57;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Cprotect.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;B2589AF912DE211A450DC13B10D11EDA67613361;
19-08-2016 05:49:34;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Cprotect.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;B2589AF912DE211A450DC13B10D11EDA67613361;
19-08-2016 05:47:31;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Cprotect.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;B2589AF912DE211A450DC13B10D11EDA67613361;
19-08-2016 05:47:17;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Cprotect.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;B2589AF912DE211A450DC13B10D11EDA67613361;
19-08-2016 05:46:14;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Cprotect.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;B2589AF912DE211A450DC13B10D11EDA67613361;
19-08-2016 05:28:51;Proteção em tempo real do sistema de arquivos;arquivo;C:\Users\hsantos\Desktop\Cprotect.exe;uma variante de MSIL/Injector.IGC cavalo de Tróia;limpo por exclusão;WORKSTATION\hsantos;Evento ocorrido no novo arquivo criado pelo aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;B2589AF912DE211A450DC13B10D11EDA67613361;19-08-2016 05:28:40
19-08-2016 04:41:46;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Draw.exe;uma variante de Win32/Injector.BFKF cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);;Evento ocorrido durante a tentativa de execução do arquivo:;0CA2C39F85A9C4B4F32FFA0D5288A9506ADACFCC;
19-08-2016 04:41:13;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Draw.exe;uma variante de Win32/Injector.BFKF cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);;Evento ocorrido durante a tentativa de execução do arquivo:;0CA2C39F85A9C4B4F32FFA0D5288A9506ADACFCC;
19-08-2016 04:40:38;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Draw.exe;uma variante de Win32/Injector.BFKF cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);;Evento ocorrido durante a tentativa de execução do arquivo:;0CA2C39F85A9C4B4F32FFA0D5288A9506ADACFCC;
19-08-2016 04:37:23;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Draw.exe;uma variante de Win32/Injector.BFKF cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);;Evento ocorrido durante a tentativa de execução do arquivo:;0CA2C39F85A9C4B4F32FFA0D5288A9506ADACFCC;
19-08-2016 04:36:32;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Draw.exe;uma variante de Win32/Injector.BFKF cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;0CA2C39F85A9C4B4F32FFA0D5288A9506ADACFCC;
19-08-2016 04:36:32;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Draw.exe;uma variante de Win32/Injector.BFKF cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;0CA2C39F85A9C4B4F32FFA0D5288A9506ADACFCC;
19-08-2016 04:33:28;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Draw.exe;uma variante de Win32/Injector.BFKF cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;0CA2C39F85A9C4B4F32FFA0D5288A9506ADACFCC;
19-08-2016 04:33:28;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Draw.exe;uma variante de Win32/Injector.BFKF cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;0CA2C39F85A9C4B4F32FFA0D5288A9506ADACFCC;
19-08-2016 04:28:36;Rastreamento de memória avançado;arquivo;Memória operacional = \\tsclient\I\Draw.exe;uma variante de Win32/Gpcode.NAI cavalo de Tróia;limpo (após a próxima reinicialização);;;6FC1F00E78BA392C164E82C46E06EB24DB820155;
19-08-2016 04:02:52;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\E\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;erro durante limpeza;WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
18-08-2016 22:14:32;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\E\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
18-08-2016 22:14:32;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\E\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
18-08-2016 22:14:32;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\E\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
18-08-2016 22:14:31;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\E\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
18-08-2016 22:13:25;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\E\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
18-08-2016 22:13:08;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\E\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
18-08-2016 22:11:55;Proteção em tempo real do sistema de arquivos;arquivo;\\tsclient\E\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tróia;limpo por exclusão (após a próxima reinicialização);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execução do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
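The log above is what Demonslay335 asks for in #9 ("ESET's log may have a hash we can still use") and what he reads by eye in #12: pick the one detection that is not a CrySiS variant, and note that nearly everything arrived through `\\tsclient\<drive>`, the UNC path Windows uses for a drive redirected over an RDP session. The script below does that reading mechanically. It is an added example, not code from the thread or from ESET: the five sample lines are copied from the posted log (still in their mis-decoded form, which the script repairs by re-reading the CP850 bytes), while the column names, the de-duplication key, the "known family" filter and the `extra` name for the tenth, unlabelled column are this example's assumptions.

```python
"""Parse the ';'-separated ESET detection log posted above and pull out what a
ransomware hunter wants: each SHA1 with its detection name and paths, repeated
lines collapsed, and whether the file came in over an RDP-redirected drive.
Added example, not code from the thread or from ESET; sample lines are copied
from the posted log, everything else is this example's assumption."""
import csv
import io
from typing import Dict, List

# Ten ';'-separated fields; the posted header names only nine, so the tenth
# (a second timestamp) is kept as "extra".
FIELDS = ["time", "scanner", "object_type", "object", "threat", "action",
          "user", "info", "sha1", "extra"]

# Constructed sample: header plus five lines from the log above, as posted
# ("Usu rio" is "Usuário" with byte 0xA0 rendered as a no-break space).
HEADER = "Hora;Scanner;Tipo de objeto;Objeto;Amea‡a;A‡Æo;Usu\u00a0rio;Informa‡äes;Hash"
ROWS = r"""
04-09-2016 20:18:34;Scanner na inicializa‡Æo;arquivo;C:\Users\vpedrosa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe;uma variante de Win32/Filecoder.Crysis.H cavalo de Tr¢ia;limpo por exclusÆo;;;16CDCF679962453F5690491760E5165425DF3EA0;04-09-2016 16:33:49
01-09-2016 18:18:05;Prote‡Æo em tempo real do sistema de arquivos;arquivo;C:\Users\hsantos\Desktop\303002jssMPVhIg5SaBMz.exe;uma variante de Win32/Kryptik.FFNM cavalo de Tr¢ia;limpo por exclusÆo;WORKSTATION\hsantos;Evento ocorrido no novo arquivo criado pelo aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;7A5E43A507E52EF9A91FCA786D4AE4BBB14E3F7F;01-09-2016 18:18:02
19-08-2016 06:59:35;Prote‡Æo em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Prolite.exe;uma variante de MSIL/Injector.IGC cavalo de Tr¢ia;limpo por exclusÆo (ap¢s a pr¢xima reinicializa‡Æo);;Evento ocorrido durante tentativa de execu‡Æo do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;7690C933978B665727B5DF87F044BC6511F8C996;
19-08-2016 06:59:35;Prote‡Æo em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Prolite.exe;uma variante de MSIL/Injector.IGC cavalo de Tr¢ia;limpo por exclusÆo (ap¢s a pr¢xima reinicializa‡Æo);;Evento ocorrido durante tentativa de execu‡Æo do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;7690C933978B665727B5DF87F044BC6511F8C996;
19-08-2016 06:10:12;Prote‡Æo em tempo real do sistema de arquivos;arquivo;\\tsclient\I\Skanda.exe;uma variante de Win32/Filecoder.Crysis.G cavalo de Tr¢ia;limpo por exclusÆo (ap¢s a pr¢xima reinicializa‡Æo);WORKSTATION\hsantos;Evento ocorrido durante tentativa de execu‡Æo do arquivo por um aplicativo: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;C0385E235C3BAD3372FCF0EE3D1B59951EC17429;
""".strip()
SAMPLE_LOG = HEADER + "\n" + ROWS


def repair_mojibake(s: str) -> str:
    """Undo CP850 text that was decoded as Windows-1252 ('Prote‡Æo' -> 'Proteção').
    ASCII passes through unchanged; anything that does not round-trip is left as-is."""
    try:
        return s.encode("cp1252").decode("cp850")
    except UnicodeError:
        return s


def parse_eset_log(text: str) -> List[Dict[str, str]]:
    """One dict per detection line, fields named by FIELDS, text repaired."""
    rows = []
    for rec in csv.reader(io.StringIO(text), delimiter=";"):
        if not rec or rec[0] == "Hora":          # blank line or the header
            continue
        rec = [repair_mojibake(f.strip()) for f in rec]
        rec += [""] * (len(FIELDS) - len(rec))   # tolerate rows missing trailing columns
        rows.append(dict(zip(FIELDS, rec)))
    return rows


def summarize(rows: List[Dict[str, str]]) -> Dict[str, dict]:
    """Per SHA1: detection name, paths seen, event count with ESET's repeated
    lines for one blocked execution collapsed, and an RDP-drive flag."""
    out: Dict[str, dict] = {}
    seen = set()
    for r in rows:
        key = (r["time"], r["object"], r["sha1"])
        if key in seen:
            continue
        seen.add(key)
        entry = out.setdefault(r["sha1"] or "(no hash)", {
            "threat": r["threat"], "paths": set(), "events": 0, "via_rdp_drive": False})
        entry["paths"].add(r["object"])
        entry["events"] += 1
        # \\tsclient\<letter> is the UNC path of a client drive redirected over RDP.
        if "\\\\tsclient\\" in r["object"].lower():
            entry["via_rdp_drive"] = True
    return out


def candidates_for_hunting(summary: Dict[str, dict], known=("crysis",)) -> List[str]:
    """SHA1s whose detection name is not an already-identified family: the lines
    worth restoring from quarantine and submitting (here the Kryptik.FFNM hit)."""
    return sorted(h for h, e in summary.items()
                  if h != "(no hash)" and not any(k in e["threat"].lower() for k in known))


if __name__ == "__main__":
    summary = summarize(parse_eset_log(SAMPLE_LOG))
    for sha1, e in summary.items():
        flag = "  [via RDP drive]" if e["via_rdp_drive"] else ""
        print(f"{sha1}  x{e['events']}  {e['threat']}{flag}")
        for path in sorted(e["paths"]):
            print(f"    {path}")
    print("worth pulling from quarantine:", candidates_for_hunting(summary))
```

To run it over the real export, read the file with `encoding="cp850"` in the first place and the repair step becomes a no-op; the round-trip is only needed for text that has already been pasted through a Windows-1252 viewer, as in this thread. Anything the de-duplicated summary flags as `via_rdp_drive` tells the responder where the files came from without needing the remote PC.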
 



#11 fredrik_johansson

Posted 06 September 2016 - 09:36 AM

By the way, please ignore all logs concerning CrySIS, since I assume the system was infected twice and the CrySIS infection is well known and documented. That is, unless it's a new variant of the same infection, which I doubt, since the CrySIS-infected files are very few and have no importance in this case.



#12 Demonslay335

Posted 06 September 2016 - 11:01 AM

This line is of the most interest. Just about everything else there is a CrySiS variant; they tried to push at least two or three different campaigns with different email addresses.

01-09-2016 18:18:05;Proteção em tempo real do sistema de arquivos;arquivo;C:\Users\hsantos\Desktop\303002jssMPVhIg5SaBMz.exe;uma variante de Win32/Kryptik.FFNM cavalo de Tróia;limpo por exclusão;WORKSTATION\hsantos;Evento ocorrido no novo arquivo criado pelo aplicativo: 

We cannot find that hash anywhere, so it's very likely to be what we are looking for, if you can restore that file from quarantine.




#13 fredrik_johansson

Posted 06 September 2016 - 11:20 AM

I will try, and I can also confirm that the disk was imaged yesterday, which will give me a live system to work on. I am no longer administering the system; in reality I just made the initial installation of the system and nowadays I'm more of a "problem resolver", sort of, but I am quite sure I can give you total access to the system when it's up and running live (in the same state as of yesterday afternoon). It's a virtual Citrix XenServer based system running a Windows 7 system, so it's easy to export and import anywhere. I can probably get the image of the system and mount it at home in an isolated environment and give you total access. Perhaps that's actually easier, since I cannot find the time I wish I had for these issues. I need to run this idea by someone responsible (I know I said I don't have issues with privacy, but I will still need to ask permission before granting full access to a company workstation), but I will be able to confirm this later today. I can also confirm that the system is programmed to create restore points every two hours, and even though the snapshots were deleted I can try to recover data from the system restore points and extract the actual file (303002jssMPVhIg5SaBMz.exe) and see if we get lucky. Before that let me check the quarantine; sometimes we're just lucky.

#14 quietman7

Posted 06 September 2016 - 03:17 PM

In addition to what is in the quarantine, did you by chance submit a sample to ESET?

#15 fredrik_johansson

Posted 06 September 2016 - 03:30 PM

Yes I did. I ran their inspector and system log and forwarded the log to their server together with encrypted files. I was given a support ticket but until now I don't have any news. I also submitted samples to other companies asking for help to identify the infection (Kaspersky, Symantec, Sophos and Panda), but until this hour nothing. Sorry for misspellings, I'm on my cellphone. FYI, I'm working for a governmental organization (law enforcement) with dedicated cyber criminality units, but internally no-one has yet identified the infection. You are the only ones who have provided assistance in a very proactive way and it's very appreciated!



