
ROSHALOCK 2.00 (All_Your_Documents Ransomware) Support & Help Topic


57 replies to this topic

#1 Yenzy (Members, 20 posts)

Posted 18 February 2017 - 10:32 PM

HELP ME! If somebody out there is also infected with this ransomware, please voice out!
 
I'll describe my experience and own research with this malware as accurately as possible. This is a relatively new ransomware, I think, because there are little to no articles or discussions about this ransomware, and the earliest forums I can find date back to February 11-13, 2017. GOT INFECTED on February 17, 2017, at 9:11 pm (I knew this through the Windows Event Viewer), presumably through browsing the web. The first symptom I got, to which I didn't really pay much attention until now, is the fact that the ransomware was deleting all my VSS files (Volume Shadow Copy Service) silently (not exactly, because I was prompted with popups that asked for administrator privileges regarding this VSS deletion); after that, my computer got severely buggy, causing me to restart it at 9:23 pm.
 
After that, when my computer finished booting up, everything was fine, until I saw that all my files (.jpg, .mp3, .mp4, .avi, .doc, .docx, .png, .img, etc.) were locked behind a password-protected archive (two archives in fact, one in Drive C and one in Drive D) which I still can't crack open; the archives are named "All_Your_Documents" (I already tried brute-force recovery software and the like).
 
The ransomware also left behind .txt files that read as follows:
 
################################################################################
 
         ATTENTION! AUFMERKSAMKEIT! ATTENTION! ATENCION! ATTENZIONE!
 
                  TO GET BACK YOUR FILES READ CAREFULLY!
              UM IHRE DATEIEN ZURUCK, BITTE SORGFALTIG LESEN!
        POUR RECUPERER VOS FICHIERS, S'IL VOUS PLAIT LIRE ATTENTIVEMENT!
        PARA OBTENER LOS ARCHIVOS DE NUEVO, POR FAVOR, LEA CON CUIDADO!!
    PER OTTENERE IL VOSTRO FILES INDIETRO, SI PREGA DI LEGGERE ATTENTAMENTE!!
 
#################################################################################
 
Where did all your files?
 
Your documents on all drives (photos, videos, docs, etc.)
have been moved to password - protected WinRAR archives.
 
This archives is located in the root of each disk, in folder
"All_Your_Documents" and file name is "All_Your_Documents.rar".
 
Full path on all drives:
 
Drive:\\All_Your_Documents\All_Your_Documents.rar
 
Note: all the .rar archives located on different drives, have the same password. 
All text notes "All Your Files in Archive! .txt" contain the same <rsa2048> code.
 
---------------------------------------------------------------------------------
 
To open .rar archive, you need to install WinRAR.
To open .rar archive, CAREFULLY follow these steps:
 
1) If you do not have WinRAR archiver - download and install it:
 
Link: http://www.rarlab.com/rar/wrar540.exe
 
Note: you will need WinRAR version 5.00 or higher.
Now you can view the contents of the .rar archive,
but to extract the files you will need the password.
 
2) To get the password of RAR archive, download and install TOR browser:
 
Link: https://www.torproject.org/download/download-easy.html.en
 
3) Open TOR browser, and put this address in browser address bar:
 
Link: http://klbibglrxtdpmr7i.onion/user/
 
Note: link can only be opened in a TOR browser. Opening page can
take a long time. Please try again in a few minutes in case of error,
close and open your TOR browser and try again.
 
4) Copy and paste text located below into text-box on this page and click button.
 
 
<RSA2048>
Mnw3/Dm1wQrVK8rnYB9K+lrPQB172myj+oGfvX1iQ7qtXo75b7eQuk94Q3pvO1LxW7VTFP8N
djIbQxHuk1gprwhPnOLOqFcS/PYge7zMLyDjLfiTfA9hWc91ANVv51UgVYwvS/BKA0GVXBtT
6jzPNbwZeaKlgtTQHxWNYq0mMz3IGeH5zRc9pxB/rsc1jODzsoCNoTz1TpQq2IaHM1zZLemH
eU3FJ6oKWtrqKutLS5+dYi/fJgTrXFzT0MEvFND6FDc/rMDGammT8lhyikQ7JBYEAcZVEprs
+ujygMSq2hIvsZSoNzOZ4tbCtGyJTaxGhtbNMz6lBPoh9ZV1Pe6tqQ==
</RSA2048>
 
 
#################################################################################
 
----------------------------------------------------------------------------------------------------------------------------------------------------------
 
The .txt files confirm that this is indeed a ransomware.
 
The .txt files also say that the password is encrypted using "RSA2048" encryption (I think the hash, the jumble of letters and numbers in the last part of the .txt file, is what this RSA2048 refers to), which I'm not exactly sure is the truth. I'm also currently researching this RSA2048, but from my current data, I can conceive that the latter is not true and that it just used basic WinRar coding to create a password. By the way, the archive is in RAR5 format, meaning to say it was archived using WinRar 5.00.
 
No deadlines or "amount-to-be-paid" were provided, but it tells me that I must use Bitcoins to pay, just like other ransomware. The .txt file kind of reveals the address of the perpetrator:
 
http://klbibglrxtdpmr7i.onion/user/
 
The file says I can only make contact through the TOR browser, which I still haven't tried and I have no plans of trying.
 
Some forums indicate that the "All_Your_Documents" ransomware mimics the way another ransomware, "Rarvault", which appeared last year, works.
 
I HAVE NO PLANS OF PAYING RANSOM. IT JUST FUNDS THE CRIMINALS. IT JUST CONFIRMS THAT THIS THING WORKS. I already reported it to the FBI (IC3 Division), even though I'm a Filipino (living in the Philippines), because the authorities here are kind of slow.
 
I'm gonna upload the .txt file and put a link to it on this forum, hoping that someone will find a solution to this thing. I'm still doing my best (going through the registry, checking the Event Viewer, expelling the virus itself) but right now I think I can't fix this all by myself.
 
So please, I repeat: If someone is also having this kind of problem, please reveal yourself now and help me and (presumably) many others in combating this growing threat.
 
I'm running Windows 7 Professional x64 Service Pack 1. Here are my system details:
Processor: Pentium® Dual-Core CPU E5200 @ 2.50GHz 2.50 GHz
RAM: 2.00 GB
 
By the way, the files that got archived (50 GB in total) weren't compressed and remain exactly that way (or size) within the archive (also 50 GB in size). The files themselves also remain as they were, I hope so, before they got archived, because browsing the locked archive, the files (photos, videos, documents, songs) are still safe and sound, no file extensions were changed, no file was renamed, they're just inaccessible (I can't extract them because I don't know the password). I'm sure I already cleaned my system of any remaining malware, I'm just left with a mess of archived files.
 
I hope the details I provided will help others that are also trying to find anything about this "All_Your_Documents" virus, I hope that it will also help the experts find a solution to this, meanwhile I'm gonna go back to tweaking stuff regarding this archive and ransomware. Once again: HELP ME!
 
PS: I'm gonna be online every day, precisely every late afternoon, to acknowledge other users that encountered this problem and to especially acknowledge any tips and advice for me. Thank you in advance.




#2 Demonslay335 (Ransomware Hunter, Security Colleague, 3,245 posts)

Posted 18 February 2017 - 10:58 PM

We've seen this same ransom note come through ID Ransomware a few times, but we cannot do anything without the malware to analyze. When hit by ransomware, deleting all traces of the malware is the last thing you want to do until it has been identified or analyzed by someone. Quarantine it or something, but do not delete it. We don't know how this one generates its keys or anything, so we don't know whether it is decryptable or not. The WinRAR format is pretty secure unless they generate a key under 10 characters, otherwise we'd have to rely on them making a mistake in their key generation.

Do you know how you got the infection? Email attachment, downloaded something from a website, RDP hack?

I have pointed ID Ransomware to this topic for victims who upload that ransom note. It has been dubbed "All_Your_Documents" for now for lack of a better name.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Yenzy (Topic Starter, Members, 20 posts)

Posted 18 February 2017 - 11:11 PM

Thank God for the quick reply and the referral to ID Ransomware.

I'm not entirely sure about this, but after the mumbo-jumbo that happened to me (the silent archiving and the restart I have done), there is this executable, named "NDP40-KB2736428-x64.msp" (I'm not sure about the name), which appeared in a folder in Drive D with a jumble of numbers as its name, and in that folder are the executable and other folders named 1001, 1002, 1003, and so on, along with another "Graphics" folder. I deleted every single trace of it by tweaking the "ownership" of the file, because it had some sort of security measure in it, and I feel sorry about my action.

Right now I'm gonna go through my antivirus' (Malwarebytes Free Trial) quarantine log to see if I can find the names of the PUPs and malware that I deleted. Thank you again.


Edited by Yenzy, 19 February 2017 - 09:09 AM.


#4 Yenzy (Topic Starter, Members, 20 posts)

Posted 18 February 2017 - 11:49 PM

 

> We've seen this same ransom note come through ID Ransomware a few times, but we cannot do anything without the malware to analyze. When hit by ransomware, deleting all traces of the malware is the last thing you want to do until it has been identified or analyzed by someone. Quarantine it or something, but do not delete it. We don't know how this one generates its keys or anything, so we don't know whether it is decryptable or not. The WinRAR format is pretty secure unless they generate a key under 10 characters, otherwise we'd have to rely on them making a mistake in their key generation.
>
> Do you know how you got the infection? Email attachment, downloaded something from a website, RDP hack?
>
> I have pointed ID Ransomware to this topic for victims who upload that ransom note. It has been dubbed "All_Your_Documents" for now for lack of a better name.

FOUND IT! Log from Malwarebytes Premium Trial. Here's a list of the "threats" potentially associated with the "All_Your_Documents" ransomware:

1) Trojan.Miuref.THC, C:\USERS\XAMYENZAE\APPDATA\LOCAL\ITKSOFT\PZSPIDHR.DLL
2) Trojan.Boaxxe, C:\USERS\XAMYENZAE\APPDATA\LOCAL\ASWORKS\TMPDFBA.EXE, Quarantined, [81], [357022],1.0.1064
3) Trojan.Miuref.THC, C:\USERS\XAMYENZAE\APPDATA\LOCAL\ITKSOFT\NTCVIDGP.DLL, Quarantined, [7600], [65255],1.0.1064
4) Trojan.Miuref, C:\USERS\XAMYENZAE\APPDATA\LOCAL\ASWORKS\MRPGAVNR.DLL, Quarantined, [301], [65311],1.0.1064
5) Trojan.Miuref, C:\USERS\XAMYENZAE\APPDATA\LOCAL\ITKSOFT\VKTPECDD.DLL, Quarantined, [301], [65311],1.0.1064
6) Trojan.Miuref, C:\USERS\XAMYENZAE\APPDATA\LOCAL\ITKSOFT\KJTXOHCW.DLL, Quarantined, [301], [65311],1.0.1064
7) Trojan.Fileless.MTGen, HKU\S-1-5-21-471565784-3936403322-1591365284-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^UCFNDG, Quarantined, [452], [339967],1.0.1288
8) Backdoor.Bot.E, C:\USERS\XAMYENZAE\APPDATA\LOCAL\MICROSOFT\PERFORMANCE\MONITOR\PERFORMANCEMONITOR.DLL, Quarantined, [2018], [369262],1.0.1288

* The logs above are from the dates Feb. 17-18, 2017.
** XamYenZae is the name of my computer's account.
*** The numbers (e.g. 81, 7600, 452, etc.) are the IDs of the threats, I think.

 

By the way, regarding the report with the Volume Shadow Copy Service error, here it is as described by the Event Viewer:

-ERROR 2/17/2017 9:11:33 PM   Source: VSS     Event ID: 22      Task Category: None
  Details: A critical component required by the VSS is not registered.

And the restart I did is reported as follows:

-CRITICAL 2/17/2017 9:23:04 PM     Source: Kernel-Power     Event ID:41      Task Category: (63)

---

Here's some more elaboration: With regards to the VSS error, before the restart occurred minutes later, my desktop was spammed with VSS administrative popups, and I "no'ed" each popup, until my computer got buggy, and then the "explorer.exe stopped responding" error appeared, leaving me with only the desktop background, and after some time, I restarted the computer. And with some web browsing, I found out that this was what the virus was doing at that time:

It was USING the "vssadmin.exe Delete /Shadows /All /Quiet" command line to "silently" delete all Shadow Copies of my files, or in other words, the local backups of my files, preventing me from using the "Restore Previous Versions" option to recover my archived files. Once again, thank you.


Edited by Yenzy, 19 February 2017 - 09:26 AM.
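The sequence this post reconstructs (a binary under AppData\Local, then vssadmin deleting shadow copies, then the VSS error) is exactly what a defender would alert on. The following is an added example, not code from the thread: a small Python detector run over a constructed event list modelled on the Event Viewer lines and Malwarebytes paths above, with the timestamps, the Sysmon source and the parent process assumed.

```python
"""Detect the shadow-copy deletion pattern described in this thread.

Added example, not code from the thread. The events below are constructed:
Sysmon event 1 (process creation) records plus Application-log entries shaped
like the VSS 22 and Kernel-Power 41 lines quoted in the post.
"""
import re
from dataclasses import dataclass

# vssadmin ... delete ... shadows, any case, with or without the stray slash in
# "/Shadows" as typed in the post
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# executables under a user profile's AppData\Local are unusual parents for vssadmin
APPDATA_LOCAL = re.compile(r"\\users\\[^\\]+\\appdata\\local\\", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed sample input
    {"time": "2017-02-17 21:10:58", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Users\XamYenZae\AppData\Local\ASWORKS\tmpDFBA.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Users\XamYenZae\AppData\Local\ASWORKS\tmpDFBA.exe"},
    {"time": "2017-02-17 21:11:20", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Users\XamYenZae\AppData\Local\ASWORKS\tmpDFBA.exe",
     "cmdline": "vssadmin.exe Delete /Shadows /All /Quiet"},
    {"time": "2017-02-17 21:11:33", "source": "VSS", "event_id": 22,
     "message": "A critical component required by the VSS is not registered."},
    {"time": "2017-02-17 21:23:04", "source": "Kernel-Power", "event_id": 41,
     "message": "The system has rebooted without cleanly shutting down first."},
    {"time": "2017-02-18 09:05:00", "source": "Sysmon", "event_id": 1,  # benign admin use
     "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
]


@dataclass
class Finding:
    time: str
    severity: str  # HIGH, MEDIUM, LOW or INFO
    detail: str


def classify(ev: dict) -> list:
    """Map one event to zero or more findings."""
    out = []
    if ev["source"] == "Sysmon" and ev["event_id"] == 1:
        if VSSADMIN_DELETE.search(ev["cmdline"]):
            # deletion launched by something in AppData\Local is the ransomware
            # pattern; from an admin shell it still deserves a look
            sev = "HIGH" if APPDATA_LOCAL.search(ev["parent"]) else "MEDIUM"
            out.append(Finding(ev["time"], sev,
                               f"shadow copy deletion: {ev['cmdline']} (parent {ev['parent']})"))
        elif APPDATA_LOCAL.search(ev["image"]):
            out.append(Finding(ev["time"], "LOW",
                               f"process started from AppData\\Local: {ev['image']}"))
    elif ev["source"] == "VSS" and ev["event_id"] == 22:
        # on its own a configuration fault; next to a deletion it corroborates VSS tampering
        out.append(Finding(ev["time"], "INFO", f"VSS event 22: {ev['message']}"))
    return out


def analyze(events) -> list:
    """Findings in time order, i.e. the timeline an analyst would write up."""
    findings = [f for ev in events for f in classify(ev)]
    findings.sort(key=lambda f: f.time)
    return findings


def shadow_deletion_detected(events) -> bool:
    """True when any event shows vssadmin deleting shadow copies."""
    return any(f.detail.startswith("shadow copy deletion") for f in analyze(events))


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.time, f.severity, f.detail)
```

A plain "vssadmin list shadows" from an admin shell produces no finding, while the same binary deleting shadows with a parent under AppData\Local is rated HIGH.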


#5 quietman7 (Bleepin' Janitor, Global Moderator, 49,920 posts)

Posted 19 February 2017 - 04:52 AM

Samples of suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful for analysis and investigation by our crypto malware experts.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#6 Yenzy (Topic Starter, Members, 20 posts)

Posted 19 February 2017 - 09:08 AM

> Samples of suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful for analysis and investigation by our crypto malware experts.

 

Thank you for another response.

 

I finally submitted the file, named "NDP40-KB2736428.msp", contained within a folder with the name "1bcbf09ef1ac9dafe505eb49", which I thankfully still haven't permanently deleted. There is also this weirdly named file, "worms.dll", that I'm afraid to restore to upload (I manually deleted it), which could also be involved with this ransomware we're dealing with.

 

Please note! I want to clear up some confusion: My files got archived, not encrypted (or perhaps it was still encrypted in another sense, whatever), and were relocated to a password-protected archive for which I am not paying the ransom for the password whatsoever. What I meant to say was that no file extensions were changed, no files were mangled, the files were just locked up in this WinRar v5.00 archive; I'm trying to imply that I cannot submit or provide any kind of infected or damaged files.

 

Also an update: Using the currently only working tool for version 5 RARs, RAR Password Cracker, I learned that, presumably, the length of the password will never be below 8 characters. Right now, my foreseeable temporary solution is to back up these "All_Your_Documents.rar" archives onto a hard disk, flash drive, or any other removable storage device, and wait for a solution to come in the near future for my preserved files, but I will still continuously and actively look for a more rapid response to this password and ransomware problem we're dealing with. Take note that I've already reported this criminal activity to overseas authorities (the FBI in the US).

 

Another related question: Does anyone have a more knowledgeable idea about RAR passwords, RSA2048 encryption (can someone tell me if RAR passwords actually use this kind of algorithm), and a way to bypass these passwords either through unorthodox (cmd, etc.) or legitimate means? Still can't contact WinRar support right now, I'm actually using the trial version of their product.

 

PS: Right now I'm working really "hard" (kind of) to kickstart an apprehension campaign against cybercrime perpetrators and their operations (ransomware and stuff) here in our country, the Philippines, either through social media or advocacy means, since our country (located in SE Asia) is kind of slow when it comes to cybercrime. I believe this is a national and international threat because not only does it cause inconvenience and unnecessary and unguaranteed spending, it's starting to hit people here around me, either through CryptoLocker and the like, so if you want to join me (there's actually "nothing" to join right now) and many others, you can always contact me using this Yahoo! account: lolohebron@yahoo.com.ph, and help "us" fight these criminals and their criminal medium.


Edited by Yenzy, 19 February 2017 - 09:14 AM.


#7 Demonslay335 (Ransomware Hunter, Security Colleague, 3,245 posts)

Posted 19 February 2017 - 12:32 PM

WinRAR uses AES256 if I recall correctly. When you password-protect an archive (with any archiving program, 7-zip, etc.), it actually encrypts the archive. No real way to crack that. I don't know what the mention of RSA-2048 would be until we see the malware. Authors of these things usually throw crypto terminology around when they don't fully understand it themselves. My guess is if it actually uses RSA-2048, it is to encrypt the key, as that is the usual use of it. That text blob in your ransom note could be the WinRAR password encrypted by a public RSA key that only the hackers can decrypt with their corresponding private key.

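To make the hybrid model in this reply concrete, here is an added example (not code from the thread or from the malware): a textbook, unpadded RSA key-wrap of an archive password, plus a size check of the <RSA2048> block quoted in post #1. Unpadded RSA is used only so the size relationship is visible; real key wrapping uses OAEP padding, and the key-generation helpers are assumptions of this example, not anything observed in the malware.

```python
"""Why the note's <RSA2048> block cannot give back the archive password.

Added example for this thread, not malware code: textbook RSA key-wrap
(no padding, for illustration only) plus a size check of the note's block.
"""
import base64
import secrets

# The <RSA2048> block from the ransom note quoted in post #1, joined into one string.
NOTE_BLOB = (
    "Mnw3/Dm1wQrVK8rnYB9K+lrPQB172myj+oGfvX1iQ7qtXo75b7eQuk94Q3pvO1LxW7VTFP8N"
    "djIbQxHuk1gprwhPnOLOqFcS/PYge7zMLyDjLfiTfA9hWc91ANVv51UgVYwvS/BKA0GVXBtT"
    "6jzPNbwZeaKlgtTQHxWNYq0mMz3IGeH5zRc9pxB/rsc1jODzsoCNoTz1TpQq2IaHM1zZLemH"
    "eU3FJ6oKWtrqKutLS5+dYi/fJgTrXFzT0MEvFND6FDc/rMDGammT8lhyikQ7JBYEAcZVEprs"
    "+ujygMSq2hIvsZSoNzOZ4tbCtGyJTaxGhtbNMz6lBPoh9ZV1Pe6tqQ=="
)
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97)


def blob_size_bits(blob_b64: str) -> int:
    """Size in bits of the decoded base64 block."""
    return len(base64.b64decode(blob_b64)) * 8


def consistent_with_rsa_ciphertext(blob_b64: str, modulus_bits: int = 2048) -> bool:
    """A raw RSA ciphertext is exactly one modulus wide; an obfuscated password
    would be far shorter and would not land on this size."""
    return blob_size_bits(blob_b64) == modulus_bits


def _probably_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random prime with its top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if _probably_prime(cand):
            return cand


def generate_keypair(bits: int = 2048):
    """Return ((n, e), (n, d)); the private half never leaves the attacker."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def wrap_password(password: bytes, pub) -> str:
    """Encrypt the archive password under the public key. The output is base64
    of a modulus-sized ciphertext, the same shape as the block in the note."""
    n, e = pub
    m = int.from_bytes(password, "big")
    if not 0 < m < n:
        raise ValueError("password too long for this modulus")
    k = (n.bit_length() + 7) // 8
    return base64.b64encode(pow(m, e, n).to_bytes(k, "big")).decode()


def unwrap_password(blob_b64: str, priv) -> bytes:
    """Recover the password; only possible with the private exponent d."""
    n, d = priv
    c = int.from_bytes(base64.b64decode(blob_b64), "big")
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    pub, priv = generate_keypair(2048)
    password = secrets.token_urlsafe(24).encode()  # random archive password
    blob = wrap_password(password, pub)
    print("demo blob bits:", blob_size_bits(blob), "note blob bits:", blob_size_bits(NOTE_BLOB))
    print("round trip with private key:", unwrap_password(blob, priv) == password)
```

The note's block decodes to 256 bytes, exactly one 2048-bit modulus, which is the shape of a raw RSA-2048 ciphertext and not of a lightly obfuscated password; without d the victim's side has nothing to invert.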


#8 Amigo-A (Members, 220 posts)

Posted 19 February 2017 - 01:36 PM

 
> WinRAR
> Compress, Encrypt, Package and Backup with only one utility:
> Full RAR and ZIP support
> Safe 256-bit AES Encryption
> Most Translated Software
> Integrated Back-Up Features

Yes.

In particular it is written in the WinRar FAQ (par. 9)

http://www.win-rar.com/faq.html?&L=0


Edited by Amigo-A, 19 February 2017 - 01:38 PM.

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#9 Yenzy (Topic Starter, Members, 20 posts)

Posted 19 February 2017 - 05:41 PM

> WinRAR uses AES256 if I recall correctly. When you password-protect an archive (with any archiving program, 7-zip, etc.), it actually encrypts the archive. No real way to crack that. I don't know what the mention of RSA-2048 would be until we see the malware. Authors of these things usually throw crypto terminology around when they don't fully understand it themselves. My guess is if it actually uses RSA-2048, it is to encrypt the key, as that is the usual use of it. That text blob in your ransom note could be the WinRAR password encrypted by a public RSA key that only the hackers can decrypt with their corresponding private key.

> WinRAR
> Compress, Encrypt, Package and Backup with only one utility:
> Full RAR and ZIP support
> Safe 256-bit AES Encryption
> Most Translated Software
> Integrated Back-Up Features
>
> Yes.
>
> In particular it is written in the WinRar FAQ (par. 9)
>
> http://www.win-rar.com/faq.html?&L=0

So can they be bypassed? If so, how? I'm currently doing some reading on this AES256 thingy, perhaps there is a bug or something like that in that cryptographic algorithm. If nothing else proves to be feasible, what else do you think I can try to restore my files from this "All_Your_Documents" attack? But first, I gotta go to school, final exam is coming, so please expect more updates later in the afternoon.

 

One more thing, I think that I didn't get infected through email attachments or spam; I think browsing the web is sufficient to let the ransomware into the system (I didn't have an antivirus installed at that time, and I regret that), maybe through exploiting a bug in Google Chrome or even Adobe Flash Player, however, I'm not sure if this kind of incident is even possible.


Edited by Yenzy, 19 February 2017 - 05:41 PM.


#10 Demonslay335 (Ransomware Hunter, Security Colleague, 3,245 posts)

Posted 19 February 2017 - 06:02 PM

No, AES256 is impossible to crack in our lifetime. The only times AES has been "compromised" is by stupid mistakes with how the key is created or stored by the malware author, not the algorithm itself.

 

The "I have forgotten my password, how can I recover it?" section of the FAQ @Amigo-A linked very clearly states they can't help you.

> I have forgotten my password, how can I recover it?
>
> RAR encryption does not contain backdoors, so the only possible way to find a password is to test all possible character combinations.
>
> Remember that if you lose your password, you will be unable to retrieve the encrypted files, not even the WinRAR author is able to extract encrypted files.

 

Exploits in browsers, and more-so plugins, are very possible if you do not keep your computer up to date. However, I highly doubt this ransomware would have come through an exploit kit (a paid-for service that distributes malware by using a "shotgun" approach to attempting hundreds of known exploits against your system). My reasoning behind this is that ransomware that use exploit kits usually have a MUCH more successful campaign, and we'd typically see an explosion of victims (e.g. Locky, Cerber, CryptoMix, previously TeslaCrypt, etc.); we've seen very few cases of this particular one.




#11 Yenzy (Topic Starter, Members, 20 posts)

Posted 20 February 2017 - 06:40 AM

> No, AES256 is impossible to crack in our lifetime. The only times AES has been "compromised" is by stupid mistakes with how the key is created or stored by the malware author, not the algorithm itself.
>
> The "I have forgotten my password, how can I recover it?" section of the FAQ @Amigo-A linked very clearly states they can't help you.
>
> > I have forgotten my password, how can I recover it?
> >
> > RAR encryption does not contain backdoors, so the only possible way to find a password is to test all possible character combinations.
> >
> > Remember that if you lose your password, you will be unable to retrieve the encrypted files, not even the WinRAR author is able to extract encrypted files.
>
> Exploits in browsers, and more-so plugins, are very possible if you do not keep your computer up to date. However, I highly doubt this ransomware would have come through an exploit kit (a paid-for service that distributes malware by using a "shotgun" approach to attempting hundreds of known exploits against your system). My reasoning behind this is that ransomware that use exploit kits usually have a MUCH more successful campaign, and we'd typically see an explosion of victims (e.g. Locky, Cerber, CryptoMix, previously TeslaCrypt, etc.); we've seen very few cases of this particular one.


Perhaps in the non-foreseeable future (a century or more from now), someone can find a way to beat this AES256 encryption to the ground, or perhaps on that far-far date, authorities can finally crack down on the perpetrators and beat the password out of them, which makes my plan to preserve the files a little bit more sane... but, now that I have little to no hope of decrypting the file (this kind of stuff is starting to inspire me to become an IT student or even a lawyer so I could find a way to, ARGHH), could you please take a look at these WEIRD-looking files (I already deleted them, sadly), and can you please provide a summarized description for each? I'm gonna work myself to try and find out what these files are doing (or have done) on my system (I'm gonna try to find a way to restore them so that I can upload them to this forum):

1) Backdoor.Bot.E, C:\USERS\XAMYENZAE\APPDATA\LOCAL\MICROSOFT\PERFORMANCE\MONITOR\PERFORMANCEMONITOR.DLL, Quarantined, [2018], [369262],1.0.1288
2) Trojan.Fileless.MTGen, HKU\S-1-5-21-471565784-3936403322-1591365284-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^UCFNDG, Quarantined, [452], [339967],1.0.1288
3) PUP.Optional.SpyHunter, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{705E816D-7B70-4A8B-A7C3-9CA63588ED53}, Quarantined, [1676], [332366],1.0.1288
4) Trojan.Miuref.THC, C:\USERS\XAMYENZAE\APPDATA\LOCAL\ITKSOFT\NTCVIDGP.DLL, Quarantined, [7600], [65255],1.0.1064
5) Trojan.Boaxxe, C:\USERS\XAMYENZAE\APPDATA\LOCAL\ASWORKS\TMPDFBA.EXE, Quarantined, [81], [357022],1.0.1064

I'm gonna give some more updates once I finish researching these files. Thank you for the support I'm getting, but again, I cannot stress this more clearly:

 

If ever someone out there is also having troubles with the "All_Your_Documents" ransomware, please... try creating an account to voice out on this forum, try contacting me through this email (lolohebron@yahoo.com.ph), or something. This situation kind of makes me feel like the first and last person (unfortunately fortunate) to get hit with this ransomware.

 

Right now, I'm gonna try to find a means to contact Mr. Michael Gillespie, the security researcher that first discovered this ransomware-type virus 7 days ago, so that I can perhaps get a sample of the malicious file that I can send to you guys. After much more browsing, many articles (that date back at least 4 days) are pointing out that this is a medium-risk dangerous ransomware virus, and that didn't really help a lot.

 

And I'm not exactly sure if asking this is alright: Community of Bleeping Computer, you've been helpful, but can you please refer me to some more forums or websites where I can report this ransomware we're dealing with, 'cause I want to maximize the exposure of this ransomware as much as possible in the public and expert eyes. Thank you in advance again.



#12 Yenzy (Topic Starter, Members, 20 posts)

Posted 20 February 2017 - 09:24 AM

Just a heads up!

 

I just noticed that "Demonslay335" is Mr. Michael Gillespie, so that's something. Anyways, I found out that the "All_Your_Documents" ransomware is a Trojan; presumably the ones stored in the folders with a jumble of letters and numbers as a name are the Trojan, so right now I can theorize what could have happened to me: I opened this website, wherein a malicious JavaScript is contained, it got activated, it created a folder containing the malicious file in it in "...XamYenZae\Appdata\Local..." (XamYenZae is our computer name), the malicious file is a DLL file: "Backdoor.Bot.E", "PerformanceMonitor.dll", "worms.dll" or something like those. It caused my computer to connect to a remote server from where it downloaded the MAIN Trojan that started all this (I'm currently trying to identify it).

 

So in short, here is how it follows:

1) Unauthorized drive-by download and installation from a *website.
2) (Unknown) DLL file creation.
3) Connection to perpetrator servers.
4) Download of the main Trojan file.
5) .dll file attack proceeds: Trojan file (presumably a .dll file) got initialized.
6) Archiving begins using WinRar 5.00 as its medium, encryption presumably through AES256, not RSA-2048.
7) Deletion of Volume Shadow Copy Service (VSS) files, administrator permission request prompted. (Silent deletion through "vssadmin.exe Delete /Shadows /All /Quiet" command line)
8) Files archived, password generated possibly through random (public key) RSA-2048 algorithm (please check the last line of the .txt file in my first post). Once again connected to perpetrator servers (possibly C2 remote servers) to store the private key of the RSA-2048 algorithm.
9) Password implemented.
10) Me recovering from what just happened.

Please correct me since I am certain the step-by-step theory I wrote above is presumably wrong, especially with the #8 part. I don't want to sit down and just play the waiting game by preserving the locked .rar file. *The website was probably a torrenting website, since I was browsing for torrents at that time, which I know is wrong, and I kind of feel the pain or karma right now, I feel bad.



#13 Demonslay335 (Ransomware Hunter, Security Colleague, 3,245 posts)

Posted 20 February 2017 - 09:40 AM

There's seriously nothing we can do without the malware itself. We can sit here spinning wheels on theorizing what it does all day, but that won't get us anywhere until we have the sample itself.

 

Those detection names are not always the most useful. It does confirm there was a backdoor involved (possibly multiple), which you are correct in presuming could be related to downloading the ransomware itself, or it could just be packaged with it for other actors to gain access to your system. The "Trojan.Fileless.MTGen" is usually Poweliks, which is just a trojan that runs from the registry and sucks up your CPU doing nothing pretty much. The other trojans listed there are old backdoor trojans according to Symantec and a few other sources. They are not the encrypting malware. And well, SpyHunter... is SpyHunter. Wouldn't recommend it, but it isn't necessarily malicious.

 

P.S. Yep, I'm Michael. :) That's why I talked about seeing it on ID Ransomware before, and I was the one who tweeted the hunt for it. I only saw an upload of the ransom note, no malware found that drops it yet.


Edited by Demonslay335, 20 February 2017 - 09:42 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#14 Amigo-A


Posted 21 February 2017 - 05:26 AM

Yenzy

Remove the files C:\Users\Xamyenzae\Appdata\Local\Microsoft\Performance\Monitor\Performancemonitor.Dll and others from quarantine.

And send them to the researchers, if you have not already done so.


Edited by Amigo-A, 21 February 2017 - 05:28 AM.

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#15 Yenzy


Posted 21 February 2017 - 08:34 AM

Yenzy

Remove the files C:\Users\Xamyenzae\Appdata\Local\Microsoft\Performance\Monitor\Performancemonitor.Dll and others from quarantine.

And send them to the researchers, if you have not already done so.

GOOD GOD! I Think I Finally Found the Main Trojan File(s):

In "C:\Users\XamYenZae\AppData\Local\Microsoft\Performance\Monitor\temp", I found these files (temporary files, executables, applications, patches etc.) that I hope are linked to the ransomware. Here is a list of their file names and a summary of their descriptions (from properties) (Note: these files are those I found to have been last modified on Feb. 9-17, 2017, the time I presume the Ransomware was launched and a campaign was active):

1) NAME: tmp55D53.exe
    SIZE: 365 KB
    CREATED AND MODIFIED: Friday, February 17, 2017, 5:50:11 PM
    FILE DESCP: SumatraPDF
    FILE VERSION: 3.1.0.9811
    NOTE: Accompanied by a tmp5D53.tmp file

2) NAME: tmpAACA.exe
    SIZE: 338 KB
    CREATED AND MODIFIED: Friday, February 17, 2017, 7:41:54 PM
    FILE DESCP: SFX RAR archive (Version to extract: 2.9) (Dict. Size: 256 KB)
    NOTE: In its properties, it has a comment that reads:

    ;The comment below contains SFX script commands
    Setup=out.wsf
    TempMode
    Silent=1

    NOTE CONTINUATION: Accompanied by a tmpAACA.tmp file

3) NAME: tmpDD9F.exe
    SIZE: 390 KB
    CREATED AND MODIFIED: Thursday, February 9, 2017, 9:11:52 PM
    FILE DESCP: SumatraPDF
    FILE VERSION: 3.1.0.9811
    NOTE: Oh my GOD, something's wrong, gotta work quick: Accompanied by a tmpDD9F.tmp file
 
IMPORTANT NOTE: While I was looking through these VERY SUSPICIOUS files, precisely the tmp55D53.exe and tmpDD9F.exe files, and specifically by trying to open their properties, Malwarebytes (my current antivirus) detected them as MALWARE! SPECIFICALLY, Malwarebytes described it as this, PLEASE NOTE:

Threat: Ransom.Kovtar

Here's a quick guess: these temporary files are the Trojans that I got from a browser vulnerability, and these TROJANS used the "performancemonitor.dll" as the backdoor to wreak havoc on my precious files!
I'm worried that it must all be starting over again because I re-accessed the files; this sent chills down my bloody spine.

So right now I'm gonna UPLOAD these files, I hope that you guys have a quick look at them, I'm gonna go quarantine these Trojans as soon as I can!

EDIT NOTES: This is getting intense. Finally SUBMITTED AND LINKED the files, after that, I subsequently quarantined them. Due to my rush earlier, I overlooked these other malicious file(s) once again in the temp folder:

4) NAME: tmpC787.tmp
    SIZE: 0 KB
    CREATED AND MODIFIED: Monday, February 13, 2017, 9:23:08 PM
    FILE DESCP: (Opens with, Windows Shell Common)
    NOTE: Kind of nothing in this file, but the last time it was modified was just so suspicious.

5) NAME: tmpCB6C.exe
    SIZE: 114 KB
    CREATED AND MODIFIED: Monday, February 13, 2017, 
    FILE DESCP: SFX 7-Zip archive (Language: Chinese, File Version: 1.0.0.1)
    NOTE: Something's so wrong with this file!!! (Also accompanied by its own .tmp file)

EXTENDED NOTE! Malwarebytes once again detected something malicious about the files I'm analyzing, specifically the file "tmpCB6C.exe". When I re-accessed it, Malwarebytes detected it as follows, PLEASE NOTE:

Threat: Bootkit.Agent.VBR

I'm gonna upload #4 and #5 ASAP, and subsequently quarantine them, because I'm afraid the attack on my PC is starting all over again. I can't believe that these Trojans hid in a temporary folder and disguised themselves as legitimate files. I think right now we're on to something; just please take a look at the 5 files I uploaded for you guys to analyze. Please read this Post (#15) fully. Thank you in advance again!

PS: Sorry I can't find or restore the files from Post #11, since I've already deleted them and I regret that; the least I can do is find logs of their activities on my computer before I erased them, or try to find samples from the web itself.

Edited by Yenzy, 21 February 2017 - 09:06 AM.




