
Spora Immunization Tool by Dario Goddin (Cykhet)


  • Please log in to reply
2 replies to this topic

#1 Cykhet

Posted 01 March 2017 - 12:52 AM

 
  • Why?
    • After my company was recently hit with the Spora Ransomware, I was motivated to develop an inoculation tool that makes a target workstation immune to future Spora attacks.
  • How?
    • Spora was written in Visual Studio in the C++ language. After unpacking, decompiling and analyzing the pseudo-source, I wrote the tool I'm presenting to you today.
  • What does it do?
    • The tool will identify the system drive where Windows is installed, then enumerate through the users' profile directories. After building this list, the application will write a small file containing an encrypted string to the AppData/Roaming folder(s). Before Spora infects a workstation, it will search for the presence of this file containing the unique signature. If it comes across a workstation containing this file, it will not infect the workstation.
  • What doesn't it do?
    • This tool will not remove any pre-existing Spora infections, nor will it decrypt any previously encrypted files. The purpose of this tool is to prevent you from being targeted by this ransomware in the future.
 
 
I wanted to note that there are 3 detections listed in VirusTotal - these are false positives and are the result of the reverse engineering and borrowing of a function contained within Spora that's the 'brains' of the application.

Screenshot of the Application in action: [image not captured]

Hash checksums can be found below:
Finally, the tool itself can be downloaded here: https://drive.google.com/open?id=0B8g_BoeOOuSROTdJbm00RUwyRUU

Please reach out with any questions, concerns or suggestions you may have. Looking forward to any feedback.

Thank you!

Edited by Cykhet, 01 March 2017 - 11:28 AM.
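A coverage check for the approach described in this post, added here as an example and not part of Cykhet's tool: it enumerates the local user profiles from the registry ProfileList and reports whether each profile's AppData\Roaming folder holds the immunization marker file. The marker file name and its signature are not given in the post, so the file name below is a placeholder that has to be replaced with the real one.

```powershell
# Added example, not the Spora Immunization Tool's own code.
# Audits which user profiles' AppData\Roaming folders contain the marker file
# the post describes. The real file name is not disclosed in the post, so the
# default below is a PLACEHOLDER and must be replaced before use.
param(
    [string]$MarkerFileName = 'IMMUNIZATION_MARKER_PLACEHOLDER.dat'
)

# The drive Windows is installed on, as the post describes the tool doing.
$systemDrive = $env:SystemDrive

# Enumerate profiles from the ProfileList key instead of assuming C:\Users,
# so relocated profile directories are also checked. Service/system profiles
# (not under \Users) are skipped.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profileDirs = Get-ChildItem -Path $profileListKey |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ProfileImagePath } |
    Where-Object { $_ -and ($_ -like "$systemDrive\Users\*") }

# One row per profile: is the marker present in <profile>\AppData\Roaming ?
$report = foreach ($dir in $profileDirs) {
    $marker = Join-Path -Path $dir -ChildPath "AppData\Roaming\$MarkerFileName"
    [pscustomobject]@{
        Profile   = $dir
        Protected = Test-Path -LiteralPath $marker -PathType Leaf
    }
}

$report | Format-Table -AutoSize

# Non-zero exit when any profile lacks the marker, so the audit can be scripted
# (e.g. run after the tool on each workstation to confirm full coverage).
if ($report | Where-Object { -not $_.Protected }) { exit 1 } else { exit 0 }
```

Run it from an elevated prompt so every profile directory is readable; a profile created after the tool was run will show up as unprotected until the tool is run again.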


#2 xXToffeeXx

Posted 01 March 2017 - 06:01 AM

The issue with this is that if the criminals realise, they may change how they do immunisation. This means that it screws over those who paid.

I like the idea, but I just hope I'm wrong.

xXToffeeXx~



#3 Cykhet

Posted 01 March 2017 - 11:19 AM

The issue with this is that if the criminals realise, they may change how they do immunisation. This means that it screws over those who paid.

I like the idea, but I just hope I'm wrong.

xXToffeeXx~

Agreed that this is a possibility. Let the cat and mouse game commence.





