Help, file extensions changed to .jse


10 replies to this topic

#1 agor76

Posted 30 June 2017 - 10:39 AM

Hi everyone,

A friend of mine has an old Windows 2003 server with some shared folders. This morning, he found out that every file in these folders has been encrypted (probably) and left with a .jse extension. The weird part is that every file has the same size of 330KB. I'm able to send a sample if you guys want or need it.

This friend of mine also told me that one of his colleagues received a mail carrying a false PDF invoice, from which everything could have originated, but sorry, I don't have much more to share.

Since I'm unable to find info about ransomware acting this way, I'm here asking for support, and of course I've already tried to upload a sample to the ID Ransomware website.

Obviously, feel free to ask.

Thanks to everyone

Agor



#2 cybercynic
Posted 30 June 2017 - 11:03 AM

Did you upload the ransom note AND an encrypted file to ID-Ransomware? What exactly did it report? If it could not identify the ransomware, it would have given you a SHA-1 hash to post here.

If ALL files are exactly 330KB, you have a real problem. Upload a few encrypted files to sendspace and post the download link here.


We are drowning in information - and starving for wisdom.


#3 quietman7

Global Moderator

Posted 30 June 2017 - 11:09 AM

What is the actual name of the ransom note?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 agor76
Posted 30 June 2017 - 11:14 AM

Sorry, I don't have any ransom note. I just uploaded an encrypted file to ID-Ransomware and the SHA-1 is a12e2f744beba156c8e58b84064e42d9794a885d

Here are some sample files:

https://www.sendspace.com/filegroup/OoihY%2BOu8XOJWG8Qh67RaQ

Thanks for your time



#5 quietman7

Global Moderator

Posted 30 June 2017 - 01:01 PM

Ok...Demonslay335 will advise when he gets a chance if that is enough information to identify the infection.

#6 agor76
Posted 30 June 2017 - 01:07 PM

Perfect.

Thanks again



#7 quietman7

Global Moderator

Posted 30 June 2017 - 01:10 PM

You're welcome.

#8 zainmax
Posted 30 June 2017 - 01:38 PM

> Sorry, I don't have any ransom note. I just uploaded an encrypted file to ID-Ransomware and the SHA-1 is a12e2f744beba156c8e58b84064e42d9794a885d
>
> Here are some sample files:
>
> https://www.sendspace.com/filegroup/OoihY%2BOu8XOJWG8Qh67RaQ
>
> Thanks for your time

There are two files, centri.jse and CIVICI 2010.jse. All hashes matched; they are the same. That means the files are identical.

But the SHA-1 which you gave is different.

Here are the hashes:

MD5 Checksum: 51F4D207759361D1FC39125E12830B39
SHA-1 Checksum: 7421397417E5D442649FE16ED44B5B8E76C63490
SHA-256 Checksum: 0275542544F20D41103B8DAC72D10BB91F9EE31B612EAED5BA5836587D589832
SHA-512 Checksum: E8A95AB97606E5229F995D0067D2D2B774AF67335D0D372E1A804E61B37B6B7872C5F5289B9C07F7DD49B16E945C40299C73D6C6BFE8CC5643F946FE61F35D13

MD5 Checksum: 51F4D207759361D1FC39125E12830B39
SHA-1 Checksum: 7421397417E5D442649FE16ED44B5B8E76C63490
SHA-256 Checksum: 0275542544F20D41103B8DAC72D10BB91F9EE31B612EAED5BA5836587D589832
SHA-512 Checksum: E8A95AB97606E5229F995D0067D2D2B774AF67335D0D372E1A804E61B37B6B7872C5F5289B9C07F7DD49B16E945C40299C73D6C6BFE8CC5643F946FE61F35D13
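The check zainmax performed above, generalised into a small triage script, as an added example that is not code from this thread or from ID Ransomware: it fingerprints each file, groups files by digest, and flags a share where many differently named files carry one identical blob, which is what distinguishes overwritten (unrecoverable) files from genuinely per-file encrypted ones. The sample files and the 330-byte payload are constructed stand-ins for the 330KB .jse files described in the thread.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for the .jse samples discussed in the thread: every
# "encrypted" file on the share carries the same 330-byte payload (the real
# files were 330 KB each), while one untouched document differs.
FAKE_PAYLOAD = bytes(range(256)) + b"\x00" * 74            # 330 bytes
SAMPLE_FILES = {
    "centri.jse": FAKE_PAYLOAD,
    "CIVICI 2010.jse": FAKE_PAYLOAD,
    "budget.xlsx.jse": FAKE_PAYLOAD,       # constructed third victim file
    "readme.txt": b"still a plain text file\n",
}

def fingerprint(data: bytes) -> dict:
    """Size plus the digests the thread compared (MD5, SHA-1, SHA-256)."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }

def sha1_matches(data: bytes, reported: str) -> bool:
    """Compare a file's SHA-1 with one reported by a tool such as ID Ransomware,
    ignoring case so upper/lower-case hex does not produce a false mismatch."""
    return hashlib.sha1(data).hexdigest().lower() == reported.strip().lower()

def identical_content_groups(files: dict, min_group: int = 2) -> dict:
    """Group files by SHA-256 and return groups of two or more names.
    Per-file encryption of distinct originals never yields collisions, so a
    large group means the originals were overwritten with a single blob."""
    groups = defaultdict(list)
    for name, data in files.items():
        groups[hashlib.sha256(data).hexdigest().upper()].append(name)
    return {h: names for h, names in groups.items() if len(names) >= min_group}

def triage(files: dict) -> str:
    """Verdict for a share: 'overwritten' when one identical-content group
    covers more than half of the files, otherwise 'distinct'."""
    groups = identical_content_groups(files)
    largest = max((len(n) for n in groups.values()), default=0)
    return "overwritten" if largest * 2 > len(files) else "distinct"

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, fingerprint(data))
    print(identical_content_groups(SAMPLE_FILES))
    print(triage(SAMPLE_FILES))
```

To run it against a real share, replace SAMPLE_FILES with a dict built by reading each file's bytes from disk; an "overwritten" verdict means the content is gone and only a backup can restore it.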

 



#9 cybercynic
Posted 30 June 2017 - 02:06 PM

The SHA-1 hash given by ID-Ransomware is not the same as those given in your post. 


Edited by cybercynic, 30 June 2017 - 02:29 PM.



#10 agor76
Posted 30 June 2017 - 03:05 PM

The SHA-1 given by ID-Ransomware seems to be different, but thanks to zainmax, I realized that all the files encrypted by this virus are the same, making them impossible to recover without a backup. Is it possible that I'm dealing with a poorly written virus?



#11 xXToffeeXx

Malware Response Instructor

Posted 02 July 2017 - 09:27 AM

> Hi everyone,
>
> A friend of mine has an old Windows 2003 server with some shared folders. This morning, he found out that every file in these folders has been encrypted (probably) and left with a .jse extension. The weird part is that every file has the same size of 330KB. I'm able to send a sample if you guys want or need it.
>
> This friend of mine also told me that one of his colleagues received a mail carrying a false PDF invoice, from which everything could have originated, but sorry, I don't have much more to share.
>
> Since I'm unable to find info about ransomware acting this way, I'm here asking for support, and of course I've already tried to upload a sample to the ID Ransomware website.
>
> Obviously, feel free to ask.
>
> Thanks to everyone
>
> Agor

Do you have the false PDF invoice? If so, we will have a look and see what you are dealing with. Unfortunately, the files are probably ruined without a backup.

 

xXToffeeXx~


Edited by xXToffeeXx, 02 July 2017 - 09:40 AM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

Malware Analyst at Emsisoft