SCRYPTmail virus-encode ransomware (help2015@scryptmail)

MisterFister

Valued Member
@MadDancer
I can confirm your analysis. I inspected the files with tinyHexer. Exactly 30000 bytes are encrypted, if the file is larger than 30000 bytes. The first two bytes contain the size of the encrypted block, the next two bytes are zero. In my case the size of the file was changed. After the first 30000 encrypted bytes, the files are the same. But at the end of the encrypted file there are four bytes that the original one doesn't have. I could imagine this is the data from the beginning of the file, where the size of the encrypted block is located in the encrypted file.
 
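The layout described in the post above (a 4-byte header, 30000 bytes changed, the rest of the file untouched, four extra bytes at the end) can be checked mechanically against any original/encrypted pair a victim still has, for example from a backup. The script below is an added example, not code from the thread or from any vendor tool. It assumes a little-endian 16-bit size field, that the 4-byte header lies inside the 30000-byte region (the file grows by exactly 4 bytes and offsets beyond 30000 line up, so this is the only layout consistent with the post), that the appended bytes are the displaced original first four bytes (the poster's speculation, reported as a separate flag), and that files smaller than 30000 bytes have their whole length in the size field (an assumption the thread does not confirm). The sample "encrypted" file is constructed with a toy XOR purely so the triage runs offline; it is not the ransomware's cipher.

```python
import struct

ENC_BLOCK_LEN = 30000   # bytes reported as encrypted per file (MisterFister's observation)
HEADER_LEN = 4          # assumed: uint16 block size + two zero bytes, inside the block
TRAILER_LEN = 4         # bytes appended at the end of the encrypted file


def triage(original: bytes, encrypted: bytes) -> dict:
    """Compare an original file with its encrypted twin and report which of
    the layout properties described in the thread actually hold.
    Returns a dict of findings rather than printing, so it can be asserted on."""
    report = {}
    report["size_delta"] = len(encrypted) - len(original)

    # header: little-endian uint16 block size, then two bytes expected to be zero (assumed format)
    block_size, pad = struct.unpack_from("<HH", encrypted, 0)
    report["header_block_size"] = block_size
    report["header_pad_zero"] = pad == 0
    # assumption: files shorter than 30000 bytes are encrypted whole
    report["block_size_matches"] = block_size == min(ENC_BLOCK_LEN, len(original))

    # the region before offset 30000 should differ (it was encrypted / overwritten by the header)
    report["head_region_changed"] = original[:ENC_BLOCK_LEN] != encrypted[:ENC_BLOCK_LEN]

    # everything from offset 30000 up to the trailer should be untouched plaintext
    tail_orig = original[ENC_BLOCK_LEN:]
    tail_enc = encrypted[ENC_BLOCK_LEN:len(encrypted) - TRAILER_LEN]
    report["tail_unchanged"] = tail_orig == tail_enc

    # the four appended bytes; the thread speculates these are the displaced original header bytes
    report["trailer"] = encrypted[-TRAILER_LEN:]
    report["trailer_is_original_head"] = report["trailer"] == original[:HEADER_LEN]
    return report


def build_sample_encrypted(original: bytes) -> bytes:
    """Constructed sample only: mimics the observed layout with a toy XOR so
    triage() has something to run on. This is NOT the malware's algorithm."""
    body = bytes(b ^ 0x5A for b in original[HEADER_LEN:ENC_BLOCK_LEN])
    header = struct.pack("<HH", min(ENC_BLOCK_LEN, len(original)), 0)
    return header + body + original[ENC_BLOCK_LEN:] + original[:HEADER_LEN]


def layout_consistent(report: dict) -> bool:
    """True when every property the post describes holds for this file pair."""
    return (
        report["size_delta"] == TRAILER_LEN
        and report["header_pad_zero"]
        and report["block_size_matches"]
        and report["head_region_changed"]
        and report["tail_unchanged"]
    )


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        # usage: python triage.py original.doc encrypted.doc
        with open(sys.argv[1], "rb") as f_orig, open(sys.argv[2], "rb") as f_enc:
            result = triage(f_orig.read(), f_enc.read())
    else:
        # constructed 40000-byte plaintext so the check runs offline
        sample = b"The quick brown fox " * 2000
        result = triage(sample, build_sample_encrypted(sample))
    for key, value in result.items():
        print(f"{key}: {value!r}")
    print("layout consistent with thread:", layout_consistent(result))
```

Run it on a real pair and compare the flags: `tail_unchanged` being false would mean more than 30000 bytes were touched, and `trailer_is_original_head` distinguishes the poster's guess about the trailing bytes from the confirmed facts.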

machura

New Email
@hrenki - I do not quite believe that you decrypted it with the Kaspersky tool. I checked the PC with Kaspersky Spyhunter and it did not find any infection, but there were 3.tmp and 4.tmp files with the infection on the PC (virus detected when uploaded to VirusTotal) from the time when the files were encrypted. And some blablabla 512B file.

Tell me the differences between safe mode and normal mode for the Kaspersky tool? I tried zip, tried xls on a very powerful PC and no success. Which code was in the names of your files? Did you try it on the infected or a clean machine?
 

hrenki

Valued Member
After the infection I cleaned everything with Malwarebytes, then I searched for ransomware decryption tools, found Kaspersky Rakhni and gave it a try. The file was a .doc, size ca. 500kB

The Kaspersky exe was in the Downloads folder and the doc file in My Documents
 

MadDancer

Valued Member
@machura
Same for me, but the "blablabla" file has size 522b, and there was a png file with a random filename too. Virustotal.com writes that the .tmp file, upon execution, creates a file in the root of the system drive (C:\) with a long random name. But the file is gone on my system.
 

machura

New Email
@MadDancer - and no exit.hhr.oshit on the PC. The "blablabla.." file has 525B (not 512B)
In the png file there is something like the result of a spider.

@hrenki - do you have "exit.hhr.oshit" on the PC?
 

hrenki

Valued Member
Where should I find "exit.hhr.oshit"?
I returned the laptop to the client after decryption...
Rakhni didn't leave anything except a log file (about 15MB) in C:/
 

MadDancer

Valued Member
Immediately after the client called me (Tuesday afternoon) and told me they cannot open files from the server and the names of the files had changed, I searched the internet and found this forum, where I saw Hrenki's post linking to the Kaspersky utility. And in the Kaspersky description I saw a note about the .oshit file and that the file may be deleted. I booted the infected PC from Hiren's Boot DVD and tried to find the .oshit file manually, and then listed all deleted files in R-Studio, but nothing helpful was found. I want to leave the source PC untouched, in case I must pay the ransom to the criminals.
 

hrenki

Valued Member
Hmm, maybe it found the password at 11:43 but I came home from work at 17 and there was a message that the pass was found... so maybe it continued the log after I clicked OK
 

MadDancer

Valued Member
Hmm, maybe it found the password at 11:43 but I came home from work at 17 and there was a message that the pass was found... so maybe it continued the log after I clicked OK
I guess so. As I said previously - you were the last lucky man in this case ;-) I tried another encrypted file - DOC - no success.
 

machura

New Email
Maybe your number starts with zero? My first number is not zero (=> 10 digits). Could you put one of your encrypted files somewhere for a test?

Lucky man...
 