SCRYPTmail virus-encode ransomware (help2015@scryptmail)

Discussion in 'SCRYPTmail' started by popowich, Aug 5, 2015.

  1. MisterFister

    MisterFister Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    16
    Likes Received:
    1
    @MadDancer
    I can confirm your analysis. I inspected the files with tinyHexer. Exactly 30000 bytes are encrypted, if the file is larger than 30000 bytes. The first two bytes contain the size of the encrypted block, the next two bytes are zero. In my case the size of the file was changed. After the first 30000 encrypted bytes, the files are the same. But at the end of the encrypted file, there are four bytes the original one doesn't have. I could imagine this is the data from the beginning of the file, where the size of the encrypted block is located in the encrypted file.
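    A way to do this comparison programmatically, as an added example that is not from the thread or from any of the posters: given a pristine copy of a file (backup, mail attachment, copy on another host) and its encrypted counterpart, it reports the size change, the 4-byte header, the offset from which the two files agree again and the trailing bytes, which is exactly what was checked by hand in tinyHexer above. The sample content, the 30000-byte block limit, reading the header as a little-endian uint32, the placement of the displaced first four bytes at the end and the XOR stand-in cipher inside make_sample_pair are all constructed assumptions that mirror the description in the post; the real cipher is not known from this thread and is not reproduced. triage_pair itself assumes nothing about the layout and works as a generic damage-scope check on any original/encrypted pair.

```python
import struct

# Layout as described in the post above (an assumption for this demo,
# not the malware's documented format):
#   bytes 0..3   : little-endian uint32 = size of the encrypted block
#                  (two size bytes followed by two zero bytes)
#   bytes 4..N-1 : ciphertext over the start of the original, N = min(len, 30000)
#   bytes N..    : unchanged remainder of the original file
#   last 4 bytes : extra bytes, hypothesised to be the displaced original bytes 0..3
HEADER_LEN = 4
ENC_BLOCK_MAX = 30000


def make_sample_pair(original: bytes, key: int = 0x5A) -> bytes:
    """Construct an 'encrypted' counterpart that follows the layout above.

    XOR with a constant is only a stand-in so the demo runs offline; the real
    cipher used by the malware is unknown from the thread and NOT reproduced.
    """
    if len(original) < HEADER_LEN:
        raise ValueError("sample must be at least 4 bytes")
    n = min(len(original), ENC_BLOCK_MAX)
    header = struct.pack("<I", n)
    scrambled = bytes(b ^ key for b in original[HEADER_LEN:n])
    return header + scrambled + original[n:] + original[:HEADER_LEN]


def triage_pair(original: bytes, encrypted: bytes, min_run: int = 64) -> dict:
    """Compare an original/encrypted pair and report how much of it was touched.

    Every field is derived purely from the two byte strings, so this works as
    a generic damage-scope check whenever a pristine copy is available.
    """
    size_delta = len(encrypted) - len(original)
    declared = (struct.unpack("<I", encrypted[:HEADER_LEN])[0]
                if len(encrypted) >= HEADER_LEN else None)

    # First offset from which both files agree for at least min_run bytes
    # (or up to the end of the shorter file). A run rather than a single byte,
    # so chance single-byte collisions inside ciphertext don't end the scan early.
    common = min(len(original), len(encrypted))
    sync = None
    for off in range(common):
        run = min(min_run, common - off)
        if original[off:off + run] == encrypted[off:off + run]:
            sync = off
            break

    tail_intact = sync is not None and encrypted[sync:len(original)] == original[sync:]
    trailing = encrypted[len(original):] if size_delta > 0 else b""

    return {
        "size_delta": size_delta,
        "declared_block_size": declared,
        "header_hex": encrypted[:HEADER_LEN].hex(),
        "sync_offset": sync,            # None: no untouched region found
        "tail_intact": tail_intact,     # True: everything from sync_offset on is original
        "trailing_hex": trailing.hex(),
        "trailing_matches_head": bool(trailing) and trailing == original[:len(trailing)],
    }


def constructed_original(length: int) -> bytes:
    """Deterministic sample content (constructed test data, not a real document)."""
    return bytes((i * 31 + 7) & 0xFF for i in range(length))


if __name__ == "__main__":
    # One file above the 30000-byte limit and one below it.
    for size in (40_000, 1_000):
        orig = constructed_original(size)
        print(size, triage_pair(orig, make_sample_pair(orig)))
```

    On the constructed 40000-byte sample the report shows a 4-byte growth, a header of 30 75 00 00 (30000 little-endian), resynchronisation at offset 30000 with the whole tail intact, and trailing bytes equal to the original's first four; on the 1000-byte sample no untouched region is found. Against real files, the same call tells you which part of each document survived the encryption and whether partial recovery of large files is even a question worth asking.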
     


  2. hrenki

    hrenki Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    13
    Likes Received:
    3
    Almost forgot to mention, I was in safe mode when Rakhni decrypted the files successfully.
     

  3. MisterFister

    MisterFister Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    16
    Likes Received:
    1
    I can't imagine this would make any difference, but who knows... it's at least worth a try...
    Thanks hrenki
     
  4. machura

    machura New Email

    Joined:
    Aug 13, 2015
    Messages:
    6
    Likes Received:
    0
    @hrenki - I don't quite believe that you decrypted it with the Kaspersky tool. I checked the PC with Kaspersky Spyhunter and it did not find any infection, but there were 3.tmp and 4.tmp files on the PC with the infection (detected as a virus when uploaded to VirusTotal) from the time when the files were encrypted. And some blablabla 512B file.

    Tell me the differences between safe mode and normal mode for the Kaspersky tool? I tried a zip, tried an xls on a very powerful PC and had no success. Which code was in the names of your files? Did you try it on an infected or a clean machine?
     
  5. machura

    machura New Email

    Joined:
    Aug 13, 2015
    Messages:
    6
    Likes Received:
    0
    @hrenki - what was the size of the file where you decrypted the code?
     
  6. hrenki

    hrenki Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    13
    Likes Received:
    3
    After the infection I cleaned everything with Malwarebytes, then I searched for ransomware decryption tools and found Kaspersky Rakhni, so I gave it a try. The file was a .doc, size approx. 500 kB.

    The Kaspersky exe was in the Downloads folder and the doc file in My Documents.
     
    popowich likes this.
  7. MadDancer

    MadDancer Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    15
    Likes Received:
    1
    @machura
    Same for me, but the "blablabla" file has size 522b, and there was a png file with a random filename too. Virustotal.com writes that the .tmp file upon execution creates a file in the root of the system drive (C:\) with a long random name. But the file is gone on my system.
     
  8. machura

    machura New Email

    Joined:
    Aug 13, 2015
    Messages:
    6
    Likes Received:
    0
    @MadDancer - and no exit.hhr.oshit on the PC. The "blablabla.." file has 525B (not 512B).
    In the png file there is something like a result spider.

    @hrenki - do you have "exit.hhr.oshit" on the PC?
     
  9. hrenki

    hrenki Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    13
    Likes Received:
    3
    Where should I find "exit.hhr.oshit"?
    I returned the laptop to the client after decryption...
    Rakhni didn't leave anything except a log file (about 15 MB) in c:/
     
  10. MadDancer

    MadDancer Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    15
    Likes Received:
    1
    Immediately after the client called me (Tuesday afternoon) and told me they cannot open files from the server and the names of the files had changed, I searched the internet and found this forum, where I saw hrenki's post with a link to the Kaspersky utility. And in the Kaspersky description I saw a note about the .oshit file and that the file may be deleted. I booted the infected PC from Hiren's Boot DVD and tried to find the .oshit file manually, and then listed all deleted files in R-Studio, but nothing helpful was found. I want to leave the source PC untouched, in case I must pay the ransom to the criminals.
     
  11. MadDancer

    MadDancer Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    15
    Likes Received:
    1
    Sorry, you are right, the filesize is 525 bytes.
     
  12. hrenki

    hrenki Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    13
    Likes Received:
    3
    I will try to get the client and search for that oshit file ;)
     
  13. hrenki

    hrenki Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    13
    Likes Received:
    3
  14. MadDancer

    MadDancer Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    15
    Likes Received:
    1
    Thank you for the log file. It looks like you are a lucky man :) Maybe they changed the encryption scheme the day after.
     
  15. MadDancer

    MadDancer Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    15
    Likes Received:
    1
    Why is there a time lapse of more than 5 hrs between the last combination attempt and the line with "password recovered"?
     
  16. hrenki

    hrenki Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    13
    Likes Received:
    3
    Hmm, maybe it found the password at 11:43, but I came from work at 17 and there was a message that the pass was found... so maybe it continued the log after I clicked OK.
     
  17. MadDancer

    MadDancer Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    15
    Likes Received:
    1
    I guessed so. As I said previously - you were the last lucky man in this case ;-) I tried another encrypted file - a DOC - no success.
     
  18. machura

    machura New Email

    Joined:
    Aug 13, 2015
    Messages:
    6
    Likes Received:
    0
    Maybe your number starts with zero? Mine does not have zero as the first number (=> 10 ciphers). Could you put one of your encrypted files somewhere for testing?

    Lucky man...
     
  19. hrenki

    hrenki Valued Member

    Joined:
    Aug 11, 2015
    Messages:
    13
    Likes Received:
    3
  20. machura

    machura New Email

    Joined:
    Aug 13, 2015
    Messages:
    6
    Likes Received:
    0
    Hmm... lucky man.
     
