February 23, 2015
The PandaLabs team recently discovered what appears to be a new variant of ransomware. The email includes a file called “Transfer returned wrong payment” and a .cmd extension that actually hides an executable.
When executing the file, the following notification is displayed:
An error in the file and nothing more. Nothing happens, right? Actually yes. What happens is that the malware is currently creating a folder in the background (C: xwintmp) and is downloading and executing a series of files.
Specifically, create the following 5 files:
· Chuingamshik -> File containing the word “chuingamshik”, which is probably the name of the project · filepas.asc -> File containing the PGP key calculated for the specific computer, as well as the ransom note · manager.exe -> File deposited by Transfer returned wrong payment.cmd and containing the malicious function of the malware · pgp.exe-> File that generates the custom PGP key · rar.exe -> File that encrypts the files on the machine
In order not to arouse suspicions and avoid the action of antivirus protection, the malware waits for a while using the “sleep” function of the Windows API, and then begins to “encrypt” all the files on the system:
Actually – and fortunately – it is not a real encryption process, but rather manager.exe starts to archive (or put in “RAR” files if you prefer) all the files on the system with a series of parameters and a password. , using the command line version of WinRAR.
The malware creates a random and unique key for each infection process, so that the initialization value of this key is the Windows API “GetCursorPos”. “GetCursorPos”, which is thrown 16 times, gets the X and Y coordinates of the mouse pointer at all times, making it impossible to guess or retrieve the key.
However, there is also good news. While the malware is “encrypting” the files, it is possible to easily retrieve the password from the memory as also shown in the image above. The value that starts with 5F0 and ends with 131 is actually the password used to encrypt the files. For example, you can use the Process Explorer tool to determine the command line arguments and extract the password.
As explained above, the filepas.asc file contains the PGP + key plus the ransom note, which is as follows:
Don’t pay the ransom. Restore files using Windows Volume Shadow Copy Service or directly from backup.
If you are fast enough, you will be able to obtain the necessary password and restore your files (don’t forget to ‘kill’ the manager.exe process once you have copied the password, or it will continue to encrypt the contents of your hard drive).
[+] Videos de nuestro canal de YouTube