Possibly Crypto Malware infection "freemail.org"
#1
Dear Britec members

A friend of mine has a problem with his PC: it seems he got infected, and the files on his workstation got encrypted.

My friend is currently working on disinfecting the box. The problem is, how do I find out what encrypted the files, maybe which encryption algorithm is in use... so I might have a chance of breaking the crypto (if any)?

Running checks on e.g. a PDF file with VirusTotal shows no infections within the PDF; file type detection only reports it as octet-stream data, not the usual PDF file string.

A typical filename of such an "encrypted file" is ART.DBF.id-someid_helpme@freemail.org

File content of the encrypted DBF:

Code:
B   ^@^@û^?<92>½ëò<9d>Y:É9<86>h£^Ny«¥~Äø^U^G:¦Ò­Úowù<85>Y»Ö<9a>^Zk^C¼økÄ <9e>_Gs<9e>rµ<81>-yÍ«^[kÀ¯×£<8d>a^H<8e>³ÍP^D)<83> ÿÇ@                               ÇñεûC×^P½^GW3^[\(æ<<83>ÙÜ)F<80>¤ï¥Ò·Ôö!¦^?;àöÇ<9f>­f<84>¤G6­^M6$ã<8c>&Ã.Ø"»¹JÐÅVtÒ<8d>zJ½º$,¶øÔyÖ<91>6<85>±¼|¬#ë^] ZBþYað½<9c>¡©<90>òjX^P<9b>yü^N<9e>x¢ÙÀ:  ªÈ<8a>^M^CCI<93>a¡Tã:<ÓVµ<86>^UçÇ^[m¡PÚ«^?ú®é<86>§<9d>ÁúX¿S¯¶ê÷ïì¸8±^AËRooe<8d>"ÉlDs¿#3d<87>^N§<93>%1o^U^\2ã^Q^R©xç^N±£¹ÿ<8a>n'^W<99>n@^Z,                   íÒÀÅd<80>ü±<9d>#(^KôYmß´Ä^R^Lê·Ûñ^Os¶¶<8e><8c>×5^U<94>Æ]´ñΣ W÷²×&ù¶Öo_<82>(Ç^D<87>^Rûk^\¸æ`Uú¤oäþD-                                                         M°<8e><85>^H_\¦þ<8b><9f>¶ð^Rãûº¤^\Én<80>£¹<8a>\zÉ^A^P$µOâ¸Ss^XW/                                                                                             P<95>ê^]<8b>%%âZ^Hý¡<9e>"<87><90><8e>{M^?ùM%<96><8e>ýtçôª²^A¨u<9e>ù^MU^_omå^UÚGÕ¦½Ü$vìöú<9f>ì<9f>3a                                                          »*ÿÌ)6r^\BÎþUë  y¬Y^T<98>£é<86>¬üÔ^A¨<98>¨<93>¸hg§-V^X^GT<8f>[Tcã<83>è®"<92><85><87>â^Y2ìñtÙãD!^G<85>zû¹#í¥lêD<²ÉÔ^Ruimüê<94>Ì#^ZÊÖûe<92>2<91>/              {9^^EG<92>ÝÏfðkå^W^@^k^Mh¤äP<8c><86><99>l9ÄAÓ]δ<83>ÐÕõÙ^PY*<84>®Ã<88>c^@^Bk6Þ<80>ækÂ><9a>©<95>Ä:^K^VÊ/&m<8b>¾_<9d>_<96>Ñ¢ä<9b>d¼úBbF1c$õ^Lãq-^\Ýڪ׾ä^A     Í.¥é7Ìh<99>ûê^G^D<99>8<95>^[Ù« ^XåÝD<81>Ñ<8f>%?^GÊB-×·emd0^CBw¡<8f>Ï<99>7^_¤Ý/u<95><98>÷^Tí^D<83><81>Í<8c>8^U\[õ<8a>¨\<87>[¬ÓÔ*                              <9a>ûR^EÛ§ãå2S<83>^XY<90>^U<99>^M[ ü¹ÌÐú^R^Y³ë|\»¬+saÚ^<83>ºÌéOÚ^N]=^P§7ZÒ<99>z<85>»²½~^L<8f><9f>Àþå<9b>à^\<99>á<86>ôNç@+Õ9Ò<8e>                             5{<8c>TüdD^_<9c>®>ý^C]^S#«ß×Akë`]^Q^G<8c>O<8c>&r`ï{t^YƸ¯Ï:^[^GÀÙÛ.y6ö!                                                                                      ¡î^KwÙH<88>LJ^EÄmí^\ï¢'ë^\St<9a>^]M~ÑEü¹§Oä< ïvH^X²j5^NWN^@<80>Mä¹±°z´<8f>Å^<93>£¸=æ¼ß^VbA^DõXýPÆ^_^E<8b>-^B½sOã<80>^Aõ^C«L^[Ã^O<81>¼í<84>ù_ý.µË£NÙ:         ÌõÍÄ<91><85><80>þÚ^Z    üåææl<92>Bj=µlÀÿR<82>ÉãÆký^W^CÚ¦¶ÒÌ^O^?^^üA
^S^NYÌ×<94>Ù¬µóK<9d>Þº×;X³¤Èм^X<85>º3<Ië5^O"<9f>^[*ózç®vKÎõ¸<86><9e>^GEO<98><8b>M
S^GãNfw<98>òÇ<96>-^]@ú4<82>Iº3+b#Ý^]ËÄßÏ<8b>úAJþ<9f>M·¾ÑW<9a>^A4}¤Þ^Yÿ=$@                                                                                    ê<97><8d>^Z¥·^?«D©}ªr^@t^TK<91><9f>X¥ÈT`Ó<9d>¾n$<9d>¨øµ^[¦9<90>´ôè)a^K÷^F^T¼otÞ^]®ØÚt_p^N<8e>^X^_<98>cm|¡M^_13BôF^CîɸÓ<8a><81>Ø<89>±<97>jÐ<8c>Ý<9c>Ç^PM+    ^So^VøK^U^CÐT&>jP^GÓ^_^PªK[
VÜ<95>9Ǥ<95>â~ü^DJ²Â^DÐ<9a>Ì<98>ã<8d>ì×Ò¤<80>&^?^¶^Pe®<87>ý¼eV^Fì¦^Z^Au<98>Ò^^<8c>ô^]<9e>ªRÌß^C^AXé<83>é¾;&ÐQU^X3<97>¼¬^XT<87><8e>b<85>Jq_kz^?<92>^D^Y@     Â^?<9e>¶B[Ä|n-b Æ<86>Á<9e>^U_¾÷<90>Y"<88>ÉÐ^^ö^@p'í<8a>.<9d>"^TS^Yçh^B^]®<82>ñÃüÕ<99>D^X <83>ÑÂ^DF^_·¼<95>^K<9f>r^X
gÖ<8a>*ÏÈÃ^Vî)<93>p²#ó`lÐÔlù½ªzn F*¨û<93>S{å37q^R<8a>q¸^Xú^^ó<94>LAn̾^QN<9f>r¾<80>h^P`<³Y|<8d>nô²~ò^N¡^AG1^FúR^C¶<89>x<82>ß^H                              <91>í©<8c>7öqçèºËKó<92><90>÷bT8ÿÛ¨^\"#}<83>.­O,E<8c>$$<8c> û´dQ^\V^[Þ^X'î^K<94>^C^D^V]t<9e><92>d+ßm^KÖMQ/1f©?u]^_Ó"ÿúl½^%×?`:  <82>^Q±×!ý»^Z*YZæ%¤¸¼üIþyMwyR!Á^Q"N?    <98>ÎòÎß^[
FV<9f>U^Fm<9b>±ÊFEgS<88>¶T?ZI<81>ÖK&r^T/^O^Mº<9b>`x^L<9d>yÇZBlNÅhÊý«A³¨^L1^S<93>H«<96>.`^TúµêÏ^E«wE<93>òÚâ~ݵØJÑ^G?^H[(a<96>Ùø^BªÈ=¸p+<87>5ʦÂY<85>ôyç#0¸ÏWã:VEï£`öéÈ<90>PóOé^SzÖdÅOü<92>=¾Õ;<8c>®vL¤yú<81><9b>vÿ;ÿ^KÏßÝ    TªÜR^LoÏ<81><87>d^Yÿ¢Ø(Î^^TÕϯ¢ð<9f>:                                                         Á¡^\®ãâ¡óZ<8d>^ZHÑïù2Xt¹<8a>æ<86>BÐ^DA^YéW^R=¥Ý<83>Æ^P·üjÝv±<8c>J<8f> ú?àJ°Q*^Qù)úÄL'^Z<92>64ï±Ez[H)ïÞ^Uÿ«ó­^MÎï<90>,O¿æ^H^@¡¬ÄoÒ£^Q?                        ^La]«<93>ÖîígûÁÈ°Ë^Kà2Ç<<93>Õ<93>w§^KÝÝÇ<8e>gÞp|Y`®^Yº¢ç<90>éÅ^OÙnT!                                                                                         ç<93>}^P<95>¿mIPyf^WMhS^H<9a>_^B$NÓÝ<90>¢B^XåÄ^VuÕ<8c>{^[0^b`rΩ×<92>^K<89>jױ˿^N>Fl383ÞjzÂ^GÌóå.ÞCW2ÈÙ¥^P^Y_±L¸32ôØ~û<9b>*                                 k^P<87><93>ÿ<8c>n®^WÝ×¢j<9a><84><97>Ê°Ìu`>@^CÏJ<98>^C.±þ°ÐÀ¿^Y(<9e><96><82>Í,¨<9e>ò©Þj2¦^Z^U<98>ʤ§<8e>äêÌ^@^@¢$XÃ^[á.                                       "î]zv^[Ö^V£¬agWE^EÙ£æ<9d>^^ì<88>^O^@·<92>SX^¬^AwõÛw^XLTÀà^Níf^M/YTÑ<8d>ìs<84>Ä    z^Îcî6ÎúK<88>(ùhÙ^P¾{(ÛÃ>¯<8e>úîmj<9b>^Qv<95>ÓO7Ëæ<90>.öZ¨¦Ëf<8f>ú^CÛ!     <96>]O<90>ûêÖ«]^Aæ/«^Têe<87>m/ô^D%¾g^[^CU<86>.?wz<95>²¥Éæ°<90>ÿV ¢<85>D­}ÕÑC$¦<92>Û<81>¦<8c>H<94>¤<86>^\^V<95>ú>^N·<9b>í<94>^Yû3º^Xꬮö«C^KñÎ,               £Æ<9e><^\oK<áa¹ ëI6<80><89>^O°RÀjÿ<88><99>̯<91>^Yn¸<82>JoÂ^?)ê<84>á~îI»^Ó^X£¬íîCïªã<95>úm^U^NJûq4ú<8c>º<82><98>R<81>×^Egx^Yní<82><89>,ø¦<85>²
^A¼1Y<8c>FõÙza.$äJþ/2©~{Uwãóîo¡:zIu¡ÖÓM¿|zêî<9a>B<8a>UI¥G

Any kind of tip or help would be greatly appreciated.

greetings
nev
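The symptoms in the post above are what a file looks like after the ransomware has replaced its contents with ciphertext: VirusTotal finds nothing because the file no longer contains malware (or anything recognisable), and file-type detection falls back to octet-stream because the original magic bytes were overwritten. The artifacts that actually identify the family are the renaming pattern (original name, a victim id, a contact address) and the ransom note, which is what family-identification services such as ID Ransomware key on. The following added example (written for this thread, not code from the original post or from any of the tools mentioned) parses that naming pattern, checks for known file headers and measures byte entropy to separate intact files from encrypted ones. The victim id and address are the ones from the example name in the post; the file bytes are constructed samples, not data from the infected machine.

```python
import hashlib
import math
import re
from collections import Counter

# Filename pattern from the thread: <original name>.id-<victim id>_<contact email>
RANSOM_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[^_]+)_(?P<email>[^@\s]+@[^@\s]+)$"
)

# A few well-known magic prefixes. Encrypting the file overwrites these, which
# is why `file` only reports generic "data" / octet-stream afterwards.
# Note: dBase (.DBF) files have no fixed string header, only a version byte,
# so for them the entropy check below does most of the work.
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip/office-open-xml",
    b"MZ": "windows executable",
}


def parse_ransom_name(name):
    """Split a renamed file into original name, victim id and contact address."""
    m = RANSOM_NAME_RE.match(name)
    return m.groupdict() if m else None


def shannon_entropy(data):
    """Bits per byte: 0.0 for one repeated value, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_magic(data):
    """Return the file kind if the data still starts with a known header."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return None


def triage(name, data):
    """Combine filename parsing, header check and entropy into one verdict."""
    info = parse_ransom_name(name) or {"original": name, "victim_id": None, "email": None}
    info["magic"] = detect_magic(data)
    info["entropy"] = round(shannon_entropy(data), 2)
    if info["magic"] is None and info["entropy"] > 7.0:
        info["verdict"] = "likely encrypted (no known header, near-random bytes)"
    elif info["magic"]:
        info["verdict"] = "intact %s" % info["magic"]
    else:
        info["verdict"] = "unknown: no header but not high-entropy"
    return info


def constructed_ciphertext(size, seed=b"constructed sample"):
    """Deterministic high-entropy bytes standing in for an encrypted file.

    This is a SHA-256 chain, not real ransomware output; it only reproduces
    the statistical property (near-uniform bytes) that the triage relies on.
    """
    out = bytearray()
    block = seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


# Constructed samples: an intact PDF fragment and a stand-in encrypted DBF.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n" * 20
SAMPLE_ENCRYPTED = constructed_ciphertext(4096)

if __name__ == "__main__":
    for name, data in [("report.pdf", SAMPLE_PDF),
                       ("ART.DBF.id-someid_helpme@freemail.org", SAMPLE_ENCRYPTED)]:
        print(name, triage(name, data))
```

Run it over a directory of suspect files and the entropy column alone will usually tell you which files were touched; the parsed victim id and contact address are what you hand to a family-identification service or an incident responder, and the high entropy is also why "breaking the crypto" on the ciphertext alone is not a realistic recovery path.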

#2
You might want to check out this service by Dr Web.

Currently Doctor Web is the only company whose experts are able to recover compromised files with a probability of 90%.

Free decryption for Dr.Web commercial customers

#3
Usually some form of ransomware would be behind it. Are you able to show a pic of the ransom screen?

#4
I have dealt with this a couple of times.
1st thing to try is system restore.
2nd thing is to use the "Previous Versions" feature, if enabled.

#5
ShadowExplorer allows you to browse the Shadow Copies created by the Windows Vista / 7 / 8 Volume Shadow Copy Service. It's especially intended for users of the home editions, who don't have access to the shadow copies by default, but it's also useful for users of the other editions.

If the files are gone or it's been disabled, then Dr Web might be your best way to go.

All the new types won't allow you to recover with ShadowExplorer.
Powered By MyBB, © 2002-2024 Melroy van den Berg.