Can anyone help me deal with the crypto virus?
Good afternoon! A letter came to one firm with a JS file in the attachment; it, according to the classics of the genre, was launched. It encrypted all the Office files it could reach. My meager knowledge is enough to understand roughly how it works, but I can't understand whether anything can be restored at all. The attackers' site is down, so I can't tell how much they want for unlocking.
Everything that I dug up on the malware (the js + what it downloaded to do its work + its work logs) is in a zip at the link.
******
OK, how can I post it so they can help? Removed it from the share.
I ran the js in a sandbox; it worked very quickly and closed a lot of files in a fairly short time. Here is a piece of its work log:
"%temp%\svchost.exe" -r Cellar --trust-model always --yes -z 3 -q --homedir "%temp%" -o "E:\xampp-win32-1.8.1-VC9\xampp\src\xampp-control-panel\gfx\150px-Flag_of_Germany.svg.jpg.vault" -e "E:\xampp-win32-1.8.1-VC9\xampp\src\xampp-control-panel\gfx\150px-Flag_of_Germany.svg.jpg" && move /y "E:\xampp-win32-1.8.1-VC9\xampp\src\xampp-control-panel\gfx\150px-Flag_of_Germany.svg.jpg.vault" "E:\xampp-win32-1.8.1-VC9\xampp\src\xampp-control-panel\gfx\150px-Flag_of_Germany.svg.jpg" & rename "E:\xampp-win32-1.8.1-VC9\xampp\src\xampp-control-panel\gfx\150px-Flag_of_Germany.svg.jpg" "150px-Flag_of_Germany.svg.jpg.vault"
"%temp%\svchost.exe" -r Cellar --trust-model always --yes -z 3 -q --homedir "%temp%" -o "E:\xampp-win32-1.8.1-VC9\xampp\src\xampp-control-panel\gfx\150px-Flag_of_the_United_States.svg.jpg.vault" -e "E:\xampp-win32-1.8.1-VC9\xampp\src\xampp-control-panel\gfx\150px-Flag_of_the_United_States.svg.jpg" && move /y "E:\xampp-win32-1.8.1-VC9\xampp\src\xampp-control-panel\gfx\150px-Flag_of_the_United_States.svg.jpg.vault" "E:\xampp-win32-1.8.1-VC9\xampp\src\xampp-control-panel\gfx\150px-Flag_of_the_United_States.svg.jpg" & rename "E:\xampp-win32-1.8.1-VC9\xampp\src\xampp-control-panel\gfx\150px-Flag_of_the_United_States.svg.jpg" "150px-Flag_of_the_United_States.svg.jpg.vault"
"%temp%\svchost.exe" -r Cellar --trust-model always --yes -z 3 -q --homedir "%temp%" -o "E:\xampp-win32-1.8.1-VC9\xampp\tomcat\webapps\examples\jsp\jsp2\jspx\textRotate.jpg.vault" -e "E:\xampp-win32-1.8.1-VC9\xampp\tomcat\webapps\examples\jsp\jsp2\jspx\textRotate.jpg" && move /y "E:\xampp-win32-1.8.1-VC9\xampp\tomcat\webapps\examples\jsp\jsp2\jspx\textRotate.jpg.vault" "E:\xampp-win32-1.8.1-VC9\xampp\tomcat\webapps\examples\jsp\jsp2\jspx\textRotate.jpg" & rename "E:\xampp-win32-1.8.1-VC9\xampp\tomcat\webapps\examples\jsp\jsp2\jspx\textRotate.jpg" "textRotate.jpg.vault"
"%temp%\tick.exe" -s"05FNSH-!hash5!" -r"05FNSH-OK" -o "%temp%\VAULT.KEY"
"%temp%\tick.exe" -s"05FNSH-!hash5!" -r"05FNSH-OK" -o "%appdata%\VAULT.KEY"
"%temp%\tick.exe" -s"05FNSH-!hash5!" -r"05FNSH-OK" -o "%userprofile%\Desktop\VAULT.KEY"
All your important data have been encrypted into LOCAL DIGITAL VAULT
You need to get your UNIQUE KEY to restore files with extension .vault
THE PROCEDURE FOR OBTAINING YOUR PERSONAL KEY:
BRIEFLY
1. Access our secure website
2. Get your personal key
3. Unlock files
DETAILED
STEP 1:
Download Tor browser from official site: https://www.torproject.org
Instructions for launching Tor browser: https://www.torproject.org/projects/torbrowser.html.en#windows
STEP 2:
Visit our web resource using Tor browser: http://restoredz4xpmuqr.onion
If you CAN NOT access this website, read this: http://pastebin.com/raw.php?i=rs7jZ0TW
STEP 3:
Find your personal VAULT.KEY on computer, it's your key for accessing Client Panel
Log into your personal fully automated Client Panel via VAULT.KEY
Read FAQ carefully in the relevant section.
STEP 4:
After receiving key, you can decode your files using our open source software.
ADDITIONAL
a) You can't restore encrypted files without your personal key (which is securely stored on our server)
b) Do not forget about TIME. Usually it plays against you.
ENCRYPT TIME: 12.02.2015 (17:40)
Firstly, there are thousands of encryptor variants with similar symptoms; if you need help, you need more specific signs: the extension of the encrypted files, the authors' contact details, etc.
Secondly, publishing a Trojan (or links to it) in the public domain falls under Art. 273 of the Criminal Code of the Russian Federation (distribution). Don't do that.
Try here: https://xakep.ru/malware/ (there is a forum on the site), or send your information to any Russian anti-virus laboratory: www.kaspersky.ru, www.drweb.ru/?lng=ru
If there is no private key, then there is no way to decrypt, since it is asymmetric encryption. The private key is not needed for encryption, only for decryption.
"%temp%\svchost.exe" is usually a renamed gpg executable (I've encountered similar crypters).
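As an added triage example (not code from this thread), the following Python parses command lines in the format of the sandbox log quoted above and flags the pattern this reply describes: gpg encryption switches issued by a binary that is not named gpg. The sample log lines are constructed, and the regexes and the `triage` function are assumptions modelled on the quoted format.

```python
"""Triage of a gpg-wrapper ransomware run from command-line logs (added example).

Recognises lines of the shape quoted in the thread:
  "<exe>" -r <keyid> --trust-model always ... -o "<f>.vault" -e "<f>" && move ... & rename ...
  "<exe>" -s"..." -r"..." -o "<path>\VAULT.KEY"
"""
import ntpath
import re
from collections import Counter

# Patterns are assumptions modelled on the sandbox log format shown in the thread.
ENCRYPT_RE = re.compile(
    r'"(?P<exe>[^"]+)"\s+-r\s+(?P<recipient>\S+).*?\s-o\s+"(?P<out>[^"]+)"\s+-e\s+"(?P<src>[^"]+)"')
KEYDROP_RE = re.compile(
    r'"(?P<exe>[^"]+)"\s+-s"[^"]*"\s+-r"[^"]*"\s+-o\s+"(?P<out>[^"]+)"')
GPG_NAMES = {"gpg.exe", "gpg2.exe"}  # legitimate GnuPG binary names

# Constructed sample log: two ransomware lines, one key-drop line, one legitimate gpg run.
SAMPLE_LOG = r'''
"%temp%\svchost.exe" -r Cellar --trust-model always --yes -z 3 -q --homedir "%temp%" -o "E:\docs\report.xlsx.vault" -e "E:\docs\report.xlsx" && move /y "E:\docs\report.xlsx.vault" "E:\docs\report.xlsx" & rename "E:\docs\report.xlsx" "report.xlsx.vault"
"%temp%\svchost.exe" -r Cellar --trust-model always --yes -z 3 -q --homedir "%temp%" -o "E:\docs\contract.docx.vault" -e "E:\docs\contract.docx" && move /y "E:\docs\contract.docx.vault" "E:\docs\contract.docx" & rename "E:\docs\contract.docx" "contract.docx.vault"
"%temp%\tick.exe" -s"05FNSH-!hash5!" -r"05FNSH-OK" -o "%temp%\VAULT.KEY"
"C:\Program Files\GnuPG\bin\gpg.exe" -r alice@example.org -o "C:\out\memo.txt.gpg" -e "C:\out\memo.txt"
'''

def triage(log_text):
    """Summarise recipient key IDs, encrypted files, key drops and masquerading binaries."""
    result = {"recipients": set(), "encrypted": [], "extensions": Counter(),
              "key_drops": [], "masquerading_exe": set()}
    for line in log_text.splitlines():
        m = ENCRYPT_RE.search(line)
        if m:
            result["recipients"].add(m["recipient"])
            result["encrypted"].append(m["src"])
            result["extensions"][ntpath.splitext(m["src"])[1].lower()] += 1
            # gpg switches issued by a binary not named gpg*.exe: a renamed copy, as in the thread
            if ntpath.basename(m["exe"]).lower() not in GPG_NAMES:
                result["masquerading_exe"].add(m["exe"])
            continue
        m = KEYDROP_RE.search(line)
        if m:
            result["key_drops"].append(m["out"])
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The legitimate gpg.exe line is parsed like the others but is not reported as masquerading, so the key-ID and file lists also tell you which recipient the data was encrypted to.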
+1 victim; it even encrypted files on the network share, but not all of them: only in the folders the user had opened, and only Office files. If drweb can help you, please write back.
Hey! The same problem... Has anyone figured out this Trojan? What do you advise doing?
The best protection is preventive measures: warning users, and backups.
In my case, most of the data was saved by the second.
Source: a letter with the subject "reconciliation act" and an attached zip archive containing a .js script.
Antiviruses: virustotal.com, on Fri (02/20/2015) it was 3/57.
Creates the following files in %temp%:
random_seed, take.bat, cryptlist.cmd, svchost.exe, tick.exe, pubring.gpg, CONFIRMATION.KEY, VAULT.KEY, VAULT.txt
and an empty secring.gpg and secring.gpg.lock
Encrypts files and renames them to *.vault
Probably the crypter's work was interrupted by turning off the PC.
Who can help decipher? :)