
Subnetting for beginners

For many application developers (like me), subnetting suffers from a lack of applicable situations in which to get a grip on it, and that often causes problems. In the IT world, however, being able to create subnets is actually one of the basics. I would like to explain a method with which you can create subnets without running too much risk of making a mistake.


[Tutorial] PI display on a Windows PC

Often you would like to access the desktop of the Pi, but an additional VNC server or the like causes extra load and will eventually be forgotten running in the background. One (of many) options is the program Xming. Xming allows the desktop of a Linux machine to be displayed on a Windows machine. In this tutorial I explain how you can set it up. I show the whole thing as you would do it under Windows 7. To make it a little smarter, we use X11 forwarding.


Git – Cheat Sheet

Some time ago I did a Git course and created a cheat sheet for it. Before it rots away on my hard drive, I thought I would share it with the world.

It does not claim to be exhaustive, but it covers the most important commands.

Ransomware chop

We all know mails like this. You get invoices from people and companies you don't know. My mailbox is full of them. That is reason enough for me to take a closer look at one of these mails.

Please do not imitate. Fiddling with Malware in non-protected environments can have devastating consequences.

Where does the mail come from?

In this case, the email is supposed to come from a Germany-based online shop.
A look at the email header shows a different picture. The mail came from India; the online shop merely served as a disguise.

 Received: from unknown (HELO abts-tn-dynamic-x. x. 164.122.Airtel broad band.in)
 (122.164.x.x)

What is in the attachment?

The attachment consists of a zip archive containing a JavaScript file. So it is quite possible that we have a downloader in front of us.


Who am I dealing with?

The script is detected as malware by only 13 out of 54 virus scanners. I find it shocking that well-known manufacturers such as Kaspersky do not detect this malware, which is already a few days old. Microsoft Defender also found nothing; okay, that was surprising.

Based on the present results, we have a downloader for a Cryptolocker, possibly Locky, in front of us.

PluhiPluhiShickPick

The code of the malware is made unreadable in a variety of ways. It seems the author had a preference for the word "Pluhi". Pluhi could be Polish for "plug", even if that makes no real sense.

I don't want to delve into the details now, so I go straight to the core of the downloader, the place where it is determined what is downloaded. The source text (and the scanner results) suggest that it is a pure dropper. In the code, fragments such as 00M+11SX+22ML point to the WScript object MSXML2.XMLHTTP. This object is used to download files.

The URL of the actual download destination is only loosely disguised, namely with Unicode notation such as \u0066 for f.

I have censored the URL so that nobody downloads the ransomware from it.
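The two obfuscation tricks described above (string fragments with a two-digit junk prefix that are concatenated, and a URL written with \uXXXX escapes) can be undone with a few lines of Python. This is an added analyst helper, not code from the post; it assumes the digit prefix is always two characters long, and the sample script and its URL are constructed placeholders, not the censored original.

```python
import re

# Constructed sample modelled on the post's description, not the real dropper.
# "00M"+"11SX"+"22ML"+... is meant to decode to MSXML2.XMLHTTP; the URL is a
# placeholder written with \uXXXX escapes like the one the post describes.
SAMPLE_JS = r'''
var obj = new ActiveXObject("00M"+"11SX"+"22ML"+"332."+"44XM"+"55LHTTP");
var url = "\u0068\u0074\u0074\u0070://\u0065xample.invalid/\u0066ile.exe";
'''

# A chain of two or more string literals that each start with two digits.
FRAGMENT_CHAIN = re.compile(r'(?:"\d\d[^"]*"\s*\+\s*)+"\d\d[^"]*"')
STRING_LIT = re.compile(r'"(\d\d)([^"]*)"')
UNICODE_ESC = re.compile(r'\\u([0-9a-fA-F]{4})')


def join_prefixed_fragments(js: str) -> str:
    """Strip the assumed two-digit junk prefix from each fragment and join the chain."""
    def _join(match: re.Match) -> str:
        parts = STRING_LIT.findall(match.group(0))
        return '"' + "".join(body for _digits, body in parts) + '"'
    return FRAGMENT_CHAIN.sub(_join, js)


def decode_unicode_escapes(js: str) -> str:
    """Turn \\uXXXX sequences (e.g. \\u0066) back into the characters they hide."""
    return UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), js)


def deobfuscate(js: str) -> str:
    return decode_unicode_escapes(join_prefixed_fragments(js))


def extract_urls(js: str) -> list:
    """Return the download destinations visible after deobfuscation."""
    return re.findall(r'https?://[^\s"\']+', deobfuscate(js))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS))
    print(extract_urls(SAMPLE_JS))
```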

The actual virus

The actual virus, downloaded and executed by the dropper, is detected by 37 of the 53 anti-virus scanners. These results also suggest a Locky variant.

Nevertheless, in my opinion it is quite shocking that not all virus scanners detect this malware.

How it works

I carried out a dynamic analysis. A static analysis of the assembler code I could not do yet, of course. Maybe that will follow.

You can notice that it drops a file in %TEMP% and causes a huge load.
The malware rages through the user's own files and encrypts the files stored there according to the scheme GUID.zepto.
The ransomware does not touch Windows files; after all, the operating system has to keep working as part of the blackmail.

In my view, this sample requires at least 2 (more likely 3) victims in order to work.

  • Victim 1 runs a website on which the ransomware is stored (often a web shop).
  • Victim 2 has an email address that is abused (that of a shop); there is no connection to victim 1.
  • Victim 3 (possibly) operates a mail server that is used. But it is also possible that victim 3 does not exist and the mail server is operated by the ransomware developers.

The Zepto ransomware showed a behavior that suggests the following structure/functioning:

This is the behavior observed through dynamic analysis in a virtual machine. Depending on the origin of the sample, the behavior of this malware may vary, however.

Numbers, please!

Zepto wants 2.5 bitcoins (about 1200 €) from its victim. Payment is made via a page in the TOR network.

This malware wants to go onto the Internet. Using fakenet I recorded the Internet communication and answered it with invalid responses; the malware tries to register the victim host in order to obtain an ID. If the first upload does not succeed, it tries a number of other servers. If the upload still does not succeed, Zepto does not remain in a kind of rigid state, but.

Summary

  • Name
    • Zepto
  • Type
    • Ransomware (“Crypto-Locker”)
  • Attack Vector: Email
    • Zip archive 83124_Rechnung_2016-861461_20160705.zip md5 4568DA4758DC10902F6B01F9649C054A
    • JavaScript-Dropper 6446_2016-13312_20160705.js md5 BAA53ACD268E3B39250EA4734C2842D1
  • Activity
    • Created application in %TEMP%
    • Created recursive file list -> causing high load
    • Encrypted files according to the Schema guid.zepto
    • In each of the encrypted directory a HTML file with claims
    • Changes the Wallpaper
  • Network Actions:
    • tries to access several .ru, .biz and *.pl domains (Necurs botnet)
    • Target HTTP GET /upload/_dispatch.php
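The activity and network indicators in the summary above can be turned into a simple triage check. This is an added example, not code from the post: it runs over a constructed Windows file listing and a constructed web-server log, flags files named in the GUID.zepto scheme, directories that hold such files next to an HTML note, and the GET /upload/_dispatch.php callback. The GUID layout (8-4-4-4-12 hex) and the note file name are assumptions.

```python
import ntpath
import re

# Assumed naming scheme <GUID>.zepto; the post only says "GUID.zepto".
ZEPTO_NAME = re.compile(
    r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.zepto$', re.I)
# Callback path from the post's summary (GET /upload/_dispatch.php).
DISPATCH_CALLBACK = re.compile(r'"GET /upload/_dispatch\.php[^"]*"')

# Constructed sample file listing (not real victim data).
FILE_LISTING = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\3E2F1A9C-8B7D-4C2A-9F3E-1A2B3C4D5E6F.zepto",
    r"C:\Users\alice\Documents\ransom_note_placeholder.html",
    r"C:\Users\alice\Pictures\9A8B7C6D-5E4F-4A3B-8C2D-1E0F9A8B7C6D.zepto",
    r"C:\Windows\System32\kernel32.dll",
]
# Constructed web-server log lines in common log format (not real traffic).
SERVER_LOG = [
    '10.0.0.5 - - [05/Jul/2016:10:12:01 +0200] "GET /upload/_dispatch.php?id=placeholder HTTP/1.1" 404 0',
    '10.0.0.5 - - [05/Jul/2016:10:12:03 +0200] "GET /index.html HTTP/1.1" 200 512',
]


def find_zepto_files(paths: list) -> list:
    """Paths whose file name follows the <GUID>.zepto scheme."""
    return [p for p in paths if ZEPTO_NAME.match(ntpath.basename(p))]


def directories_with_notes(paths: list) -> list:
    """Directories that contain encrypted files together with an HTML file (the note)."""
    by_dir = {}
    for p in paths:
        directory, name = ntpath.split(p)
        by_dir.setdefault(directory, []).append(name)
    hits = []
    for directory, names in by_dir.items():
        has_zepto = any(ZEPTO_NAME.match(n) for n in names)
        has_html = any(n.lower().endswith(".html") for n in names)
        if has_zepto and has_html:
            hits.append(directory)
    return sorted(hits)


def find_dispatch_callbacks(log_lines: list) -> list:
    """Log lines showing the registration callback the post observed with fakenet."""
    return [line for line in log_lines if DISPATCH_CALLBACK.search(line)]


if __name__ == "__main__":
    print(find_zepto_files(FILE_LISTING))
    print(directories_with_notes(FILE_LISTING))
    print(find_dispatch_callbacks(SERVER_LOG))
```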