tomnic

  1. Hi, using a virtual machine and the encryptor exe I recovered from my infected true PCs, I can create as many infections as I want... A user who paid the dudes sent me the decryptors... It works using as user the file ID extension (the same 10-digit integer decimal number after the report|| string) and a long hex password that is stored in the temp000000.txt file, which is later sent to the criminals via sendmail and replaced, OVERWRITING it with a 1 once encryption and sending is done, so no file recovery is possible... Taking out internet to the virtual machines solves the problem... These are samples of that file I dump here:

     report||1227079162||313232373037393136325F15A964E0A95DBF5F2034F798AF12C597470973B2FA2D0E6D49614C5DDD6C81485F3D97424B0E7DF72B1F11B5A593712C365F611087F08F9E1B1FFE8C1628D97BBB7BBFCFE48CE0BDBFC489C4999B94A63B9B5F3784CC49AC01DDE86915A45320DC3B703D3246AF959C26D461A2683D0B4FC09CBC5C04BFC07DCAE811A1E8C1AC2BB802A674E544E52C62A9124D764034C83F4FF82A06FCA1B82FFDFEF0C52C2A60D634AC1916DA6A6E906A6EA56B3B6CBADB8FA879E0297E817735D2F1439618E1ED9FACD2B3B9D3BDCF9D7885E10D78D264324AA7CA200B3BF70D6BE40C3DFA2ABAD2C82AC5D65A09293E6F1A18CA1FD406FD21E4197580DDE878EB626E8D5EC35C4EE37775DDB4CE81B7DBE0EDBE299750AE3438446E99F565E1BE52612CCB515787AAEC0E2F2529A7EE87B0E96467053DF15079EC0496A46B258EF279ECD68693E5888D01DB69BE4E3A80B1376CAC1D256C00||DESKTOP-TEV46AV||Windows 8||x32||IT||

     The first 10 bytes represent the ASCII codes of the file ID number, then there is ALWAYS a 5F (underscore) and a long pseudorandom HEX string which ALWAYS terminates with 00.

We have the encryptor, we have a WORKING decryptor using the ID and key generated in the temp000000.txt file, we have the original files, the corresponding crypted files, we can generate infinite IDs and keys to study the way they are generated and parsed with the encrypted files... Can you help us now? I don't think we cannot do anything with all these pieces of the puzzle... Please!!!
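
Added example, not part of tomnic's post: a small Python parser that checks a temp000000.txt record against the layout the post describes (10 ASCII ID bytes, 0x5F, key material, trailing 00) so a captured file can be validated before it is archived for recovery work. The sample record, the `Report` class and the name `parse_report` are constructed for illustration; the fields after the hex string are kept verbatim because the post does not name them.

```python
import binascii
from dataclasses import dataclass

# Constructed sample (not a real record): ID 0123456789, key bytes DE AD BE EF 01 02.
SAMPLE = ("report||0123456789||303132333435363738395FDEADBEEF010200"
          "||EXAMPLE-HOST||Windows 8||x32||IT||")

@dataclass
class Report:
    file_id: str
    key_material: bytes  # bytes between the 0x5F separator and the final 0x00
    trailing: list       # remaining fields kept verbatim; the post does not name them

def parse_report(line: str) -> Report:
    """Parse one report record and verify the layout described in the post."""
    fields = line.strip().split("||")
    if len(fields) < 3 or fields[0] != "report":
        # Also the outcome for a file already overwritten with "1".
        raise ValueError("not a report record")
    file_id, hex_blob = fields[1], fields[2]
    if not (len(file_id) == 10 and file_id.isascii() and file_id.isdigit()):
        raise ValueError("file ID is not a 10-digit decimal number")
    try:
        blob = binascii.unhexlify(hex_blob)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"hex field does not decode: {exc}") from exc
    if len(blob) < 13:
        raise ValueError("hex field too short for ID + 0x5F + data + 0x00")
    if blob[:10] != file_id.encode("ascii"):
        raise ValueError("first 10 bytes are not the ASCII file ID")
    if blob[10] != 0x5F:
        raise ValueError("byte after the ID is not 0x5F")
    if blob[-1] != 0x00:
        raise ValueError("hex field does not end with 00")
    return Report(file_id, blob[11:-1], [f for f in fields[3:] if f])

if __name__ == "__main__":
    r = parse_report(SAMPLE)
    print(r.file_id, len(r.key_material), r.key_material.hex().upper(), r.trailing)
```

A `ValueError` of "not a report record" on a file that contains only `1` means the record was already overwritten, which matches the behaviour described in the post.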