Jump to content

Nemucod decrypter - correct XOR Key, but fails to decrypt.

Recommended Posts


First, thank you all for your great work. Must be a great feeling to be kicking the Malware authors down a few notches :)


I have a case of Nemucod I am recovering for a colleague on a.. (I know!) Win XP box! (I laughed.. then felt sad...).  I was very happy to see the great work by Fabian and tried the latest decryptor version


 The key was found ok, but during the decryption all files reported in the log as "File could not be decrypted properly. Skipping ..."


Not sure if the option to use a custom key is supposed to work, but during trying to remedy, I could not tick the box to try it manually - though I would be using the same key anyway, as it is correct.


verified the key by:


1. extract 4 clean sample images from a winxp CD.

2. compared the 4 files with corresponding crypted versions and each file identical, except, of course the first 2048 bytes.

3. setup XOR key by concatenating the found key until it was 2048 bytes long.

4. Applied the 2048 byte XOR key to the first 2048 bytes of each of the sample crypted files. saved them.

5. compared the manually worked files with the files extracted from WinXP CD and they were binary identical.


Note: the DECRYPT.txt has a different BTC amount than others Ive seen reported.  I see this is a variable in some of the sample sourcecode for this malware, so I don't know if it is relevant in establishing a version?



In case you feel like investigating why it didn't work in this case, I have attached a zip of:


DECRYPT.txt - Original Ransom note from victim PC

Blue hills.jpg - sample verified original file.

Blue hills.jpg.crypted - straight from victim PC.

key(2048b).txt - key I made.

key.txt - from dialog box of Fabians decryptor.


I can probably dust of some coding skills and bodge up something to decrypt all my colleagues files, so I am not in dire need of actual support.    Of course it is just my luck!


Cheers, and thanks again.






For Emsisoft Support.zip

Link to post
Share on other sites

Great, Thank you.  Further to this... I still have the victim machine.  the user had saved some .msg files with attachments, so I was able to extract some original files, match them with encrypted ones and verify it is the same XOR key, and can manually restore files.  I was worried the version of winxp may have been slightly different and some minor changes in the headers of the bitmap may have been an issue - but this appears to not be the case.


Finding that writing a similar tool is not as quick and easy as I thought it would be ;-)

Link to post
Share on other sites


You are welcome.

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.

Link to post
Share on other sites
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...