Nemucod decrypter - correct XOR Key, but fails to decrypt.

[HaQue 0]

Hi,

First, thank you all for your great work. Must be a great feeling to be kicking the Malware authors down a few notches

 

I have a case of Nemucod I am recovering for a colleague on a.. (I know!) Win XP box! (I laughed.. then felt sad...).  I was very happy to see the great work by Fabian and tried the latest decryptor version 1.0.0.11.

 

 The key was found ok, but during the decryption all files reported in the log as "File could not be decrypted properly. Skipping ..."

 

Not sure if the option to use a custom key is supposed to work, but during trying to remedy, I could not tick the box to try it manually - though I would be using the same key anyway, as it is correct.

 

verified the key by:

 

1. extract 4 clean sample images from a winxp CD.

2. compared the 4 files with corresponding crypted versions and each file identical, except, of course the first 2048 bytes.

3. setup XOR key by concatenating the found key until it was 2048 bytes long.

4. Applied the 2048 byte XOR key to the first 2048 bytes of each of the sample crypted files. saved them.

5. compared the manually worked files with the files extracted from WinXP CD and they were binary identical.

 

Note: the DECRYPT.txt has a different BTC amount than others Ive seen reported.  I see this is a variable in some of the sample sourcecode for this malware, so I don't know if it is relevant in establishing a version?

 

 

In case you feel like investigating why it didn't work in this case, I have attached a zip of:

 

DECRYPT.txt - Original Ransom note from victim PC

Blue hills.jpg - sample verified original file.

Blue hills.jpg.crypted - straight from victim PC.

key(2048b).txt - key I made.

key.txt - from dialog box of Fabians decryptor.

 

I can probably dust of some coding skills and bodge up something to decrypt all my colleagues files, so I am not in dire need of actual support.    Of course it is just my luck!

 

Cheers, and thanks again.

 

Brian

 

 

 

For Emsisoft Support.zip

[Kevin Zoll 309]

Brian,

Thank You for the information and files. I have alerted Fabian about this post.

[HaQue 0]

Great, Thank you.  Further to this... I still have the victim machine.  the user had saved some .msg files with attachments, so I was able to extract some original files, match them with encrypted ones and verify it is the same XOR key, and can manually restore files.  I was worried the version of winxp may have been slightly different and some minor changes in the headers of the bitmap may have been an issue - but this appears to not be the case.

 

Finding that writing a similar tool is not as quick and easy as I thought it would be ;-)

[Kevin Zoll 309]

Fabian, can make changes to the Nemucod decryption tool after researching the new variant, if supplied with the installer, and a copy of the original and encrypted file.

[HaQue 0]

This was at a PC Shop before I got it, so not sure what they did.  I will have a look for the dropper/infector after I research what this one uses.  Thanks again

[Fabian Wosar 390]

The decrypter has been updated:

 

https://decrypter.emsisoft.com/nemucod

 

Please download the new version

[HaQue 0]

Nice work! this version decrypts perfectly  Thank you very much! 

 

There were no malware samples left on the box, and a fresh install of Norton 360.

 

Thanks again,

Brian

[Kevin Zoll 309]

Brian,

You are welcome.

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.