HaQue 0 Posted May 19, 2016

Hi,

First, thank you all for your great work. Must be a great feeling to be kicking the malware authors down a few notches.

I have a case of Nemucod I am recovering for a colleague on a.. (I know!) Win XP box! (I laughed.. then felt sad...). I was very happy to see the great work by Fabian and tried the latest decryptor version 1.0.0.11. The key was found OK, but during the decryption all files were reported in the log as "File could not be decrypted properly. Skipping ...". Not sure if the option to use a custom key is supposed to work, but while trying to remedy this, I could not tick the box to try it manually - though I would be using the same key anyway, as it is correct.

I verified the key by:
1. Extracting 4 clean sample images from a WinXP CD.
2. Comparing the 4 files with the corresponding crypted versions; each file was identical except, of course, the first 2048 bytes.
3. Setting up the XOR key by concatenating the found key until it was 2048 bytes long.
4. Applying the 2048-byte XOR key to the first 2048 bytes of each of the sample crypted files and saving them.
5. Comparing the manually worked files with the files extracted from the WinXP CD: they were binary identical.

Note: the DECRYPT.txt has a different BTC amount than others I've seen reported. I see this is a variable in some of the sample source code for this malware, so I don't know if it is relevant in establishing a version?

In case you feel like investigating why it didn't work in this case, I have attached a zip of:
DECRYPT.txt - original ransom note from victim PC
Blue hills.jpg - sample verified original file
Blue hills.jpg.crypted - straight from victim PC
key(2048b).txt - key I made
key.txt - from the dialog box of Fabian's decryptor

I can probably dust off some coding skills and bodge up something to decrypt all my colleague's files, so I am not in dire need of actual support. Of course it is just my luck!

Cheers, and thanks again.
Brian

Attached: For Emsisoft Support.zip
Kevin Zoll 309 Posted May 19, 2016

Brian,

Thank you for the information and files. I have alerted Fabian about this post.
HaQue 0 Posted May 20, 2016 (Author)

Great, thank you.

Further to this... I still have the victim machine. The user had saved some .msg files with attachments, so I was able to extract some original files, match them with encrypted ones and verify it is the same XOR key, and can manually restore files. I was worried the version of WinXP may have been slightly different and some minor changes in the headers of the bitmap may have been an issue - but this appears to not be the case.

Finding that writing a similar tool is not as quick and easy as I thought it would be ;-)
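The key check described in the two posts above (known original XOR encrypted file gives the keystream, repeat the key to 2048 bytes, XOR the prefix, compare byte-for-byte), as an added Python example that is not from the thread or from Emsisoft's decrypter. The 2048-byte prefix and repeating-key layout are taken from the poster's description; the sample file and key below are constructed placeholders, not the attached files or a real Nemucod key.

```python
from itertools import cycle, islice

PREFIX_LEN = 2048  # only the first 2048 bytes of each file are XORed (per the thread)


def expand_key(key: bytes, length: int = PREFIX_LEN) -> bytes:
    """Repeat the key until it is `length` bytes long (step 3 of the first post)."""
    return bytes(islice(cycle(key), length))


def xor_prefix(data: bytes, key: bytes) -> bytes:
    """XOR the first PREFIX_LEN bytes with the repeated key and leave the rest untouched.
    XOR is its own inverse, so the same call both encrypts and decrypts."""
    n = min(len(data), PREFIX_LEN)  # handles files shorter than the prefix
    ks = expand_key(key, n)
    return bytes(a ^ b for a, b in zip(data[:n], ks)) + data[n:]


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext recovery: original XOR encrypted gives the keystream used on
    the prefix (what the poster did by hand with clean WinXP images and .msg attachments)."""
    n = min(len(original), len(encrypted), PREFIX_LEN)
    return bytes(a ^ b for a, b in zip(original[:n], encrypted[:n]))


def shortest_period(stream: bytes) -> bytes:
    """Return the shortest repeating unit of the keystream, i.e. the key itself.
    If the key has internal repetition, the smallest equivalent unit is returned."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return stream[:p]
    return stream


def verify_key(original: bytes, encrypted: bytes, key: bytes) -> bool:
    """Steps 4 and 5 of the first post: decrypt with the candidate key, compare byte-for-byte."""
    return xor_prefix(encrypted, key) == original


# Constructed sample pair (not the poster's attachment): a fake file with a
# recognisable header, and a placeholder key of arbitrary length.
SAMPLE_ORIGINAL = b"BM" + bytes(range(256)) * 12   # 3074 bytes, longer than PREFIX_LEN
SAMPLE_KEY = b"constructed-demo-key-not-real"      # placeholder, not a real Nemucod key
SAMPLE_ENCRYPTED = xor_prefix(SAMPLE_ORIGINAL, SAMPLE_KEY)

if __name__ == "__main__":
    recovered = shortest_period(recover_keystream(SAMPLE_ORIGINAL, SAMPLE_ENCRYPTED))
    print("recovered key:", recovered)
    print("verified:", verify_key(SAMPLE_ORIGINAL, SAMPLE_ENCRYPTED, recovered))
```

On a real pair, read both files in binary mode and pass them in place of the constructed samples; a mismatch in `verify_key` means either a different key or a layout other than the 2048-byte XOR prefix.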
Kevin Zoll 309 Posted May 20, 2016

Fabian can make changes to the Nemucod decryption tool after researching the new variant, if supplied with the installer and a copy of the original and encrypted file.
HaQue 0 Posted May 21, 2016 (Author)

This was at a PC shop before I got it, so not sure what they did. I will have a look for the dropper/infector after I research what this one uses.

Thanks again
Fabian Wosar 390 Posted May 22, 2016

The decrypter has been updated: https://decrypter.emsisoft.com/nemucod

Please download the new version.
HaQue 0 Posted May 23, 2016 (Author)

Nice work! This version decrypts perfectly. Thank you very much!

There were no malware samples left on the box, and a fresh install of Norton 360.

Thanks again,
Brian
Kevin Zoll 309 Posted May 23, 2016

Brian,

You are welcome.

Thread Closed
Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.