tomnic

Cry36: infinite keys available with the right working Decrypter available


Hi, using a virtual machine and the encryptor exe I recovered from my infected true PCs, I can create as many infections as I want... A user who paid the dudes sent me the Decryptors... it works using as user the file ID extension (the same 10 digit integer dec number after report || string) and a long hex password that is stored in temp000000.txt file which is later sent to the criminals via sendmail and replaced OVERWRITING with a 1 once encryption and sending is done, so no file recovering is possible... taking out internet to the virtual machines solves the problem... these are samples of that file I dump here:

report||1227079162||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||DESKTOP-TEV46AV||Windows 8||x32||IT||


The first 10 bytes represent the ASCII codes of the file ID number, then there is ALWAYS a 5F (underscore) and a long pseudorandom HEX string which ALWAYS terminates with 00.

We have the encryptor, we have a WORKING decryptor using the ID and key generated in temp000000.txt file, we have the original files, the corresponding encrypted files, we can generate infinite IDs and keys to study the way they are generated and parsed with the encrypted files... can you help us now? I don't think we cannot do anything with all these pieces of the puzzle... Please!!!

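The record layout described in the post above, as an added example that is not part of the original post or of any tool mentioned in it: a parser that pulls the ID and key out of a captured temp000000.txt record and checks the stated structure (10 ASCII ID bytes, 0x5F, random bytes, trailing 0x00). It assumes the third `||` field is the hex text of the key; `KeyReport`, `parse_report` and the sample random bytes and host name are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class KeyReport:
    file_id: str        # 10-digit ID, used as the decryptor "user"
    key_hex: str        # full hex string, used as the decryptor "password"
    random_part: bytes  # bytes between the 0x5F separator and the final 0x00
    host_fields: list   # remaining non-empty fields of the record

def parse_report(text):
    """Parse one temp000000.txt record; return None if it was already overwritten."""
    text = text.strip()
    if text == "1":     # file replaced with "1" after encryption and sending
        return None
    fields = text.split("||")
    if len(fields) < 3 or fields[0] != "report":
        raise ValueError("not a report|| record")
    file_id, key_hex = fields[1], fields[2]
    if not re.fullmatch(r"[0-9]{10}", file_id):
        raise ValueError("file ID is not a 10-digit decimal number")
    try:
        blob = bytes.fromhex(key_hex)
    except ValueError:
        raise ValueError("key field is not valid hex") from None
    if len(blob) < 13:  # 10 ID bytes + 0x5F + at least 1 random byte + 0x00
        raise ValueError("key field too short")
    if blob[:10] != file_id.encode("ascii"):
        raise ValueError("first 10 bytes do not spell the file ID")
    if blob[10] != 0x5F:
        raise ValueError("byte 10 is not 0x5F (underscore)")
    if blob[-1] != 0x00:
        raise ValueError("key does not end with 0x00")
    return KeyReport(file_id, key_hex, blob[11:-1], [f for f in fields[3:] if f])

# Constructed sample: the ID is the one quoted in the post; the random bytes
# and the host name are made up for this example.
SAMPLE_ID = "1227079162"
SAMPLE_KEY = SAMPLE_ID.encode("ascii").hex() + "5f" + "a1b2c3d4e6f70819" + "00"
SAMPLE_LINE = f"report||{SAMPLE_ID}||{SAMPLE_KEY}||HOST-EXAMPLE||Windows 8||x32||IT||"

if __name__ == "__main__":
    print(parse_report(SAMPLE_LINE))
    print(parse_report("1"))   # None: the key was already overwritten
```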

Keys are randomly generated, and the algorithm used to do so is already known. It's simply too many bits to decrypt it within a reasonable amount of time, and you're not going to learn anything that will help you figure out how to decrypt your files by repeatedly running the ransomware and looking at the new keys it generates.
