
.MME + .XLS (told it's both LolKek, GlobeImpostor 2.0 & BitRansomware)



Yesterday, I was hit with the above. 
I have to admit I panicked and wiped anything my anti-malware tools found when I discovered it, and pulled the internet as well as the non-essential hard drives, so I have no clue what the name of the original malware file was, nor do I think I have a copy.
I can almost guarantee it was nested and hibernating in a Windows Loader Tool. (I know, lesson learned.)

All .exe files from my C-drive software have vanished, and nearly all remaining files on this partition have the .XLS extension. (As well as a good chunk on my external hard drive that I used for backup. Also not wise, I'm aware now.)
There are very few .XLS.MME.

A new partition of 499MB has been created, of which 35MB has been used, despite it only containing the ransom note which is a 1,40KB file (I do have hidden files shown).

I also can't make changes to the boot options in msconfig; there's just nothing there. (I'm dual-booting Win7 with Win10 secondary. I know I'm behind, but I'm autistic and Win10 just doesn't work for me mentally yet.) When trying to check the safe mode boot option, I get an error message and cannot check it again.

I've put the ransom note, a few different .xls encrypted files, a screenshot of the msconfig issue and an .xls.mme file in a .zip folder.
I've also added the file found in my \AppData\Roaming as Kaspersky advised on one of their recovery tools that it might hold a key or ID that could make recovery easier, as far as I could gather.

I'm aware that there probably isn't a functioning decryption method currently, but I'm hoping these files can be of assistance in getting me a solid identification for future reference and possibly help decryptors find a solution down the road.

I tried using dropmefiles, but I got an error message in Russian, so I hope filebin is okay.
The link to the .zip:
https://filebin.net/nhso3s8nrj5yt1q3

The link they want me to open:
http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
Alternative link given:
http://helpqvrg3cc5mvb3.onion/
ID:
49 FC B2 C3 E4 94 A2 4B 5A 42 85 04 86 D4 15 9B
40 05 D5 E6 F9 FA D0 46 3D F7 9E 70 69 78 43 F3
51 BA 4F 54 47 20 D6 D7 95 C1 E1 5E 81 74 70 23
98 0A 83 B7 B7 18 ED 80 AB B4 95 A0 21 91 DE EC
C9 50 64 4D E7 13 5E F0 BF 50 D5 70 36 A2 8E 7E
D6 61 F3 6F 9A CB FC 1C A7 A2 13 BE AA 3A FB 35
45 07 FD 60 20 65 61 35 56 CC B2 29 54 37 8E 5C
FF A9 4F D2 DC BE 13 F1 D1 CD 2E 17 17 E8 4B CC
6C DF 56 8D D6 AF AA C9 4F 9C 6B B6 38 EE AA 9C
B8 50 6D 73 CC 97 98 8A 92 AA F1 7E D0 3B E7 A7
E9 1E 0F 37 2F 3A 17 09 25 A5 AF 82 C1 EB 0A 3E
29 A4 76 C5 55 52 2C A9 09 47 F9 3A D9 68 81 68
74 05 E1 70 5B F0 96 72 56 9E 58 9E 4C DF 7A 34
08 86 B7 A8 DB 68 12 6D C4 3E 44 97 78 FC 37 C0
6F 29 48 13 7F 7D 68 22 48 10 E9 23 B0 5E AF 72
3A 24 91 DC 32 0E A3 15 F0 5B 42 4D DD FD 03 A5
 

 


ShadowPuterDude - Thanks! 
I hope it can help. It's a horrific thing to do to people :( 

---------

Demonslay, I've only found 2 files that have the .xls.mme file ending, everything else is just .xls files. 
So hopefully they aren't all double-encrypted >.<

I will keep an eye out for developments on the GlobeImpostor 2.0 front, thank you very much for the relevant and detailed response. 


If I have a copy of the malicious file in a temp folder somewhere (have not cleared those yet it seems), how would I go about finding it for you guys? 


All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------

| 1. Download Tor browser - https://www.torproject.org/ and install it.

| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
               
| 3. Create Ticket

----------------------------------------------------------------------------------------

Note! This link is available via Tor Browser only.

------------------------------------------------------------
or
http://helpqvrg3cc5mvb3.onion/

Your ID

   A3 9B F9 05 46 93 6E 06 CD 2B F0 46 6D 3F BB BE
11 49 17 9B 07 59 1D 87 11 89 85 63 12 C5 17 3B
4B F7 B6 EB 7F 9A 54 96 EA 97 A5 25 A9 07 73 EC
60 00 41 CF 03 01 53 18 F5 0E 29 13 C8 1B 0E 8D
8D DB B1 82 4C 2B 10 40 F9 59 C1 AB 18 DD D8 EB
14 CF BE 2A E4 4E B6 95 06 3D E2 29 DB 21 5C 2E
5D 22 DF 9A 17 F9 C4 FB 59 D9 F8 51 5E 7D 7F BC
CE C5 43 C7 63 74 D5 7D 7D A5 44 1F 62 2E AF 37
7B F2 B1 68 AF 75 4D 63 E0 19 C0 AB D2 1A 1C 86
40 77 C2 C7 8B 7B 78 01 81 DC 1F 7F 0B 5C A8 DA
4B 78 AA F7 2A 36 BD B9 E3 BB 5A 1A 63 DA 4A AD
BB 5C 94 09 58 74 74 CA B8 67 E9 AF D5 A6 59 CF
BD 26 89 A5 4B 03 94 C3 79 8D B0 92 93 65 16 0C
21 6B 21 B9 FE A6 67 8B B6 BE 51 16 0B B0 0E 96
70 DC 25 3B 88 EC F1 6B A5 21 49 27 B6 8F 27 18
2E C3 97 CC 65 53 05 E3 70 AD 7B AF 55 84 C9 ED
 

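The ransom note above and the earlier observation that only two files carry the double `.xls.mme` ending are the two pieces of evidence a responder would want to capture before wiping the machine. The following is an added example, not code from this thread or from Emsisoft: it parses the posted note into the .onion contact URLs and the raw ID bytes (the ID turns out to be 16 rows of 16 bytes, 256 bytes in total), and it counts how many trailing encryptor extensions each file name carries so that singly and doubly encrypted files can be tallied for a report. The file names in `SAMPLE_NAMES` are constructed for the example; the note text, onion links and ID are the ones posted on the page.

```python
import re
from collections import Counter

# Ransom note reproduced from the thread (onion links and ID are the ones posted on the page).
RANSOM_NOTE = """All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------

| 1. Download Tor browser - https://www.torproject.org/ and install it.

| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

| 3. Create Ticket

----------------------------------------------------------------------------------------

Note! This link is available via Tor Browser only.

------------------------------------------------------------
or
http://helpqvrg3cc5mvb3.onion/

Your ID

   A3 9B F9 05 46 93 6E 06 CD 2B F0 46 6D 3F BB BE
11 49 17 9B 07 59 1D 87 11 89 85 63 12 C5 17 3B
4B F7 B6 EB 7F 9A 54 96 EA 97 A5 25 A9 07 73 EC
60 00 41 CF 03 01 53 18 F5 0E 29 13 C8 1B 0E 8D
8D DB B1 82 4C 2B 10 40 F9 59 C1 AB 18 DD D8 EB
14 CF BE 2A E4 4E B6 95 06 3D E2 29 DB 21 5C 2E
5D 22 DF 9A 17 F9 C4 FB 59 D9 F8 51 5E 7D 7F BC
CE C5 43 C7 63 74 D5 7D 7D A5 44 1F 62 2E AF 37
7B F2 B1 68 AF 75 4D 63 E0 19 C0 AB D2 1A 1C 86
40 77 C2 C7 8B 7B 78 01 81 DC 1F 7F 0B 5C A8 DA
4B 78 AA F7 2A 36 BD B9 E3 BB 5A 1A 63 DA 4A AD
BB 5C 94 09 58 74 74 CA B8 67 E9 AF D5 A6 59 CF
BD 26 89 A5 4B 03 94 C3 79 8D B0 92 93 65 16 0C
21 6B 21 B9 FE A6 67 8B B6 BE 51 16 0B B0 0E 96
70 DC 25 3B 88 EC F1 6B A5 21 49 27 B6 8F 27 18
2E C3 97 CC 65 53 05 E3 70 AD 7B AF 55 84 C9 ED
"""

# v2 onion hosts are 16 base32 characters, v3 hosts are 56; the trailing \S* keeps any path/query.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*", re.IGNORECASE)
# A line made only of space-separated hex byte pairs, as in the note's "Your ID" block.
HEX_LINE_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2}$")


def extract_onion_urls(note: str) -> list:
    """Return every .onion URL in the note, in order of appearance."""
    return ONION_RE.findall(note)


def extract_id_bytes(note: str) -> bytes:
    """Collect the hex lines that follow the 'Your ID' heading into one bytes object."""
    out = bytearray()
    in_id_block = False
    for line in note.splitlines():
        stripped = line.strip()
        if not in_id_block:
            in_id_block = stripped.lower().startswith("your id")
            continue
        if not stripped:
            if out:            # blank line after the hex rows ends the block
                break
            continue           # blank line between heading and first row
        if not HEX_LINE_RE.match(stripped):
            break
        out.extend(bytes.fromhex(stripped.replace(" ", "")))
    return bytes(out)


RANSOM_EXTS = {"xls", "mme"}   # extensions appended by the encryptors in this thread


def encryption_layers(name: str) -> int:
    """Count trailing encryptor extensions: 'notes.txt.xls.mme' -> 2, 'setup.exe' -> 0.
    Caveat: a genuine spreadsheet such as 'budget.xls' is indistinguishable by name alone
    and is counted as one layer; only content inspection could tell the two apart."""
    extensions = name.lower().split(".")[1:]      # drop the base name, keep extensions in order
    layers = 0
    for ext in reversed(extensions):
        if ext not in RANSOM_EXTS:
            break
        layers += 1
    return layers


def triage(names) -> Counter:
    """Map number-of-layers -> count of files, e.g. {0: 1, 1: 3, 2: 1}."""
    return Counter(encryption_layers(n) for n in names)


# Constructed sample listing, standing in for a directory walk of the affected partition.
SAMPLE_NAMES = ["photo.jpg.xls", "thesis.docx.xls", "notes.txt.xls.mme", "budget.xls", "setup.exe"]

if __name__ == "__main__":
    print("contact URLs:", extract_onion_urls(RANSOM_NOTE))
    ident = extract_id_bytes(RANSOM_NOTE)
    print("ID length:", len(ident), "bytes; first bytes:", ident[:4].hex())
    print("files by encryption layers:", dict(triage(SAMPLE_NAMES)))
```

On a real case you would replace `SAMPLE_NAMES` with `os.listdir()` or an `os.walk()` over the affected volume; the layer counts and the parsed note give an identification service the facts it needs without the encrypted files leaving the machine.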

It seems Rajesh has been attacked by the exact same ransomware, or at least by the same people that I was, though.

I really want to wipe my drive and start over, so can I grab the quarantined malicious file for you guys first? 
Will that help any?


That would be great. 
I, however, am more proficient in other areas of computing, so I have no clue how to safely get it, store it and upload it for you. 
Do you have a guide or a quick step-by-step for me? 
Do I restore the file via my anti-malware software (is that even safe?), or grab the (what appear to be encrypted/split-apart) bits in the quarantine folder? That is my main question.

 


On 2/4/2022 at 8:36 AM, ShadowPuterDude said:

If you have the malware file still we can use that.

@ShadowPuterDude
Hi, speaking of that...
I just realised that I do still remember the link to the very site I downloaded my STOP/DJVU malware from. I don't have the malware itself, but is that sufficient to send to you guys at Emsisoft???


  

On 2/5/2022 at 6:58 AM, Si-Li Qin said:

I just realised that I do still remember the very site's link I downloaded

For a more accurate analysis, you need the malicious file that did the encryption.

Malware distributors and sites specially prepared for the attack may not store malicious content for long.
Moreover, they may not deliver it to all visitors; for this they use exploits that work differently depending on the version of the operating system, the browser version, installed updates, and other parameters. Over time, the version of the malicious component may also change.

If nothing has changed since the attack on your PC, then the provided link to the file can help in the analysis.


1 hour ago, Amigo-A said:

For a more accurate analysis, you need the malicious file that did the encryption.

Malware distributors and sites specially prepared for the attack may not store malicious content for long.
Moreover, they may not deliver it to all visitors; for this they use exploits that work differently depending on the version of the operating system, the browser version, installed updates, and other parameters. Over time, the version of the malicious component may also change.

If nothing has changed since the attack on your PC, then the provided link to the file can help in the analysis.

There's only one thing that could really be the culprit on my system. 
In my case, it's most likely a Windows Activation Loader. 
I know. I'm aware. Never had an issue before. 
But I had to re-get it after dualbooting my system with Windows 10 as well. Just a few weeks ago. 
Then one day, my computer utilized 100% CPU for a few minutes after booting and everything was encrypted.

That file is still in quarantine somewhere, I just need to figure out how to safely get it and upload it. 


Yes, this is one of the most effective methods of attacking and infecting users' computers.
Another: using infected repackaged and cracked distributions of popular applications (Photoshop, Office, and others).
For these programs it is easier to find a free or low-price alternative and not use repacks, hacks and cracks.
---
For Windows, finding an alternative is a little more difficult, but it is safer to buy and use a key for one activation. This is a legal method, available to everyone, and you don't have to use hacked and repackaged distributions from pirate sites.


I'm fully aware of everything you just said, I'm not new to computers, hardware or software.
When one has done something for a good decade or two with no negative consequences though, that habit is hard to break. Especially when it's easy and free, considering my extremely low income, being disabled. 
Habit's broken now, I learned my lesson. 

I can't use this information for anything at all right now. Because I know it already and it doesn't help me move on from here.
I need to know how to extract the malicious file so I can upload it and finally format and reinstall this computer.

Thanks, though.


OK. We are in contact with different people, from different countries, using different PCs and OSes, having different levels of preparedness or no experience at all; therefore it is better to say, to warn, to advise than to say nothing.

On 2/5/2022 at 2:00 PM, MNdrskv said:

That file is still in quarantine somewhere

What antivirus software quarantined the file? Is it an Emsisoft program or another antivirus? What language is it set to?


11 hours ago, Amigo-A said:

OK. We are in contact with different people, from different countries, using different PCs and OSes, having different levels of preparedness or no experience at all; therefore it is better to say, to warn, to advise than to say nothing.

I totally understand. 
I made an assumption that I at least appeared slightly more tech-savvy than most who post in this forum because I provided so much detail. That's on me, I apologize.
No matter, I meant no harm by what I said at least. I'm just really itching to reinstall this PC, I want this to be as over as it can be as quickly as possible. 

Kaspersky is the software I used to scan & clean. 
It says it deleted the .exe file, but it also seems I can restore it? 

I actually see a bunch of "interesting" files in the quarantine section of Kaspersky. 
DiskWriter.gen - Hosts2.gen - SelfDel.pef amongst others. 
Would any of these be of any use to you alongside the loader tool .exe?


9 hours ago, MNdrskv said:

DiskWriter.gen - Hosts2.gen - SelfDel.pef amongst others. 
Would any of these be of any use to you alongside the loader tool .exe?

I will clarify: the files may be needed for analysis not by me, but by Emsisoft specialists.
Kaspersky specialists use their own naming system. Sometimes, under one of these names, an encryptor or one of its components may be hidden.

In rare cases, when an attack can be well researched and described with an article, they give it a unique name or use an international one. 

---
To prevent Kaspersky antivirus from deleting files, you need to configure its action for malicious files.
If you can recover files without quarantine, then do it one by one.

Upload each separately, or all in one archive, to the resource at the link:
https://www.emsisoft.com/en/support/submit/
Indicate this subject and your contact details (if you want to receive a response by mail) in the message box.


45 minutes ago, Amigo-A said:


To prevent Kaspersky antivirus from deleting files, you need to configure its action for malicious files.
If you can recover files without quarantine, then do it one by one.

Upload each separately, or all in one archive, to the resource at the link:
https://www.emsisoft.com/en/support/submit/
Indicate this subject and your contact details (if you want to receive a response by mail) in the message box.

Thank you so much, that is massively helpful.

So if possible, I can just let it restore the files without any adverse effects to my PC?
As long as I don't open them, right?


On 2/5/2022 at 3:11 PM, Amigo-A said:

  

For a more accurate analysis, you need the malicious file that did the encryption.

Malware distributors and sites specially prepared for the attack may not store malicious content for long.
Moreover, they may not deliver it to all visitors; for this they use exploits that work differently depending on the version of the operating system, the browser version, installed updates, and other parameters. Over time, the version of the malicious component may also change.

If nothing has changed since the attack on your PC, then the provided link to the file can help in the analysis.

Hi,

You're right that nothing has changed since the attack on my PC, and yes, as I write this, I have already provided the link to Emsisoft. Should I send one to you too?
If yes, then you can find my email in my thread:

Just email me (and state who you are in your email), and I'll send the ransomware's original link to you, the one I've already sent to Emsisoft. (But if you are in touch with Emsisoft's staff, you can also contact them, because I already gave them the link via my email.)


2 hours ago, MNdrskv said:

So if possible, I can just let it restore the files without any adverse effects to my PC?
As long as I don't open them, right?

Yes. Isolated files are safe as long as they have a neutral extension. But even in this form, antiviruses can detect these files as dangerous. When switching from one antivirus to another, users face a problem when the new antivirus grabs isolated files from the remaining quarantine and reports the discovery of malicious files. This gives reason to think that the new antivirus is better than the old one. One could talk about all the nuances for a long time.


As mentioned above, files encrypted with these encryptors are unlikely to be decrypted. But specialists can investigate the specific case with your files. Sometimes, very rarely, some intermediate versions have flaws that allow some files to be decrypted. This is rare, but sometimes it happens. It's bad when the files are encrypted with 2-3 encryptors; in that case the probability of getting the files back tends to 0...


41 minutes ago, Amigo-A said:

Yes. Isolated files are safe as long as they have a neutral extension. But even in this form, antiviruses can detect these files as dangerous. When switching from one antivirus to another, users face a problem when the new antivirus grabs isolated files from the remaining quarantine and reports the discovery of malicious files. This gives reason to think that the new antivirus is better than the old one. One could talk about all the nuances for a long time.

What constitutes a "neutral extension"?
The file I assume is the culprit is an .exe.

So do I restore the files, then immediately turn off my antivirus, then pack them up in a .rar/.zip, then upload? 

