Thursday 7 July 2011

Trojan-Ransom.Win32.Xorist - Encoder Builder v2.31

Another ransomware builder I found by accident (it's true!)

This one is from 2010; the file encryption uses either XOR or TEA.
The one interesting feature (hm... a joke, really :þ) is perhaps the configurable number of wrong password attempts that triggers a melt (the sample deletes itself).

A generated sample is 10.5 KB, 6.5 KB after UPX (builder written in Delphi, stub in asm).

The unlock code that decrypts the files is not stored in cleartext; the build carries what the builder calls an MD5x5 hash of it.
A good way to recover files without knowing the password would be a generic loader that brute-forces the correct unlock code against that hash; the scheme is very weak.
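As an added illustration of why that scheme is weak (this is my own example, not the builder's code or the stub's actual logic), the script below brute-forces a short unlock code from its stored hash and then decrypts a file with either the XOR or the TEA option. Everything about the layout is an assumption labelled in the code: "MD5x5" is read as MD5 iterated five times over the raw digest, the unlock code is taken to be a short numeric string, XOR mode uses the code bytes as a repeating key, and TEA mode uses the code zero-padded to 16 bytes as its 128-bit key. The stored hash and the sample file are constructed in the script, not taken from a real build.

```python
"""Recover a Xorist-style unlock code from its hash, then decrypt (example, not the builder's code)."""
import hashlib
import itertools
import struct

ROUNDS = 5           # assumption: "MD5x5" = MD5 iterated five times
DELTA = 0x9E3779B9   # TEA round constant
MASK = 0xFFFFFFFF


def md5x5(code: bytes) -> bytes:
    """Iterated MD5 over the raw digest (assumed meaning of 'MD5x5')."""
    digest = code
    for _ in range(ROUNDS):
        digest = hashlib.md5(digest).digest()
    return digest


def brute_force_code(stored_hash: bytes, alphabet: str = "0123456789", max_len: int = 5):
    """Enumerate short codes until one hashes to the value carried by the sample.
    Keyspace (digits, length <= 5) is an assumption; a real loader would widen it."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo).encode()
            if md5x5(candidate) == stored_hash:
                return candidate
    return None


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def tea_key(code: bytes):
    """128-bit TEA key from the code, zero-padded/truncated to 16 bytes (assumption)."""
    return struct.unpack("<4I", code.ljust(16, b"\0")[:16])


def tea_encrypt_block(v0, v1, k, rounds=32):
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k, rounds=32):
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def tea_crypt(data: bytes, code: bytes, decrypt: bool) -> bytes:
    """TEA in ECB over 8-byte blocks; the tail is zero-padded (assumption)."""
    k = tea_key(code)
    padded = data + b"\0" * (-len(data) % 8)
    block_fn = tea_decrypt_block if decrypt else tea_encrypt_block
    out = bytearray()
    for off in range(0, len(padded), 8):
        v0, v1 = struct.unpack("<2I", padded[off:off + 8])
        v0, v1 = block_fn(v0, v1, k)
        out += struct.pack("<2I", v0, v1)
    return bytes(out)


def recover(stored_hash: bytes, ciphertext: bytes, mode: str):
    """Brute-force the code from the hash, then decrypt with the chosen option."""
    code = brute_force_code(stored_hash)
    if code is None:
        return None
    if mode == "xor":
        return xor_crypt(ciphertext, code)
    return tea_crypt(ciphertext, code, decrypt=True)


if __name__ == "__main__":
    # Constructed sample: a 16-byte victim file and the hash a build would carry for code "4271".
    secret = b"Quarterly report"
    code = b"4271"
    stored = md5x5(code)
    print("xor:", recover(stored, xor_crypt(secret, code), "xor"))
    print("tea:", recover(stored, tea_crypt(secret, code, decrypt=False), "tea"))
```

The point is the keyspace: a short code hashed with an unsalted, fast function falls to a few tens of thousands of MD5 calls, so the hash adds no protection once it has been pulled out of the sample.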

Related ~
Unxoring Trojan-Ransom.Win32.Xorist
WinLocker Builder v0.4 - Cracking Generated winlocks
WinLocker Builder v0.2/v0.3 - Cracking Generated winlocks and the 4B XOR Ransomware
