[Other] CryPy: ransomware behind Israeli lines
qijiworld20140 posted on 2016-10-14 06:13:39
A tweet posted recently by AVG researcher Jakub Kroustek suggested that a new ransomware, written entirely in Python, had been found in the wild, joining the emerging trend of "Pysomwares" such as the recent HolyCrypt, Fs0ciety Locker and others.

This Python executable comprises two main files: boot_common.py and encryptor.py. The first is responsible for error logging on Windows platforms, while the second, the encryptor, is the actual locker. The encryptor contains a number of functions, including two calls to the C&C server. The C&C is hidden behind a compromised web server located in Israel. The Israeli server was compromised through a known vulnerability in the Magento content management system, which allowed the threat actors to upload a PHP shell script as well as additional files that help them stream data from the ransomware to the C&C and back.

A notable point is that the server was also used for phishing attacks and contained PayPal phishing pages. There are strong indications that a Hebrew-speaking threat actor was behind these phishing attacks. The stolen PayPal credentials were forwarded to another remote server, located in Mexico, that had been compromised with the same arbitrary file upload technique, only on a different content management system.

It is a known practice for attackers to look for low-hanging fruit into which they can inject their code in order to hide their C&C server. One such example was the CTB-Locker for web servers reported last March.
  Ransomware Analysis

Sample details:
SHA1: ad046bfa111a493619ca404909ef82cb0107f012
MD5: 8bd7cd1eee4594ad4886ac3f1a05273b
Size: 5.22 MB
Type: exe
To reverse the executable, one should first run a number of checks in a convenient debugger. The universal first step for unpacking an unknown packer is to set a memory breakpoint on functions that packers commonly use, such as VirtualAlloc.
If the breakpoint hits, the next step is to switch to user mode and set a hardware breakpoint (on access); this helps pinpoint exactly where the program initializes the memory block. In most cases an executable magic header (MZ) should appear in that block. In this case, however, the following screenshot shows the readable data that was allocated to the memory block:
[Screenshot: CryPy: ransomware behind Israeli lines-1]

After the data was allocated to the memory block, the program appeared to be using VM code (a Python VM) to execute it. For those unfamiliar with the term, VM code is the practice of defining a new instruction set according to the author's design; those instructions are then interpreted so that the CPU can carry them out.
py2exe simply converts the code to x86 assembly, the architecture the CPU speaks, and, by loading a Python DLL, loads all the modules into memory.
We found that the executable was generated with py2exe. The first indicator was a stack PUSH instruction that pushes the string PY2EXE_VERBOSE; py2exe is a module that compiles Python scripts into Microsoft Windows executables.

[Screenshot: CryPy: ransomware behind Israeli lines-2]

  PY2EXE module string disclosure
A module that reverses the py2exe operation, called unpy2exe, can be found on GitHub. It reverts the executable back to its original compiled Python bytecode (i.e. a .pyc file). From that format, another step is required to fully recover the original source; we arbitrarily chose EasyPythonDecompiler.
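As an added example (not code from the article, nor from py2exe or unpy2exe), the following Python triage script applies the static py2exe indicators the post describes, the PY2EXE_VERBOSE string and the pythonNN.dll the stub loads, to an executable's bytes and checks its hashes against the sample's published SHA1/MD5. The PYTHONSCRIPT resource name (the name unpy2exe extracts the embedded script from) and the sample byte blobs are assumptions constructed for the demonstration.

```python
import hashlib
import re

# Static markers of a py2exe stub: the PY2EXE_VERBOSE string the article saw
# pushed on the stack, plus PYTHONSCRIPT, the resource name py2exe stores the
# compiled script under (assumed here; it is what unpy2exe reads).
PY2EXE_MARKERS = (b"PY2EXE_VERBOSE", b"PYTHONSCRIPT")
# The interpreter DLL a py2exe executable loads, e.g. python27.dll.
PYTHON_DLL_RE = re.compile(rb"python\d\d\.dll", re.IGNORECASE)

# Hashes of the CryPy sample as quoted in the article.
KNOWN_CRYPY = {
    "sha1": "ad046bfa111a493619ca404909ef82cb0107f012",
    "md5": "8bd7cd1eee4594ad4886ac3f1a05273b",
}


def hashes(data: bytes) -> dict:
    """SHA1 and MD5 of the blob, for comparison against published IoCs."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def triage(data: bytes) -> dict:
    """Static triage of an executable blob: is it a py2exe stub, is it CryPy?"""
    is_pe = data[:2] == b"MZ"
    markers = [m.decode() for m in PY2EXE_MARKERS if m in data]
    dlls = sorted({d.decode().lower() for d in PYTHON_DLL_RE.findall(data)})
    h = hashes(data)
    return {
        "is_pe": is_pe,
        "py2exe_markers": markers,
        "python_dlls": dlls,
        # A PE that both carries a py2exe marker and references a Python DLL
        # is worth handing to unpy2exe / a .pyc decompiler.
        "likely_py2exe": is_pe and bool(markers) and bool(dlls),
        "known_crypy": h["sha1"] == KNOWN_CRYPY["sha1"] or h["md5"] == KNOWN_CRYPY["md5"],
        "sha1": h["sha1"],
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed samples: a fake MZ header followed by the strings a py2exe stub
# would contain, and a plain executable that merely imports VirtualAlloc.
SAMPLE_PY2EXE = b"MZ" + b"\x00" * 62 + b"PY2EXE_VERBOSE\x00python27.dll\x00PYTHONSCRIPT\x00"
SAMPLE_PLAIN = b"MZ" + b"\x00" * 62 + b"kernel32.dll\x00VirtualAlloc\x00"

if __name__ == "__main__":
    for name, blob in (("py2exe-like", SAMPLE_PY2EXE), ("plain", SAMPLE_PLAIN)):
        print(name, triage(blob))
```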

微企力 posted on 2016-10-14 06:51:26
Leaving my mark before this goes viral, grabbing a front-row seat; this floor is for rent, offers welcome.

我的黑色主题 posted on 2016-10-14 06:53:46
OP, don't move, I'm here to grab the sofa! No sofa? A bench will do!

黄梅 posted on 2016-10-14 07:04:10
Lanzhou shaobing, verdict delivered!

段能凤 posted on 2016-10-14 07:28:31
Don't rush, my dear; I'll pick your tag once I've finished bathing.

如今的我们_陷入 posted on 2016-10-14 16:11:49
Folks downstairs, keep up!

柔夏 posted on 2016-10-14 17:22:19
I stand with the OP, the OP is wise!!!

極度囂張→鴻 posted on 2016-10-15 07:25:38
A silly reply, silliness for a new life.

mayan123 posted on 2016-10-15 08:20:20
Summer is just no good; when I'm broke I can't even drink the northwest wind...

生活如此心酸 posted on 2016-10-15 18:02:55
Claiming the sofa...

CoLaBug.com ( 粤ICP备05003221号 | 文网文[2010]257号 )
© 2001-2016 Comsenz Inc. Design: Dean. DiscuzFans.