Phobos Ransomware (<ID>-<id***8 random>.[<email>].phobos) Support


1606 replies to this topic

#16 Amigo-A
    Security specialist and Ransomware expert

Posted 02 January 2019 - 02:54 PM

Wait for Emmanuel_ADC-Soft to come to the forum.

There are holidays in Europe now, many people are not working these days.


Edited by Amigo-A, 02 January 2019 - 02:54 PM.

My site: The Digest "Crypto-Ransomware" + Google Translate

#17 jfsantos

Posted 03 January 2019 - 12:21 PM

Me again

Dr Web identified the ransom as Trojan.Encoder.3953v4+

Best regards



#18 Amigo-A
    Security specialist and Ransomware expert

Posted 03 January 2019 - 01:09 PM

> Trojan.Encoder.3953v4+

DrWeb cannot decrypt it yet. Link >>

jfsantos

You can upload the sample of malware you have in HA here, and give me in PM a link to the analysis result.


Edited by Amigo-A, 03 January 2019 - 01:12 PM.

#19 al1963

Posted 04 January 2019 - 10:36 AM

> Me again
>
> Dr Web identified the ransom as Trojan.Encoder.3953v4+
>
> Best regards

hmm,

according to the DrWeb classification - Trojan.Encoder.3953 is Crysis.

https://vms.drweb.ru/virus/?i=8051858&virus_name=Trojan.Encoder.3953

according to ESET, .id-%hexnum%.--[%EmailAddress%].PHOBOS - this is also Crysis.

although I have never personally come across it on the forums.

 

 

@jfsantos

for analysis, the executable file is needed, not just a ransom note and encrypted files

https://www.hybrid-analysis.com/sample/e2c72f16830eff906515f60f899d6971636b4ef6a25e08ed7601938a564226a9

 

You can also check the system using FRST,
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
and provide us with a validation log.


Edited by al1963, 04 January 2019 - 11:24 AM.


#20 Demonslay335
    Ransomware Hunter

Posted 04 January 2019 - 11:00 AM

CrySiS == Dharma, and Phobos does not have the same file structure as Dharma. Unless they found a sample of the malware and confirm it is a new variant of Dharma with some drastic changes to the structure, I believe they are mistaken.

Dharma has the filemarker "00000000020000000CFE7A410000000000000000000000002000000000000000" followed by the original filename as widechars and some campaign ID I think. I haven't analysed the rest of the file structure honestly, but I assume it is the encrypted key and other meta data like the original filesize.

[screenshot attachment: 2019-01-04_0959.png]

These Phobos encrypted files do not have that marker, and end with 4 ASCII uppercase letters (correlating to the email address) and 2 ASCII numbers; or just "PHOBOS".

[screenshot attachment: 2019-01-04_0956.png]


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#21 Amigo-A
    Security specialist and Ransomware expert

Posted 04 January 2019 - 12:22 PM

As it turned out, the victim sent a Data.hta note for analysis, so the ESET engine reacted to it in this way.

But this again suggests that such a detection by ESET is wrong and should have been corrected long ago.

Edited by Amigo-A, 04 January 2019 - 12:30 PM.

#22 al1963

Posted 04 January 2019 - 12:34 PM

ESET has long defined .phobos as one of the variants of Crysis. Another question: is it right or not?
Because the structure of an encrypted .phobos file is noticeably different from the structure of a typical encrypted Dharma file.
Therefore, we need an executable file of the .phobos encoder.


Edited by al1963, 04 January 2019 - 12:34 PM.


#23 al1963

Posted 05 January 2019 - 09:34 AM

@Demonslay335,

in early versions of Crysis, such as .Crysis, .xtbl, .crypt, the encrypted file marker is present only if the structure of the name of the encrypted file is id-hex.

eg:

WhatsNew.txt.id-F5A4D1.Vegclass@aol.com.xtbl
filemarker: 0000000002000000FF50AEFF000000000000000000000000000000000000000

If the structure of the encrypted file name contains IDHex:

eg:

keygpg.rar.IDF5A4D1.Vegclass@aol.com.xtbl
in this case, the file marker string is missing.

(it is clear that both of these options can be decrypted.)

file marker 00000000020000000CFE7A4100000000000000000000000020000000000000 starts with dharma, wallet, onion and those that follow.


#24 architectt

Posted 08 January 2019 - 11:52 AM

Hello Guys, any news? I have my Thesis Project encrypted and lots of work.

I already sent the .exe file they were using.

> ESET has long defined .phobos as one of the variants of Crysis. Another question: is it right or not?
> Because the structure of an encrypted .phobos file is noticeably different from the structure of a typical encrypted Dharma file.
> Therefore, we need an executable file of the .phobos encoder.

 



#25 Demonslay335
    Ransomware Hunter

Posted 08 January 2019 - 12:16 PM

@al1963

Thanks for the info, I've updated IDR with that older filemarker structure. I was able to confirm it with some sample submissions from back then.

Comparing the files, Phobos still looks different. The original CrySiS with IDHex still stored the original filename as widechar, and had some sort of marker after it that is the same between victims of the same email address as far as I can tell.

[screenshot attachment: 2019-01-08_1111.png]

@architectt

I'm currently analyzing the executable you provided. So far, it doesn't really do anything when run.


Edited by Demonslay335, 08 January 2019 - 12:17 PM.

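Posts #20, #23 and #25 describe how responders tell CrySiS/Dharma files from Phobos files by structure rather than by the extension an AV engine keys on: the Dharma filemarker followed by the original filename as widechars, the older CrySiS marker that is only present for id-hex names (and absent for IDHex names), and the Phobos trailer of four uppercase letters plus two digits or "PHOBOS". The script below is an added example written for this thread; it is not code from the thread, from ID Ransomware or from any of the posters. It assumes the markers appear in the encrypted file as the raw bytes of the hex strings quoted in posts #20 and #23 (the older marker is matched by its 12-byte prefix only, because the thread prints it at a truncated length), it searches the whole file rather than a fixed offset, and every sample file, id and e-mail address in it is constructed.

```python
import os
import re
from typing import Optional

# Dharma/wallet/onion filemarker as written in post #20 (hex). Assumption: it
# occurs in the encrypted file as exactly these raw bytes.
DHARMA_MARKER = bytes.fromhex(
    "00000000020000000CFE7A410000000000000000000000002000000000000000"
)
# Early CrySiS (id-hex names) marker from post #23. The thread prints it at a
# slightly truncated length, so only its distinctive 12-byte prefix is matched.
EARLY_CRYSIS_PREFIX = bytes.fromhex("0000000002000000FF50AEFF")

# Post #20: Phobos files end with four uppercase letters plus two digits, or "PHOBOS".
PHOBOS_TAIL = re.compile(rb"(?:[A-Z]{4}[0-9]{2}|PHOBOS)\Z")

# Filename shapes from post #23 and the thread title. Extensions limited to the
# ones named in the thread; the dash after "id" separates the two CrySiS naming
# forms that post #23 distinguishes (id-hex has a marker, IDHex does not).
_EXTS = r"(?:xtbl|crysis|crypt|dharma|wallet|onion)"
CRYSIS_ID_DASH = re.compile(r"\.id-[0-9a-f]+\..+@.+\." + _EXTS + r"$", re.IGNORECASE)
CRYSIS_ID_NODASH = re.compile(r"\.id[0-9a-f]+\..+@.+\." + _EXTS + r"$", re.IGNORECASE)
PHOBOS_NAME = re.compile(r"\.phobos$", re.IGNORECASE)


def original_name_after_marker(data: bytes, marker: bytes) -> Optional[str]:
    """Decode the widechar (UTF-16LE) original filename that post #20 says follows the marker."""
    pos = data.find(marker)
    if pos < 0:
        return None
    start = end = pos + len(marker)
    # A widechar string ends at the first 2-byte null aligned to its start.
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[start:end].decode("utf-16-le", errors="replace")


def classify_name(filename: str) -> dict:
    """Family suggested by the extension pattern, and whether a marker should be present."""
    base = os.path.basename(filename)
    if PHOBOS_NAME.search(base):
        return {"family": "phobos", "marker_expected": False}
    if CRYSIS_ID_DASH.search(base):
        return {"family": "crysis/dharma", "marker_expected": True}   # post #23: marker present
    if CRYSIS_ID_NODASH.search(base):
        return {"family": "crysis/dharma", "marker_expected": False}  # post #23: no marker
    return {"family": "unknown", "marker_expected": False}


def classify_content(data: bytes) -> dict:
    """Family suggested by the file structure itself."""
    if DHARMA_MARKER in data:
        return {"family": "crysis/dharma", "marker": "dharma/wallet/onion",
                "original_name": original_name_after_marker(data, DHARMA_MARKER)}
    if EARLY_CRYSIS_PREFIX in data:
        # The thread does not say what follows the early marker, so nothing is decoded.
        return {"family": "crysis/dharma", "marker": "early crysis id-hex", "original_name": None}
    tail = PHOBOS_TAIL.search(data)
    if tail:
        return {"family": "phobos", "marker": tail.group().decode("ascii"), "original_name": None}
    return {"family": "unknown", "marker": None, "original_name": None}


def identify(filename: str, data: bytes) -> dict:
    """Combine both views; structure wins, and disagreements are reported as notes."""
    name, content = classify_name(filename), classify_content(data)
    notes = []
    if "unknown" not in (name["family"], content["family"]) and name["family"] != content["family"]:
        notes.append(f"name says {name['family']} but structure says {content['family']}")
    if name["marker_expected"] and content["marker"] is None:
        notes.append("id-hex CrySiS name but no filemarker in the data")
    verdict = content["family"] if content["family"] != "unknown" else name["family"]
    return {"verdict": verdict, "name": name, "content": content, "notes": notes}


# Constructed sample files (not victim data); ids and the e-mail address are made up.
SAMPLES = {
    "report.docx.id-1A2B3C.user@example.invalid.dharma":
        b"\x11" * 16 + DHARMA_MARKER + "report.docx".encode("utf-16-le") + b"\x00\x00" + b"\x22" * 8,
    "notes.txt.id-1A2B3C.user@example.invalid.xtbl":
        b"\x11" * 16 + EARLY_CRYSIS_PREFIX + b"\x00" * 20 + b"\x22" * 8,
    "old.rar.ID1A2B3C.user@example.invalid.xtbl":
        b"\x44" * 32,                                            # IDHex form: no marker expected
    "thesis.pdf.id[0A1B2C3D-1234].[user@example.invalid].phobos":
        b"\x33" * 40 + b"ABCD12",
    "slides.pptx.id[0A1B2C3D-1234].[user@example.invalid].phobos":
        b"\x33" * 40 + b"PHOBOS",
    "odd.bin.id[0A1B2C3D-1234].[user@example.invalid].phobos":  # name and structure disagree
        b"\x11" * 16 + DHARMA_MARKER + "odd.bin".encode("utf-16-le") + b"\x00\x00",
}


def run_all() -> dict:
    return {name: identify(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}\n  verdict={result['verdict']} marker={result['content']['marker']} "
              f"orig={result['content']['original_name']} notes={result['notes']}")
```

Run against real files it should be pointed at a copy of an encrypted file, never the live system, and its output is a hint for a submission to ID Ransomware or a support topic, not a decryption result: it only tells you which structural family the file resembles and flags when the extension an AV engine reports (post #21's Data.hta case) does not match what the bytes show.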


#26 architectt

Posted 08 January 2019 - 12:24 PM

 

> @al1963
>
> Thanks for the info, I've updated IDR with that older filemarker structure. I was able to confirm it with some sample submissions from back then.
>
> Comparing the files, Phobos still looks different. The original CrySiS with IDHex still stored the original filename as widechar, and had some sort of marker after it that is the same between victims of the same email address as far as I can tell.
>
> [screenshot attachment: 2019-01-08_1111.png]
>
> @architectt
>
> I'm currently analyzing the executable you provided. So far, it doesn't really do anything when run.

I have more files that were in the same folder as the executable, but those got encrypted as well; the guy left the folder on the Desktop and everything there was encrypted except that .exe

 



#27 Demonslay335
    Ransomware Hunter

Posted 08 January 2019 - 12:26 PM

Any chance the encrypted system contains this file?
 
C:\Users\<username>\AppData\Local\Temp\k.txt




#28 architectt

Posted 08 January 2019 - 12:30 PM

 

> Any chance the encrypted system contains this file?
>
> C:\Users\<username>\AppData\Local\Temp\k.txt

I have an exam at university now; as soon as I get back I will turn on my desktop and search for that. Do you recommend starting in SAFE-MODE or is it not needed? (sorry my crappy EN)



#29 Demonslay335
    Ransomware Hunter

Posted 08 January 2019 - 12:32 PM

Safe mode would probably be recommended until the infection has been fully quarantined.




#30 architectt

Posted 08 January 2019 - 12:34 PM

 

> Safe mode would probably be recommended until the infection has been fully quarantined.

21 years without infections, and the first has to kill my THESIS, damn.

Well brb





