: relating to or involving a method of calculating and of representing information especially in computers by using the numbers 0 and 1
: to ravage in search of spoils
The purpose of this blog is to delve into the depths of forensic artifacts in order to fully realize all of the information available in said artifacts. It will involve discussing code, algorithms, and design decisions related to such things as parsers and higher level tools that help to make sense of voluminous amounts of information.
CTB Locker += NL & IT
While studying the Revslider infection schemes, I got redirected in "Revslider Case 3" (cf. the Sucuri blog post) to Nuclear Pack.
Revslider Case 3 - Path to Nuclear Pack delivering Critroni
Decoded payload: 10f0eaa794f48ad0b15034e0683cb15f
It's CTB Locker aka Critroni.
What is new to me here is the random extension given to the encrypted files:
Encoded RTF with unique extension
Files dropped in MyDocuments
(background wallpaper and decryption explanation)
And the addition of two languages: NL and IT.
Critroni - First Screen NL
Critroni - First Screen IT - 2014-12-28
Critroni - Test Explanation - NL - 2014-12-28
Critroni - Test Explanation - IT - 2014-12-28
Critroni - Decryption Test - NL
Bitcoin Address Screen - NL
BTC explanation - NL
Critroni / CTB Locker in German - 2015-01-17
Critroni - German 2015-01-17
CTB Locker - FR
Files: Critroni_NL_IT.zip (Fiddler and payload)
+= DE version (sample: 82f941fbd483e0684daed99f006488f1)
+= FR, ES, LV version (sample: f251200975ae1eb1df4fab9c1b715b77 - 2015-02-22)
Disclaimer: I won't study this one in detail. The overall logic should not be far from Styxy Cool or Styx itself. Once again, this is just a "connecting some dots" post.
For many months, what I was mentally calling "Weird Styx", which was really similar to Kein/Styx Kein, puzzled me.
2013-01-22 - "a Weird Styx"
This was as Styxy as an exploit kit can be... but not as randomized as Styx was.
Exploits were rotating really slowly, as in Kein.
I would not be surprised if the coder of the exploits/scheme of Styx, Styxy Cool, Kein and Null Hole is the same.
Null Hole - Login Page
Null Hole - 1 API Call (used for instance by a TDS to get the actual landing)
Null Hole - Raw Stats on one Thread
Null Hole - Partner management
Null Hole. A bunch of sploits.
Null Hole - Manage Clone (vhosts/proxies)
You remember the signed Cryptowall that got some attention a month ago?
It was pushed by both Nuclear Pack and Null Hole.
This is the Null Hole thread :
Null Hole 2014-09-29
The number of victims on that thread: 770.
This exploit kit seems to blink on and off: used for a few weeks, then gone for a month or two.
Here is a fresh pass (thanks to @robemtnez):
Null Hole - 2014-11-17
Here: firing CVE-2014-0515 and CVE-2014-0569 (thanks to TimoHirvonen).
You'll find a pcap from Brad here.