Ransomware Krotten - My findings

NekoJonez
Thread author
Jun 3, 2015
So, I infected a virtual machine with one of the nastiest pieces of ransomware imo, Krotten. I used the OG variant.

It was a Windows XP machine. I tried all the fixes that I could find on YouTube, but after a while of running into the blocking payload, I had had enough of it and tried looking for a solution myself.

I found a weakness in some Krotten variants. If you use Windows Key + E to open Explorer and get yourself to the desktop... create a shortcut to the folders you want to go to, like the Windows folder, Documents and Settings, etc.... and it works just fine.

Then I dug deeper and deeper. But at a certain moment, I got a breakthrough. I wondered how the malware was able to allow only Internet Explorer to run. So, I tried renaming CMD to iexplore.exe... After a few seconds, the CMD window was open.

I was unable to open regedit by this method sadly.

So, using this method, you might be able to install MBAM or any other good anti-malware program. But when you download programs using IE, it actually blocks the save function. So, "run" is your only option... Then you run into the blocking payload.

So, I got myself a USB stick and downloaded the Firefox installer on my host. Then I actually renamed it (the setup) to iexplore.exe and it installed just fine. After that, renaming the executable of Firefox to iexplore.exe is easy. (Right-click -> Find Target -> Rename)

So yeah, Firefox doesn't have the issue that you can't save files. Hehehehe. ;3 Using SpyHunter 4, I was able to get some features back, but not all.

In any case, I'm quite sure that using this method will allow you to install programs like Malwarebytes, HerdProtect or others that will kill the blocking payload.

But after seeing the mess it leaves behind, it's better to actually reinstall Windows or go back to a backup. It doesn't encrypt your files from what I have seen... it actually deletes a lot of features from Windows.

I hope I explained it clearly enough. If I wasn't clear in any part of my findings here... feel free to ask. It's the first real report as a malware researcher I have written ;)
 
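The post above shows a lockdown that decides which processes may run purely by image name, so a copy of cmd.exe or the Firefox setup renamed to iexplore.exe slips through. The same weakness cuts the other way for defenders: a renamed binary is exactly what process-creation telemetry can catch by comparing the on-disk file name with the OriginalFileName string embedded in the executable's version resource. The Python below is an added example written for this thread, not code from the original post or from any of the tools named in it. It consumes records shaped like Sysmon Event ID 1 (the field names Image, OriginalFileName, ParentImage and CommandLine are Sysmon's; the records themselves are constructed for the example) and flags every process whose basename disagrees with its embedded original name.

```python
"""
Detect renamed executables (a classic masquerading indicator) by comparing a
process image's on-disk basename with the OriginalFileName embedded in its PE
version resource, as reported in Sysmon Event ID 1 process-creation events.
All sample records below are constructed for this example.
"""

# Constructed sample events; field names follow Sysmon Event ID 1.
# Sysmon writes "-" when the PE has no version resource.
SAMPLE_EVENTS = [
    {   # genuine Internet Explorer: names agree, not flagged
        "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
        "OriginalFileName": "IEXPLORE.EXE",
        "ParentImage": r"C:\WINDOWS\explorer.exe",
        "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
    },
    {   # cmd.exe copied to the desktop and renamed, as in the post: flagged
        "Image": r"C:\Documents and Settings\user\Desktop\iexplore.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\WINDOWS\explorer.exe",
        "CommandLine": "iexplore.exe",
    },
    {   # Firefox renamed to iexplore.exe: flagged
        "Image": r"C:\Documents and Settings\user\Desktop\iexplore.exe",
        "OriginalFileName": "firefox.exe",
        "ParentImage": r"C:\WINDOWS\explorer.exe",
        "CommandLine": "iexplore.exe",
    },
    {   # untouched cmd.exe: names agree, not flagged
        "Image": r"C:\WINDOWS\system32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\WINDOWS\explorer.exe",
        "CommandLine": "cmd",
    },
    {   # no version resource: undecidable, deliberately not flagged
        "Image": r"C:\WINDOWS\system32\svchost.exe",
        "OriginalFileName": "-",
        "ParentImage": r"C:\WINDOWS\system32\services.exe",
        "CommandLine": "svchost.exe -k netsvcs",
    },
]

# Values Sysmon (or a missing field) may put in OriginalFileName when the
# PE carries no usable version string.
_UNKNOWN_ORIGINAL = {"", "-", "?"}


def image_basename(win_path):
    """Return the file name part of a Windows path.

    os.path.basename only splits on '/' when this runs on POSIX, so the
    backslash handling is done by hand to keep the logic portable.
    """
    return win_path.replace("\\", "/").rsplit("/", 1)[-1]


def is_masquerading(event):
    """True when the on-disk basename differs from the embedded original name.

    The comparison is case-insensitive because PE version strings vary in
    case ("Cmd.Exe", "IEXPLORE.EXE"). Events without a usable
    OriginalFileName are left unflagged rather than guessed at.
    """
    image = image_basename(event.get("Image", "")).lower()
    original = (event.get("OriginalFileName") or "").strip().lower()
    if not image or original in _UNKNOWN_ORIGINAL:
        return False
    return image != original


def find_renamed_binaries(events):
    """Return (on-disk name, embedded original name) for every flagged event."""
    return [
        (image_basename(e["Image"]), e["OriginalFileName"])
        for e in events
        if is_masquerading(e)
    ]


if __name__ == "__main__":
    for disk_name, original in find_renamed_binaries(SAMPLE_EVENTS):
        print(f"renamed binary: {disk_name} is really {original}")
```

In practice this rule needs an allowlist: some legitimate installers and self-extracting packages ship with an OriginalFileName that does not match the name the vendor distributes them under, so the hit list is a triage queue, not a verdict. The undecidable case (no version resource) is left unflagged on purpose; a separate rule can count those if unsigned, resource-less binaries are rare in the environment.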

jamescv7
Honorary Member
Mar 15, 2011
MBAM Chameleon technology and RKill should also do very well, since a renamed file isn't always recognized by some ransomware threats, so it will terminate known malicious processes.

HitmanPro also contains features to kill viruses by terminating malicious processes, and it can be put on a USB stick (HitmanPro Kickstart).