![zip: central directory header not found chimera tool zip: central directory header not found chimera tool](https://cdn.osxdaily.com/wp-content/uploads/2019/05/unzip-end-of-central-directory-signature-not-found-error-610x201.jpg)
- #Zip: central directory header not found chimera tool serial
- #Zip: central directory header not found chimera tool full
- #Zip: central directory header not found chimera tool code
Show a threatening message in full screen using Internet ExplorerĬhimera first tries to obtain the public ip address of the infected machine using a simple query to :Īfter that a new thread is started to contact two embedded IP addresses: 95.165.168.168 and 158.222.211.81:.
#Zip: central directory header not found chimera tool serial
Phone home and tell the C2 who we are (ip address + volume serial number).The function we called infectionProc() performs three main actions: The pseudo-code below shows the first steps of the infection process: If Chimera is not running the next action is to remove itself from the disk and then call the main infection routine that can be called through a thread, or directly in case the core has been invoked statically. First of all Chimera tries to understand if it’s already running on the system, to do this it simply creates a mutex using as a name the VolumeSerialNumber of the computer it’s running on, if the instance is found then the ransomware stops. Once again from the debug information we retrieve the (supposedly) original name of the component: C:\Projects\Ransom\bin\Release\Core.pdb. This stage seems to use parts of ReflectiveLoader to perform the loading into the the final host process.
#Zip: central directory header not found chimera tool code
Once a suitable process is found the core is injected and started: a OpenProcess() is called to open the process, a chunk of memory is allocated into the host process though VirtualAllocEx() then the code is copied with WriteProcessMemory().Īfter injecting the unpacked third stage’s code a CreateRemoteThread() is called and the ransomware core life begins. The first step performed is to acquire SeDebugPrivilege capabilities for the current process:Īfter that the loader begins to enumerate every window through the EnumWindows() function, looking for a 32-bit process to use as a host for the infection: reloc sections headers are still visible: Checking the binary we can indeed notice the presence of a third and final stage packed into the payload, the MZ signature, DOS stub, the PE header together with pieces of.
![zip: central directory header not found chimera tool zip: central directory header not found chimera tool](https://images-na.ssl-images-amazon.com/images/I/51RXNCVg84L._SX218_BO1,204,203,200_QL40_.jpg)
This loader is actually quite simple and its function is simply to find a suitable process for the injection of the core module of Chimera. SHA256: fb02021257e90f3feb1be35dbc98db8a9cd68a83da320ba106b6ad1c77ff701fĬhecking the debug information we find: C:\Projects\Ransom\bin\Release\Loader.pdb an indication that (when in doubt) yes, we are dealing with a ransomware and the current stage is just a loader DLL for the next stage. The next stage is 54.265 bytes in size, we can dump it to obtain the second stage. Let’s jump now to the next stage, exactly where the fnDllEntry() is called on the raw assembly by the run_pe() function. That’s where the job of the first stage is done. Interestingly enough the decrypted payload is manually mapped in memory:Īfter mapping every section the module is called directly through a function pointer: All the relevant code is contained inside the Stub class, the main method is pretty straightforward:Ī base-64 encoded key is used to decrypt whatever is contained inside Stub.pe which, as it happens, is the second stage’s encrypted payload, analysts can retrieve it from here, this is the key used: fO69CKrW5riZeZWZibAc2jzkqvbrNOMxgsBGRGG39ogzNQA0uB8sJXASVzhq5yZn2RldONsSsEgKjITpkKJX4A=Ī quick look at the method cryptBloc() suggests that we are dealing with a local implementation of AES and according to the decoded key, it should be in its 256-bit flavour. NET, the first stage doesn’t perform any malicious function other than decrypting and extracting the second stage. The main executable appears to be mainly delivered by email and is written in. Recently the ransomware world provided a couple surprises: the discovery of CryptoWall 4 in the wild and a new ransomware dubbed Chimera, so far found to be infecting businesses mainly in Germany and threatening to leak personal files if the ransom isn’t paid.