A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8547  by Xylitol
 Tue Sep 13, 2011 12:52 pm
Some changes, malware download come from a BlackHole exploit kit and instead of beeline numbers there is webmoney IDs.
Code: Select all
hxxp://8klbw.2lkjdj.ru/w.php?f=18&e=4
Image
WebMoney: U159972976081
WebMoney: U191228079133
WebMoney: U151459219666
WebMoney: U250063339599
Code to unlock Windows: ol.ol.
VT: 5/42 >> 11.9%
http://www.virustotal.com/file-scan/rep ... 1315917889
Attachments
pwd: xylibox
(458.53 KiB) Downloaded 87 times
 #8614  by agadive
 Sun Sep 18, 2011 8:27 am
I've got one with the number 7 9811293557 (text message 300) anyone's got a code for that? Help. I found a code that says I need to type any 8 keys (not numbers though), and the keybord only enables me to type numbers from 1-9, but not "0" . No letters either.
I'd appreciate any help.
 #10610  by GMax
 Mon Dec 26, 2011 6:41 pm
Image

URL:
hxxp://k-trah-v-celku.ru/xvid/xvid1x1.avi
hxxp://k-trah-v-celku.ru/xvid/xvid1x2.avi
hxxp://k-trah-v-celku.ru/xvid/xvid1x3.avi
hxxp://k-trah-v-celku.ru/xvid/xvid1x4.avi
hxxp://k-trah-v-celku.ru/xvid/xvid2x1.avi
hxxp://k-trah-v-celku.ru/xvid/xvid2x2.avi
hxxp://k-trah-v-celku.ru/xvid/xvid2x3.avi
hxxp://k-trah-v-celku.ru/xvid/xvid2x4.avi
...
hxxp://k-trah-v-celku.ru/xvid/xvid8x1.avi
hxxp://k-trah-v-celku.ru/xvid/xvid8x2.avi
hxxp://k-trah-v-celku.ru/xvid/xvid8x3.avi
hxxp://k-trah-v-celku.ru/xvid/xvid8x4.avi
ADD:
hxxp://pornommix.ru/xvid/xvid1x1.avi
hxxp://pornommix.ru/xvid/xvid1x2.avi
hxxp://pornommix.ru/xvid/xvid1x3.avi
hxxp://pornommix.ru/xvid/xvid1x4.avi
hxxp://pornommix.ru/xvid/xvid2x1.avi
hxxp://pornommix.ru/xvid/xvid2x2.avi
hxxp://pornommix.ru/xvid/xvid2x3.avi
hxxp://pornommix.ru/xvid/xvid2x4.avi
...
hxxp://pornommix.ru/xvid/xvid8x1.avi
hxxp://pornommix.ru/xvid/xvid8x2.avi
hxxp://pornommix.ru/xvid/xvid8x3.avi
hxxp://pornommix.ru/xvid/xvid8x4.avi
Unlock code: 2011
Attachments
pass: malware
(570.32 KiB) Downloaded 76 times
 #10714  by GMax
 Fri Dec 30, 2011 6:24 pm
Image

URL:
hxxp://deregby.ru/avik/vidok1x1.avi
hxxp://deregby.ru/avik/vidok1x2.avi
hxxp://deregby.ru/avik/vidok1x3.avi
hxxp://deregby.ru/avik/vidok1x4.avi
...
hxxp://deregby.ru/avik/vidok11x1.avi
hxxp://deregby.ru/avik/vidok11x2.avi
hxxp://deregby.ru/avik/vidok11x3.avi
hxxp://deregby.ru/avik/vidok11x4.avi

hxxp://severbludnicha.ru/avik/vidok1x1.avi
hxxp://severbludnicha.ru/avik/vidok1x2.avi
hxxp://severbludnicha.ru/avik/vidok1x3.avi
hxxp://severbludnicha.ru/avik/vidok1x4.avi
...
hxxp://severbludnicha.ru/avik/vidok11x1.avi
hxxp://severbludnicha.ru/avik/vidok11x2.avi
hxxp://severbludnicha.ru/avik/vidok11x3.avi
hxxp://severbludnicha.ru/avik/vidok11x4.avi
Unlock code: 070707
Attachments
pass: malware
(577.18 KiB) Downloaded 83 times
 #12923  by EP_X0FF
 Fri Apr 27, 2012 12:16 pm
Ransom LockScreen

Thanks for sample to Xylitol and mrbelyash.

Image

Unblock code: 9109101313

Drops from a fake porn site as xxx_video.avi.exe
Runs through SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon as Shell replacement of Explorer.

For unpacking load dropper into debugger and set a break on CreateProcess (due to drop period ransomware restarts itself from %temp% folder for original file self-deletion purposes). Then locate decrypted payload container in dropper memory and dump it to disk. Cut off garbage, remove UPX and "unpacking" complete. Next it is trivial. Unblock button is Button3. Yes this crapware written on Delphi 7 and even include image named "winlockimage". Used WinBlockTerr Delphi component for various system parameters blocking.
Code: Select all
CODE:0047FDCC TForm1_Button3Click proc near           
CODE:0047FDCC
CODE:0047FDCC var_4           = dword ptr -4
CODE:0047FDCC
CODE:0047FDCC                 push    ebp
CODE:0047FDCD                 mov     ebp, esp
CODE:0047FDCF                 push    0
CODE:0047FDD1                 push    ebx
CODE:0047FDD2                 mov     ebx, eax
CODE:0047FDD4                 xor     eax, eax
CODE:0047FDD6                 push    ebp
CODE:0047FDD7                 push    offset loc_47FE2B
CODE:0047FDDC                 push    dword ptr fs:[eax]
CODE:0047FDDF                 mov     fs:[eax], esp
CODE:0047FDE2                 lea     edx, [ebp+var_4]
CODE:0047FDE5                 mov     eax, [ebx+358h]
CODE:0047FDEB                 call    ControlGetText
CODE:0047FDF0                 mov     eax, [ebp+var_4]
CODE:0047FDF3                 mov     edx, offset _str_9109101313.DelphiString
CODE:0047FDF8                 call    LStrCmp
CODE:0047FDFD                 jnz     short loc_47FE0B
CODE:0047FDFF                 call    pRestoreShell
CODE:0047FE04                 call    pSelfDelete
VT Original
https://www.virustotal.com/file/c2ce0db ... /analysis/

Unpacked
https://www.virustotal.com/file/91e0a27 ... /analysis/

Both in attach.
Attachments
pass: infected
(623.02 KiB) Downloaded 101 times
 #17913  by EP_X0FF
 Mon Jan 28, 2013 2:40 pm
The actual payload downloads from as hxxp://dasfanvid.ru/codfullhdxavi.exe
dasfanvid wrote:icq 34568623 if u need to speak
:)

Do not work without referer
Code: Select all
15:37:42	28.1.2013	GET http://dasfanvid.ru/codfullhdxavi.exe HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17
Accept: */*
Referer: http://masvideo1hd.ru/
Host: dasfanvid.ru
15:37:45	28.1.2013	HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Mon, 28 Jan 2013 14:37:44 GMT
Content-Type: application/x-msdos-program
Content-Length: 1728512
Connection: close
Last-Modified: Mon, 28 Jan 2013 11:02:24 GMT
ETag: "d803f3-1a6000-4d457363c3000"
Accept-Ranges: bytes
Btw, file updated, unlock code the same.
 #18060  by EP_X0FF
 Wed Feb 06, 2013 4:38 pm
Landing at masvideo1hd.ru.

However we already knocked out payload part.
From: CISHost.ru <mail@cishost.ru>
Hello. User blocked

On Wed, 06 Feb 2013 15:54:30 +0800

>
> Hello,
>
> the following site
>
> devki-traxbest.ru
> masvideo1hd.ru
>
> IP address: 5.9.59.109 (g4.cishost.ru)
> Host name: masvideo1hd.ru
> Alias: masvideo1hd.ru
>
>
> host and distributes malicious software known as Trojan Winlock.
> Direct link to malware hxxp://masvideo1hd.ru/avik/vidok1x1.avi (resolves to hxxp://devki-traxbest.ru/codfullhdxavi.exe, referrer "masvideo1hd.ru" is required for access).
>
> Please take a measures against this rogue customer.
>
> Thank you.
Attached sample downloaded before server block.
codfullhdxavi.exe is now detected as Trojan:Win32/LockScreen.AO
Attachments
pass: malware
(1.64 MiB) Downloaded 88 times