A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #11805  by EP_X0FF
 Sat Feb 25, 2012 9:18 am
GMax wrote: [image]
So many spelling and grammatical errors; the author apparently studied poorly in school.
 #12269  by Kafeine
 Thu Mar 22, 2012 2:50 pm
Not 100% sure it's ransomware, but it was found on a BH EK spreading ransomware.
This one is escaping all online sandboxes (malwr, Anubis, ThreatExpert...).
I am not able to run it on VMware ESX/ESXi.

In my opinion it's escaping on a sound driver check. If someone wants to take a look at it, that would be nice! :)
Attachments
password to extract: infected
(25.88 KiB)
 #12302  by Maxstar
 Fri Mar 23, 2012 6:05 pm
rkhunter wrote:@Maxstar Sure that this is ransom?
As far as I have looked, these files are dropped by the ransom infection. In many cases you will see the same files with extensions like *.cmd, *.pif, *.exe, *.com and *.scr in an F3 line in HijackThis.
http://www.pcwebplus.nl/phpbb/viewtopic ... 741#p24741

There are many topics with these problems now, and I advised some people to upload the quarantined files from MBAM so I can use them on my own machine, decrypt them with MBAM and get a loader.
Files Detected: 3
C:\Users\User\AppData\Roaming\0.2644139947080457h7i.exe (Trojan.Agent.TKH) -> Quarantined and deleted successfully. 
C:\Users\User\AppData\Roaming\0.4427793733083154.exe (Trojan.Agent.TKH) -> Quarantined and deleted successfully. 
C:\Users\User\AppData\Local\Temp\0.4427793733083154.exe (Trojan.Agent.TKH) -> Quarantined and deleted successfully. 
The weird thing is that some GEMA (German) versions will show a Dutch or Belgian version of the 'fake-police' ransom, so it looks like there is a check on the IP to show the right variant of it.
For now I haven't caught the used files or obtained a full sample of this version.
 #12306  by EP_X0FF
 Sat Mar 24, 2012 4:48 am
rkhunter wrote:@Maxstar Sure that this is ransom?
This is a muldrop with the Gamarue worm and Ransom Foreign. It injects payload code into a newly spawned wuauclt copy. Some strings from inside:
id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu
src
src
%lu
%USERPROFILE%
Software\Microsoft\Windows NT\CurrentVersion\Windows
Load
%ALLUSERSPROFILE%
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
%lu
exe com scr pif cmd bat com exe
\LocalSettings\Temp
%s\ms%s.%s
D:(A;;KA;;;WD)
D:(A;;KRWD;;;WD)
D:(A;;KA;;;WD)
%08X
%TMP%\%08x.tmp
D:(A;;KA;;;WD)
id:%lu|tid:%lu|result:%lu
55a9af88e3f12d7e503abe9d6781e50c
hxxp://zaletelly011.be/image.php
hxxp://zaletelly012.be/image.php
hxxp://zaletelly013.be/image.php
hxxp://zaletelly014.be/image.php
hxxp://zaletelly015.be/image.php
hxxp://zaletelly016.be/image.php

POST /%s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
Connection: close

GET /%s HTTP/1.0
Host: %s
User-Agent: Mozilla/4.0
Connection: close
As you can see, it runs from SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, with the body in the %USERPROFILE% temp folder.

The second part of the payload, mapped into the same wuauclt, is the ransom.
pin ok
cow/gate.php
like/gate.php
mozy/gate.php
leex/gate.php
zuum/gate.php
plea/gate.php
code/gate.php
zerro/gate.php
milk/gate.php
tron/gate.php
prog/gate.php
win/gate.php
pic8/gate.php
zip/gate.php
loc/gate.php
pin/gate.php
localhost20 localhost19 localhost18 localhost17 localhost16 localhost15 localhost14
1111localhost13 1111localhost12 1111localhost11 1111localhost10 1111localhost9 1111localhost8 1111localhost7
1111lertionk016.be 1111lertionk017.be
lertionk016.be lertionk015.be lertionk014.be
http://www.microsoft.com
00001
/%s?user=%s&uid=%s%s&os=%i&pin=%s
/%s?user=%s&uid=%s%s&os=%i
del ip ok
/%s?getpic=getpic
http://
/%s?getip=getip
.
Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
GET
Ping
Shell32.dll kernel32.dll advapi32.dll psapi.dll shlwapi.dll ntdll.dll wininet.dll Ole32.dll wsock32.dll ws2_32.dll
gizza
%s
%APPDATA%
%s\%s\%s
%s
0 0 1 0 1 1 0 1 8 0 2 1 0 2 2 0 2 3 0 2 4 0 2 5 0 2 6 0 2 7 0 2 8 0 2 9 0 3 0 0 3 1 0 3 4 0 3 5 0 3 6 0 3 7 0 3 9 0 4 1 0 4 2 0 4 3 0 4 6 1 5 1 6 3 3 7 1 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 1 2 3 4 5 6 7 8 9 9 8 7 6 5 4 3 2 1 1 1 1 1 2 2 2 2 3 3 3 3 4 4 4 4 5 5 5 5 6 6 6 6 7 7 7 7 8 8 8 8 9 9 9 9 0 0 0 0
STATIC
TimesNewRoman
OK
BUTTON
EDIT
1029384756
Download:
ProgressBar
msctls_progress32
Error
PIN
Ukash:
Paysafecard:
Windows
taskmgr.exe regedit.exe seth.exe msconfig.exe utilman.exe narrator.exe
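Added example, not code from the post or from the sample: the format strings in the dump above are enough to write a proxy-log check for the two beacons (the muldrop's POST to image.php with the bare "Mozilla/4.0" user-agent, and the ransom's GET to <dir>/gate.php with user/uid/os/pin or getip/getpic parameters under the misspelled "MSlE 6.0" user-agent), plus a parser for the downloader's id:%lu|bid:%lu|... report line. The log layout and client addresses are assumed and the log lines are constructed for the example; only the hostnames, paths, parameter names and user-agents are taken from the dump.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log (not real traffic). Layout assumed as
# '<client ip> <method> <url> "<user-agent>"'; hosts/paths/UAs from the dump.
SAMPLE_LOG = """\
10.0.0.5 POST http://zaletelly011.be/image.php "Mozilla/4.0"
10.0.0.5 GET http://lertionk016.be/cow/gate.php?user=john&uid=1234&os=5&pin=1234567890123456 "Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
10.0.0.7 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
10.0.0.5 GET http://lertionk015.be/milk/gate.php?getip=getip "Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# gate.php directories listed in the ransom part of the dump
GATE_DIRS = {"cow", "like", "mozy", "leex", "zuum", "plea", "code", "zerro",
             "milk", "tron", "prog", "win", "pic8", "zip", "loc", "pin"}
GATE_PATH_RE = re.compile(r"^/(?P<dir>[A-Za-z0-9]+)/gate\.php$")

# The dump's user-agent spells MSIE with a lowercase L ("MSlE"). A real
# Internet Explorer never sends that, so the typo alone is a strong indicator.
BAD_UA_RE = re.compile(r"\bMSlE 6\.0\b")

# Fields of the downloader's report string, in the order the dump shows them.
# Their meaning is not given in the post, so the parser only splits them.
BEACON_FIELDS = ("id", "bid", "bv", "sv", "pa", "la", "ar")


def parse_beacon(body):
    """Split 'id:%lu|bid:%lu|...|ar:%lu' into {field: int}; reject anything else."""
    fields = {}
    for part in body.split("|"):
        key, sep, value = part.partition(":")
        if not sep or not value.isdigit():
            raise ValueError("not a beacon field: %r" % part)
        fields[key] = int(value)
    if tuple(fields) != BEACON_FIELDS:
        raise ValueError("unexpected field set: %r" % (tuple(fields),))
    return fields


def classify(line):
    """Return (client ip, set of indicator tags) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, url, ua = m.group("ip", "method", "url", "ua")
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    tags = set()
    # muldrop: POST to .../image.php with the bare "Mozilla/4.0" user-agent
    if method == "POST" and parts.path.endswith("/image.php") and ua == "Mozilla/4.0":
        tags.add("muldrop-post")
    gm = GATE_PATH_RE.match(parts.path)
    if gm:
        tags.add("ransom-gate")
        if gm.group("dir") in GATE_DIRS:
            tags.add("known-gate-dir")
        if "getip" in query or "getpic" in query:
            tags.add("ransom-probe")
        if {"user", "uid", "os"}.issubset(query):
            tags.add("ransom-checkin")
        if "pin" in query:
            tags.add("pin-submit")
    if BAD_UA_RE.search(ua):
        tags.add("ua-mslE-typo")
    return ip, tags


def scan(log_text):
    """Aggregate indicator tags per client address; hosts with no hits are omitted."""
    hits = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            hits.setdefault(result[0], set()).update(result[1])
    return hits


if __name__ == "__main__":
    for ip, tags in sorted(scan(SAMPLE_LOG).items()):
        print(ip, sorted(tags))
```

The gate directory list and the "MSlE" misspelling are the parts worth keying on: the domains rotate (the dump already carries numbered localhostNN and lertionkNNN.be placeholders), while the query shape and the hard-coded user-agent are compiled into the payload.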