A forum for reverse engineering, OS internals and malware analysis 

 #21464  by Cody Johnston
 Wed Nov 27, 2013 1:02 am
hxxp://194.28.174.119/0388.exe

https://www.virustotal.com/en/url/466e3 ... /analysis/
It completes the initial post, but I never get the ransom messages. Any insight as to what is going on behind the scenes would be much appreciated!
It will not bring the message up until the RSA key is returned from the server and it can encrypt the files. Otherwise it will just spin through the DGA and then do nothing.
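The behaviour described above (the sample cycles through its DGA looking for a live server and sits idle when none answers) leaves a network footprint that is easy to spot from the resolver side: one host producing a burst of NXDOMAIN answers for many different, never-before-seen names. The following is an added example, not code from the thread or from any of the samples discussed; it runs a simple per-client sliding-window NXDOMAIN burst detector over a handful of constructed resolver log lines. The log format (timestamp, client IP, `query`, name, rcode), the 60-second window and the threshold of five distinct names are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed resolver log lines for the example (not taken from the thread).
# Format assumed: "<iso-timestamp> <client-ip> query <qname> <rcode>".
SAMPLE_DNS_LOG = """\
2013-11-27T01:02:00 10.0.0.5 query www.example.com NOERROR
2013-11-27T01:02:01 10.0.0.5 query qkhdxcmlvwprt.net NXDOMAIN
2013-11-27T01:02:01 10.0.0.5 query bdxojvpqrkwe.org NXDOMAIN
2013-11-27T01:02:02 10.0.0.5 query mnwqaxtyufiol.com NXDOMAIN
2013-11-27T01:02:03 10.0.0.5 query rtxpjlkvqhwsn.biz NXDOMAIN
2013-11-27T01:02:03 10.0.0.7 query intranet.corp.local NXDOMAIN
2013-11-27T01:02:04 10.0.0.5 query zcvbxqmaerwtu.info NXDOMAIN
2013-11-27T01:02:05 10.0.0.5 query ylkjhuwrtpoqe.co.uk NXDOMAIN
2013-11-27T01:05:30 10.0.0.7 query intranet.corp.local NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d+\.\d+\.\d+\.\d+)\s+query\s+"
    r"(?P<qname>\S+)\s+(?P<rcode>\S+)$"
)


def parse_line(line):
    """Parse one resolver log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "client": m.group("client"),
        "qname": m.group("qname").lower().rstrip("."),
        "rcode": m.group("rcode"),
    }


def nxdomain_bursts(lines, window_seconds=60, threshold=5):
    """Flag clients whose NXDOMAIN answers for distinct names reach `threshold`
    inside a sliding window of `window_seconds`.

    Returns {client: (window_start, distinct_count)} recorded at the moment the
    threshold was first crossed. A single name failing repeatedly (a stale
    internal hostname, for instance) is deliberately not counted as a burst.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> deque of (timestamp, qname)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "NXDOMAIN":
            continue
        dq = recent[rec["client"]]
        dq.append((rec["ts"], rec["qname"]))
        # Drop entries that have fallen out of the window.
        while dq and rec["ts"] - dq[0][0] > window:
            dq.popleft()
        distinct = {q for _, q in dq}
        if len(distinct) >= threshold and rec["client"] not in flagged:
            flagged[rec["client"]] = (dq[0][0], len(distinct))
    return flagged


if __name__ == "__main__":
    for client, (start, n) in nxdomain_bursts(SAMPLE_DNS_LOG.splitlines()).items():
        print(f"{client}: {n} distinct NXDOMAIN names starting {start.isoformat()}")
```

On the constructed input only 10.0.0.5 is flagged; 10.0.0.7 fails the same internal name twice and is ignored. In a real deployment the threshold needs tuning against the baseline of the environment (mobile clients with stale search suffixes produce plenty of NXDOMAIN noise), and the distinct-name requirement is what separates a DGA loop from that noise.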
 #21595  by Intimacygel
 Fri Dec 06, 2013 6:35 pm
PX5 wrote: https://www.virustotal.com/en/file/c7dc ... /analysis/
This sample in particular deletes system restore points including the VSS (Volume shadow service) which is really nasty as around 2/3 of the samples I've been testing leave that alone and allow me to restore previous save states of files.

Does anyone know the exact command this uses to access and delete these restore points? I'm looking to see if it's possible to create heuristic detection on anything that tries to do this, as I know of no legitimate process that would do this.

Thanks!
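The thread does not name the command this particular sample runs, so the following is an added example rather than anything from the post or the sample: a heuristic of the kind asked about, run over constructed process-creation records (the shape Sysmon event ID 1 or a similar EDR feed provides). The rule patterns cover the documented ways shadow copies and backup catalogs get removed on Windows (MITRE ATT&CK T1490, Inhibit System Recovery): `vssadmin delete shadows`, `vssadmin resize shadowstorage`, `wmic shadowcopy delete` and `wbadmin delete catalog`. The record field names, the parent-path heuristic and the severity labels are assumptions chosen for the example.

```python
import re

# Constructed process-creation records for the example (not from the thread).
# Field names are assumed; map them from whatever your telemetry source provides.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent": r"C:\Users\bob\AppData\Roaming\Ucdsjwbs.exe"},
    {"pid": 1002, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1003, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1004, "image": r"C:\Program Files\BackupTool\bk.exe",
     "cmdline": "bk.exe --verify",
     "parent": r"C:\Windows\explorer.exe"},
]

# Documented shadow-copy / backup-catalog removal command lines (ATT&CK T1490).
SHADOW_DELETE_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# User-writable locations from which legitimate backup tooling is not normally
# launched; a parent living there raises the severity (assumption for the example).
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def classify_event(event):
    """Return the names of every rule whose pattern matches the command line."""
    cmd = event.get("cmdline", "")
    return [name for name, rx in SHADOW_DELETE_RULES if rx.search(cmd)]


def suspicious_parent(parent_image):
    """True when the parent process image sits in a user-writable directory."""
    p = parent_image.lower()
    return any(seg in p for seg in SUSPICIOUS_PARENT_DIRS)


def scan_events(events):
    """Produce one alert per event that matches a shadow-copy removal rule."""
    alerts = []
    for ev in events:
        hits = classify_event(ev)
        if not hits:
            continue
        severity = "high" if suspicious_parent(ev.get("parent", "")) else "medium"
        alerts.append({"pid": ev["pid"], "rules": hits, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The parent-process check is what turns a noisy rule into a usable one: administrators do run `vssadmin delete shadows` by hand from a console, so a match on its own is medium severity, while the same command spawned by an executable under a user's AppData directory (where droppers like the ones in this thread write their payload) is the case worth paging on. Blocking rather than alerting is a policy decision; the same patterns work as an AppLocker or EDR prevention rule.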
 #21648  by Intimacygel
 Wed Dec 11, 2013 3:21 pm
Anyone got any working samples still? Most of the ones I've found here only drop their components and make registry changes, but they won't encrypt or show the ransom window. I presume because the server it would send the RSA key to is no longer active...
 #21660  by Intimacygel
 Thu Dec 12, 2013 3:36 pm
Got one - pulled it off of a customer's box.

invoice.exe dropped it.
E4817AE88D6D43FB9AF973827241FDE0
Then dropped this
F4073E00E675D759CBAC3A556ACDD739
Then dropped this
2BEE39281327441275E59A6247C9F9AC
Then dropped this
186D960FDF8F96855A78376FBD9EEA3A
Which then dropped the active cryptolocker process.
2A1609EF72F07ABC97092CB456998E43

Still working as of my last test a couple hours ago.
Attached is the 2A1609EF72F07ABC97092CB456998E43

https://www.virustotal.com/en/file/038d ... /analysis/
Attachments
pw = infected
 #21663  by r3shl4k1sh
 Thu Dec 12, 2013 7:20 pm
Intimacygel wrote: Still working as of my last test a couple hours ago.
Attached is the 2A1609EF72F07ABC97092CB456998E43

https://www.virustotal.com/en/file/038d ... /analysis/
This one has DGA to get the server address.

In attached unpacked exe: B1D46F77F3A12235ED1699363ACF6948

VT 16 / 48
Attachments
pass: infected