Neurofunk wrote: https://www.virustotal.com/file/d5a7e7c ... /analysis/
edit: this one is kind of fucked up in my opinion, there is a VERY questionable image embedded in it when it executes. Also, not sure if this is the right place, but does anyone know what the giant 90+ meg .pad files this thing writes are for?
MD5: 179caa8975162f0be43fa08b1a8dbde7
Detection ratio: 11 / 45
There are no embedded images or HTML data; all of it is downloaded from the C&C 31.44.184.134:https. Reveton and its C&C now work over SSL. The pad file you mentioned is an encrypted container holding a wave file. Why is it 90 MB? Mad skillz may be the reason. It creates the file at 90 MB straight away and fills it in a 65k-block write loop. The downloaded content is stored at offset 11576 with a size of about 1 MB.
Scary face with some pron.
As for the ransom exports, they determine which mode Reveton uses.
H1N1 - something like initialize: locks the screen by switching to a specially created desktop (random name) with a full-screen IE window.
H1N2 - records from the webcam in a rundll32.exe process launched again on a different specially created desktop (random name). The H1N2 export is called via rundll32.exe from Reveton code mapped inside the IEXPLORE zombie process.
Because it uses different desktops, this trojan is very comfortable for dynamic analysis.
Autoruns via Start->Programs->Autorun. Terminates the Task Manager process (looked up in the watchdog by the name TASKMGR.EXE).
Decrypted working ransom DLL attached; crappy Delphi origin. Run it from a debugger or rundll32. Contains massive log output with spelling errors:
Lock DLL Download and Write Complite
.
X:\PGP\Programming\JimmMonsterNew\ServerWinlock\Source\SysUtils.pas
In comparison with Urausy, Reveton is simple and trash.
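The behaviours described in the reply above (the H1N1/H1N2 exports invoked through rundll32.exe, the rundll32 child launched from the IEXPLORE zombie process, and the watchdog that keeps killing Task Manager) can be turned into simple triage rules over process telemetry. The script below is an added example, not code from the post or from anyone analysing the sample; the event records are constructed Sysmon-style dicts, and the `rundll32.exe <dll>,<export>` command-line shape, the field names, and the file paths are assumptions made for this example.

```python
"""Triage rules for the Reveton behaviours described in the post.

Added example. Event schema (EventType / Image / ParentImage / CommandLine)
is a constructed Sysmon-like shape, not real telemetry from the sample.
"""
import re
from collections import Counter

# Export names taken from the post. Matching ",H1N1" / ",H1N2" after a DLL
# path assumes the usual rundll32 convention "rundll32.exe <dll>,<export>".
EXPORT_RE = re.compile(r",\s*(H1N[12])\b", re.IGNORECASE)

# How many taskmgr.exe terminations in one event set count as a watchdog.
TASKMGR_KILL_THRESHOLD = 3


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Return a list of finding strings for one ProcessCreate event."""
    findings = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image == "rundll32.exe":
        m = EXPORT_RE.search(cmd)
        if m:
            findings.append(f"rundll32 invoking Reveton export {m.group(1).upper()}")
        if parent == "iexplore.exe":
            # The post: H1N2 is called via rundll32.exe from code mapped
            # inside the IEXPLORE zombie process. IE spawning rundll32 is odd.
            findings.append("rundll32.exe spawned by iexplore.exe")
    return findings


def count_taskmgr_kills(events):
    """Number of ProcessTerminate events for taskmgr.exe."""
    return sum(
        1 for ev in events
        if ev.get("EventType") == "ProcessTerminate"
        and basename(ev.get("Image", "")) == "taskmgr.exe"
    )


def triage(events):
    """Run every rule over an event list; return {finding: count}."""
    findings = Counter()
    for ev in events:
        if ev.get("EventType") == "ProcessCreate":
            for f in check_process_create(ev):
                findings[f] += 1
    kills = count_taskmgr_kills(events)
    if kills >= TASKMGR_KILL_THRESHOLD:
        findings[f"taskmgr.exe terminated {kills} times (watchdog)"] += 1
    return dict(findings)


# Constructed sample events (paths and DLL name are placeholders).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Roaming\lock.dll,H1N1"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"iexplore.exe"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Roaming\lock.dll,H1N2"},
    # Benign rundll32 use that must not fire.
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
] + [
    {"EventType": "ProcessTerminate", "Image": r"C:\Windows\System32\taskmgr.exe"}
    for _ in range(4)
]

if __name__ == "__main__":
    for finding, n in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{n:3d}  {finding}")
```

The rules are deliberately narrow: a rundll32 child of iexplore.exe and a command line naming the H1N1/H1N2 exports are each weak on their own, but together with repeated taskmgr.exe terminations they match the behaviour chain the post describes rather than any single generic indicator.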