A forum for reverse engineering, OS internals and malware analysis 

Ransom Weelsof

Forum for analysis and discussion about malware.

Re: Trojan Ransom / FakePoliceAlert

 #13366  by tachion
 Tue May 22, 2012 7:05 pm
Ransomware - FakePoliceAlert
9cd87975bfd230a767d497a1f5dfbf4d
https://www.virustotal.com/file/3e3f980 ... /analysis/

Detailed report of suspicious malware actions:

Created a mutex named: Local\!IETld!Mutex
Defined file type created in Windows folder: C:\Windows\explorer_new.exe
Defined file type created in Windows folder: C:\Windows\jdnmpqrzkxwacfnypbbv.exe
Defined file type created: C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined file type created: C:\ProgramData\ugjuzuaefophikn\jquery.main.js
Defined file type created: C:\ProgramData\ugjuzuaefophikn\main.html
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer_new.exe
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Deleted activity traces
Detected process privilege elevation
File copied itself
Got computer name
Internet connection: Connects to "62.76.47.158" on port 80.
Internet connection: Connects to "euro-police.in" on port 80.


Image
Attachments
pass. sg
(34.89 KiB) Downloaded 81 times

Trojan:Win32/Weelsof

 #13415  by Xylitol
 Fri May 25, 2012 7:38 am
Weelsof package + unpacked and some old design.
I've used the TDS for determine the winlock history:
[Dumped] 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F83FCDA (09:26:50 - 10/04/2012) » weelsoffortune.info
Packed: 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F84A969 (21:43:05 - 10/04/2012)

[Dumped] 62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df • 4F854EC3 (09:28:35 - 11/04/2012) » weelsoffortune.info
Packed: 62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df • 4F8644BB (02:58:03 - 12/04/2012)

[Dumped] 73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960 • 4F8C315F 14:49:03 - 16/04/2012) » trybesmart.in
Packed: 73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960 • 4F8DFBBF (23:24:47 - 17/04/2012)
Packed: be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d • 4F90A68A (23:58:02 - 19/04/2012)
Packed: 61318fa1f1db342045573d584badc254c9e2578db916594dc749d8cc44ce8ac4 • 4F91F15B (23:29:31 - 20/04/2012)
Packed: 425c42d6108db6b6b5cbda7a5417b5f55225c47ac588f5f0a293c2b07a78d14b • 4F9906FF (08:27:43 - 26/04/2012)

[Dumped] 4f0b6605434c1355b10950024eaa9f695822278f57c29275706c0e5b29b369b0 • 4F9911B3 09:13:23 - 26/04/2012) » trybesmart.in
Packed: 19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf • 4F9B33C5 (00:03:17 - 28/04/2012)
Packed: 78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b • 4FA04B59 (20:45:13 - 01/05/2012)
Packed: d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523 • 4FA478A6 (00:47:34 - 05/05/2012)
Packed: 4f0b6605434c1355b10950024eaa9f695822278f57c29275706c0e5b29b369b0 • 4FA6FBBB (22:31:23 - 06/05/2012)
Packed: 80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2 • 4FAAF59A (22:54:18 - 09/05/2012)
Packed: ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2 • 4FAD9768 (22:49:12 - 11/05/2012)

[Dumped] d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4 • 4FB252FB 12:58:35 - 15/05/2012) » police-center.in
Packed: d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4 • 4FB30D08 (02:12:24 - 16/05/2012)
Packed: 46ca6b1972c81eab77202146184afe95b797bd4e3788c59e8036e748b55fc28c • 4FB566FC (21:00:44 - 17/05/2012)

[Dumped] 3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458 • 4FBA3695 12:35:33 - 21/05/2012) » euro-police.in
Packed: 3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458 • 4FBADA26 (00:13:26 - 22/05/2012)
Attachments
infected
(337.82 KiB) Downloaded 95 times
infected
(1.82 MiB) Downloaded 379 times

Re: Trojan Ransom / FakePoliceAlert

 #13542  by Xylitol
 Wed May 30, 2012 2:36 pm
Weelsof ransom themes (AT,FI,DE,BE,FR,GR,IT,NL,PL,PT,ES,SW,SH) and sample in attach.
also some news... they moved, previous machine hosted on clodo.ru shutdown.
Code: Select all
• dns: 1 ›› ip: 95.163.104.89 - adresse: DOLORES.CURSOPERSONA.COM
still same shit dolores.cursopersona.com/cp.php

packed bin tds: 4FC0D14D - 12:49:17, 26 may
dumped version: 4FBF2E76 - 07:02:14, 25 may 2012

edit: 62.76.41.126 is back.
Attachments
infected
(68.58 KiB) Downloaded 90 times
infected
(784.79 KiB) Downloaded 100 times
Last edited by Xylitol on Wed May 30, 2012 3:38 pm, edited 1 time in total.

Re: Trojan Ransom / FakePoliceAlert

 #13716  by thisisu
 Tue Jun 05, 2012 7:58 am
Gimemo - France - "Gendarmerie Nationale" v2
MD5: 1e3711818e1c1474ef24c4a59843be74
https://www.virustotal.com/file/9ccd219 ... /analysis/
Code: Select all
C:\sOxs5YdeJvsd\sOxs5YdeJvsd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | sOxs5YdeJvsd
Additional info here.
Attachments
pass: infected
(339.67 KiB) Downloaded 77 times

Re: Trojan Ransom / FakePoliceAlert

 #13790  by Xylitol
 Thu Jun 07, 2012 8:57 am
thisisu wrote:Gimemo - France - "Gendarmerie Nationale" v2
Not Gimemo, and not a 'v2'
just some lame shit made by kids, panel and even the ransom is clearly unprofessional work.

In attach last weelsof dump.
Attachments
infected
(374.05 KiB) Downloaded 82 times
 Return to “Malware”