[gjf]

Ok, But i test MSE on detection/remove Mayachok.2 and not detect it with last update. Actually, I making quick scan.

What is Mayachok.2? If it is Rootkit.CiDox it could be caused by non-standard mechanism of infection. IPL is not MBR and it is a problem now for not only Microsoft.

BTW it can be cured by simple fixboot under console.

[EP_X0FF]

New domain.

hxxp://ebemnayaziki.ru/xxxvideo.avi.exe
hxxp://valenkirusporno.ru/xxxvideo.avi.exe

Unblock code like previous, H701630.

[EP_X0FF]

Source

hxxp://hammanshamanxxx.ru/xxxvideo.avi.exe

Numbers to call:

89645917027
89645917026
89629880436
89091621297
89091621260
89091621308
89099967905
89629900734
89629901098
89629880459

Unblock code: K91732109

In attach dropper and decrypted.

hxxp://kseksporno.ru/xxxvideo.avi.exe
hxxp://yurpornoxxxxx.ru/xxxvideo.avi.exe

Number to call:

89859612064

Unblock code: 70093112

Number to call:

89645912917
89645617404
89645617374
89645617262
89645617259
89645617210
89645619795
89645619741
89645619648
89645619492

Unblock code: Z0907419

EDIT:

hxxp://vazneunitazxxx.ru/xxxvideo.avi.exe

Number to call:

89645917027
89645917026
89629880436
89091621297
89091621260
89091621308
89099967905
89629900734
89629901098
89629880459

Unblock code: T610381D

EDIT2:

hxxp://mitsubishierotica.ru/xxxvideo.avi.exe

Unblock code like previous

EDIT3:

hxxp://toyotasexix.ru/xxxvideo.avi.exe

Unblock code the same

EDIT4:

hxxp://mazdayayci.ru/xxxvideo.avi.exe

Num to call:

89162886186

Unblock code: 651073RD

EDIT5:

hxxp://pornodetall.ru/xxxvideo.avi.exe

Number to call:

89645917027
89645917026
89629880436
89091621297
89091621260
89091621308
89099967905
89629900734
89629901098
89629880459

Unblock code: M103917D

EDIT6:

hxxp://migapilossex.ru/xxxvideo.avi.exe
hxxp://futuresexxx.ru/xxxvideo.avi.exe

Unblock code the same as previous

EDIT7:

hxxp://linamuilavski.ru/xxxvideo.avi.exe

Number to call:

89672692932
89672692931
89672692930
89672692928
89672692927
89672692921

Unblock code: Q103912D

EDIT8:

hxxp://misstuberux.ru/xxxvideo.avi.exe
hxxp://ssssaniedirki.ru/xxxvideo.avi.exe

Number to call:

89670627530
89652276281
89652276300
89671068927
89671071205
89671068912

Unblock code: V710482D

[EP_X0FF]

kseksporno.ru and it alias yurpornoxxxxx.ru blocked by hoster due to abuse.

[Xylitol]

How to debug MBR Ransomware.
(taken from my blog)



I received several questions about previously posted MBRLock, the idea here to resume all: a tiny tutorial for pwned these lockers.


Firstly get infected (lol) you have two options, browsing a fake porn site and get exe or visit an infected webpage who lead to MBRlock execution.




The xxxvideo.avi.exe file have generally a ~61Kb size and most of time use a VB crypter.
It spawns new copy of process, decrypts data and writes them to new process ImageBaseAddress and then resumes main thread.
A quick way to unpack it is to set breaks on CreateProcess/WriteProcessMemory, but here the unpacking is not really important (We want just the MBR right?)


A fast way is to use HideToolz by Fyyre and enable the reboot protection, then you can infect your machine, HideToolz will block ExitWindowsEx done by the MBRLock.

The MBR is infected... what's now ?
For make a dump personally I know two way: Hiew and HDHacker.

HDHacker is really handy:


Hiew is fastest (and used by most of malware researcher?)


For make a dump with Hiew, load it like this: hiew32 \\.\PhysicalDrive0

Then in hex mode press * for select the infected block and * again for finish,
Then, F2 to save the dump.


Now we have a copy of our infected MBR
To debug it, we will use IDA Pro, but firstly you need the good packages.
- Bochs
- Python 2.6
- IDAPython
- MBR package of Elias

Install 'em all, then build your image file with mbr.py
Or just open command prompt, make sure IDA is in the path Set path=%path%;"C:\Program Files\IDA 6" for example and run ida.bat, it will take care of the rest.


Drag 'n' drop your bochsrc file on IDA, and you can start to debug, if everything load properly :þ


For do it fast with these lame lockers:




Nj0y ~

[EP_X0FF]

New domain name. Previous annihilated.
Crypter change.

hxxp://govnobakovkaxxx.ru/xxxvideo.avi.exe

Number to call:

89639710397
89096698355
89639710524
89639710699
89670621885
89670621896

Unblock code: F710382D

hxxp://vaginudetrhr.ru/xxxvideo.avi.exe
hxxp://fatrmutrfaker.ru/xxxvideo.avi.exe

Number to call:

89036261519
89036641227
89036638831
89036277841
89036277968
89036299720
89036642904
89036631902
89036279647
89036602893

Unblock code: K105103D

hxxp://utubexxxvideo.ru/xxxvideo.avi.exe

Number to call:

89672695844
89036265004
89036264319
89036265319
89672695834
89672695833
89645076098
89096698344

Unblock code: Q120102D

hxxp://gigosporno.ru/xxxvideo.avi.exe

Number to call:

89645680274
89645681824
89645681894
89645682649
89645675422
89645675936
89645676219
89645675394
89645676093
89645631569
89645681824
89645675394
89645675422
89645675936
89645680274

Unblock code D403873D

[EP_X0FF]

This time script-kiddies put on it some new vb crap, method mentioned in Xylitol blog post not work for this one. They generated over 150 Kb of sh*t. But it is not a problem.

In attach original and unpacked.

Unblock code, tel numbers and source -> see previous post.

C:\DocumentsandSettings\Admin\Рабочий стол\VBCrypter\VBCrypter\Payload\Project1_Generated-1\ObfuscatedNr-1\nomrc_Generated-1\nomrc.vbp

[mc0blck]

hxxp://dikiesu4ki.ru/xxxvideo.avi.exe

[EP_X0FF]

hxxp://dikiesu4ki.ru/xxxvideo.avi.exe

Skiddies packed it UPX additionally to reduce size from 200 Kb.

Number to call:

89645630966
89645630631
89645631125
89645631261
89645631392
89645630966
89645630631
89645631125
89645631261
89645631392
89645630966
89645630631
89645631125
89645631261
89645631392

Unblock code: W100278D

[mc0blck]

hxxp://RUSSIANSUKAVOM.ru/xxxvideo.avi.exe