A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #5390  by Xylitol
 Wed Mar 09, 2011 11:48 pm

https://www.virustotal.com/file-scan/re ... 1299699587
 #5431  by Xylitol
 Fri Mar 11, 2011 3:20 pm
locs:


Trojan.Ransom - Cracking with SoftIce
 #5562  by Xylitol
 Sun Mar 20, 2011 5:53 am
loc: hXXp://video.partizan.in/a18f7016c784a0717c67b6e360dbd629.avi

original: 8/43
http://www.virustotal.com/file-scan/rep ... 1300599824
unpacked: 10/43
https://www.virustotal.com/file-scan/re ... 1300600063
 #5564  by GMax
 Sun Mar 20, 2011 12:28 pm
location:
traffall.ru
inhere.ru
Number to Call:
To unlock, set the time a couple of days forward.
 #6029  by EP_X0FF
 Sun Apr 24, 2011 5:27 am
Win32/MBRlock.B post moved to dedicated thread
 #6046  by Xylitol
 Tue Apr 26, 2011 1:21 am
Another interesting treat today.
A ransomware that XORs the first byte of some file formats.

If your wallpaper has been changed by this, you should worry :)
--------------------------

Setup.exe on VT: https://www.virustotal.com/file-scan/re ... 1303751832

The infection is composed of two Delphi binaries which are extracted and run by Setup.exe (Setup.exe is a file powered by Smart Install Maker v5.02).
One file (named svchost.exe) will encrypt your data, and the second (also named svchost.exe) will lock your screen if you attempt to stop the file.

For example, if an antivirus is detected or if you browse the website 'VirusTotal', your PC will be locked.
We will look at this file later; let's first see the one that XORs your files.

A file named инфа.txt is created:
все ваши файлы заблокированы посетите сайт: http://xddd.66ghz.com/
вам присвоен id 215 cообщите его на почту указанную на сайте
Infection locs:
%Programs%\Startup\
%ProgramFiles%\KOPPEKTOP\Soft\
C:\ttt.jpg

xddd.66ghz.com Website capture (domain shutdown requested):

---
First, the ransomware will crawl these drives:
C:\
D:\
E:\
F:\
In each drive it will list your data and compare the extension (to know which files the ransomware will XOR).

'Attacked' extension list:
*.JPG
*.DOC
*.RTF
*.XLS
*.ZIP
*.3GP
*.RAR
*.7Z
*.DOCX
*.MP4
*.PPS
*.DPR
*.POT
*.DOT
*.HTM
*.PDF
*.ISO
*.PPSX
*.EML
*.AVI
*.PPTX
*.HTML
*.TIF
When done, it starts to XOR all the files it found previously, in a loop.

Detail of the procedure: it takes the first byte of your file, XORs the byte with 4B (41 XOR 0A) and does a WriteFile to save the change, then proceeds to the next file.

When all files are XORed, it changes your wallpaper to 'ttt.jpg' (what a wonderful wallpaper heh...)
0046AF7C=scvhost2.0046AF7C (ASCII "c:\ttt.jpg")
EDX=0012FDBC

Then it creates a .BAT file to delete itself (that way, there is no trace of the file that XORed your data).

Then ExitProcess (ByeBye).

That's all for the first scvhost.exe of 643 KB.
Now for the second file: the scvhost.exe of 378 KB.

This file is just a protection for the previous one, as I've said.
It just loops and compares the titles of all open windows.

If a window contains one of these words, the application will appear maximized on your screen and always on top.
Tricks like ALT+F4, ALT+TAB or CTRL+ALT+DEL will not work to move the maximized window.

As you can see here, I tried to go to the site 'VirusTotal' and suddenly this grey window appeared.
So that's all for the second file, just a protection for the real malware.

---------------
How to get your data back

For the moment I'm really too bored to write an asm tool to recover XORed data (sorry guys), so simply use an XOR calculator and a hexadecimal editor.

Here you have the PE header of a JPG file, and those who know the PE header of a JPG will clearly recognize there is a problem with the first byte:

'B4' here is the first byte of the file, and also a victim of the XOR ransomware.
The ransomware XORs all your files with 4B, so do the same operation:
XOR the first byte of your damaged file with 4B yourself.
Do that for all your files: the first byte XOR 4B.

Here we have the original byte: FF. Now save your image and check.

Another way is to reverse the file to make it XOR again.
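The recovery step described in the post, as an added Python example (not the author's tool; the post uses a hex editor): it confirms a file is affected by checking that its first byte XOR 4B yields the expected magic byte for its format, then undoes the XOR. The 0x4B key and the extension list come from the post; the magic-byte table is standard file-format knowledge added here, and the sample bytes in the test are constructed.

```python
# Added example, not from the original post: undo the first-byte XOR described
# above. Key 0x4B and extension list are from the post; magic bytes are standard.
from pathlib import Path

XOR_KEY = 0x4B  # 0x41 XOR 0x0A, as shown in the post

# Extensions the ransomware attacks, as lower-cased suffixes.
TARGET_EXTS = {
    ".jpg", ".doc", ".rtf", ".xls", ".zip", ".3gp", ".rar", ".7z", ".docx",
    ".mp4", ".pps", ".dpr", ".pot", ".dot", ".htm", ".pdf", ".iso", ".ppsx",
    ".eml", ".avi", ".pptx", ".html", ".tif",
}
# Fixed first byte of formats that have one, used to confirm a repair. Text
# formats (.htm, .html, .eml, .dpr) have no fixed magic and stay 'unknown'.
EXPECTED_FIRST_BYTE = {
    ".jpg": 0xFF, ".pdf": 0x25, ".rar": 0x52, ".7z": 0x37, ".rtf": 0x7B,
    ".zip": 0x50, ".docx": 0x50, ".pptx": 0x50, ".ppsx": 0x50,   # "PK"
    ".doc": 0xD0, ".xls": 0xD0, ".pps": 0xD0, ".pot": 0xD0, ".dot": 0xD0,  # OLE2
}

def repair_first_byte(data: bytes) -> bytes:
    """XOR is its own inverse: applying 0x4B again restores the byte."""
    return bytes([data[0] ^ XOR_KEY]) + data[1:] if data else data

def classify(data: bytes, ext: str) -> str:
    """'intact' if the magic matches, 'damaged' if magic ^ 0x4B matches."""
    expected = EXPECTED_FIRST_BYTE.get(ext.lower())
    if expected is None or not data:
        return "unknown"
    if data[0] == expected:
        return "intact"
    return "damaged" if data[0] ^ XOR_KEY == expected else "unknown"

def repair_tree(root: Path, dry_run: bool = True) -> list[tuple[Path, str]]:
    """Walk root, report each targeted file's status, repair damaged ones."""
    report = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTS:
            continue
        data = path.read_bytes()
        status = classify(data, path.suffix)
        if status == "damaged" and not dry_run:
            path.write_bytes(repair_first_byte(data))  # only byte 0 changes
        report.append((path, status))
    return report
```

Run repair_tree with dry_run=True first and review the report; files whose format has no fixed magic byte are reported as 'unknown' and left for manual checking in a hex editor.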