Attachments
Password: infected
(37.39 KiB) Downloaded 125 times
A forum for reverse engineering, OS internals and malware analysis
HKU\Owner\...\Run: [] C:\Users\Owner\dildptvfbm.exe [109056 2012-11-04] ()
2012-11-04 07:29 - 2012-11-04 07:29 - 00109056 ____A C:\Users\Owner\dildptvfbm.exe
2012-11-04 07:29 - 2012-11-04 07:29 - 00089600 ____A C:\Users\Owner\rojwxdnhuhitlfbrxmht.exe
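As an added example (not code from the thread or from any of its posters), a small Python triage routine for FRST-style log lines like the three above: it parses the Run entry and the file records, cross-references them, and flags executables dropped straight into the profile root. The gibberish-name heuristic and the sample input are constructed here for illustration.

```python
import re

# Constructed sample: the FRST-style lines quoted in the thread, re-typed as input.
SAMPLE_LOG = r"""
HKU\Owner\...\Run: [] C:\Users\Owner\dildptvfbm.exe [109056 2012-11-04] ()
2012-11-04 07:29 - 2012-11-04 07:29 - 00109056 ____A C:\Users\Owner\dildptvfbm.exe
2012-11-04 07:29 - 2012-11-04 07:29 - 00089600 ____A C:\Users\Owner\rojwxdnhuhitlfbrxmht.exe
"""

# "HKU\Owner\...\Run: [<value name>] <path> [<size> <date>] (<signer>)"
RUN_RE = re.compile(
    r"^(?P<hive>HK\w+)\\(?P<key>.+)\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<path>\S+) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]")
# "<created> - <modified> - <size> <attrs> <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) (?P<path>.+)$")
# Heuristic (assumption, not a rule from the thread): a lowercase-gibberish .exe
# sitting directly in a user's profile root is worth a look.
PROFILE_ROOT_EXE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(?P<stem>[a-z]{8,})\.exe$")


def parse(log_text):
    """Split the log into Run entries and a path-keyed dict of file records."""
    runs, files = [], {}
    for line in log_text.splitlines():
        if m := RUN_RE.match(line):
            runs.append({**m.groupdict(), "size": int(m["size"])})
        elif m := FILE_RE.match(line):
            files[m["path"].lower()] = {**m.groupdict(), "size": int(m["size"])}
    return runs, files


def triage(log_text):
    """One finding per suspicious executable, with its Run entry and same-minute siblings."""
    runs, files = parse(log_text)
    run_by_path = {r["path"].lower(): r for r in runs}
    findings = []
    for path, rec in files.items():
        if not PROFILE_ROOT_EXE.match(rec["path"]):
            continue
        run = run_by_path.get(path)
        reasons = ["gibberish-named exe in profile root"]
        if run is not None:
            reasons.append("unnamed Run value" if run["name"] == "" else "Run value %r" % run["name"])
            if run["size"] != rec["size"]:
                reasons.append("size mismatch between Run entry and file record")
        # Files created in the same minute as a Run-registered dropper are likely its siblings.
        siblings = [f["path"] for p, f in files.items() if p != path and f["created"] == rec["created"]]
        findings.append({"path": rec["path"], "persistence": run is not None,
                         "reasons": reasons, "siblings": siblings})
    return findings
```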
RageMachine wrote:
    Interesting one here. Appears to modify SVCHOST, but I couldn't get much further information on it or unpack it without it deleting itself.

I ran it on my system, no VM or sandbox etc. in use. It took a while to finally load the ransom UI and play the audio message. I also had the system32/spoolsv.exe file get removed.
RageMachine wrote:
    Interesting one here. Appears to modify SVCHOST, but I couldn't get much further information on it or unpack it without it deleting itself.

Set a break on CreateProcess. Unpacks fine. Same as TeamRocketOps posted.
Adobe ARM SOFTWARE\Microsoft\Windows\CurrentVersion\Run "%s\ifgxpers.exe" AdobeUpdaters SOFTWARE\Microsoft\Windows\CurrentVersion D:\xidpwooedd" path %s\ifgxpers.exe System\CurrentControlSet\Control\SafeBoot SHDeleteKeyA SHCopyKeyA Shlwapi.dll System\CurrentControlSet\Control\SafeBoot\%s net Network mini Minimal Error HttpSendRequest = %d
Error HttpOpenReques = %d
GET Error InternetConnect = %d
Error InternetOpen = %d
%s\sound.mp3 %s\1.jpg URLDownloadToFileA Urlmon.dll 209.85.229.104 RtlDecodePointer ntdll ZwAllocateVirtualMemory close myFile wait play myFile wait SetAudio myFile volume to 1000000 mciSendStringA Winmm.dll open "%s" type mpegvideo alias myFile getunlock.php picture.php http://62.109.28.231/gtx3d16bv3/upload/img.jpg http://62.109.28.231/gtx3d16bv3/upload/mp3.mp3 %s\1.bmp Edit Button Pay MoneyPak You have 72 hours to pay the fine! Wait! Your request is processed within 24 hours. picture.php?pin= C:\report.txt
G:\WORK\WORK_PECEPB\Work_2012 Private\Project L-0-ck_ER\NEW Extern\inject\injc\Release\injc.pdb