Attachments
PW = infected
(39.1 KiB) Downloaded 91 times
(39.1 KiB) Downloaded 91 times
A forum for reverse engineering, OS internals and malware analysis
Another one.
Attachments
(87.77 KiB) Downloaded 86 times
Maxstar wrote:https://www.virustotal.com/file/a3f010c ... /analysis/
This is Rannoh?
no sir, its encryption malware trustezeb.c
The file for C:\Documents and Settings\All Users\Application Data\lsass.exe is as far as I can work out legit, it is a copy made by the likes of the FBI family so that the ransom can use this copy. Although I also move the file when cleaning a system
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
ctfmon.lnk
Look at the properties in ctfmon.lnk, the Target points to the legit MD5 but also points to the bad dll that a lot of the time is in the TEMP folder
I think I have 2 of the .dll's and a ctfmon.lnk, if people want it.
037B1E7798960E0420003D05BB577EE6 is the correct MD5 for rundll32.exe on XP, The ransom copies it places it in a different location and renames it from rundll32.exe to lsass.exe.
Quads
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
ctfmon.lnk
Look at the properties in ctfmon.lnk, the Target points to the legit MD5 but also points to the bad dll that a lot of the time is in the TEMP folder
I think I have 2 of the .dll's and a ctfmon.lnk, if people want it.
037B1E7798960E0420003D05BB577EE6 is the correct MD5 for rundll32.exe on XP, The ransom copies it places it in a different location and renames it from rundll32.exe to lsass.exe.
Quads
Thanks Quads for clearing that up. I agree with you. I had a feeling there was more to this ransomware especially after seeing lsass.exe / rundll32.exe receiving 0 hits on VT and its file size. What happened was I ran CCleaner first which must have removed any bad file(s) in temporary directories before I started to look for actual malware :roll:
I'd like to see the .dlls if you feel like attaching. :)
I'd like to see the .dlls if you feel like attaching. :)
Attached
I realised using OTL for people that removing the startup entry (for this variant) stops FBI, but no other files like the .dll was found or detected, figured out that with the script I was using the [emptytemp] command which was deleting the .dll, so changed the script so as not to touch the temp folders.
Quads
I realised using OTL for people that removing the startup entry (for this variant) stops FBI, but no other files like the .dll was found or detected, figured out that with the script I was using the [emptytemp] command which was deleting the .dll, so changed the script so as not to touch the temp folders.
Quads
Attachments
password = infected
(457.84 KiB) Downloaded 108 times
(457.84 KiB) Downloaded 108 times
Well now I'm kind of confused because of this log (attached):
Inside we can see the ransomware file:
Notice how there is not any reference to lsass.exe in the registry. It's clean unless FRST is unable to detect it.
BTW the other crap deleted is not related (ZeroAccess Oak Technologies / IOMEGA Netsvcs variant)
Inside we can see the ransomware file:
Code: Select all
This is essentially the only file I moved and then the user was able to boot normally without ransom screen.2012-10-12 19:22 - 2012-10-12 19:22 - 00044544 ____A (Microsoft Corporation) C:\Users\All Users\lsass.exeNotice how there is not any reference to lsass.exe in the registry. It's clean unless FRST is unable to detect it.
BTW the other crap deleted is not related (ZeroAccess Oak Technologies / IOMEGA Netsvcs variant)
Attachments
(54.64 KiB) Downloaded 62 times
Last edited by thisisu on Fri Oct 19, 2012 7:27 pm, edited 1 time in total.
normaly it should also create an lnk
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\lsass.exe
but
lsass.exe is clean copy of original file i think
it use lsass.exe for startup (but not 100 % sure)
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\lsass.exe
but
lsass.exe is clean copy of original file i think
it use lsass.exe for startup (but not 100 % sure)
Yes but it must have been lsass.exe that was displaying the ransom screen. I do not see how it could be anything else other than lsass.exe since this is the only file removed from the system.
Attached fixlist.txt used.
Attached fixlist.txt used.
Attachments
(47.46 KiB) Downloaded 62 times