A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12241  by MindfreaK
 Tue Mar 20, 2012 4:11 pm
Ransomware sample I found on a friend's PC.

Uses only HKCU startup and drops at appdata\local\skype\skypePM.exe

https://www.virustotal.com/file/433fd0a ... 332259209/

// it's not Graftor (my fault)
Attachments
pw: infected
Last edited by MindfreaK on Tue Mar 20, 2012 8:18 pm, edited 1 time in total.
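One way a defender can act on the persistence detail in the post above (HKCU Run key, payload dropped under appdata\local\skype\). This is an added example, not code from the post: it works on constructed Run-key entries and environment values instead of reading the live registry, and the list of trusted install directories and impersonated binary names is an assumption to adapt per environment.

```python
"""Flag HKCU Run entries that autostart from user-writable locations such as
%LOCALAPPDATA%\skype\skypePM.exe (the drop path named in the post above)."""
import ntpath
import re

# Assumed: directories a per-machine install legitimately lands in; an autostart
# anywhere else, especially under AppData, deserves a look.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")

# Assumed: binary names of well-known software that malware likes to borrow.
IMPERSONATED_NAMES = {"skypepm.exe": "Skype"}

def expand_vars(path, env):
    """Expand %VAR% references using the supplied environment dict."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def extract_image_path(value):
    """Pull the executable out of a Run value: '"C:\\x.exe" /arg' or 'C:\\x.exe /arg'."""
    value = value.strip()
    if value.startswith('"'):
        return value[1 : value.find('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", value, re.IGNORECASE)  # unquoted: cut after .exe
    return m.group(1) if m else value

def assess_run_entry(value, env):
    """Return (normalised image path, list of reasons the entry looks suspicious)."""
    path = ntpath.normpath(expand_vars(extract_image_path(value), env)).lower()
    reasons = []
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append("autostart outside Program Files/Windows")
    if "\\appdata\\" in path:
        reasons.append("image lives under the user's AppData")
    base = ntpath.basename(path)
    if base in IMPERSONATED_NAMES and not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"name mimics {IMPERSONATED_NAMES[base]} but path is not its install dir")
    return path, reasons

def scan(entries, env):
    """Assess every (name, value) Run entry; returns {name: (path, reasons)}."""
    return {name: assess_run_entry(value, env) for name, value in entries}

# Constructed sample data: a legitimate entry and one matching the post's drop path.
SAMPLE_ENV = {"LOCALAPPDATA": r"C:\Users\alice\AppData\Local"}
SAMPLE_RUN_ENTRIES = [
    ("Skype", r'"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized'),
    ("SkypePM", r'"%LOCALAPPDATA%\skype\skypePM.exe"'),
]

if __name__ == "__main__":
    for name, (path, reasons) in scan(SAMPLE_RUN_ENTRIES, SAMPLE_ENV).items():
        print(name, path, "SUSPICIOUS: " + "; ".join(reasons) if reasons else "ok")
```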
 #12680  by EP_X0FF
 Fri Apr 13, 2012 12:52 pm
Web-page based ransom

"Specialist Crime Directorate
Police Cental e-crime Unit"

Scary face

hxxp://credit.shadowpirate.com/?b933de68eae80dadb34b9d4b889575eb
hxxp://crime.driftwood-cairns.com/?b933de68eae80dadb34b9d4b889575eb
hxxp://criminal.dutrasherard.biz/?b933de68eae80dadb34b9d4b889575eb
Attachments
pass: infected
 #13279  by Xylitol
 Thu May 17, 2012 3:20 pm
Blaze wrote:
MD5: 327cea8d93ff1094fe1ba9008e8c5657
https://www.virustotal.com/file/d2164cd ... /analysis/

Belgian ransomware.
Unpacked version attached, 5/42 >> https://www.virustotal.com/file/cdffb7e ... 337268071/
With the 4 designs, easier to grab.
Attachments
infected
 #13436  by Xylitol
 Sat May 26, 2012 2:21 pm
https://www.virustotal.com/file/b1d614b ... 338041920/
Code:
0040103F  |> /6A 00         /PUSH 0                                  ; /Style = MB_OK|MB_APPLMODAL
00401041  |. |68 9F354000   |PUSH 40359F                             ; |Title = "Please bitchz, I'm fabulous"
00401046  |. |68 BB354000   |PUSH 4035BB                             ; |Text = "I love u Xylitol"
0040104B  |. |68 28FCFFFF   |PUSH -3D8                               ; |hOwner = FFFFFC28
00401050  |. |E8 1D000000   |CALL 00401072                           ; \MessageBoxA
what the...
Attachments