A forum for reverse engineering, OS internals and malware analysis 
#28578 by patriq
Sat May 28, 2016 1:08 pm
Active C&C - abuse/NOC have been notified.
<Screenshot: mem_dump_cnc.png>
Notes:
Code:
dma2004@zerobit.email
http://5.8.63.54/crypto/gate?action=0
http://5.8.63.54/crypto/client_payment_instructions?botId=B1B1E7A41C5F49889DD195303392CB5D
Apparently they leave the encryption key in plain text in the "original" binary - not sure about that, I did not see it. Good luck.
Attachments: ransom_note.png, cnc checkin_get botId.png
#28608 by unixfreaxjp
Fri Jun 03, 2016 10:09 pm
Today's campaign details, picture and etc report is here: http://imgur.com/a/CZKzt
The PE downloader (downloaded by the VBS) downloads the payloads, which are x32 & x64 loaders, with the ransomware binary bbv.exe; all four are attached.
<Screenshot>
Identification:
<Screenshot>
VT detection is VERY bad for these:
https://virustotal.com/en/file/37194a9a ... /analysis/
https://virustotal.com/en/file/fa389e42 ... /analysis/
cc: @EP_X0FF @Xylit0l you both must see the loader part.
Attachment: usual
#28611 by unixfreaxjp
Sat Jun 04, 2016 9:44 am
Forensics data of:
Today's campaign details, picture and etc report is here: http://imgur.com/a/CZKzt
Finally could run it well: <Screenshot> <Screenshot> <Screenshot>
Info:
Code:
Domains: actioncompass.online
BTC: 16hHkyuzCDRFzoejVuqajqrnbmKHSmEfQM
Emails: dma4004@zerobit.email and team4004@gmx.com
CNC:
Code:
{
  "ip": "5.8.63.31",
  "hostname": "No Hostname",
  "city": "Saint Petersburg",
  "region": "St.-Petersburg",
  "country": "RU",
  "loc": "59.8944,30.2642",
  "org": "AS29182 JSC ISPsystem",
  "postal": "190808"
}
#28612 by sysopfb
Sat Jun 04, 2016 1:29 pm
Was also seeing cerber from these but the actor switched to DMA locker it seems?

hxxp://avtomatika-dv[.]ru/image/data/avatars/.../log.php?f=404
hxxp://www[.]harmanhouse[.]com/catalog/language/english/error/.../log.php?f=404

Has a pretty large list of file extension targets.

Strings for traffic:
Code:
http://actioncompass.online/crypto/client_payment_instructions?botId=%s
http://%s/crypto/client_free_decrypt?botId=%s
http://%s/crypto/client_payment_instructions?botId=%s
GET /crypto/gate?action=0 HTTP/1.1
GET /crypto/gate?action=1&botId=%s HTTP/1.1
GET /crypto/gate?action=5&botId=%s HTTP/1.1
GET /crypto/gate?action=2&botId=%s HTTP/1.1
GET /crypto/gate?action=3&botId=%s HTTP/1.1
GET /crypto/gate?action=4&botId=%s&transactionId=%s HTTP/1.1
GET /crypto/gate?action=6&botId=%s HTTP/1.1
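As an added defender-side example for this thread (not code posted by sysopfb or anyone else here), a small Python scanner that flags proxy-log entries matching the gate/client URI patterns listed above; the log line layout, the 32-hex-digit botId length and GET-only traffic are assumptions taken from the strings and screenshots in this thread, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths from the traffic strings above; the 32-hex-digit botId is an assumption from the first post.
GATE_RE = re.compile(r"^/crypto/gate$")
CLIENT_RE = re.compile(r"^/crypto/(client_payment_instructions|client_free_decrypt)$")
BOTID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def classify_request(method, url):
    """Return a dict describing a DMA Locker-style C2 request, or None."""
    if method != "GET":  # every quoted string is a GET request
        return None
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    bot_id = qs.get("botId", [None])[0]
    if GATE_RE.match(parts.path):
        action = qs.get("action", [None])[0]
        if action is None or not action.isdigit():
            return None
        action = int(action)
        # action=0 is the initial check-in with no botId; other action values are only recorded.
        if action != 0 and (bot_id is None or not BOTID_RE.match(bot_id)):
            return None
        return {"kind": "gate", "action": action, "botId": bot_id,
                "transactionId": qs.get("transactionId", [None])[0]}
    m = CLIENT_RE.match(parts.path)
    if m and bot_id and BOTID_RE.match(bot_id):
        return {"kind": m.group(1), "action": None, "botId": bot_id, "transactionId": None}
    return None


# Constructed proxy log lines ("timestamp client method url"), not real captured traffic.
SAMPLE_LOG = """\
1464950000.1 10.0.0.5 GET http://5.8.63.54/crypto/gate?action=0
1464950001.2 10.0.0.5 GET http://5.8.63.54/crypto/gate?action=1&botId=B1B1E7A41C5F49889DD195303392CB5D
1464950002.3 10.0.0.5 GET http://actioncompass.online/crypto/client_payment_instructions?botId=B1B1E7A41C5F49889DD195303392CB5D
1464950003.4 10.0.0.7 GET http://example.org/crypto/gate?action=xyz
1464950004.5 10.0.0.9 GET http://example.org/index.html
"""


def scan_log(text):
    """Run classify_request over each log line and return the matching entries."""
    hits = []
    for line in text.splitlines():
        ts, client, method, url = line.split(None, 3)
        info = classify_request(method, url)
        if info:
            info.update(ts=ts, client=client, host=urlsplit(url).hostname)
            hits.append(info)
    return hits
```

Hosts seen in the hits (5.8.63.54, actioncompass.online) are the pivot for blocking and for finding other infected clients in the same log.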
#28618 by EP_X0FF
Sun Jun 05, 2016 6:05 am
unixfreaxjp wrote: cc: @EP_X0FF @Xylit0l you both must see the loader part.
Nothing interesting, it's just an obfuscated loader which runs the main ransom hardcoded executable from %temp% multiple times until it finally starts normally. What trash.
#28621 by unixfreaxjp
Sun Jun 05, 2016 5:35 pm
EP_X0FF wrote: Nothing interesting, it's just an obfuscated loader which runs the main ransom hardcoded executable from %temp% multiple times until it finally starts normally. What trash.
Thank you.
sysopfb wrote: Was also seeing cerber from these but the actor switched to DMA locker it seems?
hxxp://avtomatika-dv[.]ru/image/data/avatars/.../log.php?f=404
hxxp://www[.]harmanhouse[.]com/catalog/language/english/error/.../log.php?f=404
Yes, I was also informed it also switched to Cerber at the DMA initial URL (below); the actor played a double version of ransomware:
Code:
h00p://irinahair.ru/.../log.php=404
sample: https://www.virustotal.com/en/file/02a6 ... /analysis/
xref: https://www.reddit.com/r/Malware/commen ... 16/d3vckhv
^ credit: @rootjacker