A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16468  by thisisu
 Tue Nov 06, 2012 4:24 am
I believe these are considered Reveton, but of course, correct me if I'm wrong.

One of them was running through HKU\..\Run
The other just in same directory

MD5: a3d8e17f2b046317c86c597038c4e00c
https://www.virustotal.com/file/6f1a2a3 ... /analysis/

MD5: 23a9921941e535db22b6e117cc6f0cdb
https://www.virustotal.com/file/81a3c80 ... /analysis/
Code: Select all
HKU\Owner\...\Run: [] C:\Users\Owner\dildptvfbm.exe [109056 2012-11-04] ()

2012-11-04 07:29 - 2012-11-04 07:29 - 00109056 ____A C:\Users\Owner\dildptvfbm.exe
2012-11-04 07:29 - 2012-11-04 07:29 - 00089600 ____A C:\Users\Owner\rojwxdnhuhitlfbrxmht.exe
Attachments
pass: infected
(96.59 KiB) Downloaded 122 times
 #16528  by Kafeine
 Fri Nov 09, 2012 9:07 pm
MD5: a3d8e17f2b046317c86c597038c4e00c <-- We name it Tobfy (but really similar to Ysreef) https://www.botnets.fr/index.php/Tobfy - https://www.botnets.fr/index.php/Ysreef
It use same design than Urausy https://www.botnets.fr/index.php/Urausy
C&c : jgnmnokkl.sunnytime.info /get.php?id=10 <-- Up right now.
(have updated botnets.fr with that data. Thanks thisisu :)
 #16728  by Win32:Virut
 Tue Nov 20, 2012 2:49 pm
Image
Click to enlarge

hxxp://clexphoto300.com/web700/lending/EN.php
hxxp://clexphoto300.com/web700/
hxxp://clexphoto300.com/web700/lending/

https://www.virustotal.com/file/65da159 ... /analysis/
Attachments
Password is "infected" without quotes.
(19.54 KiB) Downloaded 122 times
Last edited by Xylitol on Wed Nov 21, 2012 8:53 am, edited 1 time in total. Reason: Rule 3, obfuscate your links if malware related
 #16999  by Cody Johnston
 Mon Dec 03, 2012 6:28 pm
Here is another one.

Asking for $300 and the graphic does not look as good. Seems this one works with the audio drivers as well (recording audio?).

- Kills all safeboot keys
- Places startup key in HKCU/HKLM
- Takes about 15 mins to start up interface
- Connects to: 212.83.40.235

MD5: 54d2ddaa17f101acde32a072410b49c3

VT 13/43

https://www.virustotal.com/file/584b0b3 ... /analysis/

Image

EDIT: PLAYS audio, not records. Leaves file named '1.mp3' in %userprofile%
Attachments
Password: infected
(159.33 KiB) Downloaded 117 times
 #17025  by Quads
 Wed Dec 05, 2012 2:40 am
RageMachine wrote:Interesting one here. Appears to modify SVCHOST, but I couldn't get much further information on it or unpack it without it deleting itself.
I ran it on my system No VM or Sandbox etc in use, It took awhile to finally load the ransom UI and play the audio message. I also had the system32/spoolsv.exe file get removed.

Quads
 #17027  by EP_X0FF
 Wed Dec 05, 2012 4:21 am
RageMachine wrote:Interesting one here. Appears to modify SVCHOST, but I couldn't get much further information on it or unpack it without it deleting itself.
Set break on CreateProcess. Unpacks fine. Same as TeamRocketOps posted.
Code: Select all
Adobe ARM   SOFTWARE\Microsoft\Windows\CurrentVersion\Run   "%s\ifgxpers.exe"   AdobeUpdaters   SOFTWARE\Microsoft\Windows\CurrentVersion   D:\xidpwooedd"  path    %s\ifgxpers.exe System\CurrentControlSet\Control\SafeBoot   SHDeleteKeyA    SHCopyKeyA  Shlwapi.dll System\CurrentControlSet\Control\SafeBoot\%s    net Network mini    Minimal Error HttpSendRequest = %d
    Error HttpOpenReques = %d
 GET Error InternetConnect = %d
    Error InternetOpen = %d
   %s\sound.mp3    %s\1.jpg    URLDownloadToFileA  Urlmon.dll  209.85.229.104      RtlDecodePointer    ntdll   ZwAllocateVirtualMemory close myFile wait   play myFile wait    SetAudio myFile volume to 1000000   mciSendStringA  Winmm.dll   open  "%s" type mpegvideo alias myFile  getunlock.php   picture.php http://62.109.28.231/gtx3d16bv3/upload/img.jpg  http://62.109.28.231/gtx3d16bv3/upload/mp3.mp3  %s\1.bmp    Edit    Button  Pay MoneyPak    You have 72 hours to pay the fine!  Wait! Your request is processed within 24 hours.    picture.php?pin= C:\report.txt 
mp3 + jpg in attach
Code: Select all
G:\WORK\WORK_PECEPB\Work_2012 Private\Project L-0-ck_ER\NEW Extern\inject\injc\Release\injc.pdb 
Russian origin.
Attachments
pass: malware
(129.55 KiB) Downloaded 99 times