Forum for analysis and discussion about malware.
#26028 by EP_X0FF
Tue Jun 09, 2015 4:39 am
Cryptographic ransom. Delivered via email.

Smart Install Maker -> Delphi. In the attachment: dropper and extracted ransom. Installs to %Program Files%, runs via HKLM Run key.

Used https://github.com/SnakeDoctor/FGInt

Changes the desktop wallpaper to its own with a ransom message. The wallpaper can be found inside the ransom resources.

Email: trojanencoder@aol.com

C&C list:
hxxp://decimallightness.com/root/inst.php
hxxp://craigslistlasvegascars.com/wp-includes/admin/inst.php
hxxp://deenislam.org/img/inst.php
hxxp://dentistinnicaragua.com/php/inst.php
hxxp://dedhamfoodpantry.org/news/inst.php
Target extensions:
qic:wps:r3d:rwl:rx2:p12:sbs:sldasm:wps:sldprt:odc:odb:old:nbd:nx1:nrw:orf:ppt:mov:mpeg:csv:mdb:cer:arj:ods:mkv:avi:odt:pdf:docx:gzip:m2v:cpt:raw:cdr:3gp:7z:rar:db3:zip:xlsx:xls:rtf:doc:jpeg:jpg:
accdb:abf:a3d:asm:fbx:fbw:fbk:fdb:fbf:max:m3d:ldf:keystore:iv2i:gbk:gho:sn1:sna:spf:sr2:srf:srw:tis:tbl:x3f:ods:pef:pptm:txt:pst:ptx:pz3:odp:
Autoelevate in loop:

  pExecInfo.cbSize = 60;                      // sizeof(SHELLEXECUTEINFOA) on 32-bit
  pExecInfo.hwnd = GetFocus();
  pExecInfo.fMask = 1280;                     // 0x500 = SEE_MASK_NOASYNC | SEE_MASK_FLAG_NO_UI
  pExecInfo.lpVerb = "runas";                 // request elevation (UAC prompt)
  pExecInfo.lpFile = (LPCSTR)sub_404E98();
  pExecInfo.lpParameters = (LPCSTR)sub_404E98();
  pExecInfo.nShow = 1;                        // SW_SHOWNORMAL
  while ( !ShellExecuteExA(&pExecInfo) )      // keeps re-prompting until the request succeeds
    Sleep_0(0x7D0u);                          // 2000 ms between attempts
VT:
https://www.virustotal.com/en/file/add9 ... 433824692/
https://www.virustotal.com/en/file/94f3 ... 433824702/

Derivative of this https://securelist.ru/blog/issledovaniy ... shevalsya/ (use google translate)
Attachments
pass: infected
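The IoCs above (the colon-separated target-extension list and the defanged C&C URLs) can be turned into defender-side helpers. The script below is an added example, not code from the post or from the sample: it parses the extension list into a deduplicated set, refangs the hxxp URLs into hostnames for a blocklist, and runs a small triage pass over constructed file-access events to flag a process that touches many targeted file types in a short window (the behaviour a file encryptor shows). The event format, PIDs and threshold are assumptions for illustration.

```python
"""Defender-side helpers built from the IoCs in the post above (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Extension list exactly as posted: colon-separated, trailing colon, duplicates (wps, ods).
TARGET_EXT_RAW = (
    "qic:wps:r3d:rwl:rx2:p12:sbs:sldasm:wps:sldprt:odc:odb:old:nbd:nx1:nrw:orf:ppt:mov:"
    "mpeg:csv:mdb:cer:arj:ods:mkv:avi:odt:pdf:docx:gzip:m2v:cpt:raw:cdr:3gp:7z:rar:db3:"
    "zip:xlsx:xls:rtf:doc:jpeg:jpg:"
    "accdb:abf:a3d:asm:fbx:fbw:fbk:fdb:fbf:max:m3d:ldf:keystore:iv2i:gbk:gho:sn1:sna:"
    "spf:sr2:srf:srw:tis:tbl:x3f:ods:pef:pptm:txt:pst:ptx:pz3:odp:"
)

# C&C URLs as posted (defanged with hxxp).
CNC_URLS = [
    "hxxp://decimallightness.com/root/inst.php",
    "hxxp://craigslistlasvegascars.com/wp-includes/admin/inst.php",
    "hxxp://deenislam.org/img/inst.php",
    "hxxp://dentistinnicaragua.com/php/inst.php",
    "hxxp://dedhamfoodpantry.org/news/inst.php",
]


def parse_extension_list(raw: str) -> frozenset:
    """Split the colon-separated list, drop empties, lower-case and deduplicate."""
    return frozenset(tok.lower() for tok in raw.split(":") if tok.strip())


TARGET_EXTS = parse_extension_list(TARGET_EXT_RAW)


def refang(url: str) -> str:
    """Undo the common defanging conventions (hxxp, [.]) so urlsplit can parse the URL."""
    url = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), url, flags=re.I)
    return url.replace("[.]", ".").replace("(.)", ".")


def cnc_hosts(urls) -> list:
    """Sorted, deduplicated hostnames suitable for a DNS/proxy blocklist."""
    return sorted({urlsplit(refang(u)).hostname for u in urls})


def is_targeted(path: str, exts=TARGET_EXTS) -> bool:
    """True if the file's final extension is one the encryptor goes after."""
    suffix = PureWindowsPath(path).suffix.lower().lstrip(".")
    return bool(suffix) and suffix in exts


def flag_mass_file_access(events, exts=TARGET_EXTS, threshold=5, window_s=60) -> dict:
    """Return {pid: max targeted files touched inside any window_s-second window}
    for every pid whose peak reaches the threshold.

    events: iterable of (timestamp_seconds, pid, path). Assumed format for this example.
    """
    per_pid = defaultdict(list)
    for ts, pid, path in events:
        if is_targeted(path, exts):
            per_pid[pid].append(ts)
    flagged = {}
    for pid, stamps in per_pid.items():
        stamps.sort()
        lo, best = 0, 0
        for hi, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[pid] = best
    return flagged


# Constructed sample events: pid 4242 behaves like an encryptor, pid 100 is ordinary use.
SAMPLE_EVENTS = [
    (0, 4242, r"C:\Users\alice\Documents\report.docx"),
    (1, 4242, r"C:\Users\alice\Documents\budget.xlsx"),
    (2, 4242, r"C:\Users\alice\Pictures\holiday.JPG"),
    (3, 4242, r"C:\Users\alice\Documents\notes.txt"),
    (4, 4242, r"C:\Users\alice\Documents\scan.pdf"),
    (5, 4242, r"C:\Users\alice\Music\song.mov"),
    (0, 100, r"C:\Users\alice\Documents\letter.doc"),
    (200, 100, r"C:\Users\alice\Pictures\cat.jpg"),
    (400, 100, r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    print("blocklist:", cnc_hosts(CNC_URLS))
    print("flagged:", flag_mass_file_access(SAMPLE_EVENTS))
```

The window-based count matters more than a raw total: a backup agent also touches many documents, but spread over hours, whereas an encryptor hits dozens within seconds of elevation.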