[Kafeine]

From 2013-02-24 to 2013-03-11 -- 72 items. Note the *_dler which appeared yesterday.

[Blaze]

Another one.

From http://kernelmode.info/forum/viewtopic. ... =40#p18604

[Kafeine]

Reveton & Reveton Downloader from 2013-03-11 to 2013-03-22
132 samples

[Fabian Wosar]

New Reveton variant:
https://www.virustotal.com/en/file/32bd ... /analysis/

If I remember correctly there are a few changes to the way it works:

• Multiple new autoruns are used (winmgmt service is hijacked as well as a new autorun in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with name ctfmon.exe), in addition to the shortcut in the Startup folder
• RunDLL32.exe executable is copied to the common appdata folder now and an obfuscated JavaScript is created there to run the Reveton malware DLL using the local RunDll32 copy, at least on my system I didn't observe that JavaScript being used in any way though, but I didn't look into it in much detail

Take these information with a grain of salt. I haven't looked at Reveton in a while, so if the additional autoruns have been introduced a while ago please apologize. At least I haven't seen them yet :).

[Blaze]

Hi Fabian

I haven't seen the winmgmt service being hijacked yet. The autorun key & ctfmon.lnk in Startup folder is being used for a while.
Example:

Code: Select all

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\

Thought the .js and .pad files it created are just dummy files though? Do you have a copy of the .js file you encountered?

Cheers :) !

[Blaze]

Attached.

[Xylitol]

https://www.virustotal.com/fr/file/8e5b ... 367572071/

[Blaze]

https://www.virustotal.com/en/file/2849 ... /analysis/

[thisisu]

From customer laptop.

MD5: cea0f6e822522a5d221a16d08786fac6

https://www.virustotal.com/en/file/615b ... 368647810/

I moved the ransomware file first before running Farbar Recovery Scan Tool. That's why the main file shows up as missing ([x])

Code: Select all

HKU\Flexi\...\Run: [ctfmon.exe] C:\PROGRA~3\rundll32.exe C:\PROGRA~3\3jelori.dat,FG00 [x]
Startup: C:\Users\Flexi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> C:\PROGRA~3\3jelori.dat (No File)

Also, what is this? I don't think it's related to Reveton, just wondering

Code: Select all

Tcpip\..\Interfaces\{F359DE43-7CFB-41C3-8AD7-204DFFE88DFC}: [NameServer]0.0.0.0

EDIT: I believe it belonged to "Hotspot Shield".

Inside archive is:

1. 3jelori.dat
   irolej3.bat
   irolej3.js (previously requested)
   irolej3.reg

Did not include

1. 3rrt.pad (92,797KB // too big to attach)
   trr3.dat (copy of 3jelori.dat in same directory)

[Cody Johnston]

New picture:



285f5eb4.exe:
MD5 5589cbe6b00c0643041840495e34c0d9
https://www.virustotal.com/en/file/d218 ... 369022638/

285f5eb4.dll:
MD5 28eadb3bcb4f267580a86579b9de763d
https://www.virustotal.com/en/file/b9a3 ... /analysis/