Trojan Ransom / FakePoliceAlert

Re: Trojan Winlock / Ransom / ScreenLocker

#6880 by markusg
Mon Jun 20, 2011 8:56 am

info[1].exe
http://www.virustotal.com/file-scan/rep ... 1308559296

Attachments

info[1].rar

(109.04 KiB) Downloaded 206 times

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: Trojan Winlock / Ransom / ScreenLocker

#6882 by Xylitol
Mon Jun 20, 2011 10:30 am

markusg wrote:info[1].exe
http://www.virustotal.com/file-scan/rep ... 1308559296

Hello, in attach unpacked sample

20/41 >> 48.8%
http://www.virustotal.com/file-scan/rep ... 1308565159

Attachments

Dumped_.zip

pwd: xylibox
(70.39 KiB) Downloaded 159 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Trojan Ransom / FakePoliceAlert

#8975 by markusg
Wed Oct 05, 2011 5:32 pm

svchoct.exe
http://www.virustotal.com/file-scan/rep ... 1317835411

Attachments

svchoct.rar

(52.17 KiB) Downloaded 103 times

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: Malware/Not classified

#8977 by EP_X0FF
Wed Oct 05, 2011 5:46 pm

markusg wrote:svchoct.exe
http://www.virustotal.com/file-scan/rep ... 1317835411

Trojan ransom

posts moved.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Trojan Winlock / Ransom / ScreenLocker

#9315 by markusg
Thu Oct 20, 2011 2:15 pm

explorer.exe
MD5 : 412cc709170aff1a15e895e16c397244
http://www.virustotal.com/file-scan/rep ... 1319118846

Attachments

explorer.rar

(172.19 KiB) Downloaded 102 times

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: Trojan Winlock / Ransom / ScreenLocker

#9317 by EP_X0FF
Thu Oct 20, 2011 2:53 pm

markusg wrote:explorer.exe
MD5 : 412cc709170aff1a15e895e16c397244
http://www.virustotal.com/file-scan/report.html?id=73f1f147380c03dad7fccfb5639e9d784d53f6a971821a772908d7aeb7f600f0-1319118846

Calls home hxxp://91.228.160.157/de/2/gate.php?cmd=ul&id=gpo5fv71j6hfh3x2

Replaces explorer.exe with malware copy.

Terminates taskmanager and process explorer.

In attach decrypted.

W:\locker\locker\Release\locker.pdb

Attachments

decrypted.rar

pass: malware
(72.36 KiB) Downloaded 84 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Trojan Winlock / Ransom / ScreenLocker

#9746 by Maxstar
Fri Nov 18, 2011 2:09 pm

Trojan.Ransom Police (Dutch)

http://www.pcwebplus.nl/phpbb/viewtopic ... 222&t=5525

Attachments

Sample.rar

PW = infected
(95.37 KiB) Downloaded 94 times

Malware Removal Instructions

Username

Maxstar

Posts

88

Joined

Wed Jan 26, 2011 10:20 am

Re: Trojan Winlock / Ransom / ScreenLocker

#9747 by EP_X0FF
Fri Nov 18, 2011 2:29 pm

Interesting. Internally this sample looks equal to those posted by markusg earlier.

y:\src\_cpp\bwin_nl\Release\bwin3.pdb

Take a look on debug path string, bwin_nl.

Also the same call home address hxxp://89.248.165.131

The only difference is in resources part. Different HTML and images.

Fully decrypted workable sample in attach.

Attachments

decrypted.rar

pass: malware
(84.72 KiB) Downloaded 76 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Trojan Ransom / FakePoliceAlert

#9793 by S!Ri
Mon Nov 21, 2011 8:37 am

Didn't see this spanish version (or I miss it):

Attachments

DDD58AD8B4C14853AF0A53A74906A1F2.rar

Password: infected
(77.64 KiB) Downloaded 100 times

Username

S!Ri

Posts

5

Joined

Fri Sep 02, 2011 7:36 am

Re: Trojan Ransom / FakePoliceAlert

#9833 by Xylitol
Tue Nov 22, 2011 6:06 pm

Switzerland version
it do a GET req and call tools.ip2location.com as usual later

Code: Select all

GET /i.php?a=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible;)
Host: 89.248.165.131
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 22 Nov 2011 17:22:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Following url was found on the server:

Code: Select all

http://89.248.165.131:80/cgi-bin/
http://89.248.165.131:80/icons/
http://89.248.165.131:80/webmail/
http://89.248.165.131:80/error/
http://89.248.165.131:80/manager/
http://89.248.165.131:80/disabled/

Attachments

7917D1EEEA34A2873895.8933.zip

infected
(119.67 KiB) Downloaded 96 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact