A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16058  by Quads
 Tue Oct 16, 2012 11:39 pm
The file for C:\Documents and Settings\All Users\Application Data\lsass.exe is as far as I can work out legit, it is a copy made by the likes of the FBI family so that the ransom can use this copy. Although I also move the file when cleaning a system

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
ctfmon.lnk

Look at the properties in ctfmon.lnk, the Target points to the legit MD5 but also points to the bad dll that a lot of the time is in the TEMP folder

I think I have 2 of the .dll's and a ctfmon.lnk, if people want it.

037B1E7798960E0420003D05BB577EE6 is the correct MD5 for rundll32.exe on XP, The ransom copies it places it in a different location and renames it from rundll32.exe to lsass.exe.

Quads
 #16059  by thisisu
 Wed Oct 17, 2012 12:45 am
Thanks Quads for clearing that up. I agree with you. I had a feeling there was more to this ransomware especially after seeing lsass.exe / rundll32.exe receiving 0 hits on VT and its file size. What happened was I ran CCleaner first which must have removed any bad file(s) in temporary directories before I started to look for actual malware :roll:

I'd like to see the .dlls if you feel like attaching. :)
 #16060  by Quads
 Wed Oct 17, 2012 1:05 am
Attached

I realised using OTL for people that removing the startup entry (for this variant) stops FBI, but no other files like the .dll was found or detected, figured out that with the script I was using the [emptytemp] command which was deleting the .dll, so changed the script so as not to touch the temp folders.

Quads
Attachments
password = infected
(457.84 KiB) Downloaded 107 times
 #16165  by thisisu
 Fri Oct 19, 2012 7:20 pm
Well now I'm kind of confused because of this log (attached):

Inside we can see the ransomware file:
Code: Select all
2012-10-12 19:22 - 2012-10-12 19:22 - 00044544 ____A (Microsoft Corporation) C:\Users\All Users\lsass.exe
This is essentially the only file I moved and then the user was able to boot normally without ransom screen.

Notice how there is not any reference to lsass.exe in the registry. It's clean unless FRST is unable to detect it.

BTW the other crap deleted is not related (ZeroAccess Oak Technologies / IOMEGA Netsvcs variant)
Attachments
(54.64 KiB) Downloaded 61 times
Last edited by thisisu on Fri Oct 19, 2012 7:27 pm, edited 1 time in total.
 #16166  by markusg
 Fri Oct 19, 2012 7:25 pm
normaly it should also create an lnk
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\lsass.exe
but
lsass.exe is clean copy of original file i think
it use lsass.exe for startup (but not 100 % sure)
 #16167  by thisisu
 Fri Oct 19, 2012 7:47 pm
Yes but it must have been lsass.exe that was displaying the ransom screen. I do not see how it could be anything else other than lsass.exe since this is the only file removed from the system.

Attached fixlist.txt used.
Attachments
(47.46 KiB) Downloaded 62 times
  • 1
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14