A forum for reverse engineering, OS internals and malware analysis 

 #15059  by EP_X0FF
 Wed Aug 08, 2012 1:26 pm
Blackhole, which is distributing this ransom, moved to a new host; also the ransom was redesigned, renamed (LokoMoTO) and got a fresh refined crypter. Be aware this trojan trashes Windows Safe Mode by renaming the corresponding root keys.


Runs from
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell


In attach today's 3 binaries extracted from BH EK + unpacked one.
Attachments (294.71 KiB), pass: malware
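A defender-side check for the two behaviours described in this post, the Safe Mode root keys being renamed and persistence through the HKCU Run key and the per-user Winlogon\Shell value. This is an added example written for this thread, not code from the post or from the malware analysis; the evaluation logic takes plain Python values so it can be exercised off-box, and the live collector (which assumes a default Windows boot configuration with both SafeBoot\Minimal and SafeBoot\Network present) only runs on Windows. The AppData/Temp path heuristic for Run entries is an assumption of mine, not something the post states.

```python
"""Check the SafeBoot keys, the Winlogon Shell values and the HKCU Run key
for the symptoms described in the post (added example, not the post's code)."""
import sys

# Assumption: a healthy default install always has both SafeBoot subkeys.
SAFEBOOT_KEYS = (
    r"SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Assumption (heuristic): autoruns launched from these directories deserve a look.
SUSPECT_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def evaluate(safeboot_present, hkcu_shell, hklm_shell, run_entries):
    """Pure logic: returns a list of human-readable findings.

    safeboot_present: dict key-path -> bool (True if the key exists)
    hkcu_shell / hklm_shell: the Winlogon\\Shell value, or None if absent
    run_entries: dict value-name -> command line under HKCU\\...\\Run
    """
    findings = []
    for path, present in safeboot_present.items():
        if not present:
            findings.append(f"SafeBoot key missing (Safe Mode broken?): {path}")
    # A stock install never sets a per-user Shell; the machine-wide one is explorer.exe.
    if hkcu_shell is not None:
        findings.append(f"HKCU Winlogon\\Shell override present: {hkcu_shell!r}")
    if hklm_shell is not None and hklm_shell.strip().lower() != "explorer.exe":
        findings.append(f"HKLM Winlogon\\Shell is not explorer.exe: {hklm_shell!r}")
    for name, cmd in run_entries.items():
        if any(d in cmd.lower() for d in SUSPECT_DIRS):
            findings.append(f"Run entry {name!r} launches from a user-writable dir: {cmd!r}")
    return findings


def collect_from_registry():
    """Windows-only collector producing the shapes evaluate() consumes."""
    if sys.platform != "win32":
        raise RuntimeError("live collection requires Windows (winreg)")
    import winreg  # imported lazily so the module loads on any platform

    def key_exists(root, path):
        try:
            winreg.CloseKey(winreg.OpenKey(root, path))
            return True
        except FileNotFoundError:
            return False

    def read_value(root, path, name):
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return None

    def read_all_values(root, path):
        out, index = {}, 0
        try:
            with winreg.OpenKey(root, path) as key:
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    out[name] = str(data)
                    index += 1
        except FileNotFoundError:
            pass
        return out

    return {
        "safeboot_present": {p: key_exists(winreg.HKEY_LOCAL_MACHINE, p) for p in SAFEBOOT_KEYS},
        "hkcu_shell": read_value(winreg.HKEY_CURRENT_USER, WINLOGON_KEY, "Shell"),
        "hklm_shell": read_value(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, "Shell"),
        "run_entries": read_all_values(winreg.HKEY_CURRENT_USER, RUN_KEY),
    }


def sample_findings():
    """Constructed input modelled on the post: one SafeBoot key gone, a per-user
    Shell override and an autorun under AppData. Not data from a real host."""
    return evaluate(
        {SAFEBOOT_KEYS[0]: False, SAFEBOOT_KEYS[1]: True},
        r"C:\Users\victim\AppData\Roaming\lokomoto.exe",
        "explorer.exe",
        {"updater": r"C:\Users\victim\AppData\Roaming\lokomoto.exe"},
    )


if __name__ == "__main__":
    state = collect_from_registry() if sys.platform == "win32" else None
    for line in (evaluate(**state) if state else sample_findings()):
        print(line)
```

On a Windows box the script reads the live registry; elsewhere it runs the constructed sample so the logic can still be checked.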
 #15141  by EP_X0FF
 Mon Aug 13, 2012 6:19 am
Main and only BH EK server distributing this ransom, enjoy 91.202.244.134. For the last year they've been moving in the range 91.202.2XX.XXX periodically, every 4-5 months changing the binary GUI and enabling/disabling the ransom's ability to be unlocked. This service is bulletproof and seems to serve only as malware hosting. Today's payload in attach.
Attachments (260.07 KiB), pass: malware
 #15535  by thisisu
 Thu Sep 06, 2012 7:06 am
EP_X0FF wrote:renamed (LokoMoTO) and got fresh refined crypter.
If you don't mind me asking, is it referred to as LokoMoTO because of this line of code (from your unpacked.ex_)?
Code:
CODE:004175B4 WindowName      db 'LokoMoTO',0
Is WindowName the key here in giving you the alias?

Trying to understand a bit better for example, why wouldn't the string h0xA be an alias?
Code:
CODE:00417810 aH0xa           db 'h0xA',0
Simply because WindowName isn't near it in the code? :?

Thanks
 #15539  by EP_X0FF
 Thu Sep 06, 2012 11:35 am
Yes, because of the main window title string. Initially it was named WindowsSecurity, now LokoMoTo. How things are in the current version, IDK - their crap distribution server isn't resolving and the old IP also doesn't respond :)
 #16517  by EP_X0FF
 Fri Nov 09, 2012 5:22 am
Fresh LokoMoTo dropper pulled from the SweetOrange exploit pack they now use (Blackhole was too expensive?). Notice that because this malware was created in Delphi it is impossible to tell the exact time/date of compilation - the Delphi linker puts wrong information in the PE structures (1992 for the header and 1970 for the Import Table datetime stamps).
Attachments (132.96 KiB), pass: malware
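The Delphi timestamp point above is worth having in tooling: a triage script should refuse to treat the COFF TimeDateStamp as a build time when it carries the linker's fixed value. The parser below is an added example written for this thread, not code from the post or any analysis tool; it reads the stamp straight out of the PE header with struct so it needs no third-party module, and the stub image it builds for demonstration is constructed, not a real executable. The constant 0x2A425E19 (1992-06-19 22:22:17 UTC) is the well-known fixed stamp written by Delphi's linker; the post itself only says "1992".

```python
"""Read a PE file's COFF TimeDateStamp and say whether it is usable as a build
time (added example for the Delphi-timestamp remark; not the post's code)."""
import struct
from datetime import datetime, timezone

# Fixed stamp written by Delphi's linker: 1992-06-19 22:22:17 UTC.
DELPHI_STAMP = 0x2A425E19


def read_coff_timestamp(data: bytes) -> int:
    """Return the 32-bit TimeDateStamp from the COFF file header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def classify_timestamp(ts: int) -> str:
    """Label a stamp as unset (1970), Delphi's constant (1992) or plausible."""
    if ts == 0:
        return "unset (epoch 1970): not a build time"
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    if ts == DELPHI_STAMP or when.year == 1992:
        return "delphi-default (1992): linker constant, not a build time"
    return "plausible build time: " + when.isoformat()


def build_stub_pe(ts: int) -> bytes:
    """Constructed minimal header: DOS header whose e_lfanew points at a PE
    signature followed by a 20-byte COFF header with the given stamp."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew -> offset 0x40
    # Machine=i386, 0 sections, stamp, no symbols, no optional header, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 0, ts, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def triage(data: bytes) -> str:
    """One-line verdict for a PE image, as a sandbox report would print it."""
    ts = read_coff_timestamp(data)
    return f"TimeDateStamp=0x{ts:08X}: {classify_timestamp(ts)}"


if __name__ == "__main__":
    for stamp in (DELPHI_STAMP, 0, 1344000000):   # Delphi, unset, Aug 2012
        print(triage(build_stub_pe(stamp)))
```

To use it on a real sample replace the stub with `open(path, "rb").read()`; note that this reads only the header stamp, so an import-table stamp of 1970 (the second symptom the post mentions) would need the import directory walked separately.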
 #17729  by EP_X0FF
 Wed Jan 16, 2013 1:50 pm
Fresh LokoMoTo + decrypted

SHA1: 0adef55f8e9e2da27c5f1c0abdb739a0291ab0b5
https://www.virustotal.com/file/ff0813f ... /analysis/

landing: hxxp://1.hotpornedojitube.ru/x/
Redirector: hxxp://adavysalu.ru/
Attachments (117.84 KiB), pass: malware
 #18327  by EP_X0FF
 Mon Feb 25, 2013 5:53 am
189b654b6f2c81c09305856a3d904a36ad3d588f
1c36f99204b510af78f8046b74eb0c832a40fed3
6f7da8738ffe46c9aa31c6f07bdb46270d99cdd1
797faaaf50a01276a084a871e3be708773c213d8
896fa4a91125e1534b42de8f0b29d995ecf595f0
9837b683967c5d5eded813065af17990496ae0a8
c5475fb6d4a785e2613a34e7f9235bb66a45649e
faa11eea29b3ba6d1aa7602275e37424b5b1e044

Lokomoto from Jan - Feb 2013
Attachments (623.71 KiB), pass: infected