A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13366  by tachion
 Tue May 22, 2012 7:05 pm
Ransomware - FakePoliceAlert
9cd87975bfd230a767d497a1f5dfbf4d
https://www.virustotal.com/file/3e3f980 ... /analysis/

Detailed report of suspicious malware actions:

Created a mutex named: Local\!IETld!Mutex
Defined file type created in Windows folder: C:\Windows\explorer_new.exe
Defined file type created in Windows folder: C:\Windows\jdnmpqrzkxwacfnypbbv.exe
Defined file type created: C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined file type created: C:\ProgramData\ugjuzuaefophikn\jquery.main.js
Defined file type created: C:\ProgramData\ugjuzuaefophikn\main.html
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer_new.exe
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Deleted activity traces
Detected process privilege elevation
File copied itself
Got computer name
Internet connection: Connects to "62.76.47.158" on port 80.
Internet connection: Connects to "euro-police.in" on port 80.


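Added example, not part of the post or of the sandbox that produced the report: it parses the "AutoStart" lines quoted above and flags the two persistence patterns they show, a Winlogon Shell value pointing at anything other than explorer.exe and Run entries launching from ProgramData. The sample text is copied from the report; the rule logic and the finding wording are my own.

```python
# Constructed sample: the AutoStart-relevant lines from the sandbox report in the post above.
REPORT = """\
Created a mutex named: Local\\!IETld!Mutex
Defined file type created in Windows folder: C:\\Windows\\explorer_new.exe
Defined registry AutoStart location created or modified: machine\\software\\microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell = explorer_new.exe
Defined registry AutoStart location created or modified: machine\\software\\microsoft\\Windows\\CurrentVersion\\Run\\jdnmpqrzkxwacfn = C:\\ProgramData\\jdnmpqrzkxwacfnypbbv.exe
Defined registry AutoStart location created or modified: user\\current\\software\\Microsoft\\Windows\\CurrentVersion\\Run\\jdnmpqrzkxwacfn = C:\\ProgramData\\jdnmpqrzkxwacfnypbbv.exe
Internet connection: Connects to "euro-police.in" on port 80.
"""

AUTOSTART_PREFIX = "Defined registry AutoStart location created or modified: "
# The only value the Winlogon Shell key normally holds (compared case-insensitively).
EXPECTED_SHELL = {"explorer.exe"}


def parse_autostart(report):
    """Return (key_path, value_name, data) for every AutoStart line in the report."""
    entries = []
    for line in report.splitlines():
        if not line.startswith(AUTOSTART_PREFIX):
            continue
        location, _, data = line[len(AUTOSTART_PREFIX):].partition(" = ")
        key_path, _, value_name = location.rpartition("\\")
        entries.append((key_path, value_name, data.strip()))
    return entries


def flag_persistence(report):
    """Apply two detection rules to the parsed entries and return readable findings."""
    findings = []
    for key_path, value_name, data in parse_autostart(report):
        lower_key = key_path.lower()
        # Rule 1: Winlogon\Shell must stay explorer.exe; anything else replaces the user shell.
        if lower_key.endswith("\\winlogon") and value_name.lower() == "shell":
            if data.lower() not in EXPECTED_SHELL:
                findings.append(f"Winlogon Shell replaced: {data}")
        # Rule 2: Run entries that start a binary dropped under ProgramData.
        elif lower_key.endswith("\\currentversion\\run"):
            if "\\programdata\\" in data.lower():
                findings.append(f"Run key {value_name} launches from ProgramData: {data}")
    return findings
```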
 #13415  by Xylitol
 Fri May 25, 2012 7:38 am
Weelsof package + unpacked and some old design.
I've used the TDS to determine the winlock history:
 #13542  by Xylitol
 Wed May 30, 2012 2:36 pm
Weelsof ransom themes (AT,FI,DE,BE,FR,GR,IT,NL,PL,PT,ES,SW,SH) and sample in attach.
Also some news: they moved, the previous machine hosted on clodo.ru was shut down.
• dns: 1 ›› ip: 95.163.104.89 - adresse: DOLORES.CURSOPERSONA.COM
still same shit dolores.cursopersona.com/cp.php

packed bin tds: 4FC0D14D - 12:49:17, 26 may
dumped version: 4FBF2E76 - 07:02:14, 25 may 2012

edit: 62.76.41.126 is back.
Last edited by Xylitol on Wed May 30, 2012 3:38 pm, edited 1 time in total.
 #13716  by thisisu
 Tue Jun 05, 2012 7:58 am
Gimemo - France - "Gendarmerie Nationale" v2
MD5: 1e3711818e1c1474ef24c4a59843be74
https://www.virustotal.com/file/9ccd219 ... /analysis/
C:\sOxs5YdeJvsd\sOxs5YdeJvsd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | sOxs5YdeJvsd
Additional info here.
 #13790  by Xylitol
 Thu Jun 07, 2012 8:57 am
thisisu wrote: Gimemo - France - "Gendarmerie Nationale" v2
Not Gimemo, and not a 'v2'.
Just some lame shit made by kids; the panel and even the ransom are clearly unprofessional work.

In attach last weelsof dump.