A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4464  by EP_X0FF
 Sat Jan 15, 2011 6:12 pm
Written in Delphi, scrambled UPX (sometimes PECompact; UPX + VB cryptor used in later versions).

Kinda idiotic locker, because its virtual keyboard does not allow the user to enter non-numeric chars, while the unblock key is a word, not digits.

Comes from porn sites as a Flash Player update. This locker is constantly updated, but only the tel numbers and unblock code change.

Runs through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, replacing the original Explorer.exe entry.
File location depends on where the executable was stored by the browser while downloading.


Tel to call (stored in TMemo.Lines; even Pascal arrays are quite difficult for these locker authors)
8-967-268-34-67
8-965-340-10-22
8-903-137-30-91
8-964-628-99-74
8-965-319-29-91
8-905-508-40-05
8-905-777-80-94
8-962-962-59-67
8-965-391-96-82
8-906-741-18-39

Unblock key lord


To enter the unblock code the user needs to do some additional steps. For example, execute the Win Run command, type "lord", then Ctrl+A, then Ctrl+C and finally Ctrl+V into the locker input window.

Reversed design mode

Attached are both original and unpacked binaries.
Attachments
pass: malware
(727.8 KiB) Downloaded 214 times
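The persistence mechanism described in the post (overwriting the Winlogon Shell value so the locker starts instead of Explorer) is simple to check for offline. The following is an added example, not code from the thread: it parses a registry export (a constructed `.reg` sample embedded below, not one from the samples discussed) and flags a Shell value that is anything other than explorer.exe from the Windows directory. It also looks at the per-user HKCU Winlogon key, which Windows honors as an override of the HKLM value; the key names and the checks are the example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a "reg export" of the two Winlogon keys.
# The HKLM Shell value mimics the hijack described in the post; the path is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\user\\Downloads\\flash_player.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"AutoRestartShell"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''

# Keys whose Shell value Winlogon consults (HKCU overrides HKLM per user).
WINLOGON_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and "name"=value lines.

    REG_SZ values are unescaped (regedit writes \\ and \"); other types are kept raw.
    """
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, raw = m.group(1), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            else:
                value = raw
            result[current][name] = value
    return result


def shell_is_hijacked(shell_value: str) -> bool:
    """True unless every comma-separated entry is explorer.exe from the Windows directory.

    A bare "explorer.exe" is the default; a copy of explorer.exe in another directory
    is flagged too, so a renamed dropper cannot pass on its file name alone.
    """
    for entry in shell_value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        directory, _, base = entry.replace("/", "\\").rpartition("\\")
        if base.lower() != "explorer.exe":
            return True
        d = directory.lower().rstrip("\\")
        if d and d != "%systemroot%" and not d.endswith("\\windows"):
            return True
    return False


def find_shell_hijacks(reg_text: str) -> List[Tuple[str, str]]:
    """Return (key, Shell value) for every Winlogon key whose Shell is not Explorer."""
    wanted = {k.lower() for k in WINLOGON_KEYS}
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in wanted:
            continue
        shell = next((v for n, v in values.items() if n.lower() == "shell"), None)
        if shell is not None and shell_is_hijacked(shell):
            hits.append((key, shell))
    return hits


if __name__ == "__main__":
    for key, shell in find_shell_hijacks(SAMPLE_REG):
        print(f"Shell hijack: {key} -> {shell}")
```

On a live machine the same check can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; a Shell value pointing into a user's download directory, as in the constructed sample, is exactly the pattern the post describes.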
 #4610  by EP_X0FF
 Fri Jan 21, 2011 10:02 am
This one updated.

http://www.virustotal.com/file-scan/rep ... 1295604135

Tel to call
8-965-338-65-16
8-962-931-00-24
8-964-723-83-28
8-965-315-86-61
8-965-283-27-47
8-903-518-01-27
8-903-965-86-77
8-965-241-69-75
8-965-266-43-65
8-906-741-24-31
Unblock key poputal

Source hxxp://telki-best.ru/flash_player.exe
8-965-180-38-54
8-965-361-16-43
8-967-256-08-89
8-963-666-86-02
8-965-148-91-31
8-967-256-01-18
8-909-649-98-60
8-905-546-02-30
8-965-210-62-93
8-903-243-51-31
Unblock key poputalda

Source hxxp://tut-ok.ru/flash_player.exe
Last edited by EP_X0FF on Sat Jan 22, 2011 7:37 am, edited 2 times in total. Reason: edit
 #4611  by Xylitol
 Fri Jan 21, 2011 10:24 am
Someone sent me this sample by mail yesterday; the number was 8-903-965-86-77

anyway ~ xxx_video_52974.avi.exe.vir
attached.
http://www.virustotal.com/file-scan/rep ... 1295594176
Attachments
see archive comment for password
(52.05 KiB) Downloaded 108 times
Last edited by EP_X0FF on Sat Feb 05, 2011 3:27 pm, edited 2 times in total. Reason: edit: resized images
 #4841  by Xylitol
 Tue Feb 01, 2011 1:30 pm
Attachments
see archive comment for passwd
(639.33 KiB) Downloaded 99 times
Last edited by EP_X0FF on Sat Feb 05, 2011 3:23 pm, edited 1 time in total. Reason: edit: resized images
 #4856  by Xylitol
 Wed Feb 02, 2011 1:13 pm
Ransom delivery, new locs:
hXXp://deviant-mordoboev.narod2.ru/xxx_video.avi.exe
hXXp://buipanno.narod.ru/xxx_video.exe

~ xxx_video.avi.exe+unpacked.zip
http://www.virustotal.com/file-scan/rep ... 1296652359
https://www.virustotal.com/file-scan/re ... 1296651540

~ xxx_video.exe+unpacked.zip
http://www.virustotal.com/file-scan/rep ... 1296651540
https://www.virustotal.com/file-scan/re ... 1296652248
Attachments
See archive comment for password
(641.98 KiB) Downloaded 82 times
See archive comment for password
(103.16 KiB) Downloaded 75 times
Last edited by EP_X0FF on Sat Feb 05, 2011 3:26 pm, edited 1 time in total. Reason: edit: resized images
 #4860  by Xylitol
 Thu Feb 03, 2011 1:36 pm
Ransom delivery, locs:
hXXp://geolaykick.narod.ru/xxx_video.exe
hXXp://malinkixxx.ru/flash_player.exe


http://www.virustotal.com/file-scan/rep ... 1296738196
http://www.virustotal.com/file-scan/rep ... 1296738267
Attachments
See archive comment for password
(642.25 KiB) Downloaded 81 times
See archive comment for password
(812.51 KiB) Downloaded 85 times
Last edited by EP_X0FF on Sat Feb 05, 2011 3:28 pm, edited 1 time in total. Reason: edit: resized images
 #4874  by Xylitol
 Fri Feb 04, 2011 10:22 am
Ransom delivery, new locs:
hXXp://planka.mcdir.ru/flash_player.exe
hXXp://telki.mcdir.ru/flash_player.exe

According to VirusTotal the first sample was fully undetected: http://www.virustotal.com/file-scan/rep ... 1296811894

The second is 2/43:
http://www.virustotal.com/file-scan/rep ... 1296811890

Attachments
See archive comment for password
(1.52 MiB) Downloaded 79 times
Last edited by EP_X0FF on Sat Feb 05, 2011 3:30 pm, edited 1 time in total. Reason: edit: resized images
 #4892  by Xylitol
 Sat Feb 05, 2011 2:04 pm
new loc:
hXXp://milaya.mcdir.ru/flash_player.exe

Code to unlock Windows: izvini
Attachments
see archive comment for password
(775.29 KiB) Downloaded 76 times
Last edited by EP_X0FF on Sat Feb 05, 2011 3:43 pm, edited 1 time in total. Reason: edit: resized images
 #4900  by Xylitol
 Sat Feb 05, 2011 7:19 pm
new loc: hXXp://usarfor.narod.ru/xxx_video.exe
Code to unlock Windows: 70000004

basic unpacking scheme of flash_player (not UPX, the crap after):
Code:
BP -> 00440766 - C3 - RETN ;Return to 003D08DD
(CALL EAX before normally for VirtualAlloc)
F9
Breaked
F7
BP -> 003D1044 - C3 - RETN ;Return to 7C91D370 (ntdll.ZwFreeVirtualMemory)
F9
Breaked
F7
BP -> 0055D472 - FFE0 - JMP EAX ;EAX=0048078C (xxx_vide.0048078C)
F9
Shift+F9 if problem
Breaked
F7 & dump
After that, fix the sections and the stuff.

Attachments
see archive comment for password
(630.05 KiB) Downloaded 90 times