A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28571  by twisterxz
 Wed May 25, 2016 4:50 pm
hey guys,

I'm new around the forums, and I'd like to learn about malware analysis, but unfortunately I don't have much time to learn,
so I just look around here and read your topics.

But straight to the point: my boss came to me today and showed me his PC. His PC is infected with Zyklon Locker ransomware.
I've never heard of this one before, so if anyone wants to analyse it, feel free, or just delete this post if I'm doing something wrong.

Best regards,

twisterxz
 #28581  by xors
 Sun May 29, 2016 6:07 pm
I am not the best with .NET/C#, so don't assume that I am 100% correct.
As far as I can see, when 'freegaza_israeli_killers.exe' is executed it will run 'Ponmsiyyks.exe' from the %temp% folder. 'Ponmsiyyks.exe' will create the 'RegAsm.exe' process and will inject the malicious code into it. In the attachment you will find what I found so far.

https://malwr.com/analysis/ZjZjOWY1Y2Rj ... FkZDFlMWE/
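The execution chain xors describes (dropper, second-stage EXE in %temp%, RegAsm.exe as an injection host) is the kind of parent/child pattern that process-creation telemetry can flag. The following is an added detection example, not code from the thread or from any sample; the Sysmon-style records, the user profile paths and the rule names are constructed for illustration.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
# They replay the chain from the post: the dropper runs a second EXE from
# %temp%, which then launches RegAsm.exe and injects code into it.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\boss\Downloads\freegaza_israeli_killers.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\boss\AppData\Local\Temp\Ponmsiyyks.exe",
     "ParentImage": r"C:\Users\boss\Downloads\freegaza_israeli_killers.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\boss\AppData\Local\Temp\Ponmsiyyks.exe"},
    # Benign control: RegAsm.exe run by an installer from Program Files.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Program Files\SomeVendor\setup.exe"},
]

TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
TRUSTED_DIR = re.compile(r"^C:\\(Windows|Program Files( \(x86\))?)\\", re.I)
INJECTION_HOSTS = {"regasm.exe"}  # legitimate .NET tool abused as a host process

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a rule name if the event matches the dropper chain, else None."""
    image, parent = event["Image"], event["ParentImage"]
    # RegAsm.exe is normally started by installers or build tooling, not by
    # an executable sitting in a temp folder.
    if _name(image) in INJECTION_HOSTS and TEMP_DIR.search(parent):
        return "net-tool-from-temp-parent"
    # A fresh EXE in %temp% launched by something outside Windows/Program Files
    # is the typical second stage of a user-space dropper.
    if TEMP_DIR.search(image) and not TRUSTED_DIR.match(parent):
        return "temp-exe-from-untrusted-parent"
    return None

def find_suspicious(events):
    """Return (image, parent, rule) for every event that matches a rule."""
    return [(e["Image"], e["ParentImage"], r)
            for e in events if (r := classify(e))]

if __name__ == "__main__":
    for image, parent, rule in find_suspicious(SAMPLE_EVENTS):
        print(f"[{rule}] {parent} -> {image}")
```

On real Sysmon data the same two rules apply to Event ID 1 fields of the same names; expect tuning for installers that legitimately stage binaries in %temp%.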