Some info about this new ransom that now replaced LockEmAll.
Runs from:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Terminates Explorer while execution, prevents user work - usual ransomware behavior.
File is dropped through Blackhole Exploit Kit, so on vulnerable systems it may autostart right after user visited compromised site.
Malware repacks everyday, probably few time per day - nothing changes, except obfuscation.
Quick unpack, code/tel extract information for these who are lazy.
This ransom is as always nothing special and authors using combination with well-known packers and custom made obfuscation. This one is UPX->Obfuscator->UPX->Delphi. Warning: since malware obfuscation layer may change in any time, do all this in protected environment, for example on masqueraded (in case of possible vm-detections on obfuscation level that can be added in future) virtual machine.
Unpack, deobfuscate.
1. Load malware in OllyDbg, set break on
NtWriteVirtualMemory
2. Once break is hit, see malware memory regions map (with what ever, I use internal tool) as on figure below (sorted by Allocation Protect)
take region that has greater size (or you can simple locate image signatures in region - whatever).
3. Dump it on disk, cut garbage if it has it on the beginning. Now you have original malware stub.
4. Remove UPX to get clean Delphi code.
Extracting unblock code
1. Load in disassembler and locate GetWindowTextA call. Because this is Delphi compiler actual call to WinAPI will be represented as stub, see figure below
2. Look-up place from where this stub is called. In example case it is CODE:0040660C. This is internal routine that used to read text from the given control. Lets call it
GetControlText.
See references to this routine, for example for IDA
3. Jump to reference. You are in main malware handler.
4. When correct code is entered malware kills itself and restart Explorer.exe (which is terminates on ransom start). Ransom doing this by calling
WinExec. Locate this function call.
5. Now look above code, there is the unblock code checking code. First it passes valid hardcoded unblock code (stored as ansi string), and then calls internal routine called
LStrCmp. Regarding to results of compare malware displays fcuk off message or removes itself.
Extracting tel numbers
While working main window of this ransom is called "windowssecurity". Open unpacked and deobfuscated file and locate this ansi string. Here we go - all numbers will be clearly visible somewhere near this string.
P.S.
This is primitive ransomware coded by script-kiddies, however this does not makes it less dangerous than any other malware and due to blocking nature it is much more annoying, so inexperienced users may be forced to do Windows reinstall. Remember - as always nobody from ransom side will not provide unblock code, even if you pay them. This is pure extortion and fraud.
See attach for sample (+unpacked) I used to write this post.
