[Xylitol]

Some changes, malware download come from a BlackHole exploit kit and instead of beeline numbers there is webmoney IDs.

Code: Select all

hxxp://8klbw.2lkjdj.ru/w.php?f=18&e=4

WebMoney: U159972976081
WebMoney: U191228079133
WebMoney: U151459219666
WebMoney: U250063339599
Code to unlock Windows: ol.ol.

VT: 5/42 >> 11.9%
http://www.virustotal.com/file-scan/rep ... 1315917889

[agadive]

I've got one with the number 7 9811293557 (text message 300) anyone's got a code for that? Help. I found a code that says I need to type any 8 keys (not numbers though), and the keybord only enables me to type numbers from 1-9, but not "0" . No letters either.
I'd appreciate any help.

[GMax]

URL:

hxxp://k-trah-v-celku.ru/xvid/xvid1x1.avi
hxxp://k-trah-v-celku.ru/xvid/xvid1x2.avi
hxxp://k-trah-v-celku.ru/xvid/xvid1x3.avi
hxxp://k-trah-v-celku.ru/xvid/xvid1x4.avi
hxxp://k-trah-v-celku.ru/xvid/xvid2x1.avi
hxxp://k-trah-v-celku.ru/xvid/xvid2x2.avi
hxxp://k-trah-v-celku.ru/xvid/xvid2x3.avi
hxxp://k-trah-v-celku.ru/xvid/xvid2x4.avi
...
hxxp://k-trah-v-celku.ru/xvid/xvid8x1.avi
hxxp://k-trah-v-celku.ru/xvid/xvid8x2.avi
hxxp://k-trah-v-celku.ru/xvid/xvid8x3.avi
hxxp://k-trah-v-celku.ru/xvid/xvid8x4.avi

ADD:

hxxp://pornommix.ru/xvid/xvid1x1.avi
hxxp://pornommix.ru/xvid/xvid1x2.avi
hxxp://pornommix.ru/xvid/xvid1x3.avi
hxxp://pornommix.ru/xvid/xvid1x4.avi
hxxp://pornommix.ru/xvid/xvid2x1.avi
hxxp://pornommix.ru/xvid/xvid2x2.avi
hxxp://pornommix.ru/xvid/xvid2x3.avi
hxxp://pornommix.ru/xvid/xvid2x4.avi
...
hxxp://pornommix.ru/xvid/xvid8x1.avi
hxxp://pornommix.ru/xvid/xvid8x2.avi
hxxp://pornommix.ru/xvid/xvid8x3.avi
hxxp://pornommix.ru/xvid/xvid8x4.avi

Unlock code: 2011

[GMax]

URL:

hxxp://deregby.ru/avik/vidok1x1.avi
hxxp://deregby.ru/avik/vidok1x2.avi
hxxp://deregby.ru/avik/vidok1x3.avi
hxxp://deregby.ru/avik/vidok1x4.avi
...
hxxp://deregby.ru/avik/vidok11x1.avi
hxxp://deregby.ru/avik/vidok11x2.avi
hxxp://deregby.ru/avik/vidok11x3.avi
hxxp://deregby.ru/avik/vidok11x4.avi

hxxp://severbludnicha.ru/avik/vidok1x1.avi
hxxp://severbludnicha.ru/avik/vidok1x2.avi
hxxp://severbludnicha.ru/avik/vidok1x3.avi
hxxp://severbludnicha.ru/avik/vidok1x4.avi
...
hxxp://severbludnicha.ru/avik/vidok11x1.avi
hxxp://severbludnicha.ru/avik/vidok11x2.avi
hxxp://severbludnicha.ru/avik/vidok11x3.avi
hxxp://severbludnicha.ru/avik/vidok11x4.avi

Unlock code: 070707

[GMax]

URL: hxxp://m-siekiezzz.ru/

Number to call:

89185329482
89897213587

Unlock code: 2012

[EP_X0FF]

Ransom LockScreen

Thanks for sample to Xylitol and mrbelyash.



Unblock code: 9109101313

Drops from a fake porn site as xxx_video.avi.exe
Runs through SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon as Shell replacement of Explorer.

For unpacking load dropper into debugger and set a break on CreateProcess (due to drop period ransomware restarts itself from %temp% folder for original file self-deletion purposes). Then locate decrypted payload container in dropper memory and dump it to disk. Cut off garbage, remove UPX and "unpacking" complete. Next it is trivial. Unblock button is Button3. Yes this crapware written on Delphi 7 and even include image named "winlockimage". Used WinBlockTerr Delphi component for various system parameters blocking.

Code: Select all

CODE:0047FDCC TForm1_Button3Click proc near           
CODE:0047FDCC
CODE:0047FDCC var_4           = dword ptr -4
CODE:0047FDCC
CODE:0047FDCC                 push    ebp
CODE:0047FDCD                 mov     ebp, esp
CODE:0047FDCF                 push    0
CODE:0047FDD1                 push    ebx
CODE:0047FDD2                 mov     ebx, eax
CODE:0047FDD4                 xor     eax, eax
CODE:0047FDD6                 push    ebp
CODE:0047FDD7                 push    offset loc_47FE2B
CODE:0047FDDC                 push    dword ptr fs:[eax]
CODE:0047FDDF                 mov     fs:[eax], esp
CODE:0047FDE2                 lea     edx, [ebp+var_4]
CODE:0047FDE5                 mov     eax, [ebx+358h]
CODE:0047FDEB                 call    ControlGetText
CODE:0047FDF0                 mov     eax, [ebp+var_4]
CODE:0047FDF3                 mov     edx, offset _str_9109101313.DelphiString
CODE:0047FDF8                 call    LStrCmp
CODE:0047FDFD                 jnz     short loc_47FE0B
CODE:0047FDFF                 call    pRestoreShell
CODE:0047FE04                 call    pSelfDelete

VT Original
https://www.virustotal.com/file/c2ce0db ... /analysis/

Unpacked
https://www.virustotal.com/file/91e0a27 ... /analysis/

Both in attach.

[EP_X0FF]

Landing hxxp://masvideo1hd.ru/
Unlock code: 44629

SHA1: 1957d8e51b4e36085af50d6635f452b0ccb73c1b
https://www.virustotal.com/file/e44e243 ... /analysis/

Original + decrypted in attach.

[Xylitol]

I'm redirected to 7xtube.
websniffer have the same problem:

And seem ok for urlquery: http://urlquery.net/report.php?id=870061

[EP_X0FF]

The actual payload downloads from as hxxp://dasfanvid.ru/codfullhdxavi.exe

icq 34568623 if u need to speak

:)

Do not work without referer

Code: Select all

15:37:42	28.1.2013	GET http://dasfanvid.ru/codfullhdxavi.exe HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17
Accept: */*
Referer: http://masvideo1hd.ru/
Host: dasfanvid.ru
15:37:45	28.1.2013	HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Mon, 28 Jan 2013 14:37:44 GMT
Content-Type: application/x-msdos-program
Content-Length: 1728512
Connection: close
Last-Modified: Mon, 28 Jan 2013 11:02:24 GMT
ETag: "d803f3-1a6000-4d457363c3000"
Accept-Ranges: bytes

Btw, file updated, unlock code the same.

[EP_X0FF]

Landing at masvideo1hd.ru.

However we already knocked out payload part.

From: CISHost.ru <mail@cishost.ru>
Hello. User blocked

On Wed, 06 Feb 2013 15:54:30 +0800

>
> Hello,
>
> the following site
>
> devki-traxbest.ru
> masvideo1hd.ru
>
> IP address: 5.9.59.109 (g4.cishost.ru)
> Host name: masvideo1hd.ru
> Alias: masvideo1hd.ru
>
>
> host and distributes malicious software known as Trojan Winlock.
> Direct link to malware hxxp://masvideo1hd.ru/avik/vidok1x1.avi (resolves to hxxp://devki-traxbest.ru/codfullhdxavi.exe, referrer "masvideo1hd.ru" is required for access).
>
> Please take a measures against this rogue customer.
>
> Thank you.

Attached sample downloaded before server block.
codfullhdxavi.exe is now detected as Trojan:Win32/LockScreen.AO