Trojan Ransom / FakePoliceAlert

Forum for analysis and discussion about malware.

Re: Trojan Winlock / Ransom / ScreenLocker

Postby markusg » Mon Jun 20, 2011 8:56 am

markusg
 
Posts: 713
Joined: Mon Mar 15, 2010 2:53 pm
Reputation point: 141

Re: Trojan Winlock / Ransom / ScreenLocker

Postby Xylitol » Mon Jun 20, 2011 10:30 am

Xylitol
Global Moderator
 
Posts: 1635
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 494

Trojan Ransom / FakePoliceAlert

Postby markusg » Wed Oct 05, 2011 5:32 pm

markusg
 
Posts: 713
Joined: Mon Mar 15, 2010 2:53 pm
Reputation point: 141

Re: Malware/Not classified

Postby EP_X0FF » Wed Oct 05, 2011 5:46 pm

Trojan ransom

posts moved.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Trojan Winlock / Ransom / ScreenLocker

Postby markusg » Thu Oct 20, 2011 2:15 pm

explorer.exe
MD5: 412cc709170aff1a15e895e16c397244
http://www.virustotal.com/file-scan/rep ... 1319118846
markusg
 
Posts: 713
Joined: Mon Mar 15, 2010 2:53 pm
Reputation point: 141

Re: Trojan Winlock / Ransom / ScreenLocker

Postby EP_X0FF » Thu Oct 20, 2011 2:53 pm

markusg wrote: explorer.exe
MD5: 412cc709170aff1a15e895e16c397244
http://www.virustotal.com/file-scan/report.html?id=73f1f147380c03dad7fccfb5639e9d784d53f6a971821a772908d7aeb7f600f0-1319118846

Calls home hxxp://91.228.160.157/de/2/gate.php?cmd=ul&id=gpo5fv71j6hfh3x2

Replaces explorer.exe with malware copy.

Terminates taskmanager and process explorer.

Decrypted in attachment.

W:\locker\locker\Release\locker.pdb
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Trojan Winlock / Ransom / ScreenLocker

Postby Maxstar » Fri Nov 18, 2011 2:09 pm

Maxstar
 
Posts: 88
Joined: Wed Jan 26, 2011 10:20 am
Reputation point: 39

Re: Trojan Winlock / Ransom / ScreenLocker

Postby EP_X0FF » Fri Nov 18, 2011 2:29 pm

Interesting. Internally this sample looks equal to those posted by markusg earlier.

y:\src\_cpp\bwin_nl\Release\bwin3.pdb

Take a look at the debug path string, bwin_nl.

Also the same call home address hxxp://89.248.165.131

The only difference is in resources part. Different HTML and images.

Fully decrypted workable sample in attachment.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Trojan Ransom / FakePoliceAlert

Postby S!Ri » Mon Nov 21, 2011 8:37 am

Didn't see this Spanish version (or I missed it):

[image]
S!Ri
 
Posts: 5
Joined: Fri Sep 02, 2011 7:36 am
Reputation point: 6

Re: Trojan Ransom / FakePoliceAlert

Postby Xylitol » Tue Nov 22, 2011 6:06 pm

[image]

Switzerland version
It does a GET request and later calls tools.ip2location.com as usual.
Code:
GET /i.php?a=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible;)
Host: 89.248.165.131
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 22 Nov 2011 17:22:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


The following URLs were found on the server:
Code:
http://89.248.165.131:80/cgi-bin/
http://89.248.165.131:80/icons/
http://89.248.165.131:80/webmail/
http://89.248.165.131:80/error/
http://89.248.165.131:80/manager/
http://89.248.165.131:80/disabled/
Xylitol
Global Moderator
 
Posts: 1635
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 494
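The check-in traffic described in this thread (the gate.php?cmd=ul&id=... call home EP_X0FF noted, the /i.php?a=2 beacon in Xylitol's capture, the follow-up tools.ip2location.com lookup) is easy to pick out of proxy or packet-capture data once the request line and headers are parsed. The script below is an added example written for this page; it is not code from the thread or from any of the posters. It parses raw HTTP request text, tags requests that match the indicators quoted above (the two C2 IPs, the query patterns, the bare "Mozilla/4.0 (compatible;)" User-Agent), and separately scans a byte buffer for the two PDB path strings reported from the samples. The sample requests other than the one copied from Xylitol's capture are constructed for illustration, as is the byte buffer.

```python
from urllib.parse import urlsplit, parse_qs

# Indicators quoted in the thread (network addresses and PDB paths from the posts above).
C2_HOSTS = {"91.228.160.157", "89.248.165.131"}
GEO_LOOKUP_HOST = "tools.ip2location.com"
PDB_PATHS = [
    b"W:\\locker\\locker\\Release\\locker.pdb",
    b"y:\\src\\_cpp\\bwin_nl\\Release\\bwin3.pdb",
]

# Request copied from Xylitol's capture (request part only).
SAMPLE_CAPTURE = (
    "GET /i.php?a=2 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible;)\r\n"
    "Host: 89.248.165.131\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
# Constructed request reproducing the gate.php call-home pattern EP_X0FF reported.
GATE_REQUEST = (
    "GET /de/2/gate.php?cmd=ul&id=gpo5fv71j6hfh3x2 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible;)\r\n"
    "Host: 91.228.160.157\r\n\r\n"
)
# Constructed benign request for comparison.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: example.com\r\n\r\n"
)
# Constructed byte buffer standing in for a dumped sample.
SAMPLE_BLOB = b"\x00\x00MZ...\x00W:\\locker\\locker\\Release\\locker.pdb\x00...rest..."


def parse_http_request(raw):
    """Parse the request line and headers of one raw HTTP request into a dict.
    Header names are lower-cased; parsing stops at the first blank line."""
    lines = raw.strip("\r\n").splitlines()
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def classify_request(req):
    """Return the list of indicator tags that a parsed request matches."""
    hits = []
    host = req["headers"].get("host", "").split(":")[0]
    url = urlsplit(req["target"])
    query = parse_qs(url.query)
    if host in C2_HOSTS:
        hits.append("known-c2-host")
    # cmd=ul&id=<victim id> is the check-in shape from the explorer.exe sample.
    if url.path.endswith("/gate.php") and query.get("cmd") == ["ul"] and "id" in query:
        hits.append("gate-checkin")
    # /i.php?a=<n> is the beacon seen in the Switzerland sample capture.
    if url.path.endswith("/i.php") and "a" in query:
        hits.append("i.php-beacon")
    if host == GEO_LOOKUP_HOST:
        hits.append("geoip-lookup")
    # The capture shows an unusually bare User-Agent; worth flagging on its own.
    if req["headers"].get("user-agent", "") == "Mozilla/4.0 (compatible;)":
        hits.append("bare-msie-ua")
    return hits


def scan_for_pdb_paths(blob):
    """Return the PDB path strings from the thread that occur in a byte buffer."""
    return [p.decode() for p in PDB_PATHS if p in blob]


if __name__ == "__main__":
    for label, raw in (("capture", SAMPLE_CAPTURE), ("gate", GATE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, classify_request(parse_http_request(raw)))
    print("pdb", scan_for_pdb_paths(SAMPLE_BLOB))
```

The tags are kept separate rather than collapsed into one verdict so that a hit on the C2 address alone (which may be reassigned long after the sample was seen) can be weighted differently from a hit on the query shape, which survives infrastructure changes between the German, Dutch, Spanish and Swiss variants discussed in the thread.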
