Win32/Loktrom (aka WindowsSecurity, LokoMoTo)



Postby rkhunter » Tue Dec 20, 2011 10:38 am

[image]

Unlock code: 9786775
CODE:004170E0 37 38 36+                    db '9786775',0   


Original: 4/43 (9.3%) on VT
Unpacked: 1/43 (2.3%) on VT

Original and unpacked samples are in the attachment.

Edit: unlock code was added.

Re: Trojan Winlock / Ransom / ScreenLocker

Postby GMax » Sat Dec 24, 2011 7:39 pm

[image]

FileName: xxx_porno.exe
Size: 116 KB (119296 bytes)
Date/Time compiled: 08.01.2008 / 15:43:37 UTC
MD5: 41789c704a0eecfdd0048b4b4193e752
SHA1: fb1e8385691fa3293b7cbfb9b2656cf09f20e722
PEiD: ['UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser']
www.virustotal.com

Call number:
79091516876
79670416917
79096507761
79036688774
79096507761


Unlock code: 123123123

url: hxxp://pornoxnx-freex2f.ru/c/

Re: Trojan Winlock / Ransom / ScreenLocker

Postby GMax » Sun Dec 25, 2011 8:27 am

GMax wrote: [image]

VT (11/41)

Call number:
79037310486
79091558385
79645312790
79091559768
79653979782
79091559768


Unlock code: 333358896

Url: hxxp://vidosxcx-conline1f.ru/a/

Re: Trojan Ransom / WindowsSecurity

Postby GMax » Sun Dec 25, 2011 1:43 pm

Number to call:
79091573472
79031626958
79670417054
79653751922
79091616156
79653768834


Unlock code: 203333258

Re: Trojan Ransom / WindowsSecurity

Postby GMax » Mon Dec 26, 2011 4:20 am

Number to call:
79653883959
79099857659
79647794075
79037310711
79091558696
79037310711


Unlock code: 802225889

Re: Trojan Ransom / WindowsSecurity

Postby GMax » Mon Dec 26, 2011 10:29 am

Number to call:
79091515636
79067977604
79636617491
79091575826
79031627026
79091575826


Unlock code: 338744522

Re: Trojan Ransom / WindowsSecurity

Postby EP_X0FF » Mon Dec 26, 2011 11:36 am

Some info about this new ransom, which has now replaced LockEmAll.

Runs from:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell


Terminates Explorer while executing and prevents the user from working - the usual ransomware behavior.

The file is dropped through the Blackhole Exploit Kit, so on vulnerable systems it may start right after the user visits a compromised site.

The malware is repacked every day, probably a few times per day - nothing changes except the obfuscation.

Quick unpack and code/phone number extraction information for those who are lazy.

This ransom is, as always, nothing special; the authors use a combination of well-known packers and custom-made obfuscation. This one is UPX->Obfuscator->UPX->Delphi. Warning: since the malware obfuscation layer may change at any time, do all of this in a protected environment, for example on a masqueraded virtual machine (in case VM detection is added to the obfuscation layer in the future).

Unpack, deobfuscate.

1. Load the malware in OllyDbg and set a breakpoint on NtWriteVirtualMemory.
2. Once the breakpoint is hit, view the malware's memory region map (with whatever tool; I use an internal one) as in the figure below (sorted by Allocation Protect).

[image]

Take the region that has the greatest size (or you can simply locate image signatures in the regions - whatever).

3. Dump it to disk and cut the garbage if there is any at the beginning. Now you have the original malware stub.
4. Remove UPX to get clean Delphi code.

Extracting unblock code

1. Load it in a disassembler and locate the GetWindowTextA call. Because this is Delphi-compiled, the actual call to the WinAPI is represented as a stub, see the figure below.

[image]

2. Look up the place from where this stub is called. In the example case it is CODE:0040660C. This is an internal routine used to read text from a given control. Let's call it GetControlText.
See the references to this routine, for example in IDA:

[image]

3. Jump to the reference. You are in the main malware handler.
4. When the correct code is entered, the malware kills itself and restarts Explorer.exe (which it terminates at ransom start). The ransom does this by calling WinExec. Locate this function call.
5. Now look at the code above it; there is the unblock code checking code. First it passes the valid hardcoded unblock code (stored as an ANSI string), and then calls an internal routine called LStrCmp. Depending on the result of the compare, the malware displays a fcuk off message or removes itself.

[image]

Extracting tel numbers

While working, the main window of this ransom is called "windowssecurity". Open the unpacked and deobfuscated file and locate this ANSI string. Here we go - all the numbers will be clearly visible somewhere near this string.

[image]

P.S.

This is primitive ransomware coded by script-kiddies; however, this does not make it less dangerous than any other malware, and due to its blocking nature it is much more annoying, so inexperienced users may be forced to reinstall Windows. Remember - as always, nobody from the ransom side will provide an unblock code, even if you pay them. This is pure extortion and fraud.

See the attachment for the sample (+unpacked) I used to write this post.
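To make the string-extraction part of the walkthrough above repeatable across the daily repacks, here is an added example (mine, not EP_X0FF's tooling or anything attached to the post) that carves the NUL-terminated ANSI strings out of an already unpacked and deobfuscated dump, anchors on the "windowssecurity" window title and reports the phone numbers stored near it, plus any 7-9 digit string anywhere in the image as an unlock-code candidate. The anchor string, the 4096-byte window, the number formats and the embedded sample blob (built from the numbers and code in GMax's 24 Dec post, with padding standing in for code) are my assumptions; on a real case run it on the dump produced by steps 1-4 of the unpacking section.

```python
"""Carve phone numbers and unlock-code candidates from an unpacked
Delphi WinLock dump, anchoring on the "windowssecurity" window title.
Added example; the heuristics and the sample blob are assumptions."""
import re
import sys
from typing import Dict, List, Tuple

# NUL-terminated runs of printable ASCII: how hardcoded Delphi/C string
# constants look once the UPX/obfuscator layers are gone.
_ANSI_STRING = re.compile(rb"[\x20-\x7e]{4,}\x00")
_PHONE = re.compile(rb"^79\d{9}$")        # 11-digit Russian mobile numbers as shown on the lock screen
_UNLOCK_CODE = re.compile(rb"^\d{7,9}$")  # 7-9 digit codes seen in this family (heuristic)


def ansi_strings(blob: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, string) for every NUL-terminated ANSI string in blob."""
    return [(m.start(), m.group()[:-1]) for m in _ANSI_STRING.finditer(blob)]


def carve(blob: bytes, anchor: bytes = b"windowssecurity",
          window: int = 4096) -> Dict[str, List[str]]:
    """Phone numbers within `window` bytes of the anchor string, and
    unlock-code candidates from anywhere in the image (deduplicated,
    in file order)."""
    strings = ansi_strings(blob)
    anchors = [off for off, s in strings if s.lower() == anchor]
    if not anchors:
        raise ValueError("anchor not found: dump is probably still packed or obfuscated")
    phones: List[str] = []
    codes: List[str] = []
    for off, s in strings:
        if _PHONE.match(s) and any(abs(off - a) <= window for a in anchors):
            if s.decode() not in phones:
                phones.append(s.decode())
        elif _UNLOCK_CODE.match(s) and s.decode() not in codes:
            codes.append(s.decode())
    return {"phones": phones, "unlock_code_candidates": codes}


def _cstr(s: str) -> bytes:
    return s.encode("ascii") + b"\x00"


# Constructed stand-in for an unpacked dump: the window title followed by the
# numbers from GMax's 24 Dec post (one duplicated, as on the screen), and the
# unlock code far away, where the main handler would sit in a real image.
SAMPLE_DUMP = (
    b"\x00" * 64
    + _cstr("windowssecurity")
    + b"\x00" * 16
    + b"".join(_cstr(n) for n in ("79091516876", "79670416917", "79096507761",
                                  "79036688774", "79096507761"))
    + b"\x00" * 8192
    + _cstr("123123123")
    + _cstr("WinExec")
    + _cstr("explorer.exe")
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for key, values in carve(data).items():
        print(key, *values)
```

A phone-looking string far from the anchor is deliberately not reported: the unpacked Delphi image keeps the form's string constants together, so a distant match is more likely a resource or a decoy. The 7-9 digit heuristic only produces a shortlist; confirm the real unlock code by following the LStrCmp comparison in the disassembler as described in the post.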

Re: Trojan Ransom / WindowsSecurity

Postby GMax » Mon Dec 26, 2011 12:01 pm

Number to call:
79636615561
79091576703
79091513102
79096504460
79067392968
79096504460


Unlock code: 287448555

Re: Trojan Ransom / WindowsSecurity

Postby GMax » Mon Dec 26, 2011 6:50 pm

Number to call:
79645610480
79060971048
79670416973
79037310584
79067981907
79037310584


Unlock code: 203477777

Re: Trojan Ransom / WindowsSecurity

Postby EP_X0FF » Tue Dec 27, 2011 12:03 pm

79653979283
79653766306
79091516865
79091513046
79067982109
79091513046


Unblock code: 304887474

For all these ransom builds the master code 9786775 works.

Take a hint - this ransom does not remove itself from the system after a valid code is entered, so after a reboot it will again be set as the default system shell instead of Explorer.
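EP_X0FF's hint means a cleanup has to cover both autostart locations from his 26 Dec post, not just the running process. The following is an added example (not from the thread) that parses a regedit export of the relevant keys and flags a per-user Winlogon Shell value (a default install has none; the system-wide one under HKLM is "explorer.exe") and Run entries that launch from user-writable directories. The .reg text is constructed: the Run value name "WindowsSecurity" and the Temp path are my assumptions, only the filename xxx_porno.exe comes from GMax's post.

```python
"""Audit a regedit export for the two autostart locations used by this
locker: the per-user Winlogon Shell value and the per-user Run key.
Added example; the .reg content below is constructed."""
import re
import sys
from typing import Dict, List, Optional

WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
RUN = r"software\microsoft\windows\currentversion\run"
# Directories an ordinary user can write to; a Run entry pointing there
# deserves a look, a Shell value pointing there is a hijack.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """regedit escapes backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for REG_SZ values only;
    hex(...) and dword: values are skipped since none matter here."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][_unescape(m.group("name"))] = _unescape(data[1:-1])
    return keys


def audit_persistence(keys: Dict[str, Dict[str, str]]) -> List[str]:
    findings: List[str] = []
    for path, values in keys.items():
        hive, _, sub = path.partition("\\")
        sub = sub.lower()
        if sub == WINLOGON:
            shell = next((v for k, v in values.items() if k.lower() == "shell"), None)
            if shell is not None and hive.upper() == "HKEY_CURRENT_USER":
                # A default install has no per-user Shell value at all, so its
                # mere presence means Explorer was replaced for this user.
                findings.append(f"per-user Winlogon Shell set to {shell!r}")
            elif shell is not None and shell.strip().lower() != "explorer.exe":
                findings.append(f"system-wide Winlogon Shell replaced with {shell!r}")
        elif sub == RUN:
            for name, cmd in values.items():
                if any(d in cmd.lower() for d in USER_WRITABLE):
                    findings.append(f"Run entry {name!r} starts from a user-writable path: {cmd}")
    return findings


# Constructed export. Value name "WindowsSecurity" and the Temp path are
# assumptions; only the filename xxx_porno.exe comes from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\victim\\AppData\\Local\\Temp\\xxx_porno.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsSecurity"="C:\\Users\\victim\\AppData\\Local\\Temp\\xxx_porno.exe"
"SomeUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /silent"
'''

if __name__ == "__main__":
    # regedit writes exports as UTF-16 with a BOM; the "utf-16" codec handles it.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for finding in audit_persistence(parse_reg_export(text)):
        print(finding)
```

Export the two keys with reg export from a rescue environment (loading the victim's NTUSER.DAT) or from a session where the locker is not running, feed the file in, and if the per-user Shell finding appears delete that value rather than setting it to explorer.exe, so the user falls back to the system default. Since the locker does not remove its own entries even after a valid code is entered, both the Shell value and the Run entry have to be cleaned by hand together with the dropped file.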
