Win32/Tobfy


Win32/Tobfy

Postby Win32:Virut » Mon Jun 18, 2012 2:00 pm

Tobfy

MD5: ea8292721a34ca2f1831447868bbe91e

https://www.virustotal.com/file/21c0601 ... /analysis/
Win32:Virut
 
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm
Reputation point: 82

Trojan:Win32/Tobfy

Postby thisisu » Tue Nov 06, 2012 4:24 am

I believe these are considered Reveton, but of course, correct me if I'm wrong.

One of them was running through HKU\..\Run
The other just in same directory

MD5: a3d8e17f2b046317c86c597038c4e00c
https://www.virustotal.com/file/6f1a2a3 ... /analysis/

MD5: 23a9921941e535db22b6e117cc6f0cdb
https://www.virustotal.com/file/81a3c80 ... /analysis/

Code:
HKU\Owner\...\Run: [] C:\Users\Owner\dildptvfbm.exe [109056 2012-11-04] ()

2012-11-04 07:29 - 2012-11-04 07:29 - 00109056 ____A C:\Users\Owner\dildptvfbm.exe
2012-11-04 07:29 - 2012-11-04 07:29 - 00089600 ____A C:\Users\Owner\rojwxdnhuhitlfbrxmht.exe
thisisu
 
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am
Reputation point: 65

Re: Trojan Ransom / FakePoliceAlert

Postby Kafeine » Fri Nov 09, 2012 9:07 pm

MD5: a3d8e17f2b046317c86c597038c4e00c <-- We name it Tobfy (but really similar to Ysreef) https://www.botnets.fr/index.php/Tobfy - https://www.botnets.fr/index.php/Ysreef
It uses the same design as Urausy https://www.botnets.fr/index.php/Urausy
C&c : jgnmnokkl.sunnytime.info /get.php?id=10 <-- Up right now.
(have updated botnets.fr with that data. Thanks thisisu :)
Kafeine
 
Posts: 105
Joined: Thu Jul 28, 2011 1:19 pm
Reputation point: 74

Re: Trojan Ransom / FakePoliceAlert

Postby Win32:Virut » Tue Nov 20, 2012 2:49 pm

Last edited by Xylitol on Wed Nov 21, 2012 8:53 am, edited 1 time in total.
Reason: Rule 3, obfuscate your links if malware related
Win32:Virut
 
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm
Reputation point: 82

Re: Trojan Ransom / FakePoliceAlert

Postby Xylitol » Sun Nov 25, 2012 8:14 pm

Another Multi Locker crap in attach (with unpacked version)
Xylitol
Global Moderator
 
Posts: 1642
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 504

Re: Trojan Ransom / FakePoliceAlert

Postby Cody Johnston » Mon Dec 03, 2012 6:28 pm

Here is another one.

Asking for $300 and the graphic does not look as good. Seems this one works with the audio drivers as well (recording audio?).

- Kills all safeboot keys
- Places startup key in HKCU/HKLM
- Takes about 15 mins to start up interface
- Connects to: 212.83.40.235

MD5: 54d2ddaa17f101acde32a072410b49c3

VT 13/43

https://www.virustotal.com/file/584b0b333b6a988b0873a31a9a09db354b335fb04153e4ee7ca03d72f425947d/analysis/


EDIT: PLAYS audio, not records. Leaves file named '1.mp3' in %userprofile%
Cody Johnston
 
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Reputation point: 69

Re: Trojan Ransom / FakePoliceAlert

Postby RageMachine » Tue Dec 04, 2012 11:08 pm

Interesting one here. Appears to modify SVCHOST, but I couldn't get much further information on it or unpack it without it deleting itself.
RageMachine
 
Posts: 14
Joined: Wed Aug 01, 2012 6:00 pm
Reputation point: 1

Re: Trojan Ransom / FakePoliceAlert

Postby Quads » Wed Dec 05, 2012 2:40 am

RageMachine wrote: Interesting one here. Appears to modify SVCHOST, but I couldn't get much further information on it or unpack it without it deleting itself.


I ran it on my system, no VM or sandbox etc. in use. It took a while to finally load the ransom UI and play the audio message. I also had the system32/spoolsv.exe file get removed.

Quads
 
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand
Reputation point: 22

Re: Trojan Ransom / FakePoliceAlert

Postby EP_X0FF » Wed Dec 05, 2012 4:21 am

RageMachine wrote: Interesting one here. Appears to modify SVCHOST, but I couldn't get much further information on it or unpack it without it deleting itself.


Set break on CreateProcess. Unpacks fine. Same as TeamRocketOps posted.

Code:
Adobe ARM   SOFTWARE\Microsoft\Windows\CurrentVersion\Run   "%s\ifgxpers.exe"   AdobeUpdaters   SOFTWARE\Microsoft\Windows\CurrentVersion   D:\xidpwooedd"  path    %s\ifgxpers.exe System\CurrentControlSet\Control\SafeBoot   SHDeleteKeyA    SHCopyKeyA  Shlwapi.dll System\CurrentControlSet\Control\SafeBoot\%s    net Network mini    Minimal Error HttpSendRequest = %d
    Error HttpOpenReques = %d
 GET Error InternetConnect = %d
    Error InternetOpen = %d
   %s\sound.mp3    %s\1.jpg    URLDownloadToFileA  Urlmon.dll  209.85.229.104      RtlDecodePointer    ntdll   ZwAllocateVirtualMemory close myFile wait   play myFile wait    SetAudio myFile volume to 1000000   mciSendStringA  Winmm.dll   open  "%s" type mpegvideo alias myFile  getunlock.php   picture.php http://62.109.28.231/gtx3d16bv3/upload/img.jpg  http://62.109.28.231/gtx3d16bv3/upload/mp3.mp3  %s\1.bmp    Edit    Button  Pay MoneyPak    You have 72 hours to pay the fine!  Wait! Your request is processed within 24 hours.    picture.php?pin= C:\report.txt


mp3 + jpg in attach

Code:
G:\WORK\WORK_PECEPB\Work_2012 Private\Project L-0-ck_ER\NEW Extern\inject\injc\Release\injc.pdb


Russian origin.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571
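Added triage script (not from any post in this thread) that checks a host for the two effects described above: the SafeBoot\Minimal and SafeBoot\Network keys being deleted (the SHDeleteKeyA / SafeBoot\%s strings in EP_X0FF's dump, "Kills all safeboot keys" in Cody Johnston's post) and a Run-key entry pointing at a randomly named executable dropped straight into a user profile root (as in thisisu's FRST lines). It also looks for the dropped media files named in the strings. The threshold of 10 SafeBoot entries is my assumption for a healthy install; run read-only as Administrator on the suspect host.

```powershell
# Added example, not code from the thread. Read-only checks for the
# persistence and SafeBoot tampering described in the posts above.
$findings = @()

# 1. SafeBoot integrity: a healthy install has both subkeys, each with dozens
#    of driver/service entries. Missing or near-empty keys are a red flag.
#    (10 is an assumed lower bound, not a value from the thread.)
foreach ($variant in 'Minimal', 'Network') {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$variant"
    if (-not (Test-Path $path)) {
        $findings += "SafeBoot\$variant key is missing"
    } else {
        $count = (Get-ChildItem $path -ErrorAction SilentlyContinue | Measure-Object).Count
        if ($count -lt 10) { $findings += "SafeBoot\$variant has only $count entries" }
    }
}

# 2. Run keys in HKCU and HKLM: flag any value whose target executable sits
#    directly under a profile root (C:\Users\<name>\<random>.exe), the
#    placement seen in the FRST log earlier in this thread.
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
        $target = [string]$p.Value
        # Pull the .exe path out, with or without surrounding quotes
        if ($target -match '^"?([A-Za-z]:\\[^"]+?\.exe)"?') { $exe = $Matches[1] } else { continue }
        $parent = Split-Path $exe -Parent
        if ($parent -match '^[A-Za-z]:\\Users\\[^\\]+$' -or
            $parent -match '^[A-Za-z]:\\Documents and Settings\\[^\\]+$') {
            $findings += "$key\$($p.Name) -> $exe (executable in profile root)"
        }
    }
}

# 3. Dropped media used for the lock screen and audio message, per the
#    strings dump (%s\sound.mp3, %s\1.jpg, %s\1.bmp) and Cody's note (1.mp3).
foreach ($f in '1.mp3', 'sound.mp3', '1.jpg', '1.bmp') {
    $fp = Join-Path $env:USERPROFILE $f
    if (Test-Path $fp) { $findings += "Dropped file present: $fp" }
}

if ($findings.Count -eq 0) { 'No Tobfy-style indicators found.' } else { $findings }
```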

Trojan:Win32/Tobfy.S [Ransomware]

Postby R136a1 » Mon Apr 15, 2013 5:47 pm

Description: http://www.microsoft.com/security/porta ... 32/Tobfy.S

Sample: https://www.virustotal.com/en/file/ecbf ... /analysis/

URLs to Images:
ht*p://194.28.173.218/neo27cah10/upload/img.jpg (US)
ht*p://194.28.173.218/78u8fzo4sd/upload/img.jpg (MX)
...
R136a1
 
Posts: 216
Joined: Wed Jul 13, 2011 4:30 pm
Location: Germany
Reputation point: 136
