Win32/Tobfy

Forum for analysis and discussion about malware.
Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Win32/Tobfy

Post by Win32:Virut » Mon Jun 18, 2012 2:00 pm

Tobfy

MD5: ea8292721a34ca2f1831447868bbe91e

https://www.virustotal.com/file/21c0601 ... /analysis/

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Trojan:Win32/Tobfy

Post by thisisu » Tue Nov 06, 2012 4:24 am

I believe these are considered Reveton, but of course, correct me if I'm wrong.

One of them was running through HKU\..\Run.
The other was just in the same directory.

MD5: a3d8e17f2b046317c86c597038c4e00c
https://www.virustotal.com/file/6f1a2a3 ... /analysis/

MD5: 23a9921941e535db22b6e117cc6f0cdb
https://www.virustotal.com/file/81a3c80 ... /analysis/


HKU\Owner\...\Run: [] C:\Users\Owner\dildptvfbm.exe [109056 2012-11-04] ()

2012-11-04 07:29 - 2012-11-04 07:29 - 00109056 ____A C:\Users\Owner\dildptvfbm.exe
2012-11-04 07:29 - 2012-11-04 07:29 - 00089600 ____A C:\Users\Owner\rojwxdnhuhitlfbrxmht.exe
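The two FRST lines above (a Run value with an empty name and no company info, pointing at an executable dropped straight into the profile root, plus a second executable created in the same minute in the same directory) are a pattern worth automating. The following is an added example, not code from the thread or from any tool the posters used: it parses FRST-style autorun and file-listing lines, scores each Run entry against those traits, and pulls out companion files created alongside the autorun target. The scoring thresholds, the random-name heuristic and the sample lines (the ifgxpers.exe entry and its AppData path are modelled on the "Adobe ARM" Run string in EP_X0FF's later string dump; the genuine AdobeARM line is a control) are assumptions.

```python
"""Triage FRST-style autorun and file-listing lines for Tobfy-like persistence.

Added example, not code from the thread. Heuristics and sample lines are assumptions
built from the patterns the posts show (empty value name, no company info, executable
dropped directly in the user profile root, random-looking name, a companion file
created in the same minute in the same directory).
"""
import re
from datetime import datetime

# Autorun lines, e.g.
#   HKU\Owner\...\Run: [] C:\Users\Owner\dildptvfbm.exe [109056 2012-11-04] ()
RUN_RE = re.compile(
    r'^(?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\.\\(?P<key>[^:]+): '
    r'\[(?P<name>[^\]]*)\] (?P<target>.+?) '
    r'\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)\s*$')
# File-listing lines, e.g.
#   2012-11-04 07:29 - 2012-11-04 07:29 - 00109056 ____A C:\Users\Owner\dildptvfbm.exe
FILE_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - '
    r'(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - '
    r'(?P<size>\d+) (?P<attrs>\S+) (?P<path>.+?)\s*$')
EXE_RE = re.compile(r'"([^"]+)"|(\S+?\.exe)', re.IGNORECASE)
PROFILE_ROOT_RE = re.compile(
    r'^[A-Za-z]:\\(Users|Documents and Settings)\\[^\\]+\\[^\\]+$', re.IGNORECASE)
VENDOR_WORDS = ('adobe', 'microsoft', 'google', 'java', 'intel')


def exe_path(target):
    """Strip quoting and arguments from the Run value data."""
    m = EXE_RE.search(target)
    return (m.group(1) or m.group(2)) if m else target.strip()


def looks_random(stem):
    """Crude entropy proxy: a long alphabetic name with few vowels or a long consonant run."""
    s = stem.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    vowels = sum(c in 'aeiouy' for c in s)
    longest_run = max(len(r) for r in re.split(r'[aeiouy]', s))
    return vowels / len(s) < 0.3 or longest_run >= 5


def assess_run_entry(entry):
    """Return the list of suspicious traits for one parsed Run entry."""
    reasons = []
    stem = entry['exe'].rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if PROFILE_ROOT_RE.match(entry['exe']):
        reasons.append('executable sits directly in a user profile root')
    if not entry['name']:
        reasons.append('empty value name')
    if not entry['company']:
        reasons.append('binary carries no company/version info')
    if looks_random(stem):
        reasons.append('random-looking file name')
    if not entry['company'] and any(v in entry['name'].lower() for v in VENDOR_WORDS):
        reasons.append('value name borrows a vendor name the binary does not carry')
    return reasons


def parse(lines):
    """Split log lines into parsed Run entries and parsed file-listing entries."""
    runs, files = [], []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            e = m.groupdict()
            e['exe'] = exe_path(e['target'])
            e['reasons'] = assess_run_entry(e)
            runs.append(e)
            continue
        m = FILE_RE.match(line)
        if m:
            f = m.groupdict()
            f['created_at'] = datetime.strptime(f['created'], '%Y-%m-%d %H:%M')
            files.append(f)
    return runs, files


def companions(run_entry, files, window_minutes=5):
    """Other files created in the same directory within the window around the autorun target."""
    target = run_entry['exe'].lower()
    directory = target.rsplit('\\', 1)[0]
    anchor = next((f for f in files if f['path'].lower() == target), None)
    if anchor is None:
        return []
    out = []
    for f in files:
        p = f['path'].lower()
        if p == target or p.rsplit('\\', 1)[0] != directory:
            continue
        if abs((f['created_at'] - anchor['created_at']).total_seconds()) <= window_minutes * 60:
            out.append(f['path'])
    return out


def triage(lines, min_reasons=2):
    """Flag Run entries with at least min_reasons traits and attach their companion files."""
    runs, files = parse(lines)
    return [{'hive': r['hive'], 'name': r['name'], 'exe': r['exe'],
             'reasons': r['reasons'], 'companions': companions(r, files)}
            for r in runs if len(r['reasons']) >= min_reasons]


# Constructed sample: the first Run line and the file lines mirror thisisu's post; the
# ifgxpers.exe entry and its AppData path are an assumption modelled on the "Adobe ARM"
# Run string in EP_X0FF's dump; the genuine AdobeARM line is a control.
SAMPLE = r"""
HKU\Owner\...\Run: [] C:\Users\Owner\dildptvfbm.exe [109056 2012-11-04] ()
HKLM\...\Run: [Adobe ARM] "C:\Users\Owner\AppData\Roaming\ifgxpers.exe" [89600 2012-12-03] ()
HKLM\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2012-06-13] (Adobe Systems Incorporated)
2012-11-04 07:29 - 2012-11-04 07:29 - 00109056 ____A C:\Users\Owner\dildptvfbm.exe
2012-11-04 07:29 - 2012-11-04 07:29 - 00089600 ____A C:\Users\Owner\rojwxdnhuhitlfbrxmht.exe
2012-11-01 12:00 - 2012-11-01 12:00 - 00004096 ____A C:\Users\Owner\notes.exe
""".strip().splitlines()

if __name__ == '__main__':
    for finding in triage(SAMPLE):
        print(finding)
```

On the constructed sample the empty-named profile-root entry is flagged with four traits and rojwxdnhuhitlfbrxmht.exe comes back as its companion; the fake "Adobe ARM" entry is flagged on missing company info, random name and borrowed vendor name, while the real AdobeARM entry scores zero. The vowel-ratio test is deliberately crude: it will also hit a few legitimate short system names, which is why a single trait is never enough on its own.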

Kafeine
Posts: 105
Joined: Thu Jul 28, 2011 1:19 pm

Re: Trojan Ransom / FakePoliceAlert

Post by Kafeine » Fri Nov 09, 2012 9:07 pm

MD5: a3d8e17f2b046317c86c597038c4e00c <-- We call it Tobfy (but it is really similar to Ysreef) https://www.botnets.fr/index.php/Tobfy - https://www.botnets.fr/index.php/Ysreef
It uses the same design as Urausy https://www.botnets.fr/index.php/Urausy
C&C: jgnmnokkl.sunnytime.info /get.php?id=10 <-- up right now.
(I have updated botnets.fr with that data. Thanks thisisu :)

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Trojan Ransom / FakePoliceAlert

Post by Win32:Virut » Tue Nov 20, 2012 2:49 pm

Image

hxxp://clexphoto300.com/web700/lending/EN.php
hxxp://clexphoto300.com/web700/
hxxp://clexphoto300.com/web700/lending/

https://www.virustotal.com/file/65da159 ... /analysis/
Last edited by Xylitol on Wed Nov 21, 2012 8:53 am, edited 1 time in total.
Reason: Rule 3, obfuscate your links if malware related

Xylitol
Global Moderator
Posts: 1666
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Trojan Ransom / FakePoliceAlert

Post by Xylitol » Sun Nov 25, 2012 8:14 pm

Another Multi Locker crap in attach (with unpacked version)

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: Trojan Ransom / FakePoliceAlert

Post by Cody Johnston » Mon Dec 03, 2012 6:28 pm

Here is another one.

Asking for $300, and the graphic does not look as good. It seems this one works with the audio drivers as well (recording audio?).

- Kills all safeboot keys
- Places startup key in HKCU/HKLM
- Takes about 15 mins to start up interface
- Connects to: 212.83.40.235

MD5: 54d2ddaa17f101acde32a072410b49c3

VT 13/43

https://www.virustotal.com/file/584b0b3 ... /analysis/

Image

EDIT: it PLAYS audio, it does not record. Leaves a file named '1.mp3' in %userprofile%.

RageMachine
Posts: 14
Joined: Wed Aug 01, 2012 6:00 pm

Re: Trojan Ransom / FakePoliceAlert

Post by RageMachine » Tue Dec 04, 2012 11:08 pm

Interesting one here. Appears to modify SVCHOST, but I couldn't get much further information on it or unpack it without it deleting itself.

Quads
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand

Re: Trojan Ransom / FakePoliceAlert

Post by Quads » Wed Dec 05, 2012 2:40 am

RageMachine wrote:Interesting one here. Appears to modify SVCHOST, but I couldn't get much further information on it or unpack it without it deleting itself.
I ran it on my system, no VM or sandbox etc. in use. It took a while to finally load the ransom UI and play the audio message. I also had the system32\spoolsv.exe file get removed.

Quads

EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan Ransom / FakePoliceAlert

Post by EP_X0FF » Wed Dec 05, 2012 4:21 am

RageMachine wrote:Interesting one here. Appears to modify SVCHOST, but I couldn't get much further information on it or unpack it without it deleting itself.
Set a breakpoint on CreateProcess. It unpacks fine. Same as TeamRocketOps posted.


Adobe ARM
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"%s\ifgxpers.exe"
AdobeUpdaters
SOFTWARE\Microsoft\Windows\CurrentVersion
D:\xidpwooedd"
path
%s\ifgxpers.exe
System\CurrentControlSet\Control\SafeBoot
SHDeleteKeyA
SHCopyKeyA
Shlwapi.dll
System\CurrentControlSet\Control\SafeBoot\%s
net
Network
mini
Minimal
Error HttpSendRequest = %d
Error HttpOpenReques = %d
GET
Error InternetConnect = %d
Error InternetOpen = %d
%s\sound.mp3
%s\1.jpg
URLDownloadToFileA
Urlmon.dll
209.85.229.104
RtlDecodePointer
ntdll
ZwAllocateVirtualMemory
close myFile wait
play myFile wait
SetAudio myFile volume to 1000000
mciSendStringA
Winmm.dll
open "%s" type mpegvideo alias myFile
getunlock.php
picture.php
http://62.109.28.231/gtx3d16bv3/upload/img.jpg
http://62.109.28.231/gtx3d16bv3/upload/mp3.mp3
%s\1.bmp
Edit
Button
Pay MoneyPak
You have 72 hours to pay the fine!
Wait! Your request is processed within 24 hours.
picture.php?pin=
C:\report.txt
mp3 + jpg in attach


G:\WORK\WORK_PECEPB\Work_2012 Private\Project L-0-ck_ER\NEW Extern\inject\injc\Release\injc.pdb 
Russian origin.
Ring0 - the source of inspiration

R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Trojan:Win32/Tobfy.S [Ransomware]

Post by R136a1 » Mon Apr 15, 2013 5:47 pm

Description: http://www.microsoft.com/security/porta ... 32/Tobfy.S

Sample: https://www.virustotal.com/en/file/ecbf ... /analysis/

URLs to Images:
ht*p://194.28.173.218/neo27cah10/upload/img.jpg (US)
ht*p://194.28.173.218/78u8fzo4sd/upload/img.jpg (MX)
...
