Ransom Weelsof

Forum for analysis and discussion about malware.
Blaze
Posts: 199
Joined: Fri Aug 27, 2010 7:35 am

Ransom Weelsof

Post by Blaze » Wed May 16, 2012 8:07 am

MD5: 327cea8d93ff1094fe1ba9008e8c5657
https://www.virustotal.com/file/d2164cd ... /analysis/

Belgium ransomware.

tachion
Posts: 32
Joined: Sat Dec 24, 2011 10:03 am

Re: Trojan Ransom / FakePoliceAlert

Post by tachion » Wed May 16, 2012 8:39 pm

Blaze

Nice, Ransom Polish police :D


tachion
Posts: 32
Joined: Sat Dec 24, 2011 10:03 am

Re: Trojan Ransom / FakePoliceAlert

Post by tachion » Tue May 22, 2012 7:05 pm

Ransomware - FakePoliceAlert
9cd87975bfd230a767d497a1f5dfbf4d
https://www.virustotal.com/file/3e3f980 ... /analysis/

Detailed report of suspicious malware actions:

Created a mutex named: Local\!IETld!Mutex
Defined file type created in Windows folder: C:\Windows\explorer_new.exe
Defined file type created in Windows folder: C:\Windows\jdnmpqrzkxwacfnypbbv.exe
Defined file type created: C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined file type created: C:\ProgramData\ugjuzuaefophikn\jquery.main.js
Defined file type created: C:\ProgramData\ugjuzuaefophikn\main.html
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer_new.exe
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Deleted activity traces
Detected process privilege elevation
File copied itself
Got computer name
Internet connection: Connects to "62.76.47.158" on port 80.
Internet connection: Connects to "euro-police.in" on port 80.

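The sandbox report above is a flat list of sentences; a defender usually wants it as structured indicators plus a short list of what actually matters for containment (the Winlogon Shell replacement, the Run keys pointing into C:\ProgramData, the executables dropped into the Windows folder, the two network endpoints). The following Python is an added example, not code from the post or from the sandbox that produced the report; it assumes the report keeps exactly the phrasing shown above, and the embedded sample is a copy of those lines.

```python
import re
from dataclasses import dataclass, field

# Sandbox report lines copied from the post above (sample input for this example).
REPORT = r"""
Created a mutex named: Local\!IETld!Mutex
Defined file type created in Windows folder: C:\Windows\explorer_new.exe
Defined file type created in Windows folder: C:\Windows\jdnmpqrzkxwacfnypbbv.exe
Defined file type created: C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined file type created: C:\ProgramData\ugjuzuaefophikn\jquery.main.js
Defined file type created: C:\ProgramData\ugjuzuaefophikn\main.html
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer_new.exe
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Deleted activity traces
Internet connection: Connects to "62.76.47.158" on port 80.
Internet connection: Connects to "euro-police.in" on port 80.
"""

MUTEX_RE = re.compile(r"^Created a mutex named: (.+)$")
FILE_RE = re.compile(r"^Defined file type created(?: in Windows folder)?: (.+)$")
AUTOSTART_RE = re.compile(r"^Defined registry AutoStart location created or modified: (.+?) = (.+)$")
NET_RE = re.compile(r'^Internet connection: Connects to "([^"]+)" on port (\d+)\.$')


@dataclass
class Iocs:
    mutexes: list = field(default_factory=list)
    files: list = field(default_factory=list)
    autostarts: list = field(default_factory=list)  # (registry key, value)
    network: list = field(default_factory=list)     # (host, port)


def parse_report(text):
    """Turn the report's sentence-per-line format into grouped indicators."""
    iocs = Iocs()
    for line in text.strip().splitlines():
        line = line.strip()
        if m := MUTEX_RE.match(line):
            iocs.mutexes.append(m.group(1))
        elif m := FILE_RE.match(line):
            iocs.files.append(m.group(1))
        elif m := AUTOSTART_RE.match(line):
            iocs.autostarts.append((m.group(1), m.group(2)))
        elif m := NET_RE.match(line):
            iocs.network.append((m.group(1), int(m.group(2))))
        # Lines such as "Deleted activity traces" carry no indicator and are skipped.
    return iocs


def assess_persistence(iocs):
    """Return human-readable findings for the persistence and drop locations."""
    findings = []
    for key, value in iocs.autostarts:
        key_l, value_l = key.lower(), value.lower()
        # Winlogon\Shell normally holds "explorer.exe"; anything else replaces the desktop shell.
        if key_l.endswith("\\winlogon\\shell") and value_l != "explorer.exe":
            findings.append(f"Winlogon Shell replaced: {key} = {value}")
        # Run keys whose target lives in a user-writable directory are the classic lock-screen autostart.
        elif "\\currentversion\\run\\" in key_l and value_l.startswith(("c:\\programdata\\", "c:\\users\\")):
            findings.append(f"Run key points to user-writable path: {key} = {value}")
    for path in iocs.files:
        path_l = path.lower()
        # An .exe written directly into C:\Windows (not a subfolder) is rarely legitimate.
        if path_l.startswith("c:\\windows\\") and path_l.endswith(".exe") \
                and "\\" not in path_l[len("c:\\windows\\"):]:
            findings.append(f"Executable dropped into Windows folder: {path}")
    return findings


if __name__ == "__main__":
    iocs = parse_report(REPORT)
    for host, port in iocs.network:
        print(f"block/alert: {host}:{port}")
    for finding in assess_persistence(iocs):
        print(finding)
```

The findings list is what you would hand to whoever cleans the machine: restore the Winlogon Shell value to `explorer.exe`, delete the two Run entries, and remove the dropped files; the network pairs go to the proxy or DNS blocklist.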

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Trojan Ransom / FakePoliceAlert

Post by thisisu » Wed May 23, 2012 3:24 am

Metropolitan Police - UK
MD5: 1303adf0a0aa3ff3b4a7c818c452853c
https://www.virustotal.com/file/425c42d ... /analysis/
Some details / removal tips


Xylitol
Global Moderator
Posts: 1652
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Trojan:Win32/Weelsof

Post by Xylitol » Fri May 25, 2012 7:38 am

Weelsof package + unpacked and some old design.
I've used the TDS to determine the winlock history:
[Dumped] 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F83FCDA (09:26:50 - 10/04/2012) » weelsoffortune.info
Packed: 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F84A969 (21:43:05 - 10/04/2012)

[Dumped] 62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df • 4F854EC3 (09:28:35 - 11/04/2012) » weelsoffortune.info
Packed: 62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df • 4F8644BB (02:58:03 - 12/04/2012)

[Dumped] 73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960 • 4F8C315F (14:49:03 - 16/04/2012) » trybesmart.in
Packed: 73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960 • 4F8DFBBF (23:24:47 - 17/04/2012)
Packed: be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d • 4F90A68A (23:58:02 - 19/04/2012)
Packed: 61318fa1f1db342045573d584badc254c9e2578db916594dc749d8cc44ce8ac4 • 4F91F15B (23:29:31 - 20/04/2012)
Packed: 425c42d6108db6b6b5cbda7a5417b5f55225c47ac588f5f0a293c2b07a78d14b • 4F9906FF (08:27:43 - 26/04/2012)

[Dumped] 4f0b6605434c1355b10950024eaa9f695822278f57c29275706c0e5b29b369b0 • 4F9911B3 (09:13:23 - 26/04/2012) » trybesmart.in
Packed: 19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf • 4F9B33C5 (00:03:17 - 28/04/2012)
Packed: 78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b • 4FA04B59 (20:45:13 - 01/05/2012)
Packed: d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523 • 4FA478A6 (00:47:34 - 05/05/2012)
Packed: 4f0b6605434c1355b10950024eaa9f695822278f57c29275706c0e5b29b369b0 • 4FA6FBBB (22:31:23 - 06/05/2012)
Packed: 80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2 • 4FAAF59A (22:54:18 - 09/05/2012)
Packed: ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2 • 4FAD9768 (22:49:12 - 11/05/2012)

[Dumped] d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4 • 4FB252FB (12:58:35 - 15/05/2012) » police-center.in
Packed: d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4 • 4FB30D08 (02:12:24 - 16/05/2012)
Packed: 46ca6b1972c81eab77202146184afe95b797bd4e3788c59e8036e748b55fc28c • 4FB566FC (21:00:44 - 17/05/2012)

[Dumped] 3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458 • 4FBA3695 (12:35:33 - 21/05/2012) » euro-police.in
Packed: 3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458 • 4FBADA26 (00:13:26 - 22/05/2012)
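The "TDS" in the listing above is the PE header TimeDateStamp, a 32-bit count of seconds since the Unix epoch, written in hex; the bracketed times are that value rendered as UTC (for instance 0x4F83FCDA is 1334050010, which is 10/04/2012 09:26:50). The Python below is an added example, not the tool or code of the poster: it parses the listing into one group per dumped core, checks that each stated time really is the hex stamp, and reports how many hours after the core's stamp each packed build was stamped, which is what makes the repacking cadence visible. It assumes the exact line layout above (with or without the opening parenthesis) and embeds two groups copied from the post as sample input.

```python
import re
from datetime import datetime, timezone

# Two [Dumped] groups copied from the post above (sample input for this example).
TDS_LINES = """
[Dumped] 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F83FCDA (09:26:50 - 10/04/2012) » weelsoffortune.info
Packed: 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F84A969 (21:43:05 - 10/04/2012)

[Dumped] 3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458 • 4FBA3695 12:35:33 - 21/05/2012) » euro-police.in
Packed: 3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458 • 4FBADA26 (00:13:26 - 22/05/2012)
"""

# Tolerates the missing "(" seen on some lines of the post.
LINE_RE = re.compile(
    r"^(?P<kind>\[Dumped\]|Packed:)\s+(?P<sha256>[0-9a-f]{64})\s+•\s+(?P<tds>[0-9A-Fa-f]{8})"
    r"\s+\(?(?P<time>\d\d:\d\d:\d\d) - (?P<date>\d\d/\d\d/\d{4})\)?"
    r"(?:\s+»\s+(?P<domain>\S+))?\s*$"
)


def tds_to_utc(tds_hex):
    """Decode a PE TimeDateStamp (hex string) into an aware UTC datetime."""
    return datetime.fromtimestamp(int(tds_hex, 16), tz=timezone.utc)


def parse_timeline(text):
    """Group the listing by dumped core and annotate each packed build with its delay."""
    groups, current = [], None
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank separator lines between groups
        built = tds_to_utc(m["tds"])
        stated = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S") \
            .replace(tzinfo=timezone.utc)
        entry = {
            "sha256": m["sha256"],
            "tds": m["tds"].upper(),
            "built": built,
            "matches_stated": built == stated,  # cross-check of the hex against the text
        }
        if m["kind"] == "[Dumped]":
            current = {"domain": m["domain"], "core": entry, "packed": []}
            groups.append(current)
        elif current is not None:
            delta = built - current["core"]["built"]
            entry["hours_after_core"] = round(delta.total_seconds() / 3600, 2)
            current["packed"].append(entry)
    return groups


def all_stamps_consistent(groups):
    """True when every hex stamp decodes to the time written next to it."""
    return all(e["matches_stated"] for g in groups for e in [g["core"], *g["packed"]])


if __name__ == "__main__":
    for g in parse_timeline(TDS_LINES):
        core = g["core"]
        print(f"{g['domain']}: core built {core['built']:%Y-%m-%d %H:%M:%S} UTC")
        for p in g["packed"]:
            print(f"  packed {p['sha256'][:12]}... +{p['hours_after_core']} h")
```

Running it on the full listing in the post shows the pattern the poster is pointing at: each unpacked core is stamped once, and the packed binaries that reach victims are stamped hours to weeks later, with the C2 domain changing only when a new core appears.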

Xylitol
Global Moderator
Posts: 1652
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Trojan Ransom / FakePoliceAlert

Post by Xylitol » Wed May 30, 2012 2:36 pm

Weelsof ransom themes (AT,FI,DE,BE,FR,GR,IT,NL,PL,PT,ES,SW,SH) and sample in attach.
Also some news... they moved; the previous machine hosted on clodo.ru was shut down.


• dns: 1 ›› ip: 95.163.104.89 - adresse: DOLORES.CURSOPERSONA.COM
still same shit dolores.cursopersona.com/cp.php

packed bin tds: 4FC0D14D - 12:49:17, 26 may
dumped version: 4FBF2E76 - 07:02:14, 25 may 2012

edit: 62.76.41.126 is back.
Last edited by Xylitol on Wed May 30, 2012 3:38 pm, edited 1 time in total.

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Trojan Ransom / FakePoliceAlert

Post by thisisu » Tue Jun 05, 2012 7:58 am

Gimemo - France - "Gendarmerie Nationale" v2
MD5: 1e3711818e1c1474ef24c4a59843be74
https://www.virustotal.com/file/9ccd219 ... /analysis/


C:\sOxs5YdeJvsd\sOxs5YdeJvsd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | sOxs5YdeJvsd
Additional info here.

Xylitol
Global Moderator
Posts: 1652
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Trojan Ransom / FakePoliceAlert

Post by Xylitol » Thu Jun 07, 2012 8:57 am

thisisu wrote: Gimemo - France - "Gendarmerie Nationale" v2
Not Gimemo, and not a 'v2'
just some lame shit made by kids, panel and even the ransom is clearly unprofessional work.

In attach last weelsof dump.

Blaze
Posts: 199
Joined: Fri Aug 27, 2010 7:35 am

Re: Trojan Ransom / FakePoliceAlert

Post by Blaze » Fri Jun 08, 2012 2:03 pm

Another one.

tachion
Posts: 32
Joined: Sat Dec 24, 2011 10:03 am

Re: Trojan Ransom / FakePoliceAlert

Post by tachion » Tue Jun 12, 2012 9:39 pm

Ransomware FakePoliceAlert - Weelsof
266c9d0777c36e74e95edd60e903a95b
https://www.virustotal.com/file/a71c0d0 ... 339529596/
