Ransom Weelsof

Forum for analysis and discussion about malware.

Ransom Weelsof

Postby Blaze » Wed May 16, 2012 8:07 am

MD5: 327cea8d93ff1094fe1ba9008e8c5657
https://www.virustotal.com/file/d2164cd ... /analysis/

Belgium ransomware.
[attachment not viewable]

Re: Trojan Ransom / FakePoliceAlert

Postby tachion » Wed May 16, 2012 8:39 pm

Blaze

Nice, ransom Polish police :D

[image]

Re: Trojan Ransom / FakePoliceAlert

Postby tachion » Tue May 22, 2012 7:05 pm

Ransomware - FakePoliceAlert
9cd87975bfd230a767d497a1f5dfbf4d
https://www.virustotal.com/file/3e3f980 ... /analysis/

Detailed report of suspicious malware actions:

Created a mutex named: Local\!IETld!Mutex
Defined file type created in Windows folder: C:\Windows\explorer_new.exe
Defined file type created in Windows folder: C:\Windows\jdnmpqrzkxwacfnypbbv.exe
Defined file type created: C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined file type created: C:\ProgramData\ugjuzuaefophikn\jquery.main.js
Defined file type created: C:\ProgramData\ugjuzuaefophikn\main.html
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer_new.exe
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Deleted activity traces
Detected process privilege elevation
File copied itself
Got computer name
Internet connection: Connects to "62.76.47.158" on port 80.
Internet connection: Connects to "euro-police.in" on port 80.


[image]
[attachment not viewable]
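An added example, not part of tachion's post, that turns the autostart lines of the report above into a check. The point of this sample is the Winlogon Shell value: by default it is explorer.exe, and replacing it means the locker page comes up at logon instead of the desktop; the two Run entries pointing into C:\ProgramData are the second persistence mechanism. The parser, the directory heuristic and the benign VMware Tools line are my own constructions; the three malicious lines are copied from the report.

```python
import ntpath
import re

# Three lines copied from the sandbox report above, plus one benign Run entry
# (VMware Tools) constructed for contrast; the benign line is not from the report.
REPORT = r"""
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer_new.exe
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows\CurrentVersion\Run\VMwareTools = C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
"""

AUTOSTART_RE = re.compile(
    r"AutoStart location created or modified: (?P<key>.+?)\\(?P<name>[^\\]+) = (?P<data>.+)$"
)

# Directories where a legitimate autostart binary is rarely found. ProgramData
# is writable by any user; the Windows root needs elevation (the report notes
# privilege elevation), but neither is where real autostart binaries live.
SUSPECT_DIRS = {"c:\\programdata", "c:\\windows"}


def parse_autostart(line):
    """Split one sandbox 'AutoStart' line into (registry key, value name, data)."""
    m = AUTOSTART_RE.search(line)
    if not m:
        return None
    return m["key"], m["name"], m["data"].strip()


def image_path(data):
    """Return the executable path from a Run value, dropping any arguments."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data


def triage_autostart(key, name, data):
    """Return a finding string for a suspicious autostart entry, or None."""
    key_l = key.lower()
    if key_l.endswith("\\winlogon") and name.lower() == "shell":
        # Winlogon's Shell value is 'explorer.exe' by default; any other value
        # replaces the desktop at logon, which is how a locker shows its page
        # instead of the desktop. 'explorer_new.exe' carries no path, so it is
        # resolved through the system search path, which includes C:\Windows
        # where the dropper wrote it.
        if data.lower() != "explorer.exe":
            return f"Winlogon Shell hijack: Shell = {data}"
        return None
    if key_l.endswith("\\run") or key_l.endswith("\\runonce"):
        exe = image_path(data)
        directory = ntpath.dirname(exe).lower()
        if directory in SUSPECT_DIRS or directory.startswith("c:\\users\\"):
            return f"Run value '{name}' starts a binary from {directory}: {exe}"
    return None


def triage_report(text):
    """Run the checks over every autostart line of a report; returns the findings."""
    findings = []
    for line in text.splitlines():
        parsed = parse_autostart(line)
        if parsed is None:
            continue
        finding = triage_autostart(*parsed)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_report(REPORT):
        print(f)
```

Run as-is it prints three findings (the Shell hijack and the two Run values) and stays silent on the VMware line; the same two functions can be pointed at a live machine's Winlogon and Run keys exported with reg.exe, since the check only needs key, name and data.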

Re: Trojan Ransom / FakePoliceAlert

Postby thisisu » Wed May 23, 2012 3:24 am

Metropolitan Police - UK
MD5: 1303adf0a0aa3ff3b4a7c818c452853c
https://www.virustotal.com/file/425c42d ... /analysis/
Some details / removal tips

[image]
[attachment not viewable]

Trojan:Win32/Weelsof

Postby Xylitol » Fri May 25, 2012 7:38 am

Weelsof package + unpacked and some old design.
I've used the TDS to determine the winlock history:
[Dumped] 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F83FCDA (09:26:50 - 10/04/2012) » weelsoffortune.info
Packed: 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F84A969 (21:43:05 - 10/04/2012)

[Dumped] 62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df • 4F854EC3 (09:28:35 - 11/04/2012) » weelsoffortune.info
Packed: 62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df • 4F8644BB (02:58:03 - 12/04/2012)

[Dumped] 73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960 • 4F8C315F (14:49:03 - 16/04/2012) » trybesmart.in
Packed: 73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960 • 4F8DFBBF (23:24:47 - 17/04/2012)
Packed: be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d • 4F90A68A (23:58:02 - 19/04/2012)
Packed: 61318fa1f1db342045573d584badc254c9e2578db916594dc749d8cc44ce8ac4 • 4F91F15B (23:29:31 - 20/04/2012)
Packed: 425c42d6108db6b6b5cbda7a5417b5f55225c47ac588f5f0a293c2b07a78d14b • 4F9906FF (08:27:43 - 26/04/2012)

[Dumped] 4f0b6605434c1355b10950024eaa9f695822278f57c29275706c0e5b29b369b0 • 4F9911B3 (09:13:23 - 26/04/2012) » trybesmart.in
Packed: 19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf • 4F9B33C5 (00:03:17 - 28/04/2012)
Packed: 78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b • 4FA04B59 (20:45:13 - 01/05/2012)
Packed: d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523 • 4FA478A6 (00:47:34 - 05/05/2012)
Packed: 4f0b6605434c1355b10950024eaa9f695822278f57c29275706c0e5b29b369b0 • 4FA6FBBB (22:31:23 - 06/05/2012)
Packed: 80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2 • 4FAAF59A (22:54:18 - 09/05/2012)
Packed: ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2 • 4FAD9768 (22:49:12 - 11/05/2012)

[Dumped] d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4 • 4FB252FB (12:58:35 - 15/05/2012) » police-center.in
Packed: d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4 • 4FB30D08 (02:12:24 - 16/05/2012)
Packed: 46ca6b1972c81eab77202146184afe95b797bd4e3788c59e8036e748b55fc28c • 4FB566FC (21:00:44 - 17/05/2012)

[Dumped] 3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458 • 4FBA3695 (12:35:33 - 21/05/2012) » euro-police.in
Packed: 3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458 • 4FBADA26 (00:13:26 - 22/05/2012)
[attachment not viewable]
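Added example, not part of Xylitol's post: the eight hex digits next to each hash are the PE/COFF TimeDateStamp, seconds since 1970-01-01 UTC, which is what the TDS list is built from. The code reads that field straight from a PE header, decodes the listed values, checks each against the time stated in the list, and reports how long after each dumped (inner) binary was built its packed sample appeared. The header stub, the line parser and the pairing of each "Packed:" line with the preceding "[Dumped]" line are assumptions of the example; the four sample lines are a subset of the list above.

```python
import re
import struct
from datetime import datetime, timezone

# A subset of the TDS list above (hashes and stamps as posted), in the
# "[Dumped] / Packed:" form used there.
TDS_LINES = r"""
[Dumped] 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F83FCDA (09:26:50 - 10/04/2012) » weelsoffortune.info
Packed: 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F84A969 (21:43:05 - 10/04/2012)
[Dumped] d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4 • 4FB252FB (12:58:35 - 15/05/2012) » police-center.in
Packed: d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4 • 4FB30D08 (02:12:24 - 16/05/2012)
"""

LINE_RE = re.compile(
    r"^(?P<kind>\[Dumped\]|Packed:)\s+(?P<sha256>[0-9a-f]{64})\s+•\s+(?P<tds>[0-9A-Fa-f]{8})"
    r"\s+\((?P<time>\d\d:\d\d:\d\d) - (?P<date>\d\d/\d\d/\d{4})\)(?:\s+»\s+(?P<domain>\S+))?"
)


def pe_timestamp(tds):
    """Decode a COFF TimeDateStamp: seconds since 1970-01-01 00:00:00 UTC."""
    return datetime.fromtimestamp(tds, tz=timezone.utc)


def read_timestamp(data):
    """Read TimeDateStamp from a PE image: e_lfanew sits at offset 0x3C of the
    DOS header, the 'PE\\0\\0' signature at e_lfanew, and in the COFF header
    that follows, the 4-byte stamp comes after Machine (2) and NumberOfSections (2)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (tds,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return tds


def build_fake_pe(tds):
    """Constructed MZ/PE header stub (not a runnable binary) carrying the given
    TimeDateStamp, so read_timestamp can be exercised without a real sample."""
    hdr = bytearray(0x40 + 4 + 20)            # DOS header, PE signature, COFF header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, 0x014C, 3, tds)  # Machine=i386, 3 sections, stamp
    return bytes(hdr)


def parse_tds_line(line):
    """Parse one list line; adds the decoded stamp and the time stated in the list."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["tds"] = int(row["tds"], 16)
    row["stated"] = datetime.strptime(
        f"{row['date']} {row['time']}", "%d/%m/%Y %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    row["decoded"] = pe_timestamp(row["tds"])
    return row


def check_tds_lines(text):
    """Return (consistent, pairs). consistent: every stated time equals its decoded
    stamp. pairs: (dump stamp, pack stamp, delay) for each 'Packed:' line, paired
    with the most recent '[Dumped]' line above it, as the list groups them."""
    rows = [r for r in map(parse_tds_line, text.splitlines()) if r]
    consistent = all(r["stated"] == r["decoded"] for r in rows)
    pairs, last_dump = [], None
    for r in rows:
        if r["kind"] == "[Dumped]":
            last_dump = r
        elif last_dump is not None:
            pairs.append((last_dump["decoded"], r["decoded"], r["decoded"] - last_dump["decoded"]))
    return consistent, pairs


if __name__ == "__main__":
    ok, pairs = check_tds_lines(TDS_LINES)
    print("stated times match stamps:", ok)
    for dumped, packed, delay in pairs:
        print(f"built {dumped:%Y-%m-%d %H:%M:%S}, packed {packed:%Y-%m-%d %H:%M:%S}, delay {delay}")
```

For the two pairs above the delay between the inner binary's build and its packed sample is about 12 and 13 hours; the stamp is trivially forged, so it dates a build only when, as here, successive samples move forward consistently and agree with the dates they were first seen.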

Re: Trojan Ransom / FakePoliceAlert

Postby Xylitol » Wed May 30, 2012 2:36 pm

Weelsof ransom themes (AT,FI,DE,BE,FR,GR,IT,NL,PL,PT,ES,SW,SH) and sample in attach.
Also some news... they moved; the previous machine hosted on clodo.ru was shut down.
• dns: 1 ›› ip: 95.163.104.89 - address: DOLORES.CURSOPERSONA.COM

Still the same shit: dolores.cursopersona.com/cp.php

Packed bin TDS: 4FC0D14D - 12:49:17, 26 May
Dumped version: 4FBF2E76 - 07:02:14, 25 May 2012

edit: 62.76.41.126 is back.
[attachment not viewable]

Re: Trojan Ransom / FakePoliceAlert

Postby thisisu » Tue Jun 05, 2012 7:58 am

Gimemo - France - "Gendarmerie Nationale" v2
MD5: 1e3711818e1c1474ef24c4a59843be74
https://www.virustotal.com/file/9ccd219 ... /analysis/
C:\sOxs5YdeJvsd\sOxs5YdeJvsd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | sOxs5YdeJvsd

Additional info here.
[attachment not viewable]

Re: Trojan Ransom / FakePoliceAlert

Postby Xylitol » Thu Jun 07, 2012 8:57 am

thisisu wrote: Gimemo - France - "Gendarmerie Nationale" v2

Not Gimemo, and not a 'v2';
just some lame shit made by kids. The panel and even the ransom are clearly unprofessional work.

In attach: last Weelsof dump.
[attachment not viewable]

Re: Trojan Ransom / FakePoliceAlert

Postby Blaze » Fri Jun 08, 2012 2:03 pm

Another one.
[attachment not viewable]

Re: Trojan Ransom / FakePoliceAlert

Postby tachion » Tue Jun 12, 2012 9:39 pm

Ransomware FakePoliceAlert - Weelsof
266c9d0777c36e74e95edd60e903a95b
https://www.virustotal.com/file/a71c0d0 ... 339529596/
[attachment not viewable]
