Ransom.TechSupportScam.PCCleaner

Forum for analysis and discussion about malware.
Post Reply
slipstream-
Posts: 17
Joined: Tue Sep 23, 2014 7:42 pm

Ransom.TechSupportScam.PCCleaner

Post by slipstream- » Tue May 03, 2016 6:33 pm

This is a winlocker of Indian origin. (used to try to get people to call tech support scams)

Using any one of hardcoded serials "h7c9-7c67-jb" "g6r-qrp6-h2" "yt-mq-6w" starts explorer and appwiz, probably so whoever is remoted in can remove the winlocker.

Also, ctrl+shift+S just kills the winlocker, and does nothing else.

Also, ctrl+shift+T starts a bundled teamviewer setup (seems to be legitimate, judging by signature)

Attached: "PC Cleaner.exe" (installer, .msi in resources), plus deobfuscated versions of the three binaries included that are obfuscated with .NET Reactor + native wrapper. (Which, for the record, makes the detection rate of the packed files higher than the unpacked files.)

VT analyses:
Installer: https://www.virustotal.com/en-gb/file/b ... 462299202/
MSI: https://www.virustotal.com/en-gb/file/9 ... 462299262/
MicrosoftTool.exe (does half of the job of setting up the winlocker, it gets added to the GAC by the .msi which runs its MicrosoftInstaller.Install() function): https://www.virustotal.com/en-gb/file/0 ... 462299550/
microsoft.exe (main winlocker, packed): https://www.virustotal.com/en-gb/file/d ... 462299752/
microsoft.exe (main winlocker, unpacked): https://www.virustotal.com/en-gb/file/0 ... 462299768/
PC_cleaner_database.exe (checks for a number to call, runs the main winlocker if found, packed): https://www.virustotal.com/en-gb/file/b ... 462299862/
PC_cleaner_database.exe (unpacked): https://www.virustotal.com/en-gb/file/3 ... 462299870/
You do not have the required permissions to view the files attached to this post.

Post Reply