Trojan Ransom / FakePoliceAlert

Forum for analysis and discussion about malware.
markusg
Posts: 736
Joined: Mon Mar 15, 2010 2:53 pm

Mon Jun 20, 2011 8:56 am

Xylitol
Global Moderator
Posts: 1684
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Mon Jun 20, 2011 10:30 am

Hello, in attach unpacked sample

Image

20/41 >> 48.8%
http://www.virustotal.com/file-scan/rep ... 1308565159
markusg
Posts: 736
Joined: Mon Mar 15, 2010 2:53 pm

Wed Oct 05, 2011 5:32 pm

EP_X0FF
Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Wed Oct 05, 2011 5:46 pm

Trojan ransom

posts moved.
Ring0 - the source of inspiration
markusg
Posts: 736
Joined: Mon Mar 15, 2010 2:53 pm

Thu Oct 20, 2011 2:15 pm

explorer.exe
MD5: 412cc709170aff1a15e895e16c397244
http://www.virustotal.com/file-scan/rep ... 1319118846
EP_X0FF
Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Thu Oct 20, 2011 2:53 pm

markusg wrote: explorer.exe
MD5: 412cc709170aff1a15e895e16c397244
http://www.virustotal.com/file-scan/report.html?id=73f1f147380c03dad7fccfb5639e9d784d53f6a971821a772908d7aeb7f600f0-1319118846
Calls home hxxp://91.228.160.157/de/2/gate.php?cmd=ul&id=gpo5fv71j6hfh3x2

Replaces explorer.exe with malware copy.

Terminates taskmanager and process explorer.

In attach decrypted.
W:\locker\locker\Release\locker.pdb
Ring0 - the source of inspiration
Maxstar
Posts: 88
Joined: Wed Jan 26, 2011 10:20 am

Fri Nov 18, 2011 2:09 pm

EP_X0FF
Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Fri Nov 18, 2011 2:29 pm

Interesting. Internally this sample looks equal to those posted by markusg earlier.
y:\src\_cpp\bwin_nl\Release\bwin3.pdb
Take a look at the debug path string, bwin_nl.

Also the same call home address hxxp://89.248.165.131

The only difference is in the resources part. Different HTML and images.

Fully decrypted workable sample in attach.
Ring0 - the source of inspiration
S!Ri
Posts: 5
Joined: Fri Sep 02, 2011 7:36 am

Mon Nov 21, 2011 8:37 am

Didn't see this Spanish version (or I missed it):

Image
Xylitol
Global Moderator
Posts: 1684
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Tue Nov 22, 2011 6:06 pm

Image

Switzerland version
It does a GET request and calls tools.ip2location.com as usual later

GET /i.php?a=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible;)
Host: 89.248.165.131
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 22 Nov 2011 17:22:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

The following URLs were found on the server:

http://89.248.165.131:80/cgi-bin/
http://89.248.165.131:80/icons/
http://89.248.165.131:80/webmail/
http://89.248.165.131:80/error/
http://89.248.165.131:80/manager/
http://89.248.165.131:80/disabled/
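Added example, not from the thread: a small proxy-log triage script that matches the traffic pattern quoted above (the bare "Mozilla/4.0 (compatible;)" User-Agent, the /i.php?a=N and gate.php?cmd=ul&id= beacon paths, the two hosts called home to, and the tools.ip2location.com lookup). The log format and the sample lines are constructed for the example.

```python
import re

# Indicators taken from the posts above; the Mozilla/4.0 (compatible;) UA is a
# bare string with no platform tokens, which real browsers do not send.
KNOWN_C2_HOSTS = {"89.248.165.131", "91.228.160.157"}
GEOIP_LOOKUP_HOSTS = {"tools.ip2location.com"}
SUSPICIOUS_UA = "Mozilla/4.0 (compatible;)"
BEACON_PATHS = [
    re.compile(r"^/i\.php\?a=\d+$"),                 # first check-in seen in the capture
    re.compile(r"/gate\.php\?cmd=ul&id=[0-9a-z]+$"),  # gate beacon with bot id
]

# Constructed log format: <timestamp> <client ip> <method> <host> <path> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
                    r'(?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')


def classify(line):
    """Return the list of matched indicators for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if m["host"] in KNOWN_C2_HOSTS:
        reasons.append("known-c2-host")
    if any(p.search(m["path"]) for p in BEACON_PATHS):
        reasons.append("beacon-path")
    if m["ua"] == SUSPICIOUS_UA:
        reasons.append("minimal-ua")
    if m["host"] in GEOIP_LOOKUP_HOSTS:
        reasons.append("geoip-lookup")  # weak on its own, strong next to the others
    return reasons


def scan(lines):
    """Return (client ip, reasons) for every line that matched at least one indicator."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((LOG_RE.match(line)["src"], reasons))
    return hits


# Constructed sample log: two infected clients plus one normal browser request.
SAMPLE_LOG = [
    '2011-11-22T17:22:23Z 10.0.0.15 GET 89.248.165.131 /i.php?a=2 "Mozilla/4.0 (compatible;)"',
    '2011-11-22T17:22:24Z 10.0.0.15 GET tools.ip2location.com / "Mozilla/4.0 (compatible;)"',
    '2011-10-20T12:01:05Z 10.0.0.22 GET 91.228.160.157 /de/2/gate.php?cmd=ul&id=gpo5fv71j6hfh3x2 "Mozilla/4.0 (compatible;)"',
    '2011-11-22T17:30:00Z 10.0.0.31 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0"',
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, ", ".join(reasons))
```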