DMA Locker 4.0

Forum for analysis and discussion about malware.
rootjacker
Posts: 6
Joined: Wed Jun 01, 2011 8:06 pm

Tue May 24, 2016 1:09 pm

DMA Locker 4.0 found at hxxp://80.87.205.115/2/bbv.exe
xors
Posts: 164
Joined: Mon May 23, 2016 2:01 am

Fri May 27, 2016 10:09 pm

Here is the unpacked file.
patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm
Contact:

Sat May 28, 2016 1:08 pm

Active C&C - abuse/NOC have been notified.
mem_dump_cnc.png
Notes:

Code:

dma2004@zerobit.email
http://5.8.63.54/crypto/gate?action=0
http://5.8.63.54/crypto/client_payment_instructions?botId=B1B1E7A41C5F49889DD195303392CB5D
Apparently they leave the encryption key in plain text in the "original" binary. Not sure about that, I did not see it... good luck.
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Fri Jun 03, 2016 10:09 pm

Today's campaign details, pictures and the rest of the report are here: http://imgur.com/a/CZKzt
The PE downloader (downloaded by a VBS) downloads the payloads, which are x32 & x64 loaders, along with the ransomware binary bbv.exe; all four are attached.
[screenshot]
Identification: [screenshot]
VT detection is VERY bad for these:
https://virustotal.com/en/file/37194a9a ... /analysis/
https://virustotal.com/en/file/fa389e42 ... /analysis/
cc: @EP_X0FF @Xylit0l you both must see the loader part..
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Sat Jun 04, 2016 9:44 am

Forensics data of:
Today's campaign details, pictures and the rest of the report are here: http://imgur.com/a/CZKzt
Finally could run it well: [three screenshots]
Info:

Code:

Domains :  actioncompass.online
BTC: 16hHkyuzCDRFzoejVuqajqrnbmKHSmEfQM
Emails: dma4004@zerobit.email and team4004@gmx.com
CNC:

Code:

{
  "ip": "5.8.63.31",
  "hostname": "No Hostname",
  "city": "Saint Petersburg",
  "region": "St.-Petersburg",
  "country": "RU",
  "loc": "59.8944,30.2642",
  "org": "AS29182 JSC ISPsystem",
  "postal": "190808"
}
sysopfb
Posts: 97
Joined: Thu Oct 23, 2014 1:22 am
Contact:

Sat Jun 04, 2016 1:29 pm

Was also seeing Cerber from these, but the actor switched to DMA Locker, it seems?

hxxp://avtomatika-dv[.]ru/image/data/avatars/.../log.php?f=404
hxxp://www[.]harmanhouse[.]com/catalog/language/english/error/.../log.php?f=404

Has a pretty large list of file extension targets

Strings for traffic:

Code:

http://actioncompass.online/crypto/client_payment_instructions?botId=%s
http://%s/crypto/client_free_decrypt?botId=%s
http://%s/crypto/client_payment_instructions?botId=%s
GET /crypto/gate?action=0 HTTP/1.1
GET /crypto/gate?action=1&botId=%s HTTP/1.1
GET /crypto/gate?action=5&botId=%s HTTP/1.1
GET /crypto/gate?action=2&botId=%s HTTP/1.1
GET /crypto/gate?action=3&botId=%s HTTP/1.1
GET /crypto/gate?action=4&botId=%s&transactionId=%s HTTP/1.1
GET /crypto/gate?action=6&botId=%s HTTP/1.1
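Added example (not code posted by anyone in this thread): a small proxy-log matcher built from the C&C URL shapes quoted above, covering both patriq's gate/botId URLs and the format strings in the post directly above. It keys on the path and query layout (`/crypto/gate?action=N[&botId=...]`, `/crypto/client_*?botId=...`) rather than on the host, because within this thread alone the host moves between 5.8.63.54, 5.8.63.31 and actioncompass.online. Assumptions: the log line format (`timestamp client method url`) and every log line below are constructed for the example, and the botId being 32 upper-case hex characters is inferred from the single value posted (B1B1E7A41C5F49889DD195303392CB5D); the meaning of the individual action numbers is not stated anywhere in the thread and is not assumed here.

```python
"""Match DMA Locker 4.0 C&C requests in proxy logs (added example, not from the thread)."""
import re
from urllib.parse import urlsplit, parse_qs

# Paths taken from the format strings posted in this thread.
GATE_PATH = "/crypto/gate"
CLIENT_PATHS = ("/crypto/client_payment_instructions", "/crypto/client_free_decrypt")
# action values that appear in the posted strings; action=4 also carries transactionId.
GATE_ACTIONS = {0, 1, 2, 3, 4, 5, 6}
# Assumption: botId is always 32 upper-case hex characters, as in the one value posted.
BOT_ID_RE = re.compile(r"^[0-9A-F]{32}$")

# Constructed sample log ("timestamp client method url"); not a real capture.
SAMPLE_LOG = """\
2016-06-04T09:41:02Z 10.0.0.7 GET http://5.8.63.54/crypto/gate?action=0
2016-06-04T09:41:05Z 10.0.0.7 GET http://5.8.63.54/crypto/gate?action=1&botId=B1B1E7A41C5F49889DD195303392CB5D
2016-06-04T09:42:11Z 10.0.0.7 GET http://5.8.63.54/crypto/client_payment_instructions?botId=B1B1E7A41C5F49889DD195303392CB5D
2016-06-04T09:43:00Z 10.0.0.9 GET http://example.com/crypto/gate.html
2016-06-04T09:43:30Z 10.0.0.9 GET http://intranet.local/api/gate?action=0
2016-06-04T09:44:00Z 10.0.0.9 GET http://5.8.63.54/crypto/gate?action=2&botId=notahexid
2016-06-04T09:50:00Z 10.0.0.7 GET http://actioncompass.online/crypto/gate?action=4&botId=B1B1E7A41C5F49889DD195303392CB5D&transactionId=tx01
"""


def classify_url(url):
    """Describe a DMA Locker C&C request as a dict, or return None if the URL does not match."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    bot_id = qs.get("botId", [None])[0]
    # A botId that does not look like the posted one is treated as a non-match
    # to keep unrelated "?botId=" parameters from firing the rule.
    if bot_id is not None and not BOT_ID_RE.match(bot_id):
        return None

    if parts.path == GATE_PATH:
        action = qs.get("action", [None])[0]
        if action is None or not action.isdigit() or int(action) not in GATE_ACTIONS:
            return None
        action = int(action)
        # In the posted strings only action=0 is sent without a botId.
        if action != 0 and bot_id is None:
            return None
        return {
            "kind": "gate",
            "action": action,
            "bot_id": bot_id,
            "transaction_id": qs.get("transactionId", [None])[0],
            "host": parts.hostname,
        }

    if parts.path in CLIENT_PATHS and bot_id is not None:
        return {
            "kind": parts.path.rsplit("/", 1)[1],  # e.g. client_payment_instructions
            "action": None,
            "bot_id": bot_id,
            "transaction_id": None,
            "host": parts.hostname,
        }
    return None


def scan_log(text):
    """Scan constructed 'timestamp client method url' lines; return matches in log order."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        info = classify_url(url)
        if info:
            info.update({"ts": ts, "client": client})
            hits.append(info)
    return hits


def bot_ids_by_client(hits):
    """Group matched botIds per internal client, which is the pivot for scoping an infection."""
    out = {}
    for h in hits:
        if h["bot_id"]:
            out.setdefault(h["client"], set()).add(h["bot_id"])
    return out


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ts"], h["client"], h["host"], h["kind"], h["action"], h["bot_id"])
    print(bot_ids_by_client(scan_log(SAMPLE_LOG)))
```

The path-based match is deliberately strict about the query layout (action present and in the posted range, botId shaped like the posted one), so a generic `/crypto/gate` page on an unrelated site or a different application's `?action=` parameter does not match. When the operator moves hosts again, only the sample log changes, not the matcher.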
EP_X0FF
Global Moderator
Posts: 4905
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Sun Jun 05, 2016 6:05 am

unixfreaxjp wrote: cc: @EP_X0FF @Xylit0l you both must see the loader part..
Nothing interesting, it's just an obfuscated loader which runs the main hardcoded ransom executable from %temp% multiple times until it finally starts normally. What trash.
Ring0 - the source of inspiration
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Sun Jun 05, 2016 5:35 pm

EP_X0FF wrote: Nothing interesting, it's just an obfuscated loader which runs the main hardcoded ransom executable from %temp% multiple times until it finally starts normally. What trash.
Thank you.
sysopfb wrote: Was also seeing Cerber from these, but the actor switched to DMA Locker, it seems?
hxxp://avtomatika-dv[.]ru/image/data/avatars/.../log.php?f=404
hxxp://www[.]harmanhouse[.]com/catalog/language/english/error/.../log.php?f=404
Yes, I was also informed that it switched to Cerber in the DMA initial URL (below); the actor played two versions of ransomware:

Code:

h00p://irinahair.ru/.../log.php=404
sample: https://www.virustotal.com/en/file/02a6 ... /analysis/
xref: https://www.reddit.com/r/Malware/commen ... 16/d3vckhv
^ credit: @rootjacker