A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #32966  by R136a1
 Thu May 30, 2019 11:42 am
Hi,

brief analysis of an extortion mailer module spread via Phorpiex botnet.

Background is this tweet: https://twitter.com/P3pperP0tts/status/ ... 8402564096

Initial sample: https://www.virustotal.com/#/file/9e76d ... fc7c33248/

Initial sample is an obfuscated loader for the actual mailer payload. The usual techniques are used. Payload gets decrypted, loaded as memory module and executed.

Payload: https://www.virustotal.com/#/file/85b59 ... 0b892e3e3/

Payload strings:
Code: Select all
%u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
yahoo.com
%sp.txt
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
I know your password - 
Your password - 
You dirty pervert - 
Pervert - 
I hacked you - 
You got owned - 
You better read this - 
You better pay me - 
Video of you - 
I recorded you - 
Stop watching porn - 
Dirty pervert - 
You got hacked - 
I know everything - 
You got infected - 
I infected your pc - 
Take care - 
Better pay me - 
Safe your life - 
Safe your privacy - 
I can ruin your life - 
Read carefully - 
I give you one chance - 
Recorded you mastrubating - 
I seen everything - 
Videos of you - 
You got recorded - 
Infected your computer - 
Your life can be ruined - 
Take care next time - 
Pay - 
Few days time - 
Don't wait too long - 
I won't wait too long - 
Everyone will know - 
No longer private - 
Better read - 
Read - 
Your private data - 
Your privacy - 
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
http://icanhazip.com/
[0.0.0.0]
[0.0.0.0]
%s.com
ESMTP
EHLO 
HELO 
<YourPrivacy%s@%s>
MAIL FROM: 
RCPT TO: <
%s.com
Received: from %s ([%d.%d.%d.%d]) by %s with MailEnable ESMTP; %s
Received: (qmail %s invoked by uid %s); %s
From: Your Privacy
Subject: 
Date: 
Message-ID: <
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8;
I know that: 
 - is your password!
Your computer was infected with my private malware, RAT, (Remote Administration Tool).
The malware gave me full access and control over your computer, I got access to all your accounts (see password above) and it was even possible for me to turn your webcam and microphone on and you didn't even notice about it.
For a long time I was spying on you through your webcam and recorded MANY EMBARASSING VIDEOS OF YOU!!! Hahaha... you know what I mean!
I collected all your private data, pictures, documents, videos, absolutly everything and I know about your family!
After that I removed my malware, to not leave any traces.
I can send the videos to all your contacts (email, social network) and publish all your private data everywhere!!!
Only you can prevent me from doing this!
To stop me, pay 1400$ in bitcoin (BTC).
If you don't know how to buy bitcoin, go to: www.paxful.com ( there are over 300 ways to do it ).
Or Google - "How to buy Bitcoin?"
If you want to create your own wallet to receive and send bitcoin, register here: www.login.blockchain.com/en/#/signup/
Or send direct to my wallet from www.paxful.com
My bitcoin wallet is: 12ZyXPMJBAFCfpyYTYo8V6QcG653Lcs9oj
Copy and paste my wallet, it's (cAsE-sensetive)
I give you 4 days to get the bitcoins and pay.
After receiving the payment, I will delete the video and everything else and we will forget everything, you will never hear from me again...BUT if you don't pay and simply ignore this email, I promise, I will turn your life and the life of your family into HELL and you will remember me for THE REST OF YOUR LIFE!
Since I already have access to your account, I will know if this email has been already read.
To make sure you don't miss this email, I sent it multiple times.
Don't share this email with anyone, it just will make everything worse, only I can help you out in this situation and this should stay our little secret!
MailClientID: 
%sn.txt
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
@4848499494
http://193.32.161.77/en/
open
%temp%
%ls%d.txt
%ls\%d%d%d%d.jpg
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Windows Update 7080607400
%windir%
%userprofile%
%systemdrive%
%temp%
%ls:Zone.Iduentifier
win%ls%ls%ls%ls.exe
%ls\%d%d%d%d
%ls\%ls
%ls:*:Enabled:%s
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Software\Microsoft\Windows\CurrentVersion\Run\
What is does is to download a list of compromised email addresses + passwords (in cleartext!) from the hardcoded C&C server. The email addresses + passwords are then used to send the extortion email to the other addresses in the list. Code and structure is similar to GandCrab downloaders spread via Phorpiex botnet, e.g. PDB path is partly overwritten with spaces.

C&C server:
Code: Select all
193.32.161.77
The email addresses + passwords seem to be used from already known breaches. Checking a few via https://haveibeenpwned.com had a 100% success rate. Therefore, the claim "Your computer was infected with my private malware, RAT, (Remote Administration Tool)." is most likely false, though not impossible.

Unfortunately, a few victims seem to have fallen for this extortion scam: https://www.blockchain.com/de/btc/addre ... G653Lcs9oj
You do not have the required permissions to view the files attached to this post.