A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13366  by tachion
 Tue May 22, 2012 7:05 pm
Ransomware - FakePoliceAlert
9cd87975bfd230a767d497a1f5dfbf4d
https://www.virustotal.com/file/3e3f980 ... /analysis/

Detailed report of suspicious malware actions:

Created a mutex named: Local\!IETld!Mutex
Defined file type created in Windows folder: C:\Windows\explorer_new.exe
Defined file type created in Windows folder: C:\Windows\jdnmpqrzkxwacfnypbbv.exe
Defined file type created: C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined file type created: C:\ProgramData\ugjuzuaefophikn\jquery.main.js
Defined file type created: C:\ProgramData\ugjuzuaefophikn\main.html
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer_new.exe
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\jdnmpqrzkxwacfn = C:\ProgramData\jdnmpqrzkxwacfnypbbv.exe
Deleted activity traces
Detected process privilege elevation
File copied itself
Got computer name
Internet connection: Connects to "62.76.47.158" on port 80.
Internet connection: Connects to "euro-police.in" on port 80.


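The sandbox report above lists two persistence mechanisms worth pulling out of the noise: a Winlogon Shell replacement (explorer_new.exe instead of explorer.exe) and Run-key entries launching from C:\ProgramData. The following is an added example by the editor, not part of tachion's post or the sandbox's tooling: it parses report lines in the format shown above (the sample lines are copied from the post) and flags those two techniques. The scoring rules (anything other than explorer.exe in Shell; Run entries launching from ProgramData/AppData/Temp) are this editor's assumptions, not the sandbox's.

```python
"""Parse sandbox-style "Defined registry AutoStart location ..." lines and flag
the persistence techniques seen in the report above.

Added example, not from the original post. The REPORT lines are copied from
the post; the flagging rules are the editor's assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: report lines quoted from the post above.
REPORT = """\
Created a mutex named: Local\\!IETld!Mutex
Defined file type created in Windows folder: C:\\Windows\\explorer_new.exe
Defined registry AutoStart location created or modified: machine\\software\\microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell = explorer_new.exe
Defined registry AutoStart location created or modified: machine\\software\\microsoft\\Windows\\CurrentVersion\\Run\\jdnmpqrzkxwacfn = C:\\ProgramData\\jdnmpqrzkxwacfnypbbv.exe
Defined registry AutoStart location created or modified: user\\current\\software\\Microsoft\\Windows\\CurrentVersion\\Run\\jdnmpqrzkxwacfn = C:\\ProgramData\\jdnmpqrzkxwacfnypbbv.exe
Internet connection: Connects to "euro-police.in" on port 80.
"""

# key = everything up to the last backslash, value = last path component, data = after " = "
AUTOSTART_RE = re.compile(
    r"^Defined registry AutoStart location created or modified: "
    r"(?P<key>.+?)\\(?P<value>[^\\=]+) = (?P<data>.+)$"
)

# Assumption: user-writable directories a legitimate Run entry rarely points into.
SUSPICIOUS_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Autostart:
    key: str    # registry key path as printed by the sandbox
    value: str  # value name (e.g. "Shell" or the Run entry name)
    data: str   # value data (the command or binary path)


def parse_autostarts(report: str) -> list[Autostart]:
    """Return every AutoStart line of the report as a structured entry."""
    entries = []
    for line in report.splitlines():
        m = AUTOSTART_RE.match(line.strip())
        if m:
            entries.append(Autostart(m["key"], m["value"], m["data"]))
    return entries


def flag(entries: list[Autostart]) -> list[str]:
    """Apply the two persistence checks and return human-readable findings."""
    findings = []
    for e in entries:
        key = e.key.lower()
        data = e.data.lower()
        if key.endswith("\\winlogon") and e.value.lower() == "shell":
            # Winlogon\Shell should be exactly "explorer.exe"; anything else runs
            # instead of (or alongside) the real shell at every logon.
            if data != "explorer.exe":
                findings.append(f"Winlogon Shell hijack: Shell = {e.data} (expected explorer.exe)")
        elif key.endswith("\\currentversion\\run"):
            if any(d in data for d in SUSPICIOUS_DIRS):
                scope = "HKLM" if key.startswith("machine") else "HKCU"
                findings.append(f"{scope} Run entry '{e.value}' launches from a user-writable dir: {e.data}")
    return findings


if __name__ == "__main__":
    for f in flag(parse_autostarts(REPORT)):
        print(f)
```

Both Run entries (HKLM and HKCU) and the Shell replacement are reported; the mutex and network lines are ignored by this parser and would be handled by separate IOC extraction.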
 #13415  by Xylitol
 Fri May 25, 2012 7:38 am
Weelsof package + unpacked, and some old design.
I've used the TDS to determine the winlock history:
[Dumped] 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F83FCDA (09:26:50 - 10/04/2012) » weelsoffortune.info
Packed: 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F84A969 (21:43:05 - 10/04/2012)

[Dumped] 62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df • 4F854EC3 (09:28:35 - 11/04/2012) » weelsoffortune.info
Packed: 62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df • 4F8644BB (02:58:03 - 12/04/2012)

[Dumped] 73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960 • 4F8C315F (14:49:03 - 16/04/2012) » trybesmart.in
Packed: 73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960 • 4F8DFBBF (23:24:47 - 17/04/2012)
Packed: be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d • 4F90A68A (23:58:02 - 19/04/2012)
Packed: 61318fa1f1db342045573d584badc254c9e2578db916594dc749d8cc44ce8ac4 • 4F91F15B (23:29:31 - 20/04/2012)
Packed: 425c42d6108db6b6b5cbda7a5417b5f55225c47ac588f5f0a293c2b07a78d14b • 4F9906FF (08:27:43 - 26/04/2012)

[Dumped] 4f0b6605434c1355b10950024eaa9f695822278f57c29275706c0e5b29b369b0 • 4F9911B3 (09:13:23 - 26/04/2012) » trybesmart.in
Packed: 19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf • 4F9B33C5 (00:03:17 - 28/04/2012)
Packed: 78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b • 4FA04B59 (20:45:13 - 01/05/2012)
Packed: d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523 • 4FA478A6 (00:47:34 - 05/05/2012)
Packed: 4f0b6605434c1355b10950024eaa9f695822278f57c29275706c0e5b29b369b0 • 4FA6FBBB (22:31:23 - 06/05/2012)
Packed: 80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2 • 4FAAF59A (22:54:18 - 09/05/2012)
Packed: ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2 • 4FAD9768 (22:49:12 - 11/05/2012)

[Dumped] d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4 • 4FB252FB (12:58:35 - 15/05/2012) » police-center.in
Packed: d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4 • 4FB30D08 (02:12:24 - 16/05/2012)
Packed: 46ca6b1972c81eab77202146184afe95b797bd4e3788c59e8036e748b55fc28c • 4FB566FC (21:00:44 - 17/05/2012)

[Dumped] 3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458 • 4FBA3695 (12:35:33 - 21/05/2012) » euro-police.in
Packed: 3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458 • 4FBADA26 (00:13:26 - 22/05/2012)
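The history above is built from the PE TimeDateStamp ("TDS") of each sample: the unpacked payload carries the builder's compile time, the packed wrapper a later one, so the pair orders each build and shows how long after compilation it was packed. As an added example by the editor (not Xylitol's tooling), the following reads the TDS straight out of a PE header without third-party libraries, converts it the way the post prints it, and computes the compile-to-pack lag. The hash/TDS pairs are quoted from the post; the PE bytes are a constructed minimal header, not a real sample.

```python
"""Read IMAGE_FILE_HEADER.TimeDateStamp from a PE image and use it to order
dumped (unpacked) and packed Weelsof samples, as in the post above.

Added example by the editor. SAMPLES is quoted from the post; build_stub()
produces a constructed, non-loadable header only for demonstration.
"""
import struct
from datetime import datetime, timedelta, timezone


def read_tds(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image (seconds since the Unix epoch)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 4 + 4)[0]


def tds_to_utc(tds: int) -> datetime:
    """TimeDateStamp is UTC; the post's times match this conversion."""
    return datetime.fromtimestamp(tds, tz=timezone.utc)


def fmt_tds(tds: int) -> str:
    """Render like the post: 'HH:MM:SS - DD/MM/YYYY'."""
    return tds_to_utc(tds).strftime("%H:%M:%S - %d/%m/%Y")


def pack_lag(dumped_tds: int, packed_tds: int) -> timedelta:
    """How long after the payload was compiled the packed wrapper was built."""
    return tds_to_utc(packed_tds) - tds_to_utc(dumped_tds)


def build_stub(tds: int) -> bytes:
    """Constructed minimal MZ + PE header carrying the given TimeDateStamp (assumption: not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    # Machine=i386, 1 section, TimeDateStamp, no symbols, no optional header, EXECUTABLE|32BIT
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, tds, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + file_header


# Quoted from the post: (role, sha256, TDS, C2 domain of that build)
SAMPLES = [
    ("dumped", "8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f", 0x4F83FCDA, "weelsoffortune.info"),
    ("packed", "8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f", 0x4F84A969, "weelsoffortune.info"),
    ("dumped", "3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458", 0x4FBA3695, "euro-police.in"),
    ("packed", "3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458", 0x4FBADA26, "euro-police.in"),
]


def timeline(samples):
    """Chronological list of (formatted time, role, domain, sha256[:8])."""
    return [(fmt_tds(t), role, dom, sha[:8]) for role, sha, t, dom in sorted(samples, key=lambda s: s[2])]


if __name__ == "__main__":
    for row in timeline(SAMPLES):
        print(*row)
    print("compile-to-pack lag, euro-police.in build:", pack_lag(0x4FBA3695, 0x4FBADA26))
```

A TDS is attacker-controlled and trivially forged, so it orders builds only when the operator never bothered to stamp it; the consistent dumped-before-packed ordering across the post's samples is what makes it usable here.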
 #13542  by Xylitol
 Wed May 30, 2012 2:36 pm
Weelsof ransom themes (AT,FI,DE,BE,FR,GR,IT,NL,PL,PT,ES,SW,SH) and sample attached.
Also some news... they moved; the previous machine hosted on clodo.ru was shut down.
• dns: 1 ›› ip: 95.163.104.89 - address: DOLORES.CURSOPERSONA.COM
Still the same shit: dolores.cursopersona.com/cp.php

Packed bin TDS: 4FC0D14D - 12:49:17, 26 May
Dumped version: 4FBF2E76 - 07:02:14, 25 May 2012

edit: 62.76.41.126 is back.
Last edited by Xylitol on Wed May 30, 2012 3:38 pm, edited 1 time in total.
 #13716  by thisisu
 Tue Jun 05, 2012 7:58 am
Gimemo - France - "Gendarmerie Nationale" v2
MD5: 1e3711818e1c1474ef24c4a59843be74
https://www.virustotal.com/file/9ccd219 ... /analysis/
C:\sOxs5YdeJvsd\sOxs5YdeJvsd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | sOxs5YdeJvsd
Additional info here.
 #13790  by Xylitol
 Thu Jun 07, 2012 8:57 am
thisisu wrote: Gimemo - France - "Gendarmerie Nationale" v2
Not Gimemo, and not a 'v2'.
Just some lame shit made by kids; the panel and even the ransom are clearly unprofessional work.

Attached: the latest Weelsof dump.