A forum for reverse engineering, OS internals and malware analysis 
 #13355  by rkhunter
 Tue May 22, 2012 6:47 am
EP_X0FF wrote:It is still Pliqpay_monexy but design is different + RunPE.
I didn't understand. For me it is so similar to WindowsSecurity. Can you say a little more about the differences?
Thx.
 #13401  by Aleksandra
 Thu May 24, 2012 6:56 pm
RomaNNN wrote:Winlock Collection (22 samples):
root@slax:~/Desktop/Winlock_Collection(22)# md5sum ./*.*
d3df180cacd8e1671b3f49117e84fd3f ./video (1).scr
3c3c0a29923ee617ed7cfe83ae97e770 ./xxx_porno (1).exe
7a2dc0eeb57d43652664b37f769b6c62 ./xxx_porno (2).exe
0e2517c05b6208790f5e1307a5cb3887 ./xxx_video (1).com
005a2b0e9ac6311d7f095f6e7918ed65 ./xxx_video (1).scr
576a793ccacc0ba50be80472c5300ec6 ./xxx_video (2).com
521fe64902e04d978cf72d4fb76de865 ./xxx_video2.com
64677981bf659ffbe0eef63716d6448d ./xxx_video (2).scr
a2045f1fd0bd584de4232d3e26a6735e ./xxx_video (3).com
d75be31fb0ac3b3492f198adf147341a ./xxx_video3.com
55d45fe539b3ab9ead7a296ea11fe5c2 ./xxx_video (3).scr
001531dccf5d0762b2de9cfc79b7672c ./xxx_video (4).com
d4ce10842eeed74d6c6593f541321737 ./xxx_video4.exe
181df374bd532fa42ac01b724796eafd ./xxx_video (4).scr
305c34ec03fd03cbf0194965944d63d5 ./xxx_video (5).scr
efa17295a90888a9362dc7451642305e ./xxx_video (6).scr
dbea25cc52cefc20556660beda1a47c4 ./xxx_video (7).scr
b8437f57772cc7133863d03b3df4747a ./xxx_video (8).scr
885bd15a8a72d4feca5bf5c547d7b3c5 ./xxx_video (9).scr
576a793ccacc0ba50be80472c5300ec6 ./xxx_video.com
d4ce10842eeed74d6c6593f541321737 ./xxx_video.exe
ab3a670cebfa2e54734994fd0aca89b8 ./xxx_video.scr
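The md5sum listing above contains repeated digests (the same file under two names), so a "22 samples" collection is not 22 unique samples. As an added example, not code from the thread or any of the posters, here is a small triage helper that parses md5sum-style output, groups files by digest and reports duplicates and the real unique count. The embedded listing is the one quoted in the post; the helper accepts both the single-space form shown on the forum and real md5sum output (two spaces, optional `*` binary-mode marker).

```python
# Added example: deduplicate a malware sample collection by md5sum output.
from collections import defaultdict

# The listing quoted in the post (22 lines).
MD5SUM_OUTPUT = """\
d3df180cacd8e1671b3f49117e84fd3f ./video (1).scr
3c3c0a29923ee617ed7cfe83ae97e770 ./xxx_porno (1).exe
7a2dc0eeb57d43652664b37f769b6c62 ./xxx_porno (2).exe
0e2517c05b6208790f5e1307a5cb3887 ./xxx_video (1).com
005a2b0e9ac6311d7f095f6e7918ed65 ./xxx_video (1).scr
576a793ccacc0ba50be80472c5300ec6 ./xxx_video (2).com
521fe64902e04d978cf72d4fb76de865 ./xxx_video2.com
64677981bf659ffbe0eef63716d6448d ./xxx_video (2).scr
a2045f1fd0bd584de4232d3e26a6735e ./xxx_video (3).com
d75be31fb0ac3b3492f198adf147341a ./xxx_video3.com
55d45fe539b3ab9ead7a296ea11fe5c2 ./xxx_video (3).scr
001531dccf5d0762b2de9cfc79b7672c ./xxx_video (4).com
d4ce10842eeed74d6c6593f541321737 ./xxx_video4.exe
181df374bd532fa42ac01b724796eafd ./xxx_video (4).scr
305c34ec03fd03cbf0194965944d63d5 ./xxx_video (5).scr
efa17295a90888a9362dc7451642305e ./xxx_video (6).scr
dbea25cc52cefc20556660beda1a47c4 ./xxx_video (7).scr
b8437f57772cc7133863d03b3df4747a ./xxx_video (8).scr
885bd15a8a72d4feca5bf5c547d7b3c5 ./xxx_video (9).scr
576a793ccacc0ba50be80472c5300ec6 ./xxx_video.com
d4ce10842eeed74d6c6593f541321737 ./xxx_video.exe
ab3a670cebfa2e54734994fd0aca89b8 ./xxx_video.scr
"""

HEX = set("0123456789abcdef")


def parse_md5sum(text):
    """Parse md5sum-style lines into (digest, path) pairs.

    Splits on the first run of whitespace, so file names containing
    spaces (e.g. "xxx_video (1).scr") survive intact. Lines that do not
    carry a 32-hex-char digest are rejected rather than silently skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed md5sum line: {raw!r}")
        digest, path = parts
        digest = digest.lower()
        if len(digest) != 32 or not set(digest) <= HEX:
            raise ValueError(f"bad md5 digest: {digest!r}")
        if path.startswith("*"):      # md5sum binary-mode marker
            path = path[1:]
        entries.append((digest, path))
    return entries


def group_by_hash(entries):
    """Map each digest to the list of file names carrying it."""
    groups = defaultdict(list)
    for digest, path in entries:
        groups[digest].append(path)
    return dict(groups)


def duplicates(groups):
    """Digests that appear under more than one file name."""
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


def unique_count(groups):
    return len(groups)


if __name__ == "__main__":
    entries = parse_md5sum(MD5SUM_OUTPUT)
    groups = group_by_hash(entries)
    print(f"{len(entries)} files, {unique_count(groups)} unique samples")
    for digest, paths in sorted(duplicates(groups).items()):
        print(digest, "->", ", ".join(paths))
```

Running it over the quoted listing reports 22 files but only 20 unique samples; the two duplicate pairs are the `.com` and `.exe` files that were renamed copies. Grouping by digest before analysis avoids wasting time on the same binary twice and keeps counts in a collection honest.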
 #13409  by EP_X0FF
 Fri May 25, 2012 1:39 am
rkhunter wrote:
EP_X0FF wrote:It is still Pliqpay_monexy but design is different + RunPE.
I didn't understand. For me it is so similar to WindowsSecurity. Can you say a little more about the differences?
Thx.
They have:

a) different design (see below)
b) different crypter (see below)
c) probably different distribution site

They both have the same project configuration, which makes one believe they were created from the same source by a simple redesign of some parts.

All stuff in attach.

Windows Security
Image

This locker
Image

WS project details
Image

This locker project details
Image
Attachments
pass: malware
 #13423  by EP_X0FF
 Fri May 25, 2012 1:07 pm
Ransom WindowsSecurity (some files maybe broken or already posted here), 159 unique hashes.
April - May 2012.
Attachments
pass: infected
 #15011  by EP_X0FF
 Sat Aug 04, 2012 11:18 am
Some art work from Pliqpay_monexy.

Image

Nothing really impressive, except mad skillz part.

As you know there are two types of blockers: those that can be unblocked with a code, and those that don't have any codes. This ransom calculates the unblock code at runtime from user input; however, it then still compares it with a hardcoded value, which makes it overall nonsense. Mad skills part: as the calculation feature, the authors ripped the hashing algo from http://www.koders.com/c/fid71C3D609511C ... E1B7F.aspx (whole procedures copy-pasted). Also there is a mad-skills, probably self-implemented, ByteToChar routine inside. I LOL'D. In attach both original and unpacked.
Attachments
pass: malware