A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21835  by Xylitol
 Wed Jan 01, 2014 6:08 pm
remark start

2010 year FakeAV
2011 year FakeAV
2012 year FakeAV
2013 year FakeAV

remark end

Windows Accelerator Pro
https://www.virustotal.com/en/file/6946 ... 388598425/ > 6/46
http://web-sniffer.net/index.php?url=ht ... =GET&uak=0
Image Image Image
Network activities:
Code: Select all
http://zocrxiyds.freetzi.com/1.php
• dns: 1 ›› ip: 69.162.82.253 - adresse: ZOCRXIYDS.FREETZI.COM
http://c3913c6c.webantiviruslk.pl/index.html
• dns: 1 ›› ip: 109.236.86.172 - adresse: C3913C6C.WEBANTIVIRUSLK.PL
---
http://93.115.82.248/?0=1&1=1&2=9&3=i&4=2600&5=1&6=1111&7=obqrhutjgv
http://93.115.82.248/?0=1&1=1&2=9&3=p&4=2600&5=1&6=1111&7=obqrhutjgv
http://94.185.80.155/customgate2/?callback=jQuery17203112214965869417_1388599195453&name=Xylibox+Labs&email=xylitol%40malwareint.com&num=4111111111111111&cvv=147&year=2017&month=05&phone=3-478-856-54-05&address=123+winlocker+street&country=FRA&state=XX&zip=75000&option=0&support=false&id=1&sub_id=1&install_id=obqrhutjgv&project_id=9&serial=EWBWF-QYHBS-XGTGK-EH0A&_=1388599353015
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195454&transaction_id=646959059412b4308a4c613844951708&_=1388599356453
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195455&transaction_id=646959059412b4308a4c613844951708&_=1388599359469
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195456&transaction_id=646959059412b4308a4c613844951708&_=1388599362469
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195457&transaction_id=646959059412b4308a4c613844951708&_=1388599365469
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195458&transaction_id=646959059412b4308a4c613844951708&_=1388599368469
http://93.115.82.248/?0=1&1=1&2=9&3=p&4=2600&5=1&6=1111&7=obqrhutjgv
--
Code: Select all
fakeav://payandsec.com/p/?group=sgp&nid=9A93E62D&affid=85700&lid=0040&ver=0040 https://www.virustotal.com/en/ip-address/178.162.199.33/information/
fakeav://sgpsupport.com/
https://www.virustotal.com/en/ip-addres ... formation/
https://www.virustotal.com/en/ip-addres ... formation/
Attachments
infected
(1.05 MiB) Downloaded 336 times
 #21837  by dairu87
 Wed Jan 01, 2014 11:13 pm
Ran across a reallllly nasty Fake AV today... Came with some sort of bootkit... another tech had already removed the rootkit so I cannot identify that... but this Fake AV doesnt seem to be pulling up anything to interfere with peoples machines... It looks like it is just running in the background... It dumps a bunch of randomly named folders to %appdata% and fills them with randomly named .exe's to invoke its primary process and max out the CPU & memory. It doesnt seem to have a limit to how many of those directories it makes either... Were about 40 different directories all filled with malicious .exe's. It also dumps around 10-12 randomly named .exe's into the syswow64 directory. I was unable to obtain any samples of a dropper unfortunately (Sorry) But was wondering... has any one else seen this nasty thing?
 #21855  by patriq
 Fri Jan 03, 2014 10:21 pm
dairu87 wrote:Ran across a reallllly nasty Fake AV today... I was unable to obtain any samples of a dropper unfortunately (Sorry) But was wondering... has any one else seen this nasty thing?
no sample or hash of the file?

don't think you will find much without those details.. good luck anyways.
 #21861  by Cody Johnston
 Sat Jan 04, 2014 4:19 pm
malwareMD wrote:thanks for sharing, we have also seen similar variants in past week.
dairu87 wrote:It dumps a bunch of randomly named folders to %appdata% and fills them with randomly named .exe's to invoke its primary process and max out the CPU & memory.
dairu87 wrote:It also dumps around 10-12 randomly named .exe's into the syswow64 directory.
Please share what you find if you come across this again. A sample of each exe from %appdata% and syswow64/system32 will work. A screenshot and VirusTotal scan would be very helpful for us as well. Use the first 2 posts in this topic as an example. Many times with rogues the exe that runs the UI acts also as a dropper, so you may in fact have found a dropper already. Thanks! :)
 #21895  by Cody Johnston
 Wed Jan 08, 2014 12:25 am
dairu87 wrote:Ran across a reallllly nasty Fake AV today... Came with some sort of bootkit... another tech had already removed the rootkit so I cannot identify that... but this Fake AV doesnt seem to be pulling up anything to interfere with peoples machines... It looks like it is just running in the background... It dumps a bunch of randomly named folders to %appdata% and fills them with randomly named .exe's to invoke its primary process and max out the CPU & memory. It doesnt seem to have a limit to how many of those directories it makes either... Were about 40 different directories all filled with malicious .exe's. It also dumps around 10-12 randomly named .exe's into the syswow64 directory. I was unable to obtain any samples of a dropper unfortunately (Sorry) But was wondering... has any one else seen this nasty thing?
Attached the dropper, it was in %localappdata% in random named folder. Looks like Cidox.B was the bootkit on this one.

Publisher BitMefender S.R.L.

MD5 204806d51d301a99be49b8882a791cfc
https://www.virustotal.com/en/file/10cc ... 389139839/
Attachments
Password: infected
(206.79 KiB) Downloaded 156 times