A forum for reverse engineering, OS internals and malware analysis 
 #24547  by EP_X0FF
 Mon Dec 08, 2014 9:11 am
Malware that infects executable files on the victim computer and asks to pay a ransom in BTC.

Each infected executable is overwritten by a copy of the malware with the saved icon of the original executable. Mass infection of executables gives this malware the ability to survive removal and re-infect the PC.

Runs via

Alters Windows Explorer settings:
1) file extensions -> reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2) hidden files -> reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Turn off UAC -> reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Monitors user activity -> blocks execution of several programs by looking for specific window titles/classnames, including malware process names.
The following names are identified:
1) Windows Task Manager
2) Run
3) Open
4) malware process names (thus preventing viewing of process properties, for example)
5) RegEdit_RegEdit

Capable of infecting removable drives.


Example of infected file -> https://www.virustotal.com/en/file/113c ... /analysis/ (used gmer found on infected computer)

One of the VT reports for sample in archive
https://www.virustotal.com/en/file/4183 ... /analysis/
Don't be confused by the high VT detection ratio - only 4 products here correctly detect this malware.
pass: infected
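A defender-side check for the registry tampering described in this post, added here as an example and not part of the original thread. It evaluates the three values the sample forces (HideFileExt, Hidden, EnableLUA), either parsed from logged reg.exe command lines or read from the live registry on a Windows host; the sample command lines are constructed to mirror the ones quoted above, and read_live() assumes the standard winreg module.

```python
"""Audit the Explorer/UAC values this sample forces via reg.exe (added example,
not from the post). Values come from logged reg.exe command lines (e.g. Sysmon
process creation) or, on Windows, from the live registry via read_live()."""
import re
ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# (key, name) -> (value the malware writes, weight). EnableLUA=0 is strong on
# its own; HideFileExt=1 and Hidden=2 equal the stock Windows defaults
# (assumption: unmodified profile), so they only corroborate.
INDICATORS = {(ADV, "HideFileExt"): (1, "weak"), (ADV, "Hidden"): (2, "weak"),
              (POL, "EnableLUA"): (0, "strong")}
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
REG_ADD = re.compile(r"reg(?:\.exe)?\s+add\s+(?P<key>\S+).*?/v\s+(?P<name>\S+)"
                     r".*?/d\s+(?P<data>\d+)", re.I)
# Constructed sample command lines mirroring the ones quoted in the post.
SAMPLE_CMDLINES = [
    f"reg.exe add {ADV} /f /v HideFileExt /t REG_DWORD /d 1",
    f"reg.exe add {ADV} /f /v Hidden /t REG_DWORD /d 2",
    f"reg.exe add {POL} /v EnableLUA /d 0 /t REG_DWORD /f",
]

def parse_reg_add(cmdline):
    """(key, name, dword) from a 'reg add KEY ... /v NAME ... /d N' line, else None."""
    m = REG_ADD.search(cmdline)
    return (m["key"], m["name"], int(m["data"])) if m else None

def values_from_cmdlines(cmdlines):
    """{(key, name): dword} from logged reg.exe invocations; last write wins."""
    values = {}
    for key, name, data in filter(None, map(parse_reg_add, cmdlines)):
        values[(key, name)] = data
    return values

def read_live():
    """Read the same values from the local registry (Windows only, needs winreg)."""
    import winreg
    values = {}
    for path, name in INDICATORS:
        hive, _, sub = path.partition("\\")
        try:
            with winreg.OpenKey(getattr(winreg, HIVES[hive]), sub) as k:
                values[(path, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            values[(path, name)] = None  # value absent: nothing to compare
    return values

def assess(values):
    """(verdict, {name: weight}) for values equal to what the malware writes."""
    hits = {n: w for (k, n), (bad, w) in INDICATORS.items() if values.get((k, n)) == bad}
    return ("suspicious" if "strong" in hits.values() else "clean"), hits
```

On an infected host, `assess(read_live())` flags EnableLUA=0 as the decisive indicator; in log review, `assess(values_from_cmdlines(lines))` does the same from recorded reg.exe invocations.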
 #28897  by Mosh
 Sun Jul 17, 2016 3:01 am

I don't know if this ransomware is active again; it looks like nothing has changed in its functionality.

https://www.virustotal.com/es/file/a95f ... /analysis/