A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18867  by Fabian Wosar
 Sun Apr 07, 2013 8:47 pm
New Reveton variant:
https://www.virustotal.com/en/file/32bd ... /analysis/

If I remember correctly there are a few changes to the way it works:
  • Multiple new autoruns are used (winmgmt service is hijacked as well as a new autorun in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with name ctfmon.exe), in addition to the shortcut in the Startup folder
  • RunDLL32.exe executable is copied to the common appdata folder now and an obfuscated JavaScript is created there to run the Reveton malware DLL using the local RunDll32 copy, at least on my system I didn't observe that JavaScript being used in any way though, but I didn't look into it in much detail
Take these information with a grain of salt. I haven't looked at Reveton in a while, so if the additional autoruns have been introduced a while ago please apologize. At least I haven't seen them yet :).
Attachments
Password: infected
(90.75 KiB) Downloaded 110 times
 #18893  by Blaze
 Wed Apr 10, 2013 8:41 am
Hi Fabian

I haven't seen the winmgmt service being hijacked yet. The autorun key & ctfmon.lnk in Startup folder is being used for a while.
Example:
Code: Select all
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
Thought the .js and .pad files it created are just dummy files though? Do you have a copy of the .js file you encountered?

Cheers :) !
 #19284  by thisisu
 Wed May 15, 2013 8:19 pm
From customer laptop.

MD5: cea0f6e822522a5d221a16d08786fac6

https://www.virustotal.com/en/file/615b ... 368647810/

I moved the ransomware file first before running Farbar Recovery Scan Tool. That's why the main file shows up as missing ([x])
Code: Select all
HKU\Flexi\...\Run: [ctfmon.exe] C:\PROGRA~3\rundll32.exe C:\PROGRA~3\3jelori.dat,FG00 [x]
Startup: C:\Users\Flexi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> C:\PROGRA~3\3jelori.dat (No File)
Also, what is this? I don't think it's related to Reveton, just wondering
Code: Select all
Tcpip\..\Interfaces\{F359DE43-7CFB-41C3-8AD7-204DFFE88DFC}: [NameServer]0.0.0.0
EDIT: I believe it belonged to "Hotspot Shield".

Inside archive is:
  1. 3jelori.dat
    irolej3.bat
    irolej3.js (previously requested)
    irolej3.reg
Did not include
  1. 3rrt.pad (92,797KB // too big to attach)
    trr3.dat (copy of 3jelori.dat in same directory)
Attachments
pass: infected
(84.72 KiB) Downloaded 89 times
  • 1
  • 9
  • 10
  • 11
  • 12
  • 13
  • 16