A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9839  by Striker
 Tue Nov 22, 2011 11:21 pm
GMax wrote: Image
I've used a real Paysafecard (0,00€ credit), so it works. The serials will be locked after activating; unfortunately you cannot use it again.


or try it yourself.


0971570170772327
0445332279725611
 #9944  by EP_X0FF
 Mon Nov 28, 2011 6:32 am
markusg wrote:sx5u7frt55.exe
MD5   : f76e3c6d194cf1f4002c417e020e7c0b
https://www.virustotal.com/file-scan/re ... 1322421186
GEMA ransomware
Attached is the fully decrypted and unpacked sample. Crap is written in Delphi 7 using a special TdWinlock component that provides blocking features such as:

noCtrlAltDel - FALSE
noAltTab - TRUE
noAltEsc - TRUE
noAltF4 - TRUE
noCtrlEsc - TRUE
noWinkeys - TRUE
noAppkey - TRUE
noRButton - TRUE
noTaskbar - TRUE
noTaskLinks - TRUE
noTaskTray - TRUE
noAltReturn - TRUE
noAccessibilityShortcuts - TRUE
noShutdown - TRUE
noDesktop - TRUE
noStartbutton - TRUE
noStartMenu - TRUE
Version - 3.2
Attachments
pass: malware
(215.74 KiB) Downloaded 56 times
 #9982  by EP_X0FF
 Tue Nov 29, 2011 3:12 am
markusg wrote:svhcost.exe
MD5   : 316a119d9c4ba46a1ffdd01bc8de2a4a
https://www.virustotal.com/file-scan/re ... 1322507937
Equal to this

Attached is the decrypted working sample. Posts moved.
Attachments
pass: malware
(27.02 KiB) Downloaded 54 times