A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #10573  by GMax
 Sat Dec 24, 2011 7:39 pm
Image

FileName: xxx_porno.exe
Size: 116 Kb (119296 byte)
Data/Time compile: 08.01.2008 / 15:43:37 UTC
MD5: 41789c704a0eecfdd0048b4b4193e752
SHA1: fb1e8385691fa3293b7cbfb9b2656cf09f20e722
PEiD: ['UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser']
www.virustotal.com

Call number:
79091516876
79670416917
79096507761
79036688774
79096507761
Unlock code: 123123123

url: hxxp://pornoxnx-freex2f.ru/c/
Attachments
pass: malware
(172.26 KiB) Downloaded 129 times
 #10582  by GMax
 Sun Dec 25, 2011 1:43 pm
Number to call:
79091573472
79031626958
79670417054
79653751922
79091616156
79653768834
Unlock code: 203333258
 #10587  by GMax
 Mon Dec 26, 2011 4:20 am
Number to call:
79653883959
79099857659
79647794075
79037310711
79091558696
79037310711
Unlock code: 802225889
 #10592  by GMax
 Mon Dec 26, 2011 10:29 am
Number to call:
79091515636
79067977604
79636617491
79091575826
79031627026
79091575826
Unlock code: 338744522
 #10593  by EP_X0FF
 Mon Dec 26, 2011 11:36 am
Some info about this new ransom that now replaced LockEmAll.

Runs from:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell


Terminates Explorer while execution, prevents user work - usual ransomware behavior.

File is dropped through Blackhole Exploit Kit, so on vulnerable systems it may autostart right after user visited compromised site.

Malware repacks everyday, probably few time per day - nothing changes, except obfuscation.

Quick unpack, code/tel extract information for these who are lazy.

This ransom is as always nothing special and authors using combination with well-known packers and custom made obfuscation. This one is UPX->Obfuscator->UPX->Delphi. Warning: since malware obfuscation layer may change in any time, do all this in protected environment, for example on masqueraded (in case of possible vm-detections on obfuscation level that can be added in future) virtual machine.

Unpack, deobfuscate.

1. Load malware in OllyDbg, set break on NtWriteVirtualMemory
2. Once break is hit, see malware memory regions map (with what ever, I use internal tool) as on figure below (sorted by Allocation Protect)

Image

take region that has greater size (or you can simple locate image signatures in region - whatever).

3. Dump it on disk, cut garbage if it has it on the beginning. Now you have original malware stub.
4. Remove UPX to get clean Delphi code.

Extracting unblock code

1. Load in disassembler and locate GetWindowTextA call. Because this is Delphi compiler actual call to WinAPI will be represented as stub, see figure below

Image

2. Look-up place from where this stub is called. In example case it is CODE:0040660C. This is internal routine that used to read text from the given control. Lets call it GetControlText.
See references to this routine, for example for IDA

Image

3. Jump to reference. You are in main malware handler.
4. When correct code is entered malware kills itself and restart Explorer.exe (which is terminates on ransom start). Ransom doing this by calling WinExec. Locate this function call.
5. Now look above code, there is the unblock code checking code. First it passes valid hardcoded unblock code (stored as ansi string), and then calls internal routine called LStrCmp. Regarding to results of compare malware displays fcuk off message or removes itself.

Image

Extracting tel numbers

While working main window of this ransom is called "windowssecurity". Open unpacked and deobfuscated file and locate this ansi string. Here we go - all numbers will be clearly visible somewhere near this string.

Image

P.S.

This is primitive ransomware coded by script-kiddies, however this does not makes it less dangerous than any other malware and due to blocking nature it is much more annoying, so inexperienced users may be forced to do Windows reinstall. Remember - as always nobody from ransom side will not provide unblock code, even if you pay them. This is pure extortion and fraud.

See attach for sample (+unpacked) I used to write this post.
Attachments
pass: malware
(78.89 KiB) Downloaded 98 times
 #10595  by GMax
 Mon Dec 26, 2011 12:01 pm
Number to call:
79636615561
79091576703
79091513102
79096504460
79067392968
79096504460
Unlock code: 287448555
 #10611  by GMax
 Mon Dec 26, 2011 6:50 pm
Number to call:
79645610480
79060971048
79670416973
79037310584
79067981907
79037310584
Unlock code: 203477777
 #10621  by EP_X0FF
 Tue Dec 27, 2011 12:03 pm
79653979283
79653766306
79091516865
79091513046
79067982109
79091513046
Unblock code: 304887474

For all this ransom builds works master code 9786775

Take a hint - this ransom does not remove itself from system after entering valid code, so after reboot it will be again set as default system shell instead of Explorer.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 7