A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28841  by xors
 Fri Jul 08, 2016 8:39 am
This ransom has been active for a month at least. In the attachment, the unpacked and a sample from June (unpacked)

https://malwr.com/analysis/MDAxODE5ZjYx ... c1YTU3ZWQ/ (the unpacked)

More info for it http://www.malware-traffic-analysis.net ... ndex2.html
Attachments
Password:infected
(53.17 KiB) Downloaded 65 times
Password:infected
(52.59 KiB) Downloaded 65 times
 #28842  by benkow_
 Fri Jul 08, 2016 9:29 am
Callback part
Code: Select all
http://avtoship.com/123/index.php
(POST r=data)
logs available at
Code: Select all
http://avtoship.com/123/tmp/
pass.txt:
Code: Select all
id-4104339464||69642D343130343333393436345F336F6237743273747177416E7A4A4B6779753169784B5954564146653136797A6D374C636C5A4E316F31764B73397851436D59456E464C4F6753586400||JIM-79798990729||Windows XP||x32||220.135.36.37||07.08.2016 08:28:07||Taiwan||
id-2099905216||69642D323039393930353231365F4E7167577061724870316F425455676543524455506A334C633430516359386C4A38346641566E5649676E6B62586F5966524A5163756E484E37746800||JZH-66013BBA03F||Windows XP||x32||220.181.171.88||07.08.2016 08:28:07||China||
id-526283865||69642D3532363238333836355F7647576F476A326C5A4F33444C315561524C764F33353845656C71617A6B775345434258696C5975483936536273645376703337785642505741386F00||ARTHUS-11C5D791||Windows XP||x32||220.181.171.88||07.08.2016 08:28:14||China||
id-1713469098||69642D313731333436393039385F4A68443971706331454B5648667670734D6451747246346D7543376852365843595A436D4131343369314672396D59706162505664504B456744654A00||JOHN-PC||Windows 7||x64||198.50.200.138||07.08.2016 08:41:07||Canada||
id-4199142932||69642D343139393134323933325F4F62504F684A386938555A5444626F4F496348314F584D4C6462564B437A3667665242476D4F6C386167476E615A5348476C75474F7267436D437A3800||PLACEHOL-6F699A||Windows XP||x32||185.100.85.236||07.08.2016 08:41:13||Romania||
id-3393493194||69642D333339333439333139345F724A734265577371794A346149786851364533686F326B576B645A64707A587861536E50716E787478417A5762705458595134506839507A574D743300||KLONE-PC||Windows 7||x32||202.56.255.50||07.08.2016 08:42:41||India||
id-1418384705||69642D313431383338343730355F75676C494F39307132396E506C43746D514732597658424C75704F4671584669447572664A757242337776504F6F4A655776575A49664B7642596A4D00||KLONE_X64-PC||Windows 7||x64||202.56.255.50||07.08.2016 08:44:23||India||
id-216759949||69642D3231363735393934395F533549774779444752677533794A37734D3837307949384C6C343631664E4F39334D62636B72644E5751423935477A5472564E7631796E544D5A4A4100||XPTEST||Windows XP||x32||95.211.168.97||07.08.2016 09:16:44||Netherlands||
id-216759949||69642D3231363735393934395F66494E39663746674F7A68764A5A30556C61684657796C72586A654339706339693250446C5A59686B4B76516949773533506E5143446468766E437300||XPTEST||Windows XP||x32||95.211.168.97||07.08.2016 09:26:44||Netherlands||
report.txt
Code: Select all
id-526283865||10142||433||220.181.171.88||07.08.2016 08:29:31||
id-2099905216||6890||978||220.181.171.88||07.08.2016 08:31:07||
id-4199142932||141||279||185.100.85.236||07.08.2016 08:41:15||
id-1713469098||178||944||198.50.200.138||07.08.2016 08:41:27||
id-3393493194||7726||1375||202.56.255.50||07.08.2016 08:43:57||
id-216759949||222||5||95.211.168.97||07.08.2016 09:17:30||
id-216759949||205||3||95.211.168.97||07.08.2016 09:27:29||
 #28894  by ea56f45e66e2c
 Fri Jul 15, 2016 3:13 pm
The dropper uses RunPE technique : spanws another pizzacrypts suspended process, unmaps the sections and writes the upx-packed payload inside, then terminates the current process.

Some weird anti-debug behaviors in the unpacked payload.
It compares running processes with this list :
Code: Select all
ollydbg.exe
idag.exe
idag64.exe
idaw.exe
idaw64.exe
scylla.exe
scylla_x64.exe
scylla_x86.exe
protection_id.exe
x64_dbg.exe
windbg.exe
reshacker.exe
ImportREC.exe
IMMUNITYDEBUGGER.EXE
Then calls DbgPrint("fuck") (despite being user mode) when a name matches and after each process name comparison.

Also contains the following strings :
Code: Select all
sbiedll.dll
dbghelp.dll
api_log.dll
dir_watch.dll
pstorec.dll
vmcheck.dll
wpespy.dll
vboxhook.dll
vboxmrxnp.dll
but only checks for vboxhook.dll and vboxmrxnp.dll, tries to load them, then calls ExitProcess() if loading was successful.

Then, like Satana but in a more subtle way, the payload triggers the UAC and tries to fool users into re-executing itself with admin rights by calling and looping on :
Code: Select all
"C:\Windows\SysWOW64\wberm\WMIC.exe" process call create "C:\Pizzacrypts.exe"
avtoship.com has been taken down, any new sample or is this crap fading away ?