A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27366  by l0wlevel
 Sun Dec 06, 2015 12:03 pm
I'll just say one thing. If both Ross Ulbricht and Variety Jones were caught, the operators of these ransomwares are not safe either, they will be caught.
 #27402  by p1nk
 Sat Dec 12, 2015 3:25 pm
l0wlevel wrote:I'll just say one thing. If both Ross Ulbricht and Variety Jones were caught, the operators of these ransomwares are not safe either, they will be caught.
Ulbricht had made quite a few OPSEC failures. Are you suggesting the use of BTC may lead to arrest?
 #27636  by sysopfb
 Wed Jan 13, 2016 2:27 pm
version=3.0.0 is attached

.xxx extensions

C2 list:
Code: Select all
hxxp://dawnlogistics.com/wp-content/themes/sketch/dbsys.php
hxxp://yavuzturk.com/wp-includes/dbsys.php
hxxp://thevictorianmotel.com/wp-content/themes/sketch/dbsys.php
hxxp://elle-ectric.com/wp-content/themes/sketch/dbsys.php
hxxp://nicasitios.com/dbsys.php
hxxp://f1autobody.com/wp-content/themes/sketch/dbsys.php 
Targetted file extensions:
Code: Select all
.sql
.mp4
.7z
.rar
.m4a
.wma
.avi
.wmv
.csv
.d3dbsp
.upk
.das
.iwi
.litemod
.asset
.forge
.ltx
.bsa
.apk
.re4
.sav
.lbf
.slm
.bik
.epk
.rgss3a
.pak
.big
wallet
.wotreplay
.xxx
.desc
.py
.m3u
.flv
.js
.css
.rb
.png
.jpeg
.txt
.p7c
.p7b
.p12
.pfx
.wb2
.rtf
.wpd
.dxg
.xf
.dwg
.pst
.accdb
.mdb
.pptm
.pptx
.ppt
.xlk
.xlsb
.xlsm
.xlsx
.xls
.wps
.docm
.icxs
.hvpl
.hplg
.hkdb
.mdbackup
.syncdb
.gho
.cas
.svg
.sb
.wmo
.map
.itm
.wmo
.itm
.sb
.fos
.mov
.vdf
.ztmp
.sis
.sid
.ncf
.menu
.layout
.dmp
.blob
.esm
.vcf
.vtf
.dazip
.fpk
.mlx
.kf
.iwd
.vpk
.tor
.psk
.rim
.w3x
.zip
.sie
.sum
.ibank
.t13
.t12
.qdf
.gdb
.tax
.pkpass
.bc6
.bc7
.bkp
.qic
.bkf
.sidn
.sidd
.mddata
.itl
.itdb
.fsh
.ntl
.arch00
.lvl
.snx
.cfr
.ff
.vpp_pc
.lrf
.m2
.mcmeta
.vfs0
.mpqge
.kdb
.db0
.dba
.rofl
.raf
.hkx
.bar
.erf
.cdr
.indd
.ai
.dcr
.cr2
.crw
.bay
.sr2
.srf
.arw
.3fr
.dng
.jpe
.jpg
.eps
.pdf
.pdd
.psd
.dbf
.mdf
.rw2
.rwl
.raw
.orf
.nrw
.mrwref
.mef
.kdc
.docx
.doc
.odb
.odc
.odm
.odp
.ods
.odt
.pem
.crt
.cer
.der
.x3f
.srw
.pef
.ptx
.r3d
Hardcoded reg keys:
HKCU\Software\xxxsys
"ID" which is the inst_id from the decrypted traffic
HKCU\software\<string of inst_id>
"data"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"meryHmas"
Attachments
pw: infected
(187.54 KiB) Downloaded 83 times
Last edited by sysopfb on Wed Jan 13, 2016 5:17 pm, edited 1 time in total.
 #27648  by sysopfb
 Thu Jan 14, 2016 8:46 pm
Previous versions for me would always check into the C2 first before encrypting the files. It appears they now encrypt the files before checking in with this new version.
 #27751  by ccm290
 Wed Jan 27, 2016 12:40 am
Hello,

I am new to malware analysis, as I am studying reverse engineering this semester at my university. I was interested in choosing this as my malware sample for my project, but I am having issues with it. Is the attachments given contain encrypted versions of the malware? Its not an executable when I download it, which is what I need for my project. Thanks for any advice.
 #27754  by EP_X0FF
 Wed Jan 27, 2016 4:45 am
ccm290 wrote:Hello,

I am new to malware analysis, as I am studying reverse engineering this semester at my university. I was interested in choosing this as my malware sample for my project, but I am having issues with it. Is the attachments given contain encrypted versions of the malware? Its not an executable when I download it, which is what I need for my project. Thanks for any advice.
They are encrypted executables, add *.exe extension and use.
 #27808  by sysopfb
 Tue Feb 02, 2016 6:55 pm
ver=3.0.0a in attached

Came from piglyeleutqq.com/80.exe

unpack on rtldecompressbuffer

C2 encryption key changed to 0324532423723948572379453249857

Lots of recrypted versions of the same build and some old ones on there as well:
Code: Select all
# md5sum *.exe
5993e0215948ab25054cc87a7af7d411  23.exe
1cdb1cd3d4242d3e2a50ca87fcdc5638  24.exe
735c75f840ba2e20eae53fad6482e355  25.exe
9bf713e8a5e8884de865c461cf360a3d  26.exe
b70833aa66de4c27376f444f05408a76  29.exe
70c66ead40e95701bce2bb8e34806b4b  30.exe
6e1cae591e93164153741ec30f3d2ccb  33.exe
566a29fc5bd4c4efaa992a319a972343  51.exe
b8a65ca1b8f56aebb88e1e1f2874de08  53.exe
2a2710322dc401e65b809e808dd1fe2c  59.exe
48176dc6ce2447d74dae94445f4a38b2  65.exe
0e329f787ada49f66c93d05fe9d0e378  80.exe
88b486433546c6796a4f84edf030f0c8  85.exe
c48ad3dff9f7de9a1fca3eda356dd240  87.exe
c60a921527b7fcd06e6b0c092275bfa1  89.exe
89e4231d57f531fbaf9e396aa468deaa  90.exe
244d8ff62cb2e35983a88899c05d00d1  91.exe
1680835ab6998271127b9d172cf1c691  93.exe
23248f93533e61875c91fd6845b7869b  94.exe
f3585b95b8c1407435f8af0fdde7d7c2  97.exe
Attachments
pw:infected
(390.65 KiB) Downloaded 78 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7