A forum for reverse engineering, OS internals and malware analysis 

 #7208  by gjf
 Mon Jul 11, 2011 11:09 am
rkhunter wrote: OK, but I tested MSE on detecting/removing Mayachok.2 and it did not detect it with the latest update. Actually, I did a quick scan.
What is Mayachok.2? If it is Rootkit.CiDox, it could be caused by the non-standard infection mechanism. The IPL is not the MBR, and this is a problem now not only for Microsoft.

BTW, it can be cured by a simple fixboot from the recovery console.
 #7209  by EP_X0FF
 Mon Jul 11, 2011 12:19 pm
New domain.

hxxp://ebemnayaziki.ru/xxxvideo.avi.exe
hxxp://valenkirusporno.ru/xxxvideo.avi.exe

Unblock code the same as the previous one, H701630.
 #7218  by EP_X0FF
 Mon Jul 11, 2011 5:07 pm
Source

hxxp://hammanshamanxxx.ru/xxxvideo.avi.exe

Numbers to call:
89645917027
89645917026
89629880436
89091621297
89091621260
89091621308
89099967905
89629900734
89629901098
89629880459
Unblock code: K91732109

Attached: dropper and decrypted payload.

hxxp://kseksporno.ru/xxxvideo.avi.exe
hxxp://yurpornoxxxxx.ru/xxxvideo.avi.exe

Number to call:
89859612064
Unblock code: 70093112

Number to call:
89645912917
89645617404
89645617374
89645617262
89645617259
89645617210
89645619795
89645619741
89645619648
89645619492
Unblock code: Z0907419

EDIT:

hxxp://vazneunitazxxx.ru/xxxvideo.avi.exe

Number to call:
89645917027
89645917026
89629880436
89091621297
89091621260
89091621308
89099967905
89629900734
89629901098
89629880459
Unblock code: T610381D

EDIT2:

hxxp://mitsubishierotica.ru/xxxvideo.avi.exe

Unblock code the same as the previous one.

EDIT3:

hxxp://toyotasexix.ru/xxxvideo.avi.exe

Unblock code the same.

EDIT4:

hxxp://mazdayayci.ru/xxxvideo.avi.exe

Number to call:
89162886186
Unblock code: 651073RD

EDIT5:

hxxp://pornodetall.ru/xxxvideo.avi.exe

Number to call:
89645917027
89645917026
89629880436
89091621297
89091621260
89091621308
89099967905
89629900734
89629901098
89629880459
Unblock code: M103917D

EDIT6:

hxxp://migapilossex.ru/xxxvideo.avi.exe
hxxp://futuresexxx.ru/xxxvideo.avi.exe

Unblock code the same as the previous one.

EDIT7:

hxxp://linamuilavski.ru/xxxvideo.avi.exe

Number to call:
89672692932
89672692931
89672692930
89672692928
89672692927
89672692921
Unblock code: Q103912D

EDIT8:

hxxp://misstuberux.ru/xxxvideo.avi.exe
hxxp://ssssaniedirki.ru/xxxvideo.avi.exe

Number to call:
89670627530
89652276281
89652276300
89671068927
89671071205
89671068912
Unblock code: V710482D
Attachments (pass: malware)
 #7224  by EP_X0FF
 Tue Jul 12, 2011 9:43 am
kseksporno.ru and its alias yurpornoxxxxx.ru have been blocked by the hoster due to abuse.
 #7279  by Xylitol
 Thu Jul 14, 2011 4:24 pm
How to debug MBR Ransomware.
(taken from my blog)


I received several questions about the previously posted MBRLock, so the idea here is to sum it all up: a tiny tutorial for pwning these lockers.

First, get infected (lol). You have two options: browse a fake porn site and grab the exe, or visit an infected webpage that leads to MBRLock execution.
[screenshot]

[screenshot]

The xxxvideo.avi.exe file generally has a size of ~61 KB and most of the time uses a VB crypter.
It spawns a new copy of its own process, decrypts the payload, writes it to the new process's ImageBaseAddress and then resumes the main thread.
A quick way to unpack it is to set breakpoints on CreateProcess/WriteProcessMemory, but here the unpacking is not really important (we just want the MBR, right?)
[screenshot]

A fast way is to use HideToolz by Fyyre and enable its reboot protection; then you can infect your machine, and HideToolz will block the ExitWindowsEx call done by MBRLock.

The MBR is infected... what now?
To make a dump, I personally know two ways: Hiew and HDHacker.

HDHacker is really handy:
[screenshot]

Hiew is the fastest (and used by most malware researchers?)
[screenshot]

To make a dump with Hiew, load it like this: hiew32 \\.\PhysicalDrive0

Then, in hex mode, press * to mark the start of the infected block and * again to mark its end,
then F2 to save the dump.
[screenshot]

Now we have a copy of our infected MBR.
To debug it we will use IDA Pro, but first you need the right packages:
- Bochs
- Python 2.6
- IDAPython
- MBR package of Elias

Install them all, then build your image file with mbr.py.
Or just open a command prompt, make sure IDA is in the path (set path=%path%;"C:\Program Files\IDA 6" for example) and run ida.bat; it will take care of the rest.
[screenshot]

Drag 'n' drop your bochsrc file onto IDA, and you can start debugging, if everything loads properly :þ
[screenshot]

To do it fast with these lame lockers:
[screenshot]

[screenshot]

Nj0y ~
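Once the sector has been saved from Hiew (F2), it is worth sanity-checking the dump before loading it into IDA/Bochs. The script below is an added example (my own code, not Xylitol's or anything from the original post): it reads a 512-byte MBR dump, verifies the 55AA boot signature, parses the partition table to locate the active partition's first sector (the VBR/IPL that gjf's fixboot remark refers to), pulls printable strings out of the bootstrap area (where a locker's "enter unblock code" text ends up), and compares the bootstrap code against a known-good SHA-256. The two sample sectors, their strings, partition values and reference hash are all constructed inline for the demo and do not come from any real MBRLock variant.

```python
"""Sanity-check a dumped MBR sector before debugging it.

Added example; not code from the original post. The sectors returned by
build_sample_mbr() are constructed for this demo, not real dumps."""
import hashlib
import struct

SECTOR = 512
CODE_END = 0x1B8          # bootstrap code occupies 0x000..0x1B7
DISK_SIG_OFF = 0x1B8      # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE    # 4 x 16-byte partition entries
SIG_OFF = 0x1FE
BOOT_SIG = b"\x55\xAA"


def read_mbr(path):
    r"""Read the first sector from a dump file or a raw device
    (e.g. \\.\PhysicalDrive0 on Windows; needs administrator rights)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def parse_partitions(mbr):
    """Return the non-empty partition-table entries as dicts."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba, nsect = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0:
            continue            # unused slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba": lba,
            "sectors": nsect,
            # The partition's VBR (the IPL) is its first sector.
            "vbr_offset": lba * SECTOR,
        })
    return parts


def ascii_strings(blob, minlen=6):
    """Printable ASCII runs in the bootstrap area (locker UI text shows up here)."""
    out, cur = [], bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= minlen:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= minlen:
        out.append(cur.decode("ascii"))
    return out


def check_mbr(mbr, clean_code_sha256=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if len(mbr) != SECTOR:
        return ["dump is %d bytes, expected %d" % (len(mbr), SECTOR)]
    if mbr[SIG_OFF:SIG_OFF + 2] != BOOT_SIG:
        findings.append("missing 55AA boot signature at 0x1FE")
    active = [p for p in parse_partitions(mbr) if p["bootable"]]
    if len(active) != 1:
        findings.append("%d active partitions, expected exactly 1" % len(active))
    digest = hashlib.sha256(mbr[:CODE_END]).hexdigest()
    if clean_code_sha256 is not None and digest != clean_code_sha256:
        findings.append("bootstrap code sha256 %s... differs from clean reference" % digest[:16])
    return findings


def build_sample_mbr(code):
    """Constructed 512-byte sector for offline testing (not a real dump)."""
    assert len(code) <= CODE_END
    mbr = bytearray(SECTOR)
    mbr[:len(code)] = code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x1234ABCD)   # arbitrary disk signature
    # Entry 0: active, type 0x07 (NTFS), first sector LBA 2048, 1 GiB of sectors.
    # CHS fields are filler; the LBA values are what matter here.
    entry = struct.pack("<BBBBBBBBII", 0x80, 0x20, 0x21, 0x00, 0x07,
                        0xFE, 0xFF, 0xFF, 2048, 2097152)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[SIG_OFF:SIG_OFF + 2] = BOOT_SIG
    return bytes(mbr)


# Stand-ins for a clean Windows MBR and a locker MBR (both constructed).
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 8
                             + b"Invalid partition table\x00")
CLEAN_CODE_SHA256 = hashlib.sha256(CLEAN_MBR[:CODE_END]).hexdigest()
LOCKER_MBR = build_sample_mbr(b"\xFA\x31\xC0\x8E\xD8\xCD\x13"
                              + b"Enter unblock code:\x00")

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("locker", LOCKER_MBR)):
        print(name, check_mbr(sector, CLEAN_CODE_SHA256) or "OK",
              ascii_strings(sector[:CODE_END]))
    for p in parse_partitions(LOCKER_MBR):
        print("partition %d: type 0x%02X, VBR at byte offset %d"
              % (p["index"], p["type"], p["vbr_offset"]))
```

On a real machine, take the reference hash from a sector dumped before infection (or from a known-clean install of the same Windows version) and pass it as clean_code_sha256; the partition table and disk signature are deliberately excluded from the hash because they legitimately differ per machine. The vbr_offset of the active partition is where to seek next when a locker, as gjf notes for CiDox, lives in the IPL rather than the MBR.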
 #7287  by EP_X0FF
 Fri Jul 15, 2011 3:46 am
New domain name. The previous one was annihilated.
Crypter changed.

hxxp://govnobakovkaxxx.ru/xxxvideo.avi.exe

Number to call:
89639710397
89096698355
89639710524
89639710699
89670621885
89670621896
Unblock code: F710382D

hxxp://vaginudetrhr.ru/xxxvideo.avi.exe
hxxp://fatrmutrfaker.ru/xxxvideo.avi.exe

Number to call:
89036261519
89036641227
89036638831
89036277841
89036277968
89036299720
89036642904
89036631902
89036279647
89036602893
Unblock code: K105103D

hxxp://utubexxxvideo.ru/xxxvideo.avi.exe

Number to call:
89672695844
89036265004
89036264319
89036265319
89672695834
89672695833
89645076098
89096698344
Unblock code: Q120102D

hxxp://gigosporno.ru/xxxvideo.avi.exe

Number to call:
89645680274
89645681824
89645681894
89645682649
89645675422
89645675936
89645676219
89645675394
89645676093
89645631569
89645681824
89645675394
89645675422
89645675936
89645680274
Unblock code: D403873D
Attachments (pass: malware)
 #7324  by EP_X0FF
 Sat Jul 16, 2011 2:34 pm
This time the script-kiddies put some new VB crap on it; the method mentioned in Xylitol's blog post does not work for this one. They generated over 150 KB of sh*t. But it is not a problem.

Attached: original and unpacked.

Unblock code, phone numbers and source -> see previous post.
C:\Documents and Settings\Admin\Рабочий стол\VBCrypter\VBCrypter\Payload\Project1_Generated-1\ObfuscatedNr-1\nomrc_Generated-1\nomrc.vbp
Attachments (pass: malware)
 #7342  by EP_X0FF
 Sun Jul 17, 2011 2:20 am
mc0blck wrote: hxxp://dikiesu4ki.ru/xxxvideo.avi.exe
Skiddies additionally packed it with UPX to reduce the size from 200 KB.

Number to call:
89645630966
89645630631
89645631125
89645631261
89645631392
89645630966
89645630631
89645631125
89645631261
89645631392
89645630966
89645630631
89645631125
89645631261
89645631392
Unblock code: W100278D