I did not have enough time to analyze this deeper, so I am sharing what I got here. Please help to break it down further.
VT: https://www.virustotal.com/en/file/f509 ... 410205927/
Image of three infections:
Memory dump:
Code:
// hash: 8028ee3776ac68bb5789575e5a904465
// Locking timer Forensics.
// Env: WinVista | @unixfreaxjp - 20:53 Mon Sep 8 20:53:33 JST 2014
1. Window created
Window Name: +vgC>=_~!s_b0$>-TG)wIrh&8T*)Yg+t*5)Qwl%7zD{DVL3gRfDq~=(I(fNe}3{lSxJ[zD=mTN*}s^oj1%aOXo-6tKfE~64}T>B3lH+xdLOsOjLNUV&Porz[8s>m~[D6L_d<[7I[C#GP-3BZ_S]9TgVSiqr$_Z]gUEJ<~#%Lu(9[@Ix*(n_afsP^Q=k_AR5BgTeC *tfl%FT-e<()HaZz^3&MEXw=l5xxNWAgW~*7wgPbZtOo3QJ]XI[ZCiZG<p
Class Name: +vgC>=_~!s_b0$>-TG)wIrh&8T*)Yg+t*5)Qwl%7zD{DVL3gRfDq~=(I(fNe}3{lSxJ[zD=mTN*}s^oj1%aOXo-6tKfE~64}T>B3lH+xdLOsOjLNUV&Porz[8s>m~[D6L_d<[7I[C#GP-3BZ_S]9TgVSiqr$_Z]gUEJ<~#%Lu(9[@Ix*(n_afsP^Q=k_AR5BgTeC *tfl%FT-e<()HaZz^3&MEXw=l5xxNWAgW~*7wgPbZtOo3QJ]XI[ZCiZG<p
HWND: 50116
2. Input blocked On or Off: true | Mem Dmp Addr: 0x0403105 NtUserBlockInput
3. Malicious activity Calls (Memory Dump)
KillTimer.USER32 ref: 0x402EC3
PostQuitMessage.USER32(00000000) ref: 0x402EDB
DefWindowProcW.USER32 ref: 0x402EED
Part of subcall function 0x40223C: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,000F013F,00000000,00000000) ref: 0x40226E
Part of subcall function 0x40223C: RegSetValueExW.ADVAPI32(00000000,00000004,00000004) ref: 0x4022A5
Part of subcall function 0x40223C: RegSetValueExW.ADVAPI32(00000000,00000004,00000004) ref: 0x4022CA
Part of subcall function 0x40223C: RegFlushKey.ADVAPI32 ref: 0x4022CF
Part of subcall function 0x40223C: RegCloseKey.ADVAPI32 ref: 0x4022D8
SetTimer.USER32(00000002,00000001,00000000) ref: 0x402F0F
Part of subcall function 0x40532D: IsBadWritePtr.KERNEL32(00000000,00000000) ref: 0x405344
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,0x410AA8) ref: 0x402F3A
lstrcatW.KERNEL32(0x410AA8) ref: 0x402F57
Part of subcall function 0x405B82: inet_addr.WSOCK32(0x410AA8,0x402FBA) ref: 0x405B87
Part of subcall function 0x405B82: gethostbyname.WSOCK32 ref: 0x405B98
Part of subcall function 0x402B25: memset.NTDLL(00000000) ref: 0x402B4C
Part of subcall function 0x402B25: GetVersionExW.KERNEL32 ref: 0x402B65
Part of subcall function 0x402B25: GlobalMemoryStatusEx.KERNEL32 ref: 0x402B7D
Part of subcall function 0x402B25: GetSystemInfo.KERNEL32 ref: 0x402B87
Part of subcall function 0x402B25: GetCurrentProcess.KERNEL32 ref: 0x402BB8
Part of subcall function 0x4053FE: PathSkipRootW.SHLWAPI ref: 0x40541D
Part of subcall function 0x4053FE: GetFileAttributesW.KERNEL32 ref: 0x405445
Part of subcall function 0x4053FE: CreateDirectoryW.KERNEL32(00000000) ref: 0x405453
Part of subcall function 0x405EBA: lstrcpynA.KERNEL32(00000032,0x410AA8,00000000) ref: 0x405F14
GetModuleHandleW.KERNEL32 ref: 0x403022
GetModuleFileNameW.KERNEL32(00000104) ref: 0x403029
GetFileAttributesW.KERNEL32(0x410AA8) ref: 0x403030
SetFileAttributesW.KERNEL32(0x410AA8) ref: 0x40303B
Part of subcall function 0x404A47: CreateFileW.KERNEL32(80000000,00000001,00000000,00000003,02000000,00000000) ref: 0x404A99
Part of subcall function 0x404A47: GetFileTime.KERNEL32(0x401E0B) ref: 0x404AAF
Part of subcall function 0x404A47: CreateFileW.KERNEL32(00000100,00000000,00000000,00000003,02000000,00000000) ref: 0x404ACA
Part of subcall function 0x404A47: SetFileTime.KERNEL32(0x401E0B) ref: 0x404AE0
memset.NTDLL(00000000) ref: 0x403069
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,01000000,00000000,00000000) ref: 0x4030C6
BlockInput.USER32(00000001) ref: 0x4030FF
ShowWindow.USER32(00000005) ref: 0x40310A
BeginPaint.USER32 ref: 0x40311D
GetClientRect.USER32 ref: 0x403135
FillRect.USER32(00000006) ref: 0x403143
SetBkMode.GDI32(00000001) ref: 0x40314C
lstrlenW.KERNEL32 ref: 0x403188
DrawTextW.USER32 ref: 0x403194
Part of subcall function 0x40A2EF: GetLastError.KERNEL32(0x403C58) ref: 0x40A2FA
Part of subcall function 0x40A2EF: HeapFree.KERNEL32(00000000,0x403C58) ref: 0x40A32B
Part of subcall function 0x40A2EF: SetLastError.KERNEL32(0x403C58) ref: 0x40A332
Part of subcall function 0x40349C: GetHandleInformation.KERNEL32(00000000) ref: 0x4034B2
Part of subcall function 0x40349C: CloseHandle.KERNEL32 ref: 0x4034C3
EndPage.GDI32 ref: 0x4031A5
Part of subcall function 0x403763: GetCurrentProcessId.KERNEL32 ref: 0x40378D
Part of subcall function 0x403763: GetCurrentProcessId.KERNEL32 ref: 0x4037A8
lstrlenW.KERNEL32 ref: 0x4031D8
Part of subcall function 0x4013F2: SetErrorMode.KERNEL32(00008000) ref: 0x401400
Part of subcall function 0x4013F2: GetSystemWindowsDirectoryW.KERNEL32(00000104) ref: 0x401412
Part of subcall function 0x4013F2: lstrcatW.KERNEL32 ref: 0x40143F
SetTimer.USER32(00000001,00000000) ref: 0x403207
4. Malicious Activity Disassembly (Memory Dump)
0x402E8C push ebp
0x402E8D mov ebp, esp
0x402E8F and esp, FFFFFFF8h
0x402E92 mov eax, dword ptr [ebp+0Ch]
0x402E95 sub esp, 00000274h
0x402E9B push ebx
0x402E9C push esi
0x402E9D xor ebx, ebx
0x402E9F dec eax
0x402EA0 push edi
0x402EA1 je 0x4031B0h target: 0x4031B0
0x402EA7 dec eax
0x402EA8 je 0x402EF5h target: 0x402EF5
0x402EAA sub eax, 0Dh
0x402EAD je 0x403115h target: 0x403115
0x402EB3 dec eax
0x402EB4 je 0x402EF5h target: 0x402EF5
0x402EB6 sub eax, 00000103h
0x402EBB jne 0x402EE1h target: 0x402EE1
0x402EBD push dword ptr [ebp+10h]
0x402EC0 push dword ptr [ebp+08h]
0x402EC3 call dword ptr [0x40D200h] KillTimer@USER32.DLL (Import, 2 Params)
0x402EC9 mov eax, dword ptr [ebp+10h]
0x402ECC sub eax, ebx xref: 0x40308B
0x402ECE je 0x4030FDh target: 0x4030FD
0x402ED4 dec eax
0x402ED5 je 0x402F00h target: 0x402F00
0x402ED7 dec eax
0x402ED8 jne 0x402EE1h target: 0x402EE1
0x402EDA push ebx
0x402EDB call dword ptr [0x40D22Ch] PostQuitMessage@USER32.DLL (Import, 1 Params)
0x402EE1 push dword ptr [ebp+14h] xref: 0x403127 0x4031AB 0x402EBB 0x403110 0x402F1C 0x402FF6 0x4030F8 0x402F80 0x402ED8
0x402EE4 push dword ptr [ebp+10h]
0x402EE7 push dword ptr [ebp+0Ch]
0x402EEA push dword ptr [ebp+08h]
0x402EED call dword ptr [0x40D230h] DefWindowProcW@USER32.DLL (Import, 4 Params)
0x402EF3 mov ebx, eax ; <==== executed
0x402EF5 pop edi xref: 0x402EA8 0x402EB4
0x402EF6 pop esi
0x402EF7 mov eax, ebx
0x402EF9 pop ebx
0x402EFA mov esp, ebp
0x402EFC pop ebp
0x402EFD retn 0010h function end
0x402F00 call 0x40223Ch xref: 0x402ED5 target: 0x40223C
0x402F05 push ebx
0x402F06 xor edi, edi
0x402F08 inc edi
0x402F09 push edi
0x402F0A push 00000002h
0x402F0C push dword ptr [ebp+08h]
0x402F0F call dword ptr [0x40D1F0h] SetTimer@USER32.DLL (Import, 4 Params)
0x402F15 call 0x402E34h target: 0x402E34
0x402F1A test al, al
0x402F1C je 0x402EE1h target: 0x402EE1
0x402F1E push 00000208h
0x402F23 mov esi, 0x410AA8h
0x402F28 push esi
0x402F29 call 0x40532Dh target: 0x40532D
0x402F2E pop ecx
0x402F2F pop ecx
0x402F30 test al, al
0x402F32 je 0x402F40h target: 0x402F40
0x402F34 push esi
0x402F35 push ebx
0x402F36 push ebx
0x402F37 push 0000001Ah
0x402F39 push ebx
0x402F3A call dword ptr [0x40D1B8h] SHGetFolderPathW@SHELL32.DLL (Import, 5 Params)
0x402F40 push edi xref: 0x402F32
0x402F41 push D2B37023h
0x402F46 push 0000001Bh
0x402F48 push 0x40DD2Ch
0x402F4D call 0x403763h target: 0x403763
0x402F52 add esp, 10h
0x402F55 push eax
0x402F56 push esi
0x402F57 call dword ptr [0x40D110h] lstrcatW@KERNEL32.DLL (Import, 2 Params)
0x402F5D call 0x401F83h target: 0x401F83
0x402F62 test al, al
0x402F64 je 0x402F85h target: 0x402F85
0x402F66 lea edi, dword ptr [esp+10h]
0x402F6A mov dword ptr [esp+10h], ebx
0x402F6E mov byte ptr [esp+14h], 00000001h
0x402F73 mov dword ptr [esp+18h], 0x402CD1h
0x402F7B call 0x405EBAh target: 0x405EBA
0x402F80 jmp 0x402EE1h target: 0x402EE1
0x402F85 push ebx xref: 0x402F64
0x402F86 push 51A963ABh
0x402F8B push 00000002h
0x402F8D push 0x40DD48h
0x402F92 call 0x403763h target: 0x403763
0x402F97 push ebx
0x402F98 push 349518EAh
0x402F9D push 0000000Fh
0x402F9F push 0x40DD4Ch
0x402FA4 mov dword ptr [esp+4Ch], eax
0x402FA8 call 0x403763h target: 0x403763
0x402FAD add esp, 20h
0x402FB0 push dword ptr [esp+2Ch]
0x402FB4 push eax
0x402FB5 call 0x405B82h target: 0x405B82
0x402FBA pop ecx
0x402FBB push eax
0x402FBC call 0x402B25h target: 0x402B25
0x402FC1 push esi
0x402FC2 call 0x4053FEh target: 0x4053FE
0x402FC7 add esp, 0Ch
0x402FCA push esi
0x402FCB call 0x4023C5h target: 0x4023C5
0x402FD0 pop ecx
0x402FD1 call 0x40295Ah target: 0x40295A
0x402FD6 mov dword ptr [esp+10h], edi
0x402FDA lea edi, dword ptr [esp+10h]
0x402FDE mov byte ptr [esp+14h], 00000001h
0x402FE3 mov dword ptr [esp+18h], 0x402CD1h
0x402FEB call 0x405EBAh target: 0x405EBA
0x402FF0 cmp dword ptr [0x410CB4h], ebx 0x00000000
0x402FF6 je 0x402EE1h target: 0x402EE1
0x402FFC call 0x401E15h target: 0x401E15
0x403001 push 00000001h
0x403003 push 2B7588E7h
0x403008 push 0000000Ch
0x40300A push 0x40DD5Ch
0x40300F call 0x403763h target: 0x403763
0x403014 add esp, 10h
0x403017 push 00000104h
0x40301C lea ecx, dword ptr [esp+7Ch]
0x403020 push ecx
0x403021 push eax
0x403022 call dword ptr [0x40D080h] GetModuleHandleW@KERNEL32.DLL (Import, 1 Params)
0x403028 push eax
0x403029 call dword ptr [0x40D108h] GetModuleFileNameW@KERNEL32.DLL (Import, Unknown Params)
0x40302F push esi
0x403030 call dword ptr [0x40D07Ch] GetFileAttributesW@KERNEL32.DLL (Import, 1 Params)
0x403036 or eax, 06h
0x403039 push eax
0x40303A push esi
0x40303B call dword ptr [0x40D08Ch] SetFileAttributesW@KERNEL32.DLL (Import, 2 Params)
0x403041 lea eax, dword ptr [esp+78h]
0x403045 push esi
0x403046 push eax
0x403047 call 0x404A47h target: 0x404A47
0x40304C push dword ptr [0x410CB4h]
0x403052 call 0x4023E6h target: 0x4023E6
0x403057 add esp, 0Ch
0x40305A push esi
0x40305B call 0x4023A4h target: 0x4023A4
0x403060 pop ecx
0x403061 push 00000040h
0x403063 lea eax, dword ptr [esp+38h]
0x403067 push ebx
0x403068 push eax
0x403069 call 0x40A4E2h memset@NTDLL.DLL (Import, 2 Params) target: 0x40A4E2
0x40306E add esp, 0Ch
0x403071 mov dword ptr [esp+1Ch], ebx
0x403075 xor eax, eax
0x403077 lea edi, dword ptr [esp+20h]
0x40307B stosd
0x40307C push 00000001h
0x40307E push 9F12C8E3h
0x403083 stosd
0x403084 push 00000004h
0x403086 push 0x40DD6Ch
0x40308B mov dword ptr [esp+40h], 00000044h ASCII "D" (Chunk)
0x403093 stosd
0x403094 call 0x403763h target: 0x403763
0x403099 push dword ptr [0x410CB4h]
0x40309F push eax
0x4030A0 lea eax, dword ptr [esp+24h]
0x4030A4 push eax
0x4030A5 call 0x40469Ch target: 0x40469C
0x4030AA add esp, 1Ch
0x4030AD lea eax, dword ptr [esp+1Ch]
0x4030B1 push eax
0x4030B2 lea eax, dword ptr [esp+34h]
0x4030B6 push eax
0x4030B7 push ebx
0x4030B8 push ebx
0x4030B9 push 01000000h
0x4030BE push ebx
0x4030BF push ebx
0x4030C0 push ebx
0x4030C1 push dword ptr [esp+2Ch]
0x4030C5 push ebx
0x4030C6 call dword ptr [0x40D05Ch] CreateProcessW@KERNEL32.DLL (Import, 10 Params)
0x4030CC test eax, eax
0x4030CE je 0x4030E2h target: 0x4030E2
0x4030D0 mov esi, dword ptr [esp+20h]
0x4030D4 call 0x40349Ch target: 0x40349C
0x4030D9 mov esi, dword ptr [esp+1Ch]
0x4030DD call 0x40349Ch target: 0x40349C
0x4030E2 push dword ptr [esp+0Ch] xref: 0x4030CE
0x4030E6 call 0x40A2EFh target: 0x40A2EF
0x4030EB pop ecx
0x4030EC push dword ptr [0x410CB4h]
0x4030F2 call 0x40A2EFh target: 0x40A2EF
0x4030F7 pop ecx
0x4030F8 jmp 0x402EE1h target: 0x402EE1
0x4030FD push 00000001h xref: 0x402ECE
0x4030FF call dword ptr [0x40D210h] BlockInput@USER32.DLL (Import, 1 Params)
0x403105 push 00000005h ; <==== executed
0x403107 push dword ptr [ebp+08h]
0x40310A call dword ptr [0x40D214h] ShowWindow@USER32.DLL (Import, 2 Params)
0x403110 jmp 0x402EE1h target: 0x402EE1 ; <==== executed
0x403115 lea eax, dword ptr [esp+30h] xref: 0x402EAD
0x403119 push eax
0x40311A push dword ptr [ebp+08h]
0x40311D call dword ptr [0x40D208h] BeginPaint@USER32.DLL (Import, 2 Params)
0x403123 mov esi, eax
0x403125 cmp esi, ebx
0x403127 je 0x402EE1h target: 0x402EE1
0x40312D lea eax, dword ptr [esp+1Ch]
0x403131 push eax
0x403132 push dword ptr [ebp+08h]
0x403135 call dword ptr [0x40D204h] GetClientRect@USER32.DLL (Import, 2 Params)
0x40313B push 00000006h
0x40313D lea eax, dword ptr [esp+20h]
0x403141 push eax
0x403142 push esi
0x403143 call dword ptr [0x40D1F8h] FillRect@USER32.DLL (Import, 3 Params)
0x403149 push 00000001h
0x40314B push esi
0x40314C call dword ptr [0x40D048h] SetBkMode@GDI32.DLL (Import, 2 Params)
0x403152 push 00000001h
0x403154 push 8182F0FBh
0x403159 push 00000056h
0x40315B push 0x40DD78h
0x403160 call 0x403763h target: 0x403763
0x403165 push dword ptr [0x410CB0h]
0x40316B push eax
0x40316C lea eax, dword ptr [esp+24h]
0x403170 push eax
0x403171 call 0x40469Ch target: 0x40469C
0x403176 add esp, 1Ch
0x403179 test eax, eax
0x40317B je 0x4031A4h target: 0x4031A4
0x40317D push 00000025h
0x40317F lea eax, dword ptr [esp+20h]
0x403183 push eax
0x403184 push dword ptr [esp+14h]
0x403188 call dword ptr [0x40D0B8h] lstrlenW@KERNEL32.DLL (Import, 1 Params)
0x40318E push eax
0x40318F push dword ptr [esp+18h]
0x403193 push esi
0x403194 call dword ptr [0x40D1FCh] DrawTextW@USER32.DLL (Import, 5 Params)
0x40319A push dword ptr [esp+0Ch]
0x40319E call 0x40A2EFh target: 0x40A2EF
0x4031A3 pop ecx
0x4031A4 push esi xref: 0x40317B
0x4031A5 call dword ptr [0x40D044h] EndPage@GDI32.DLL (Import, 1 Params)
0x4031AB jmp 0x402EE1h target: 0x402EE1
0x4031B0 lea eax, dword ptr [esp+78h] xref: 0x402EA1
0x4031B4 push eax
0x4031B5 push 00000001h
0x4031B7 push E17754ACh
0x4031BC push 0000000Fh
0x4031BE push 0x40DD1Ch
0x4031C3 call 0x403763h target: 0x403763
0x4031C8 add esp, 10h
0x4031CB push eax
0x4031CC call 0x4036EAh target: 0x4036EA
0x4031D1 pop ecx executed
0x4031D2 pop ecx
0x4031D3 lea eax, dword ptr [esp+78h]
0x4031D7 push eax
0x4031D8 call dword ptr [0x40D0B8h] lstrlenW@KERNEL32.DLL (Import, 1 Params)
0x4031DE mov edi, eax
0x4031E0 add edi, edi
0x4031E2 lea eax, dword ptr [esp+78h]
0x4031E6 call 0x405BC4h target: 0x405BC4
0x4031EB mov dword ptr [0x410CB0h], eax
0x4031F0 call 0x4013F2h target: 0x4013F2
0x4031F5 sub dword ptr [0x4109DCh], eax executed
0x4031FB push ebx
0x4031FC push 00000001h
0x4031FE push dword ptr [0x4109DCh]
0x403204 push dword ptr [ebp+08h]
0x403207 call dword ptr [0x40D1F0h] SetTimer@USER32.DLL (Import, 4 Params)
0x40320D jmp 0x402EF5h swap point
Attachments
7z, pwd: infected
The bad actor was a known carder who ripped off fellow crooks, ended up in "wanted" status, and is now doing this locker.
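Added example, not code from the post or its author: a small Python parser for the "API.DLL(args) ref: 0xADDR" call-trace layout used in the dump above, which pulls out the behaviours that make this sample a locker (BlockInput(TRUE), a key written under HKEY_CURRENT_USER, CSIDL_APPDATA as the drop location, host-name resolution, and the SetTimer loop that re-locks). The TRACE sample is a hand-copied subset of the trace lines in the post; the indicator names are my own, while the constant values for HKEY_CURRENT_USER and CSIDL_APPDATA are the real Windows values.

```python
import re

# Constructed sample: a subset of the call-trace lines from the post, in the
# same "API.DLL(args) ref: 0xADDR" layout the memory-dump tool produced.
TRACE = """\
Part of subcall function 0x40223C: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,000F013F,00000000,00000000) ref: 0x40226E
Part of subcall function 0x40223C: RegSetValueExW.ADVAPI32(00000000,00000004,00000004) ref: 0x4022A5
SetTimer.USER32(00000002,00000001,00000000) ref: 0x402F0F
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,0x410AA8) ref: 0x402F3A
Part of subcall function 0x405B82: gethostbyname.WSOCK32 ref: 0x405B98
SetFileAttributesW.KERNEL32(0x410AA8) ref: 0x40303B
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,01000000,00000000,00000000) ref: 0x4030C6
BlockInput.USER32(00000001) ref: 0x4030FF
ShowWindow.USER32(00000005) ref: 0x40310A
"""

LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>0x[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\))? ref: (?P<ref>0x[0-9A-Fa-f]+)$")

HKEY_CURRENT_USER, CSIDL_APPDATA = 0x80000001, 0x1A   # real Windows constants

def parse_trace(text):
    """Return one dict per trace line: api, dll, parent (or None), ref, args as ints."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip headings and non-call lines
        args = [int(a, 16) for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "dll": m["dll"], "parent": m["parent"],
                      "ref": int(m["ref"], 16), "args": args})
    return calls

def locker_indicators(calls):
    """Map each locker behaviour seen in the trace to the call site that showed it."""
    found = {}
    for c in calls:
        a = c["args"]
        if c["api"] == "BlockInput" and a[:1] == [1]:
            found["input_blocked"] = c["ref"]          # BlockInput(TRUE)
        elif c["api"] == "RegCreateKeyExW" and a[:1] == [HKEY_CURRENT_USER]:
            found["hkcu_key_written"] = c["ref"]        # per-user persistence key
        elif c["api"] == "SHGetFolderPathW" and a[1:2] == [CSIDL_APPDATA]:
            found["appdata_drop_path"] = c["ref"]       # %APPDATA% resolved as drop dir
        elif c["api"] in ("gethostbyname", "inet_addr"):
            found["network_resolution"] = c["ref"]      # C2 host lookup
        elif c["api"] == "SetTimer":
            found["timer_loop"] = c["ref"]              # WM_TIMER driven re-locking
    return found
```

Run it on the full trace from the post to get every behaviour keyed by the address to jump to in the disassembly.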