[en] …and another Police Ransomware


Just got an exploit from malvertising on tubemotion.com

and again and again, from the Clicksor network:
then it jumps to

and then the iframe to the Exploit Kit:

So we got:

The dropper made some connections and then loaded an instance of svchost.exe to inject into it.
After that, the fake warning page is displayed and blocks the session.

The detection is not good: https://www.virustotal.com/latest-report.html?resource=e744d46569e3b5c100edfc4257ac62057bf8fa11

SHA256: 2e6d9ae132af7f20fecfc2c21a0b53175e2a392b857a14b28ededbfc31623850
File name: 274115b4ce90082b65832b777cd12f7f
Detection ratio: 5 / 46
Analysis date: 2012-12-07 21:15:54 UTC
ESET-NOD32 a variant of Win32/Kryptik.AQDM 20121207
Fortinet W32/Zbot.MZ!tr 20121207
Kaspersky UDS:DangerousObject.Multi.Generic 20121207
Panda Suspicious file 20121207
Sophos Mal/EncPk-AHX 20121207 

Before displaying the fake warning page, the malware made many POST requests on port 35516

and also on port 80:
POST http://svictrorymedia.ru/mDo8jp?LarEoGycvALKG=thNcfQGuSRpDFo - DIRECT/ text/html

and the fake police ransom warning is downloaded.

The malware also posts periodically to this server, which sits behind fast-flux DNS:

1354918384.539 961 TCP_MISS/200 337 POST http://shopgreatvideonax.com/lib.php - DIRECT/ text/html
1354918389.583 1969 TCP_MISS/200 340 POST http://shopgreatvideonax.com/lib.php - DIRECT/ text/html
1354918400.922 1824 TCP_MISS/200 331 POST http://shopgreatvideonax.com/lib.php - DIRECT/ text/html

This variant uses the same skin as the Urausy variant.

The Ukash code is sent by a GET to a page like http://host.tld/rep/save.php?vers=1DB0FD4GH5&cval=100&db=0935ee09;103&pin=Ukash_number&ranstr=IbvdhZHhEhC2SyokSM7qxnIBghepw4Mi9goOsJZqZzAWT6K6wxDeVAIsg0TEuNZZc5UAtTi5WuE6mvfEauhTT
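To turn the two network traits above (the periodic POSTs to lib.php and the GET carrying the voucher number) into something a proxy-log review can flag, here is an added example that is not part of the original post. It parses lines in the same shape as the proxy log quoted above; the three shopgreatvideonax.com lines are the post's own, the remaining lines and the host "host.example" are constructed here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the layout of the proxy log quoted in the post:
# "<epoch> <elapsed_ms> <code/status> <bytes> <method> <url> - <hierarchy> <type>".
# The shopgreatvideonax.com lines are the post's; the other two are made up.
SAMPLE_LOG = """\
1354918384.539 961 TCP_MISS/200 337 POST http://shopgreatvideonax.com/lib.php - DIRECT/ text/html
1354918385.100 120 TCP_HIT/200 5120 GET http://example.org/index.html - NONE/ text/html
1354918389.583 1969 TCP_MISS/200 340 POST http://shopgreatvideonax.com/lib.php - DIRECT/ text/html
1354918400.922 1824 TCP_MISS/200 331 POST http://shopgreatvideonax.com/lib.php - DIRECT/ text/html
1354918450.000 500 TCP_MISS/200 210 GET http://host.example/rep/save.php?vers=1DB0FD4GH5&cval=100&db=0935ee09;103&pin=1234567890123456789&ranstr=AbCdEf - DIRECT/ text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<status>\S+)\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = float(d["ts"])
            entries.append(d)
    return entries

def find_post_beacons(entries, min_hits=3, max_gap=60.0):
    """Return {url: hits} for URLs that receive repeated POSTs where every gap
    between consecutive requests is at most max_gap seconds (check-in pattern)."""
    by_url = {}
    for e in entries:
        if e["method"] == "POST":
            by_url.setdefault(e["url"], []).append(e["ts"])
    beacons = {}
    for url, stamps in by_url.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits and all(g <= max_gap for g in gaps):
            beacons[url] = len(stamps)
    return beacons

def find_voucher_exfil(entries, required=("pin", "ranstr", "cval")):
    """Return hosts contacted by a GET whose query string carries all the
    parameters seen in the post's save.php URL (voucher number plus session token)."""
    hits = []
    for e in entries:
        if e["method"] == "GET":
            parts = urlsplit(e["url"])
            if all(k in parse_qs(parts.query) for k in required):
                hits.append(parts.hostname)
    return hits
```

The thresholds (3 hits, 60 s) are chosen to fit the three quoted lines; on a real proxy log they should be tuned per client, since the quoted layout carries no client address.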


The malware is deployed only in the session from which it was launched, not on the entire system.
The malware modified the Shell key in the HKEY_USERS hive, not in the HKEY_LOCAL_MACHINE hive.
Note that the file ldr.mcb does not seem to be named randomly. No information from Google on it.

Then, when the session starts, svchost.exe launches an X.tmp file that displays the fake police warning page.
In fact, ldr.mcb and the X.tmp file are the same file.

The detection is not bad: https://www.virustotal.com/file/009d449e202e1ecdef01146ed7049b87da394b02d2a47ca31d3487bd085d24b1/analysis/1354916197/
=> http://malwaredb.malekal.com/index.php?hash=aee4ce9d6f292f5b22e329fd3184f164

SHA256: 009d449e202e1ecdef01146ed7049b87da394b02d2a47ca31d3487bd085d24b1
File name: 1.tmp
Detection ratio: 10 / 46
Analysis date: 2012-12-07 21:36:37 UTC
Agnitum Packed/PECompact 20121207
BitDefender Gen:Variant.Kazy.124214 20121207
eSafe Suspicious File 20121205
F-Secure Gen:Variant.Kazy.124214 20121207
GData Gen:Variant.Kazy.124214 20121207
Jiangmin Trojan/Blocker.akp 20121207
Kaspersky Trojan-Ransom.Win32.Blocker.uul 20121207
Malwarebytes Trojan.Inject 20121207
McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.C 20121207
MicroWorld-eScan Gen:Variant.Kazy.124214 20121207

This is the first time I have seen this variant, so it is probably new; it may be related to the STOP Piracy variant (Chidol): https://www.malekal.com/2012/11/29/ransomware-stop-piracy-document-maitre-des-infractions/ (I was unable to get the dropper working).
This malware may also have some data-stealing features.

Anyway, thanks again to Clicksor for spreading new shit.
