My friend Raul sent me a sample of this ransomware, which is hitting thousands of computers around the world. As usual, it arrives in unsolicited e-mail as a .zip attachment with an obfuscated JavaScript file inside.
Emailing: MX62EDO 01.03.2016
When Raúl flagged it, VT showed it detected by only 3 of 55 antivirus engines; it is now detected by 33.
Icon of the threat once the .js has run.
The crypter layer is easy to strip: a breakpoint on ResumeThread stops execution just before the unpacked payload is allowed to run, and at that point we dump it with PETools.
Interesting strings
Text strings referenced in Dumped:.text
Address Disassembly Text string
004019CA MOV DWORD PTR SS:[EBP-4],Dumped.004138B4 ASCII "bad allocation"
00401B09 PUSH Dumped.004138D0 UNICODE "0123456789ABCDEF"
00401B78 PUSH Dumped.004138C4 UNICODE ".tmp"
00401D8D PUSH Dumped.004138D0 UNICODE "0123456789ABCDEF"
00401DF0 PUSH Dumped.004138F4 UNICODE ".locky"
0040253B PUSH Dumped.00413928 ASCII "invalid string position"
0040255A PUSH Dumped.00413918 ASCII "string too long"
00402607 PUSH Dumped.00413918 ASCII "string too long"
00402687 PUSH Dumped.00413918 ASCII "string too long"
00402763 PUSH Dumped.00413904 ASCII "vector too long"
00402832 PUSH Dumped.00413918 ASCII "string too long"
004028C4 PUSH Dumped.00413918 ASCII "string too long"
00402AE8 PUSH Dumped.00413928 ASCII "invalid string position"
00402B64 PUSH Dumped.00413928 ASCII "invalid string position"
00402D2E ASCII "L~",0
00402D85 PUSH Dumped.00413918 ASCII "string too long"
00403174 PUSH Dumped.00413940 UNICODE "\_Locky_recover_instructions.txt"
0040326D PUSH Dumped.004139BC ASCII "id="
00403281 PUSH Dumped.004139A8 ASCII "&act=stats&path="
004032A8 PUSH Dumped.0041399C ASCII "&encrypted="
004032D2 PUSH Dumped.00413990 ASCII "&failed="
004032F9 PUSH Dumped.00413984 ASCII "&length="
00403575 MOV EDI,Dumped.004139C0 ASCII "Windows 2000"
00403599 MOV EDI,Dumped.004139D0 ASCII "Windows XP"
004035A7 MOV EDI,Dumped.004139DC ASCII "Windows 2003"
004035B1 MOV EDI,Dumped.004139EC ASCII "Windows 2003 R2"
004035D3 MOV EDI,Dumped.004139FC ASCII "Windows Vista"
004035DA MOV EDI,Dumped.00413A0C ASCII "Windows Server 2008"
004035EA MOV EDI,Dumped.00413A20 ASCII "Windows 7"
004035F1 MOV EDI,Dumped.00413A2C ASCII "Windows Server 2008 R2"
00403602 MOV EDI,Dumped.00413A44 ASCII "Windows 8"
00403609 MOV EDI,Dumped.00413A50 ASCII "Windows Server 2012"
0040361A MOV EDI,Dumped.00413A64 ASCII "Windows 8.1"
00403621 MOV EDI,Dumped.00413A70 ASCII "Windows Server 2012 R2"
0040363E MOV EDI,Dumped.00413A88 ASCII "Windows 10"
00403645 MOV EDI,Dumped.00413A94 ASCII "Windows Server 2016 Technical Preview"
0040364C MOV EDI,Dumped.00413ABC ASCII "unknown"
004036C5 PUSH Dumped.00413CF4 ASCII "IsWow64Process"
004036CA PUSH Dumped.00413CE4 ASCII "kernel32.dll"
0040376F PUSH Dumped.004139BC ASCII "id="
0040377E PUSH Dumped.00413AF4 ASCII "&act=getkey&affid="
004037A5 PUSH Dumped.00413AEC ASCII "&lang="
004037CB PUSH Dumped.00413AE4 ASCII "&corp="
004037F7 PUSH Dumped.00413ADC ASCII "&serv="
00403820 PUSH Dumped.00413AD4 ASCII "&os="
00403847 PUSH Dumped.00413ACC ASCII "&sp="
0040386E PUSH Dumped.00413AC4 ASCII "&x64="
00403A33 PUSH Dumped.00413B08 ASCII "Tahoma"
00403DB4 MOV DWORD PTR SS:[ESP],Dumped.00413940 UNICODE "\_Locky_recover_instructions.txt"
00403DC5 PUSH Dumped.00413B10 UNICODE "\_Locky_recover_instructions.bmp"
00403E75 PUSH Dumped.00413B54 ASCII "Control Panel\Desktop"
00403F17 MOV ECX,Dumped.00413B70 ASCII "WallpaperStyle"
00403F9B MOV ECX,Dumped.00413B80 ASCII "TileWallpaper"
00403FE6 MOV EDI,Dumped.00413B90 UNICODE "open"
004040A9 PUSH Dumped.00413CC4 ASCII "Wow64DisableWow64FsRedirection"
004040AE PUSH Dumped.00413CE4 ASCII "kernel32.dll"
004040DA MOV ESI,Dumped.004137EF ASCII "188.138.88.184,31.184.197.119,51.254.19.227,5.34.183.195,185.14.29.188"
004041E3 PUSH Dumped.00413B9C ASCII "Software\Locky"
0040422D PUSH Dumped.00413BAC ASCII "id"
00404288 MOV EBX,Dumped.00413BB0 ASCII "pubkey"
004042E2 PUSH Dumped.00413BB8 ASCII "paytext"
00404355 PUSH Dumped.00413BC0 ASCII "completed"
004043ED PUSH Dumped.00413BCC UNICODE "svchost.exe"
0040448A MOV ECX,Dumped.00413BAC ASCII "id"
004044E1 PUSH Dumped.00413BE4 UNICODE ":Zone.Identifier"
004045C6 PUSH Dumped.004139BC ASCII "id="
004045DC PUSH Dumped.00413C08 ASCII "&act=gettext&lang="
0040468D PUSH Dumped.00413BB8 ASCII "paytext"
004047B5 PUSH Dumped.00413C20 UNICODE "vssadmin.exe Delete Shadows /All /Quiet"
004047E2 PUSH Dumped.00413C70 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040486B PUSH Dumped.00413BC0 ASCII "completed"
004048AD PUSH Dumped.00413CAC ASCII "Locky"
00404993 PUSH Dumped.00413904 ASCII "vector too long"
00404A78 PUSH Dumped.00413904 ASCII "vector too long"
00404EE1 PUSH Dumped.00413CA0 UNICODE "Locky"
00404F81 PUSH Dumped.00413928 ASCII "invalid string position"
00404FA0 PUSH Dumped.00413918 ASCII "string too long"
00405041 PUSH Dumped.00413918 ASCII "string too long"
004050BB PUSH Dumped.00413918 ASCII "string too long"
004051B4 PUSH Dumped.00413918 ASCII "string too long"
00405409 PUSH Dumped.00413918 ASCII "string too long"
004055C2 PUSH Dumped.00413928 ASCII "invalid string position"
0040563A PUSH Dumped.00413928 ASCII "invalid string position"
004057E6 PUSH Dumped.00413918 ASCII "string too long"
00405AAC MOV EDX,Dumped.00413CB4 UNICODE "/\"
00406393 MOV EDX,Dumped.00413CB4 UNICODE "/\"
004064A2 PUSH Dumped.00413D0C UNICODE "cmd.exe /C del /Q /F ""
004064DE PUSH Dumped.00413D04 UNICODE "sys"
004069CA PUSH Dumped.00413D50 ASCII "HTTP/1.1"
004069D6 PUSH Dumped.00413D8C ASCII "POST"
004071D5 PUSH Dumped.00413D84 ASCII "http://"
004071E5 PUSH Dumped.00413D78 ASCII "/main.php"
0040753F PUSH Dumped.00413904 ASCII "vector too long"
0040759C PUSH Dumped.00413904 ASCII "vector too long"
0040778B PUSH Dumped.00413918 ASCII "string too long"
004078CA PUSH Dumped.00413928 ASCII "invalid string position"
00407CBA PUSH Dumped.004147A0 UNICODE "\*"
004087B9 PUSH Dumped.00413904 ASCII "vector too long"
0040880F PUSH Dumped.00413904 ASCII "vector too long"
00408866 PUSH Dumped.00413904 ASCII "vector too long"
004088C6 PUSH Dumped.00413904 ASCII "vector too long"
004089C4 PUSH Dumped.00413904 ASCII "vector too long"
00408AC0 PUSH Dumped.00413904 ASCII "vector too long"
00409CF7 MOV EAX,Dumped.00411344 ASCII "Unknown exception"
00409E56 MOV DWORD PTR SS:[EBP-4],Dumped.004138B4 ASCII "bad allocation"
0040AB74 CALL Dumped.0040D1F9 (Initial CPU selection)
0040ADAC PUSH Dumped.00411D44 UNICODE "Runtime Error!
Program: "
0040ADED PUSH Dumped.00411D14 UNICODE ""
0040AE2E PUSH Dumped.00411D0C UNICODE "..."
0040AE43 PUSH Dumped.00411D04 UNICODE "
"
0040AE74 PUSH Dumped.00411CB8 UNICODE "Microsoft Visual C++ Runtime Library"
0040B4F9 PUSH Dumped.00411D88 UNICODE "mscoree.dll"
0040B508 PUSH Dumped.00411D78 ASCII "CorExitProcess"
0040C47C PUSH Dumped.004120F0 UNICODE "KERNEL32.DLL"
0040C6E9 PUSH Dumped.004120F0 UNICODE "KERNEL32.DLL"
0040C70A PUSH Dumped.0041212C ASCII "FlsAlloc"
0040C712 PUSH Dumped.00412120 ASCII "FlsGetValue"
0040C71F PUSH Dumped.00412114 ASCII "FlsSetValue"
0040C72C PUSH Dumped.0041210C ASCII "FlsFree"
0040D7DD PUSH Dumped.004129E8 UNICODE "USER32.DLL"
0040D7F8 PUSH Dumped.004129DC ASCII "MessageBoxW"
0040D811 PUSH Dumped.004129CC ASCII "GetActiveWindow"
0040D821 PUSH Dumped.004129B8 ASCII "GetLastActivePopup"
0040D831 PUSH Dumped.0041299C ASCII "GetUserObjectInformationW"
0040D84A PUSH Dumped.00412984 ASCII "GetProcessWindowStation"
0040FD27 MOV DWORD PTR SS:[EBP+8],Dumped.004147BC ASCII "bad exception"
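The string listing above already contains everything a responder needs for first-pass triage: the comma-separated C2 IP list, the HTTP verb and script path, the act= values of the beacon, the registry keys, the commands that wipe shadow copies and delete the dropper, and the file artifacts. The script below is an added example, not code from the original post: it parses OllyDbg's "Text strings referenced" format, classifies the strings into those categories, and derives a proxy-log signature from the network ones. The listing embedded in it is a constructed subset of the dump above, and the proxy log lines are constructed as well. The signature assumes the beacon is visible as a plain POST to /main.php on one of the listed IPs, which is what the strings suggest but which the post does not confirm with a capture.

```python
# Added example (not from the original post): turn an OllyDbg
# "Text strings referenced" listing into triage IOCs and a proxy-log signature.
import re
from ipaddress import ip_address

# Constructed input: a subset of the listing above, in OllyDbg's exact format.
DUMP = r'''
Text strings referenced in Dumped:.text
Address Disassembly Text string
004019CA MOV DWORD PTR SS:[EBP-4],Dumped.004138B4 ASCII "bad allocation"
00401B78 PUSH Dumped.004138C4 UNICODE ".tmp"
00401DF0 PUSH Dumped.004138F4 UNICODE ".locky"
00402D2E ASCII "L~",0
00403174 PUSH Dumped.00413940 UNICODE "\_Locky_recover_instructions.txt"
00403281 PUSH Dumped.004139A8 ASCII "&act=stats&path="
0040377E PUSH Dumped.00413AF4 ASCII "&act=getkey&affid="
00403E75 PUSH Dumped.00413B54 ASCII "Control Panel\Desktop"
004040DA MOV ESI,Dumped.004137EF ASCII "188.138.88.184,31.184.197.119,51.254.19.227,5.34.183.195,185.14.29.188"
004041E3 PUSH Dumped.00413B9C ASCII "Software\Locky"
004043ED PUSH Dumped.00413BCC UNICODE "svchost.exe"
004045DC PUSH Dumped.00413C08 ASCII "&act=gettext&lang="
004047B5 PUSH Dumped.00413C20 UNICODE "vssadmin.exe Delete Shadows /All /Quiet"
004047E2 PUSH Dumped.00413C70 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
004064A2 PUSH Dumped.00413D0C UNICODE "cmd.exe /C del /Q /F ""
004069D6 PUSH Dumped.00413D8C ASCII "POST"
004071E5 PUSH Dumped.00413D78 ASCII "/main.php"
'''

# address, optional disassembly, ASCII|UNICODE, quoted text, optional trailing ",0"
LINE_RE = re.compile(r'^[0-9A-F]{8}\s+(?:.*?\s)?(ASCII|UNICODE)\s"(.*)"(?:,0)?\s*$')


def parse_strings(dump):
    """Return the quoted text of every string-reference line in the dump."""
    matches = (LINE_RE.match(line.strip()) for line in dump.splitlines())
    return [m.group(2) for m in matches if m]


def _is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def extract_iocs(strings):
    """Classify strings by shape; the rules are heuristics tuned to this listing."""
    iocs = {"c2_ips": [], "http_method": None, "uri_path": None,
            "beacon_actions": [], "registry_keys": [], "commands": [],
            "file_artifacts": []}
    for s in strings:
        parts = s.split(",")
        if all(_is_ip(p) for p in parts):                 # comma-separated C2 list
            iocs["c2_ips"].extend(parts)
        elif s in ("GET", "POST"):                        # HTTP verb used by the beacon
            iocs["http_method"] = s
        elif re.fullmatch(r'/[\w./-]+\.php', s):          # server-side script path
            iocs["uri_path"] = s
        elif re.match(r'^(Software|SOFTWARE|Control Panel)\\', s):
            iocs["registry_keys"].append(s)
        elif re.match(r'^\S+\.exe\s', s):                 # "<tool>.exe <arguments>"
            iocs["commands"].append(s)
        elif s.startswith("\\_") or re.fullmatch(r'\.[a-z]{2,6}', s):
            iocs["file_artifacts"].append(s)              # ransom note / extensions
        iocs["beacon_actions"].extend(re.findall(r'act=([a-z]+)', s))
    return iocs


def beacon_regex(iocs):
    """Proxy-log signature: the HTTP verb, one of the C2 IPs, the script path."""
    if not (iocs["c2_ips"] and iocs["http_method"] and iocs["uri_path"]):
        raise ValueError("need C2 IPs, an HTTP method and a URI path")
    hosts = "|".join(re.escape(ip) for ip in iocs["c2_ips"])
    method, path = iocs["http_method"], re.escape(iocs["uri_path"])
    return re.compile(rf'\b{method}\s+http://(?:{hosts}){path}\b')


# Constructed proxy log: timestamp, client, method, URL, status.
PROXY_LOG = """\
1456876800.123 10.0.0.12 POST http://188.138.88.184/main.php 200
1456876801.456 10.0.0.12 GET http://www.example.com/index.html 200
1456876802.789 10.0.0.31 POST http://31.184.197.119/main.php 200
1456876803.001 10.0.0.31 POST http://198.51.100.7/main.php 404
"""


def match_beacons(log, rx):
    """Return the log lines that hit the derived signature."""
    return [line for line in log.splitlines() if rx.search(line)]


if __name__ == "__main__":
    iocs = extract_iocs(parse_strings(DUMP))
    for name, value in iocs.items():
        print(f"{name}: {value}")
    for hit in match_beacons(PROXY_LOG, beacon_regex(iocs)):
        print("beacon:", hit)
```

The signature keys on the three things the strings actually expose (verb, destination IP, path) rather than on the request body; the act= values are kept separately so that a captured beacon body can be interpreted, and the registry keys and commands feed host-side hunting (the Software\Locky key and the Run entry for persistence, vssadmin for shadow-copy deletion).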
Files encrypted with the .locky extension
Communication with the C&C
The unexpected message telling us we are victims of this damned ransomware.
If we don't have a BACKUP of our files, we're TOAST!!!!!
Muestra: https://www.dropbox.com/s/6jk38tqjxh2qmb1/Locky-2-03-16.zip?dl=0
Pass= infected
That's all for now. @Dkavalanche 2016