Author Topic: Trojan Ransom  (Read 72220 times)


July 17, 2011, 11:08:34 pm
Reply #15

MysteryFCM

Tried different countries, UAs and referers here too :(

Cheers for keeping us up to date :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 18, 2011, 01:44:34 am
Reply #16

EP_X0FF

dokoler-w.info suspended by GoDaddy.

No additional configuration, I just used plain Internet Explorer with default settings :)

July 18, 2011, 02:33:52 am
Reply #17

MysteryFCM

No problem :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 18, 2011, 03:08:20 am
Reply #18

EP_X0FF

Amazon ransom

Quote
hxxp://4youporn.s3.amazonaws.com/xxx_video.exe

MBRLocker

Quote
hxxp://venkasexisdeffki.ru/xxxvideo.avi.exe

I don't know if it is useful here, but the unblock code for this MBRLocker is W887451D :)

July 18, 2011, 11:25:27 am
Reply #19

EP_X0FF

Amazon

Quote
hxxp://wq1porm.s3.amazonaws.com/xxx_video.exe

MBRLocker

Quote
hxxp://beladesiusconcha.ru/xxxvideo.avi.exe

July 18, 2011, 02:01:57 pm
Reply #20

EP_X0FF

Amazon ransom

Quote
hxxp://2tipornn.s3.amazonaws.com/xxx_video.exe

Pornorolik
By changing the number from 1 to 10 you can get more samples (except number 4).

Example:

Quote
hxxp://besplatnomegaporno.ru/video/porno-rolik.avi.exe
hxxp://besplatnomegaporno.ru/1/video/porno-rolik1.avi.exe
hxxp://besplatnomegaporno.ru/2/video/porno-rolik2.avi.exe
hxxp://besplatnomegaporno.ru/3/video/porno-rolik3.avi.exe
hxxp://besplatnomegaporno.ru/4/video/porno-rolik4.avi.exe
hxxp://besplatnomegaporno.ru/6/video/porno-rolik6.avi.exe
hxxp://besplatnomegaporno.ru/7/video/porno-rolik7.avi.exe
hxxp://besplatnomegaporno.ru/8/video/porno-rolik8.avi.exe
hxxp://besplatnomegaporno.ru/9/video/porno-rolik9.avi.exe
hxxp://besplatnomegaporno.ru/10/video/porno-rolik10.avi.exe

MBRLocker

Quote
hxxp://FUKINGTHESHITGIRL.ru/xxxvideo.avi.exe
hxxp://xxxxxxxxxmove.ru/xxxvideo.avi.exe


P.S.

Regarding the old links, the following sites and their payloads are dead

Quote
hxxp://ffporm.s3.amazonaws.com/xxx_video.exe DEAD
hxxp://sv2porn.s3.amazonaws.com/xxx_video.exe DEAD
hxxp://w3nixx.s3.amazonaws.com/xxx_video.exe DEAD
hxxp://gnpotk.s3.amazonaws.com/xxx_video.exe DEAD
hxxp://2bioko.s3.amazonaws.com/xxx_video.exe DEAD

July 18, 2011, 03:26:28 pm
Reply #21

EP_X0FF

Seems this is a redirector for the Amazon ransom

All paths look like this

hxxp://xrvid-porno.com (216.137.41.107) -> hxxp://xrvid-porno.com/video.html (216.137.41.107) -> hxxp://ltizz.com/in.cgi?20 (95.211.111.86) -> hxxp://2tipornn.s3.amazonaws.com/index.htm (72.21.194.23) -> hxxp://2tipornn.s3.amazonaws.com/xxx_video.exe (72.21.194.23)

Probably Russian IP required.

Navigation was done from IE with default settings.

Excuse me, I mislabeled 2tipornn.s3.amazonaws.com as dead in previous post :(

July 18, 2011, 06:12:52 pm
Reply #22

SysAdMini

Quote
Seems this is a redirector for the Amazon ransom

All paths look like this

hxxp://xrvid-porno.com (216.137.41.107) -> hxxp://xrvid-porno.com/video.html (216.137.41.107) -> hxxp://ltizz.com/in.cgi?20 (95.211.111.86) -> hxxp://2tipornn.s3.amazonaws.com/index.htm (72.21.194.23) -> hxxp://2tipornn.s3.amazonaws.com/xxx_video.exe (72.21.194.23)

Probably Russian IP required.

Navigation was done from IE with default settings.

works outside Russia too.  ;)

Quote
Excuse me, I mislabeled 2tipornn.s3.amazonaws.com as dead in previous post :(

No problem.
Ruining the bad guy's day

July 19, 2011, 02:48:21 am
Reply #23

EP_X0FF

Amazon ransom

Quote
hxxp://hhn3por.s3.amazonaws.com/xxx_video.exe

MBRLocker

Quote
hxxp://xxxxxxxxxxxxxporno.ru/xxxvideo.avi.exe

Looks like this is a redirector for the Pornorolik ransom

Quote
hxxp://sdomankor.info/gierqwwn.cgi?13 (88.208.33.155) -> hxxp://pornositeforfree.ru/3/porno.html (46.251.237.240) -> hxxp://pornositeforfree.ru/3/video/porno-rolik3.avi.exe (46.251.237.240)
(currently it points to a new domain name that distributes binaries that haven't been modified since the last Pornorolik domains submission to MDL).

July 19, 2011, 10:46:24 am
Reply #24

EP_X0FF

MBRLocker (fresh and new)

Quote
hxxp://youngpornoseks.ru/xxxvideo.avi.exe

These are redirectors to MBRLocker

Quote
hxxp://tdschtotakoetds.ru/in.cgi?6 (212.124.110.134)
hxxp://habrmabrt.ru/in.cgi?4 (212.124.110.134)

July 19, 2011, 01:03:48 pm
Reply #25

EP_X0FF

Amazon ransom

Quote
hxxp://sukporn1.s3.amazonaws.com/xxx_video.exe

Also, after their previous redirector was suspended, this site now leads to this ransom type

Quote
hxxp://s3.amazonaws.com/freepornx/index.html -> hxxp://s3.amazonaws.com/freepornx/video.htm -> hxxp://pornokiska.com/go.php?sid=1 -> hxxp://sukporn1.s3.amazonaws.com/ -> hxxp://sukporn1.s3.amazonaws.com/xxx_video.exe

Pornorolik updated with new binaries and unlock codes.

Quote
hxxp://megaavivideoporevo.ru/1/video/porno-rolik1.avi.exe
hxxp://megaavivideoporevo.ru/2/video/porno-rolik2.avi.exe
hxxp://megaavivideoporevo.ru/6/video/porno-rolik6.avi.exe
hxxp://megaavivideoporevo.ru/7/video/porno-rolik7.avi.exe
hxxp://megaavivideoporevo.ru/10/video/porno-rolik10.avi.exe
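The redirect chains posted in Reply #21 and Reply #25 use the thread's own notation: defanged hxxp:// URLs joined by "->", with an optional resolved address in parentheses after a hop. Below is an added example (not code from this thread or from MDL) that parses such lines into structured indicators and turns them into hosts-file style block entries of the kind hpHosts and MDL publish. The two sample chains are copied from the posts above; the SHARED_HOSTS set is an assumption of the example: the path-style s3.amazonaws.com endpoint is shared by every S3 bucket, so those hops are kept as URL-only indicators rather than hostname blocks, while bucket-style names such as 2tipornn.s3.amazonaws.com are specific enough to block by name.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample input: two redirect chains copied from the posts above.
# Thread notation: defanged "hxxp://" scheme, hops joined by "->", and an
# optional "(a.b.c.d)" resolved address recorded after a hop.
SAMPLE_CHAINS = [
    "hxxp://xrvid-porno.com (216.137.41.107) -> hxxp://xrvid-porno.com/video.html (216.137.41.107) "
    "-> hxxp://ltizz.com/in.cgi?20 (95.211.111.86) -> hxxp://2tipornn.s3.amazonaws.com/index.htm (72.21.194.23) "
    "-> hxxp://2tipornn.s3.amazonaws.com/xxx_video.exe (72.21.194.23)",
    "hxxp://s3.amazonaws.com/freepornx/index.html -> hxxp://s3.amazonaws.com/freepornx/video.htm "
    "-> hxxp://pornokiska.com/go.php?sid=1 -> hxxp://sukporn1.s3.amazonaws.com/ "
    "-> hxxp://sukporn1.s3.amazonaws.com/xxx_video.exe",
]

# Assumption of this example: hosts that are shared infrastructure. Blocking
# s3.amazonaws.com by name would cut off every bucket on S3, so hops on it are
# kept as URL-level indicators instead of hosts-file entries.
SHARED_HOSTS = {"s3.amazonaws.com"}

# One hop: a URL, optionally followed by " (ip)".
HOP_RE = re.compile(r"^(?P<url>\S+)(?:\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?$")


@dataclass(frozen=True)
class Hop:
    url: str            # refanged URL, http://...
    host: str           # lower-cased hostname
    path: str           # URL path, "/" when the hop had none
    ip: Optional[str]   # resolved address if the post recorded one


def refang(url: str) -> str:
    """Turn the thread's defanged hxxp:// scheme back into http://."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_chain(line: str) -> List[Hop]:
    """Split one 'a -> b -> c' line into Hop records, in order."""
    hops: List[Hop] = []
    for raw in line.split("->"):
        raw = raw.strip()
        if not raw:
            continue
        m = HOP_RE.match(raw)
        if m is None:
            raise ValueError(f"unparseable hop: {raw!r}")
        url = refang(m.group("url"))
        parts = urlsplit(url)
        if not parts.hostname:
            raise ValueError(f"hop without hostname: {raw!r}")
        hops.append(Hop(url=url, host=parts.hostname.lower(),
                        path=parts.path or "/", ip=m.group("ip")))
    return hops


def build_blocklist(lines: List[str]) -> Dict[str, object]:
    """Collapse chains into hosts-file lines, URL-only indicators for shared
    hosts, the final .exe payload URLs, and a host -> resolved IPs map."""
    hosts, url_only, payloads, host_ips = set(), [], [], {}
    for line in lines:
        for hop in parse_chain(line):
            if hop.host in SHARED_HOSTS:
                if hop.url not in url_only:
                    url_only.append(hop.url)
            else:
                hosts.add(hop.host)
            if hop.ip:
                host_ips.setdefault(hop.host, set()).add(hop.ip)
            if hop.path.lower().endswith(".exe") and hop.url not in payloads:
                payloads.append(hop.url)
    return {
        "hosts": [f"127.0.0.1 {h}" for h in sorted(hosts)],
        "url_only": url_only,
        "payloads": payloads,
        "host_ips": {h: sorted(ips) for h, ips in host_ips.items()},
    }


if __name__ == "__main__":
    result = build_blocklist(SAMPLE_CHAINS)
    print("\n".join(result["hosts"]))
    print("URL-only (shared host):", *result["url_only"], sep="\n  ")
    print("Payload URLs:", *result["payloads"], sep="\n  ")
    for host, ips in result["host_ips"].items():
        print(f"{host} -> {', '.join(ips)}")
```

The resolved addresses are kept per host rather than turned into IP block entries on purpose: 72.21.194.23 in the first chain is an Amazon S3 front end shared with legitimate buckets, so, like the bare s3.amazonaws.com hostname, it is only useful as context, not as a block rule.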

July 19, 2011, 02:23:36 pm
Reply #26

EP_X0FF

MBRLocker (fresh binary with new unblock code) :)

Quote
hxxp://videopornocam.ru/xxxvideo.avi.exe

July 19, 2011, 05:08:23 pm
Reply #27

EP_X0FF

MBRLocker (binary and unlock code new)

Quote
hxxp://habrmabrt.ru/in.cgi?4 (212.124.110.134) -> hxxp://pornyxaavi.ru/xxxvideo.avi.exe (91.220.0.35)

To get this redirector to work, a Russian IP is probably required.

July 19, 2011, 05:41:25 pm
Reply #28

MysteryFCM

Any chance you can drop me the samples you've got of these so far please? (can't seem to get any of the redirs to work)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 19, 2011, 05:45:28 pm
Reply #29

SysAdMini

Cleanmx has posted some additional domains. I have inserted all of them into the database.

http://www.malwaredomainlist.com/mdl.php?search=porno-rolik&colsearch=All&quantity=50
Ruining the bad guy's day