Author Topic: Trojan Ransom (Read 420739 times)

MysteryFCM · July 17, 2011, 11:08:34 pm

Tried different countries, UAs and referers here too

Cheers for keeping us up to date

EP_X0FF · July 18, 2011, 01:44:34 am

dokoler-w.info suspended by GoDaddy.

No additional configurations I just used simple Internet Explorer with default settings

MysteryFCM · July 18, 2011, 02:33:52 am

No problem

EP_X0FF · July 18, 2011, 03:08:20 am

Amazon ransom

Quote

hxxp://4youporn.s3.amazonaws.com/xxx_video.exe

MBRLocker

Quote

hxxp://venkasexisdeffki.ru/xxxvideo.avi.exe

I don't know if it useful here, but unblock code for this MBRLocker is W887451D

EP_X0FF · July 18, 2011, 11:25:27 am

Amazon

Quote

hxxp://wq1porm.s3.amazonaws.com/xxx_video.exe

MBRLocker

Quote

hxxp://beladesiusconcha.ru/xxxvideo.avi.exe

EP_X0FF · July 18, 2011, 02:01:57 pm

Amazon ransom

Quote

hxxp://2tipornn.s3.amazonaws.com/xxx_video.exe

Pornorolik
By changing number from 1 to 10 you can get more samples (except number 4).

Example:

Quote

hxxp://besplatnomegaporno.ru/video/porno-rolik.avi.exe
hxxp://besplatnomegaporno.ru/1/video/porno-rolik1.avi.exe
hxxp://besplatnomegaporno.ru/2/video/porno-rolik2.avi.exe
hxxp://besplatnomegaporno.ru/3/video/porno-rolik3.avi.exe
hxxp://besplatnomegaporno.ru/4/video/porno-rolik4.avi.exe
hxxp://besplatnomegaporno.ru/6/video/porno-rolik6.avi.exe
hxxp://besplatnomegaporno.ru/7/video/porno-rolik7.avi.exe
hxxp://besplatnomegaporno.ru/8/video/porno-rolik8.avi.exe
hxxp://besplatnomegaporno.ru/9/video/porno-rolik9.avi.exe
hxxp://besplatnomegaporno.ru/10/video/porno-rolik10.avi.exe

MBRLocker

Quote

hxxp://FUKINGTHESHITGIRL.ru/xxxvideo.avi.exe
hxxp://xxxxxxxxxmove.ru/xxxvideo.avi.exe

P.S.

Regarding to old links, these following sites and their payload are dead

Quote

hxxp://ffporm.s3.amazonaws.com/xxx_video.exe DEAD
hxxp://sv2porn.s3.amazonaws.com/xxx_video.exe DEAD
hxxp://w3nixx.s3.amazonaws.com/xxx_video.exe DEAD
hxxp://gnpotk.s3.amazonaws.com/xxx_video.exe DEAD
hxxp://2bioko.s3.amazonaws.com/xxx_video.exe DEAD

EP_X0FF · July 18, 2011, 03:26:28 pm

Seems this is redirector for Amazon ransom

All path look like this

hxxp://xrvid-porno.com (216.137.41.107) -> hxxp://xrvid-porno.com/video.html (216.137.41.107) -> hxxp://ltizz.com/in.cgi?20 (95.211.111.86) -> hxxp://2tipornn.s3.amazonaws.com/index.htm (72.21.194.23) -> hxxp://2tipornn.s3.amazonaws.com/xxx_video.exe (72.21.194.23)

Probably Russian IP required.

Navigation was done from IE with default settings.

Excuse me, I mislabeled 2tipornn.s3.amazonaws.com as dead in previous post

SysAdMini · July 18, 2011, 06:12:52 pm

Quote from: EP_X0FF on July 18, 2011, 03:26:28 pm

Seems this is redirector for Amazon ransom

All path look like this

hxxp://xrvid-porno.com (216.137.41.107) -> hxxp://xrvid-porno.com/video.html (216.137.41.107) -> hxxp://ltizz.com/in.cgi?20 (95.211.111.86) -> hxxp://2tipornn.s3.amazonaws.com/index.htm (72.21.194.23) -> hxxp://2tipornn.s3.amazonaws.com/xxx_video.exe (72.21.194.23)

Probably Russian IP required.

Navigation was done from IE with default settings.

works outside Russia too.

Quote from: EP_X0FF on July 18, 2011, 03:26:28 pm

Excuse me, I mislabeled 2tipornn.s3.amazonaws.com as dead in previous post

No problem.

EP_X0FF · July 19, 2011, 02:48:21 am

Amazon ransom

Quote

hxxp://hhn3por.s3.amazonaws.com/xxx_video.exe

MBRLocker

Quote

hxxp://xxxxxxxxxxxxxporno.ru/xxxvideo.avi.exe

Looks like this is redirector for Pornorolik ransom

Quote

hxxp://sdomankor.info/gierqwwn.cgi?13 (88.208.33.155) -> hxxp://pornositeforfree.ru/3/porno.html (46.251.237.240) -> hxxp://pornositeforfree.ru/3/video/porno-rolik3.avi.exe (46.251.237.240)

(currently it points to new domain name that distributes binaries that weren't modified since last pornorolik domains submission to MDL).

EP_X0FF · July 19, 2011, 10:46:24 am

MBRLocker (fresh and new)

Quote

hxxp://youngpornoseks.ru/xxxvideo.avi.exe

This is redirectors to MBRLocker

Quote

hxxp://tdschtotakoetds.ru/in.cgi?6 (212.124.110.134)
hxxp://habrmabrt.ru/in.cgi?4 (212.124.110.134)

EP_X0FF · July 19, 2011, 01:03:48 pm

Amazon ransom

Quote

hxxp://sukporn1.s3.amazonaws.com/xxx_video.exe

also after suspending their previous redirector now this site leads to this ransom type

Quote

hxxp://s3.amazonaws.com/freepornx/index.html -> hxxp://s3.amazonaws.com/freepornx/video.htm -> hxxp://pornokiska.com/go.php?sid=1 -> hxxp://sukporn1.s3.amazonaws.com/ -> hxxp://sukporn1.s3.amazonaws.com/xxx_video.exe

Pornorolik updated with new binaries and unlock codes.

Quote

hxxp://megaavivideoporevo.ru/1/video/porno-rolik1.avi.exe
hxxp://megaavivideoporevo.ru/2/video/porno-rolik2.avi.exe
hxxp://megaavivideoporevo.ru/6/video/porno-rolik6.avi.exe
hxxp://megaavivideoporevo.ru/7/video/porno-rolik7.avi.exe
hxxp://megaavivideoporevo.ru/10/video/porno-rolik10.avi.exe

EP_X0FF · July 19, 2011, 02:23:36 pm

MBRLocker (fresh binary with new unblock code)

Quote

hxxp://videopornocam.ru/xxxvideo.avi.exe

EP_X0FF · July 19, 2011, 05:08:23 pm

MBRLocker (binary and unlock code new)

Quote

hxxp://habrmabrt.ru/in.cgi?4 (212.124.110.134) -> hxxp://pornyxaavi.ru/xxxvideo.avi.exe (91.220.0.35)

To get this redirector work, probalby required russian IP.

MysteryFCM · July 19, 2011, 05:41:25 pm

Any chance you can drop me the samples you've got of these so far please? (can't seem to get any of the redirs to work)

SysAdMini · July 19, 2011, 05:45:28 pm

Cleanmx has posted some additional domains. I have inserted all of them into database.

http://www.malwaredomainlist.com/mdl.php?search=porno-rolik&colsearch=All&quantity=50

Author Topic: Trojan Ransom (Read 420739 times)

MysteryFCM

Re: Trojan Ransom

EP_X0FF

Re: Trojan Ransom

MysteryFCM

Re: Trojan Ransom

EP_X0FF

Re: Trojan Ransom

EP_X0FF

Re: Trojan Ransom

EP_X0FF

Re: Trojan Ransom

EP_X0FF

Re: Trojan Ransom

SysAdMini

Re: Trojan Ransom

EP_X0FF

Re: Trojan Ransom

EP_X0FF

Re: Trojan Ransom

EP_X0FF

Re: Trojan Ransom

EP_X0FF

Re: Trojan Ransom

EP_X0FF

Re: Trojan Ransom

MysteryFCM

Re: Trojan Ransom

SysAdMini

Re: Trojan Ransom