The winlock was deployed from
A little 'hello' to the Sophos guys?
Traffic screenshots courtesy of Malekal:
Also, not related to this winlock, but lovecamplanet.com has been malvertising since April.
So, to get back to our winlock: based on the user's locale (GetUserGeoID), this ransomware downloads a RAR archive containing the theme:
This winlock is very primitive: it downloads an archive package, decompresses it, and loads the design.
Then it downloads a Ukash PIN blacklist.
http://police-center.in/bbac/arch/design_54000000 (for the French package)
http://police-center.in/bbac/black.dat (Ukash pins blacklist)
And a cool PHP file, "BBAC", with statistics of our winlock; a fopen() error was fixed at ~18:00 GMT+1 the same day.
17k installs, 65k euros.
This panel is coded in PHP and doesn't use a MySQL database; Ukash codes are stored in a plaintext file on the server like this:
[IP] [GEOID] [AMOUNT] [PIN]
The PHP just retrieves and parses it.
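To show how an analyst can turn a recovered copy of that plaintext store into per-country statistics (as opposed to trusting the panel's own counters), here is an added example; it is not the panel's code or the author's. The records are constructed, GEOID values follow the Windows GetUserGeoID numbering (84 = France), and malformed lines are rejected rather than silently counted.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of the panel's plaintext store, laid out as
# "[IP] [GEOID] [AMOUNT] [PIN]". IPs are documentation ranges, PINs are fake.
SAMPLE_RECORDS = """\
203.0.113.7 84 100 633000000000000000001
198.51.100.23 84 100 633000000000000000002
198.51.100.23 84 50 633000000000000000003
203.0.113.99 94 100 633000000000000000004
garbage line
999.1.1.1 84 100 633000000000000000005
203.0.113.7 84 abc 633000000000000000006
"""

def parse_records(text):
    """Return (valid_records, rejected_lines) for the 4-field store format."""
    good, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if len(parts) != 4:
            bad.append((lineno, raw))
            continue
        ip, geoid, amount, pin = parts
        try:
            ipaddress.ip_address(ip)          # rejects e.g. 999.1.1.1
            rec = {"ip": ip, "geoid": int(geoid), "amount": int(amount), "pin": pin}
        except ValueError:
            bad.append((lineno, raw))
            continue
        good.append(rec)
    return good, bad

def summarize(records):
    """Per-GEOID totals: submissions, distinct victim IPs, summed amount."""
    per_geo = defaultdict(lambda: {"submissions": 0, "victims": set(), "amount": 0})
    for r in records:
        s = per_geo[r["geoid"]]
        s["submissions"] += 1
        s["victims"].add(r["ip"])
        s["amount"] += r["amount"]
    return {g: {"submissions": s["submissions"], "victims": len(s["victims"]),
                "amount": s["amount"]} for g, s in per_geo.items()}

if __name__ == "__main__":
    recs, rejected = parse_records(SAMPLE_RECORDS)
    for geoid, s in sorted(summarize(recs).items()):
        # PIN values are deliberately never printed
        print(f"GEOID {geoid}: {s['submissions']} pins, {s['victims']} victim IPs, {s['amount']} EUR")
    print(f"{len(rejected)} malformed line(s) skipped")
```

Counting distinct IPs separately from submissions matters because one victim may submit several PINs, which inflates an "installs" figure read straight off the panel.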
Also found a Smoke Loader:
The exe distributed via Smoke Loader is known as "Trojan.MBRlock.16" by Dr.Web, but so far, according to VirusTotal, just one AV out of 42 detects it (and that AV detects it as 'unknown virus' :)).
File reported to Vxvault and MDL.
Time/DateStamp of the MBRLock: 4F3BDB61 - 16:20:49 - 15 Feb 2012
Found in May with a low detection rate; did the ransom guys even use the bin?
Also probably not related, but we got a wave of "Trojan.MBRlock.16" (bootkitlock.gen32) in France in February.
Smoke Loader's latest bot activity: 26 Feb.
But there is not only a Smoke Loader...
Statistics: (3480k reports, bbq!)
Search in db:
Search in files:
No Zeus sample found, just some config files, and the cryptkey found inside doesn't match the configs :(
Zeus reports stopped on 2 April 2012, and the first Weelsof bins were found on 10 April.
On 22 May, a new DNS name appeared, along with a new build of the winlock.
Along with a new gate...
The new panel now has a pChart, an admin login, and uses a MySQL database.
About 4 days later, more C&C directories were spawned; the 'blacklist' feature was replaced with a 'clear tables' function, pChart was removed, and they added an install date column.
This winlock is identified by Microsoft as "Win32/Weelsof".
I've searched my DBs for all files tagged as *Weelsof*, removed junk/unpacked things, and finally built an approximate timeline.
The first version of the ransomware used a "Windows XP JPEG" icon; the latest versions have no icon.
And it used the DNS name weelsoffortune.info, which is probably why AVs detect these lockers as "Win32/Weelsof".
Old design downloads are also based on the user's configuration:
They also used embedded languages:
Embedded absolute PDB path (found in old and new samples):
A Weelsof sample found on 26 May uses a new IP/C&C:
Did they leave clodo.ru for cursopersona.com, or is it just a test?
Two samples found on 29 May still use the old IP and, surprise, a fresh DNS name.
It seems they have definitely moved to dolores.cursopersona.com; I will continue to watch them to see what's going on.
They currently have 2 C&Cs and do the usual business, with no new modifications to the panel.
Weelsof bins can be downloaded here and here
Ransomware theme here