Thursday 20 January 2011

RansomHelper 1.0 / Malware Auto-downloader

Hello,
A tiny tool I made to save my time when reversing a directly running process.
It bored me to unpack a VB packer or to find a way to remove the topmost window.
I coded it a long time ago to reverse the "Lock Em All" ransomware; finally... public...
RansomHelper 1.0
It has some bugs, but the two main options work...
An overlay/on-top manager and a feature to move all windows (except GDI).
Ctrl+F in the ransomware to lock it, then you move it, and Ctrl+F again to unlock...
For example: xxx_video_5842whatever.avi.exe moved:


Video here: http://www.youtube.com/watch?v=DNM7Ru8HjNw

My second tool is just a simple bot...


Every X time it will download your file into a folder called "Malware".

It writes a file "Information.txt" where you can find what it has done (date, time, name of the file, MD5 of the file).
With that you can see whether the malware has changed on the server or not.
Example of a 48-hour HomoBlocker tracking:


Time: Paris, France: UTC/GMT+1
18/01/2011 00:02:20 pornoplayer-00-02-19.eXe.ViR D4FA98955AA18B95B37090D87AEF3C7E
18/01/2011 01:02:20 pornoplayer-01-02-19.eXe.ViR D4FA98955AA18B95B37090D87AEF3C7E
18/01/2011 02:02:21 pornoplayer-02-02-20.eXe.ViR D4FA98955AA18B95B37090D87AEF3C7E
18/01/2011 03:02:22 pornoplayer-03-02-21.eXe.ViR D4FA98955AA18B95B37090D87AEF3C7E
18/01/2011 04:02:22 pornoplayer-04-02-21.eXe.ViR D4FA98955AA18B95B37090D87AEF3C7E
18/01/2011 05:02:22 pornoplayer-05-02-21.eXe.ViR D4FA98955AA18B95B37090D87AEF3C7E
18/01/2011 06:02:22 pornoplayer-06-02-21.eXe.ViR D4FA98955AA18B95B37090D87AEF3C7E
18/01/2011 07:02:22 pornoplayer-07-02-21.eXe.ViR D4FA98955AA18B95B37090D87AEF3C7E
18/01/2011 08:02:25 pornoplayer-08-02-21.eXe.ViR D4FA98955AA18B95B37090D87AEF3C7E
18/01/2011 09:02:23 pornoplayer-09-02-23.eXe.ViR D4FA98955AA18B95B37090D87AEF3C7E
18/01/2011 10:02:25 pornoplayer-10-02-25.eXe.ViR A4EB5DBA8E2777161204CE683A7A3F1D
18/01/2011 11:02:25 pornoplayer-11-02-25.eXe.ViR A4EB5DBA8E2777161204CE683A7A3F1D
18/01/2011 12:02:26 pornoplayer-12-02-25.eXe.ViR 95C1D5023E8EF440DABFF1DF4D7FCF95
18/01/2011 13:02:26 pornoplayer-13-02-25.eXe.ViR 95C1D5023E8EF440DABFF1DF4D7FCF95
18/01/2011 14:02:27 pornoplayer-14-02-26.eXe.ViR 95C1D5023E8EF440DABFF1DF4D7FCF95
18/01/2011 15:02:36 pornoplayer-15-02-31.eXe.ViR 95C1D5023E8EF440DABFF1DF4D7FCF95
18/01/2011 16:02:40 pornoplayer-16-02-39.eXe.ViR 95C1D5023E8EF440DABFF1DF4D7FCF95
18/01/2011 17:02:43 pornoplayer-17-02-42.eXe.ViR 95C1D5023E8EF440DABFF1DF4D7FCF95
18/01/2011 18:02:45 pornoplayer-18-02-44.eXe.ViR 991BF028B6C1750CBEB9E6B66C0F804D
18/01/2011 19:02:49 pornoplayer-19-02-46.eXe.ViR 991BF028B6C1750CBEB9E6B66C0F804D
18/01/2011 20:02:47 pornoplayer-20-02-46.eXe.ViR 991BF028B6C1750CBEB9E6B66C0F804D
18/01/2011 21:02:48 pornoplayer-21-02-46.eXe.ViR B65E9D1330280281A9762BAC4FAA09E7
18/01/2011 22:02:49 pornoplayer-22-02-48.eXe.ViR B65E9D1330280281A9762BAC4FAA09E7
18/01/2011 23:02:50 pornoplayer-23-02-49.eXe.ViR B65E9D1330280281A9762BAC4FAA09E7
19/01/2011 00:02:51 pornoplayer-00-02-50.eXe.ViR B65E9D1330280281A9762BAC4FAA09E7
19/01/2011 01:02:50 pornoplayer-01-02-50.eXe.ViR B65E9D1330280281A9762BAC4FAA09E7
19/01/2011 02:02:50 pornoplayer-02-02-50.eXe.ViR B65E9D1330280281A9762BAC4FAA09E7
19/01/2011 03:02:50 pornoplayer-03-02-50.eXe.ViR B65E9D1330280281A9762BAC4FAA09E7
19/01/2011 04:02:50 pornoplayer-04-02-50.eXe.ViR B65E9D1330280281A9762BAC4FAA09E7
19/01/2011 05:02:51 pornoplayer-05-02-50.eXe.ViR B65E9D1330280281A9762BAC4FAA09E7
19/01/2011 06:02:50 pornoplayer-06-02-50.eXe.ViR B65E9D1330280281A9762BAC4FAA09E7
19/01/2011 07:02:51 pornoplayer-07-02-50.eXe.ViR B65E9D1330280281A9762BAC4FAA09E7
19/01/2011 08:02:51 pornoplayer-08-02-50.eXe.ViR B65E9D1330280281A9762BAC4FAA09E7
19/01/2011 09:02:51 pornoplayer-09-02-50.eXe.ViR 1A19CED02377E790F8DD05DC47C720FE
19/01/2011 10:02:51 pornoplayer-10-02-50.eXe.ViR 1A19CED02377E790F8DD05DC47C720FE
19/01/2011 11:02:52 pornoplayer-11-02-52.eXe.ViR 4AA093F72B198EA6A13DF84FD509E562
19/01/2011 12:02:53 pornoplayer-12-02-52.eXe.ViR 4AA093F72B198EA6A13DF84FD509E562
19/01/2011 13:02:53 pornoplayer-13-02-52.eXe.ViR 4AA093F72B198EA6A13DF84FD509E562
19/01/2011 14:02:54 pornoplayer-14-02-53.eXe.ViR 4AA093F72B198EA6A13DF84FD509E562
19/01/2011 15:02:53 pornoplayer-15-02-53.eXe.ViR 3822FA71974A08522CB5FB60F8A7D8EE
19/01/2011 16:02:54 pornoplayer-16-02-53.eXe.ViR 3822FA71974A08522CB5FB60F8A7D8EE
19/01/2011 17:02:57 pornoplayer-17-02-53.eXe.ViR 3822FA71974A08522CB5FB60F8A7D8EE
19/01/2011 18:03:03 pornoplayer-18-03-02.eXe.ViR 3822FA71974A08522CB5FB60F8A7D8EE
19/01/2011 19:03:04 pornoplayer-19-03-02.eXe.ViR 3822FA71974A08522CB5FB60F8A7D8EE
19/01/2011 20:03:04 pornoplayer-20-03-03.eXe.ViR 6B1479E93FA53365D2A0DE7129488D62
19/01/2011 21:03:07 pornoplayer-21-03-05.eXe.ViR 6B1479E93FA53365D2A0DE7129488D62
19/01/2011 22:03:07 pornoplayer-22-03-06.eXe.ViR 6B1479E93FA53365D2A0DE7129488D62
19/01/2011 23:03:08 pornoplayer-23-03-07.eXe.ViR 6B1479E93FA53365D2A0DE7129488D62
20/01/2011 00:03:08 pornoplayer-00-03-07.eXe.ViR 6B1479E93FA53365D2A0DE7129488D62
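As an added example (not the author's tool, and not code from the post), here is a Python script that reads an Information.txt log in the format shown above and reports the points where the sample served by the site changed, which is exactly the check the log exists to support. The embedded log lines are a constructed subset copied from the post; the `is_new_sample` helper assumes the downloader keeps a set of already-seen MD5s, which the post does not describe.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: a few lines copied from the Information.txt
# tracking log in the post. The timezone header is kept on purpose so the
# parser has to skip it.
SAMPLE_LOG = """\
Time: Paris, France: UTC/GMT+1
18/01/2011 08:02:25 pornoplayer-08-02-21.eXe.ViR D4FA98955AA18B95B37090D87AEF3C7E
18/01/2011 09:02:23 pornoplayer-09-02-23.eXe.ViR D4FA98955AA18B95B37090D87AEF3C7E
18/01/2011 10:02:25 pornoplayer-10-02-25.eXe.ViR A4EB5DBA8E2777161204CE683A7A3F1D
18/01/2011 11:02:25 pornoplayer-11-02-25.eXe.ViR A4EB5DBA8E2777161204CE683A7A3F1D
18/01/2011 12:02:26 pornoplayer-12-02-25.eXe.ViR 95C1D5023E8EF440DABFF1DF4D7FCF95
"""

# One record per line: date, time, saved filename, MD5 (single-space separated).
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}) (\S+) ([0-9A-Fa-f]{32})$"
)


@dataclass
class Entry:
    when: datetime
    filename: str
    md5: str


def parse_log(text: str) -> list[Entry]:
    """Parse Information.txt records; lines that do not match (the header) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        day, clock, name, digest = m.groups()
        when = datetime.strptime(f"{day} {clock}", "%d/%m/%Y %H:%M:%S")
        entries.append(Entry(when, name, digest.upper()))
    return entries


def change_points(entries: list[Entry]) -> list[Entry]:
    """Entries whose hash differs from the previous download: each variant's first sighting."""
    changes = []
    prev = None
    for e in entries:
        if e.md5 != prev:
            changes.append(e)
        prev = e.md5
    return changes


def variant_lifetimes(entries: list[Entry]) -> list[tuple[str, datetime, datetime, int]]:
    """(md5, first_seen, last_seen, downloads) for each contiguous run of one hash."""
    runs: list[tuple[str, datetime, datetime, int]] = []
    for e in entries:
        if runs and runs[-1][0] == e.md5:
            md5, first, _, n = runs[-1]
            runs[-1] = (md5, first, e.when, n + 1)
        else:
            runs.append((e.md5, e.when, e.when, 1))
    return runs


def is_new_sample(payload: bytes, known_md5: set[str]) -> tuple[bool, str]:
    """Hash a freshly fetched payload and say whether it is unseen.

    Hypothetical helper: lets a downloader avoid re-saving an unchanged sample
    by comparing against the hashes already recorded in Information.txt.
    """
    digest = hashlib.md5(payload).hexdigest().upper()
    return digest not in known_md5, digest


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for md5, first, last, n in variant_lifetimes(entries):
        print(f"{md5}  first {first:%d/%m %H:%M}  last {last:%d/%m %H:%M}  downloads={n}")
    print("variants seen:", len(change_points(entries)))
```

On the sample above the script reports three variants, with the first change at 10:02 on 18/01. MD5 is enough to notice that the file served changed, which is all the post uses it for; when the hashes are shared as indicators it is better to record SHA-256 alongside, since MD5 collisions can be constructed.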

I've made it in a simple version and in a multi version:

With an option to load/save (malcode.txt) a list of malwares.
In this version the information file also includes the URL of the downloaded sample.

So if you want to try:
RansomHelper v1.0
Malware Auto-Downloader v1.0 & 1.1b

4 comments:

  1. Nice work, it could come in handy sometime. Thank you ;)

  2. When the server dies, the download stops. :/

  3. Link doesn't work anymore :-(