Saturday, 24 December 2011

Tracking Cyber Crime: Хендехох Affiliate (Ransomware)

Хендехох means Hände hoch (Hands up).

I found this affiliate via a flash banner:


Advert:

Translation:
We are offering you the "Хендехох" affiliate, which is used to install winlockers by DE (not BKA).
75% successful installs.
Size - 60-70kb
Average income - 250 - 1k EUR from 1k installs
The bot does nothing, and will delete itself after payment.
Very high conversion percentage from adult traffic.
Cryptor is being changed every day.
And then the usual phrases like comfortable admin panel, and so on...

Jabber:


Login:

Infos:

Bot list:

PIN-Codes:

Frequently Asked Questions:

EXE download:




The EXE was detected by just one antivirus engine, and only as 'Suspicious', according to VirusTotal:

Unpacked version (UPX + some shit removed) detected by 9 antivirus engines:

Mutex:

Good folder check (if not, copy the exe):



Create a regkey:

Create a "clean.bat" and load the ransomware:

Decode strings:



POST /index.php HTTP/1.1
X-Handshake: 2000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: kikvnmc.info
Content-Length: 63
Cache-Control: no-cache

^\..R@...y...n3.p.AH..;...M....%.;461.U.Z.}[k=..:.fJ.Pv.g.4...v

HTTP/1.1 200 OK
Date: Wed, 21 Dec 2011 13:40:09 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/html

---

• dns: 1 ›› ip: 184.168.204.1 - adresse: KIKVNMC.INFO
Domain Name: KIKVNMC.INFO (184.168.204.1)
Created On: 20-Dec-2011 22:30:45 UTC
Last Updated On: 20-Dec-2011 22:30:46 UTC
Create Date: 20-Dec-2012 22:30:45 UTC
Registrar: GoDaddy.com Inc. (R171-LRMS)

 ID: CR100947519
 Name: Artyom Kazancev
 Street1: 4, Heroev kosmosa str. apt. 467
 City: moskow
 State/Province: moskow
 Postal Code: 127204
 Country: RU
 Phone: +7.957257303
 Email: artyom.kazancev@mail.ru
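As an added example (not code from the original post), the following Python checker flags the kind of check-in captured above: a POST carrying the custom X-Handshake header and an opaque body, sent to a domain whose whois creation date lies only hours before the traffic. The sample request and whois text are constructed from the values shown in the post, with the encrypted body replaced by placeholder bytes of the same length.

```python
import re
from datetime import datetime

# Constructed sample built from the capture in the post; the 63-byte encrypted body is
# replaced by placeholder bytes of the same length (not the real payload).
SAMPLE_REQUEST = (
    b"POST /index.php HTTP/1.1\r\n"
    b"X-Handshake: 2000\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Host: kikvnmc.info\r\n"
    b"Content-Length: 63\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n" + bytes(range(0x80, 0x80 + 63))
)
SAMPLE_WHOIS = "Domain Name: KIKVNMC.INFO\nCreated On: 20-Dec-2011 22:30:45 UTC\n"
SAMPLE_SEEN = "Wed, 21 Dec 2011 13:40:09 GMT"  # Date header of the C&C response

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def opaque_ratio(body: bytes) -> float:
    """Fraction of bytes outside printable ASCII; an encrypted beacon scores near 1."""
    return sum(1 for b in body if b < 0x20 or b > 0x7E) / max(len(body), 1)

def domain_age_days(whois_text: str, seen_at: str) -> int:
    """Whole days between the whois 'Created On' timestamp and when the traffic was seen."""
    created = re.search(r"Created On:\s*(\d{2}-\w{3}-\d{4} [\d:]{8}) UTC", whois_text)
    created_dt = datetime.strptime(created.group(1), "%d-%b-%Y %H:%M:%S")
    seen_dt = datetime.strptime(seen_at, "%a, %d %b %Y %H:%M:%S GMT")
    return (seen_dt - created_dt).days

def beacon_indicators(raw: bytes, whois_text: str, seen_at: str) -> list:
    """Names of the indicators this request matches; an empty list means nothing flagged."""
    method, _path, headers, body = parse_request(raw)
    hits = []
    if method == "POST" and "x-handshake" in headers:
        hits.append("x-handshake-header")  # non-standard header sent by the bot
    if headers.get("content-length") == str(len(body)) and opaque_ratio(body) > 0.5:
        hits.append("opaque-post-body")  # small encrypted blob where form data is expected
    if domain_age_days(whois_text, seen_at) < 7:
        hits.append("young-domain")  # registered only hours before the traffic was seen
    return hits
```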



I've already talked about this ransomware here.

1 comment:

  1. can you help me plz:
    my friend is infected by such a virus!
    but he has the AT (Austria theme).
    How can he delete this?
