My starting point was this winlock, found in Blackhole:
http://91.218.36.236/files/95
OEP:
Language selection:
Images download:
Partner 12:
Winlock:
• dns: 1 ›› ip: 184.22.188.84 - adresse: MICROLSOFT.IN
Registrant Email: alexudakovnah@gmx.de
http://microlsoft.in/zip/gate.php?user=partner_012&uid={9B78231D-7C23-11E0-920B-806D6172696F}&os=2
• dns: 1 ›› ip: 184.22.188.84 - adresse: MEKROSOFT.IN
Registrant Email: alexudakovnah@gmx.de
http://mekrosoft.in/1.bmp
http://mekrosoft.in/2.bmp
• dns: 1 ›› ip: 184.22.188.84 - adresse: CATTRADE.BIZ
Registrant Email: caferencgx9@yahoo.com
http://cattrade.biz/stat/admin.php
http://cattrade.biz/stat/faq.php
http://cattrade.biz/stat/uk.php
http://cattrade.biz/stat/ps.php
http://cattrade.biz/stat/core.php
http://cattrade.biz/stat/mysql.php
http://cattrade.biz/stat/functions.php
• dns: 1 ›› ip: 184.22.188.84 - adresse: MINKOSOFT.IN
• dns: 1 ›› ip: 184.22.188.84 - adresse: MILKOSOFT.IN
• dns: 1 ›› ip: 184.22.188.84 - adresse: MICOLOSOFT.IN
[...]
04-Feb:
Nothing interesting inside Thumbs.db:
Login:
Stats:
Pins:
Malware download:
1328347569_ggg.rar -> 1328347569 -> Sat Feb 04 10:26:09 2012 (timestamp)
Frequently asked questions:
The ICQ number found inside the FAQ belongs to a Ukash/ps exchanger:
Ukash:
paysafecard: