Technical Details
This Trojan simulates the unpacking of a password-protected archive in order to obtain a ransom from the user. It is a Windows application (PE EXE file). It is 722 466 bytes in size. It is written in Delphi.
Payload
Once launched, the Trojan displays a window that simulates the unpacking process:

While unpacking, it displays a message stating that the archive is password protected:

Once the country is selected, it prompts the user to obtain the password by sending a chargeable SMS to a specified short number:

The password entered by the user is then sent in an HTTP request to the following server:
89.***.180
where this password is authenticated.