Police Ukash Ransomware Trojan #2 | Joachim De Zutter
September 2012

This ransomware spreads by malvertising: the malicious advertisement was served through the Clicksor ad network, to which the browser may have been redirected by TrafficRevenue.

1. The following URL was opened: http://[...]/4ff54591df9d0c5f7f00002a/50013fa60d79f2ce6400000b/
The server returned 11329 bytes of gzip-compressed content.
The corresponding HTML page retrieved from the Firefox cache contained obfuscated JavaScript that included the strings version:"0.7.8",name:"PluginDetect". PluginDetect is a legitimate JavaScript library for enumerating installed browser plug-ins and their versions; exploit kits embed it in their landing page to choose an exploit that matches the victim's Java and Adobe Reader versions.
Filesize: 30403
MD5: 36538e7f5f0e21b9bcb923ba6e133e28
SHA1: 314d938f1ede0256447658d17dc70b12099f91a1
SHA256: 3c678d4dcb5cb84a552479d854bfa6273f8a1b75657cdd2d77ebc521cdbd720a
2. The following URL was opened: http://[...]/4ff54591df9d0c5f7f00002a/50013fa60d79f2ce6400000b/50491140028177666102053b/1.7.0.5/9.1.0.163
The server returned 3910 bytes of gzip-compressed content. The two trailing path components, 1.7.0.5 and 9.1.0.163, have the form of a Java version (Java 7 Update 5) and an Adobe Reader version, presumably the values PluginDetect collected in step 1 and reported back to the server.
The corresponding HTML page retrieved from the Firefox cache contained obfuscated JavaScript that referenced a Java archive, oAAser.jar
Filesize: 8426
MD5: e82a03a9370bea53f8e8cf73702165fb
SHA1: ba502adab120af2303c8ee9d3cd3e1f30afeebb6
SHA256: 91fb6bf9ab8d07a12da5d5ab7591427ebe4654d6869ba4bebc93582450058703
3. The following URL was opened: http://[...]/4ff54591df9d0c5f7f00002a/50013fa60d79f2ce6400000b/504911410281776661020542/30491834/iAAnseo.pdf
The server returned a 44114-byte PDF file:
Filename: iAAnseo.pdf
Filesize: 44114
MD5: 1e968cd864187de4938ed266fe14ef13
SHA1: 8a95b320f9ddd91d8e3176ca65caea012287ed86
SHA256: cd105a1a9f482cdc6212d9adec9009cbcf099bece684b9965d2231254fa4082
Note: the SHA256 above is 63 hex digits long, one digit short of a full SHA256 hash, so it cannot be used for matching; use the MD5 or SHA1 instead.
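The three requests above share one path layout: two 24-hex-digit segments for the landing page, a third for the follow-up requests, and then either plugin version numbers or the exploit file itself. That shape is easier to hunt for in proxy logs than the redacted hostname. The following script is an added example, not part of the original post: it classifies request paths into the stages seen above and runs over a constructed proxy log (the host example.invalid, the log format and the two benign lines are assumptions; the real host is redacted in the post).

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Path shape shared by the three requests above: two 24-hex-digit segments for the
# landing page, a third for the follow-up requests, then either plugin version
# numbers (as reported by PluginDetect) or the exploit file itself.
HEX24 = r"[0-9a-f]{24}"
CHAIN_RE = re.compile(
    rf"^/(?P<a>{HEX24})/(?P<b>{HEX24})/(?:(?P<c>{HEX24})/(?P<rest>[^?\s]*))?$"
)
VERSION_RE = re.compile(r"^\d+(?:\.\d+){2,3}$")   # e.g. 1.7.0.5, 9.1.0.163
EXPLOIT_EXT = (".jar", ".pdf")


def classify_path(path: str) -> Optional[Dict[str, str]]:
    """Label a request path as a stage of the chain, or None if it does not fit."""
    m = CHAIN_RE.match(path)
    if not m:
        return None
    rest = m.group("rest") or ""
    parts = [p for p in rest.split("/") if p]
    if m.group("c") is None:
        stage = "landing"                       # step 1: PluginDetect page
    elif parts and parts[-1].lower().endswith(EXPLOIT_EXT):
        stage = "exploit-" + parts[-1].rsplit(".", 1)[1].lower()   # step 3
    elif parts and all(VERSION_RE.match(p) for p in parts):
        stage = "plugin-report"                 # step 2: plugin versions in path
    else:
        stage = "unknown-stage"
    return {"stage": stage, "campaign": m.group("a"), "rest": rest}


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_path over 'timestamp client method url status' log lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        parts = urlsplit(url)
        info = classify_path(parts.path)
        if info:
            hits.append({"ts": ts, "client": client, "host": parts.hostname or "", **info})
    return hits


# Constructed sample log: the three paths from the post on a placeholder host
# (the real host is redacted above), plus two benign requests.
SAMPLE_LOG = [
    "2012-09-12T10:00:00Z 10.0.0.5 GET http://example.invalid/4ff54591df9d0c5f7f00002a/50013fa60d79f2ce6400000b/ 200",
    "2012-09-12T10:00:03Z 10.0.0.5 GET http://example.invalid/4ff54591df9d0c5f7f00002a/50013fa60d79f2ce6400000b/50491140028177666102053b/1.7.0.5/9.1.0.163 200",
    "2012-09-12T10:00:05Z 10.0.0.5 GET http://example.invalid/4ff54591df9d0c5f7f00002a/50013fa60d79f2ce6400000b/504911410281776661020542/30491834/iAAnseo.pdf 200",
    "2012-09-12T10:00:09Z 10.0.0.7 GET http://www.example.com/news/2012/09/12/index.html 200",
    "2012-09-12T10:00:11Z 10.0.0.7 GET http://cdn.example.com/4ff54591df9d0c5f7f00002a/app.js 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["host"], hit["stage"], hit["rest"])
```

A single 24-hex-digit segment (the last benign line) is deliberately not enough to match; the pattern requires the second segment as well, which keeps ordinary CDN-style paths out of the results.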

4. The ransomware executable itself (the payload delivered by the chain above):
Filename: 0.7449354888565857.exe
Filesize: 59392
MD5: a27db71e19d3eb0bfdf48c6f8a6849da
SHA1: 383c23be68f3a7796d143522361dd29b64425280
SHA256: 4aa8f03e27787aa3f2bf280f101da87a6b7a5dbba5c53f31aec394f09acd0f90
https://www.virustotal.com/file/4aa8f03e27787aa3f2bf280f101da87a6b7a5dbba5c53f31aec394f09acd0f90/analysis/
Identified by AVG as Generic29.ATGW
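Before feeding the hashes above into a scanner it is worth validating them, because one of them (the PDF's SHA256) is a digit short and would silently never match. The following script is an added example, not part of the original post: it parses the indicator records as printed above (copied into the script as a constructed string), flags hash values that are not well-formed for their algorithm, and matches file content only against the well-formed ones.

```python
import hashlib
import re
from typing import Dict, List

# Constructed copy of the two indicator records above. The PDF's SHA256 is
# copied exactly as published, including the missing hex digit.
IOC_TEXT = """
Filename: iAAnseo.pdf
MD5: 1e968cd864187de4938ed266fe14ef13
SHA1: 8a95b320f9ddd91d8e3176ca65caea012287ed86
SHA256: cd105a1a9f482cdc6212d9adec9009cbcf099bece684b9965d2231254fa4082

Filename: 0.7449354888565857.exe
MD5: a27db71e19d3eb0bfdf48c6f8a6849da
SHA1: 383c23be68f3a7796d143522361dd29b64425280
SHA256: 4aa8f03e27787aa3f2bf280f101da87a6b7a5dbba5c53f31aec394f09acd0f90
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}   # hex digits per algorithm
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_iocs(text: str) -> List[Dict[str, str]]:
    """Split 'Key: value' lines into records separated by blank lines."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def validate_hashes(rec: Dict[str, str]) -> List[str]:
    """Describe each hash field that is not well-formed for its algorithm."""
    problems = []
    for algo, length in HASH_LEN.items():
        value = rec.get(algo)
        if value is None:
            continue
        if not HEX_RE.match(value):
            problems.append(f"{algo}: non-hex characters")
        elif len(value) != length:
            problems.append(f"{algo}: {len(value)} hex digits, expected {length}")
    return problems


def usable_hashes(rec: Dict[str, str]) -> Dict[str, str]:
    """Only the well-formed hashes of a record, lower-cased for comparison."""
    bad = {p.split(":")[0] for p in validate_hashes(rec)}
    return {a: rec[a].lower() for a in HASH_LEN if a in rec and a not in bad}


def digests_of(data: bytes) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 of the given content, as lower-case hex."""
    return {a: hashlib.new(a, data).hexdigest() for a in HASH_LEN}


def match_bytes(data: bytes, records: List[Dict[str, str]]) -> List[str]:
    """Filenames of records whose usable hashes match the given content."""
    digests = digests_of(data)
    return [
        rec.get("filename", "?")
        for rec in records
        if any(digests[a] == h for a, h in usable_hashes(rec).items())
    ]


if __name__ == "__main__":
    for rec in parse_iocs(IOC_TEXT):
        problems = validate_hashes(rec)
        print(rec["filename"], "OK" if not problems else "; ".join(problems))
```

Run stand-alone, the script reports the PDF record as having a 63-digit SHA256 and the executable record as clean; matching then falls back to MD5 and SHA1 for the PDF, which is exactly the behaviour you want from an indicator feed rather than a silent non-match.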