
Analysis of Tobfy (Ransomware)

Tobfy is ransomware that locks you out of your desktop by covering it with an image; it does not touch your files.

[Image: Tobfy lock screen]

Note: The image contains fake instructions and misleading information about a ransom that you need to pay to regain control of your computer. The image misleadingly invokes legal authorities in an attempt to convince you to pay the ransom.

Download:

Tobfy.rar

PW: evild3ad.com


Tobfy.exe (MD5: E3C0228E50C72531658FACA2D3E0A786)
Submission date: 2012-09-29 14:04:58 UTC
Result: 26/42
Report

Analysis environment: Windows 7

Account Name: evild3ad | Account Type: Administrator

File System:
C:\Users\evild3ad\Desktop\Tobfy.exe

Dropped Files:
C:\Documents and Settings\evild3ad\Local Settings\…
…Temporary Internet Files\Content.IE5\3FZRZ9KZ\lightformtop[1].png
…Temporary Internet Files\Content.IE5\3FZRZ9KZ\rightpink[1].png
…Temporary Internet Files\Content.IE5\3FZRZ9KZ\style[1].css
…Temporary Internet Files\Content.IE5\3FZRZ9KZ\ukash[1].png
…Temporary Internet Files\Content.IE5\5B7NHQO2\get[1].htm
…Temporary Internet Files\Content.IE5\5B7NHQO2\leftpink[1].png
…Temporary Internet Files\Content.IE5\5B7NHQO2\lightformbottom[1].png
…Temporary Internet Files\Content.IE5\5B7NHQO2\lightformright[1].png
…Temporary Internet Files\Content.IE5\5B7NHQO2\psk_logos[1].png
…Temporary Internet Files\Content.IE5\L1ZDGPDD\downheader[1].jpg
…Temporary Internet Files\Content.IE5\L1ZDGPDD\epay[1].png
…Temporary Internet Files\Content.IE5\L1ZDGPDD\lightformleft[1].png
…Temporary Internet Files\Content.IE5\L1ZDGPDD\tankstellen[1].png
…Temporary Internet Files\Content.IE5\LLFPAG1G\downborderpink[1].png
…Temporary Internet Files\Content.IE5\LLFPAG1G\logos[1].png
…Temporary Internet Files\Content.IE5\LLFPAG1G\paysafecard[1].png

Registry:
It creates the following registry entry so that it is started automatically every time Windows boots:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: “(default)”
With data: “malware file path”

It also renames the two Safe Boot keys. Windows looks these keys up by name when booting into Safe Mode, so after the rename neither Safe Mode nor Safe Mode with Networking works, which stops you from simply booting around the lock screen:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal is renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\mini
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network is renamed to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\net
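The two registry artifacts above (the "(default)" autorun value and the renamed Safe Boot keys) are easy to check for on a suspect host. The following script is an added example written for this post, not code from the original analysis; it assumes an elevated PowerShell session and uses only the key names listed above.

```powershell
# Added example: look for the Tobfy-style registry artifacts described in this analysis.
# Run elevated; reads only, does not repair anything.

$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Test-SafeBootTampering {
    $findings = @()
    # The original keys must exist for Safe Mode / Safe Mode with Networking to work.
    foreach ($name in 'Minimal', 'Network') {
        if (-not (Test-Path (Join-Path $safeBoot $name))) {
            $findings += "SafeBoot\$name is missing - Safe Mode is broken"
        }
    }
    # The renamed copies observed in the sandbox run (mini / net).
    foreach ($name in 'mini', 'net') {
        if (Test-Path (Join-Path $safeBoot $name)) {
            $findings += "Unexpected key SafeBoot\$name present (renamed original?)"
        }
    }
    return $findings
}

function Test-RunKeyDefaultValue {
    # Tobfy stores its file path in the unnamed "(default)" value of the per-user
    # Run key. Legitimate autostart entries use named values, so a populated
    # "(default)" value is a strong indicator by itself.
    $findings = @()
    foreach ($hive in (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
        $run = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path $run) {
            $default = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).'(default)'
            if ($default) {
                $findings += "$run has a (default) value pointing to: $default"
            }
        }
    }
    return $findings
}

$results = @(Test-SafeBootTampering) + @(Test-RunKeyDefaultValue)
if ($results.Count -eq 0) { 'No Tobfy-style registry artifacts found.' } else { $results }
```

If the renamed keys are found, restoring Safe Mode is a matter of renaming `mini` back to `Minimal` and `net` back to `Network` (for example with `Rename-Item` on the `HKLM:` drive) and removing the autorun value.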

DNS Requests:
nutrimedic.com.uy (200.40.50.170:80)

HTTP Requests:
GET /images/get.php
GET /images/first/DE/files/tankstellen.png
GET /images/first/DE/files/style.css
GET /images/first/DE/files/epay.png
GET /images/first/DE/files/logos.png
GET /images/first/DE/files/ukash.png
GET /images/first/DE/img/leftpink.png
GET /images/first/DE/files/paysafecard.png
GET /images/first/DE/files/psk_logos.png
GET /images/first/DE/img/rightpink.png
GET /images/first/DE/img/lightformleft.png
GET /images/first/DE/img/lightformtop.png
GET /images/first/DE/img/lightformright.png
GET /images/first/DE/img/lightformbottom.png
GET /images/first/DE/img/downborderpink.png
GET /images/first/DE/img/downheader.jpg

RDG Packer Detector

Detected: Crypter (MyAvScan)

[Image: MyAvScan]

[Image: Fake Ukash code]

[Image: POST]

[Image: Tobfy]

Removal

Conclusion:
– Your files are not encrypted.
– Enter a fake voucher code to unlock your computer (e.g. Ukash: 633718 followed by any digits you like, 19 digits in total).
– Wait a few minutes (at most 10 minutes).
– Restart your computer once the Windows background image appears.


Links:
Malware-lu: Analysis of Ysreef (a variant of Tobfy)
Tobfy – Germany (Ransom Trojan) – 04.07.2012 – Analysis and Removal
