CryptoLocker (Trojan:Win32/Crilock.A)

Forum for analysis and discussion about malware.

Postby Fabian Wosar » Tue Sep 10, 2013 9:29 am

Hi everyone,

Looks like there has been a new crypto malware on the loose for the past 2-3 days. The malware is referred to by its author as "CryptoLocker". Microsoft adopted the name Crilock. Sample is attached. Here are a few notes that I gathered so far. I am currently sick with the flu, so take this information with a grain of salt:

  • Connection with the C&C server is established through either a hardcoded IP (184.164.136.134, which is down now) or, if that fails, through a domain generation algorithm located at 0x40FDD0 and seeded by GetSystemTime. At this time I found that xeogrhxquuubt.com and qaaepodedahnslq.org are both active and point to 173.246.105.23.

  • The communication channel uses POST to the /home/ directory of the C&C server. The data is encrypted using RSA. The public key can be found at offset 0x00010da0 inside the malware file.

  • On first contact the malware will send in an information string containing the malware version, the system language, as well as an id and a group id. In return it receives an RSA public key. In my case this has been:
    Code:
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkQBZgSk3NNo54cxwl3nS
    zZHMhFI4oU0ygX81IFsktcaCAIUrMSnUVQEcFvhcidh/5JuE+piQY5Z3iuDcKqiF
    0yWZ7rck+xC1i/xaY5nNxJnh/clEqO8qRNg9DTe6qDlVO8PAHgr882dUHTzZgdAN
    OWR8+5rWxck9LxtB8+DSE8cWy
    The key is saved inside HKCU\Software\CryptoLocker. If you want to capture the key on your system, the easiest way to do so is to break on CryptStringToBinaryA.

  • The malware targets files using the following search masks:
    Code:
    *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
    The encryption used to encrypt files matching these masks is a mix of RSA and AES. Essentially the malware will generate a new AES-256 key for each file it is going to encrypt. The key is then used to encrypt the content of the file. The AES key itself is then encrypted using the public RSA key obtained from the server. The RSA-encrypted blob is then stored together with the encrypted file content inside the encrypted file. As a result, encrypted files are slightly larger than their originals. Last but not least, the malware records the files it encrypted inside the HKCU\Software\CryptoLocker\Files key. Value names are the file paths where "\" has been replaced with "?". I haven't looked into the meaning of the DWORD value yet.
Feel free to add anything you find that I haven't covered in my notes yet. At least from what I can tell so far, decryption without paying the ransom is not feasible.

VirusTotal results:
https://www.virustotal.com/en/file/d765 ... /analysis/
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
Fabian Wosar
 
Posts: 81
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany
Reputation point: 97

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby doyle_45 » Wed Sep 11, 2013 9:21 pm

Although the malware writer's servers are currently not responding to decryption requests, I wish to reinfect one of my client's PCs in case there is a chance of recovery.

I have downloaded the rar file but what is the password please.

Thank you in advance.

Brian
doyle_45
 
Posts: 1
Joined: Wed Sep 11, 2013 2:27 pm
Reputation point: 0

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby The_Major » Thu Sep 12, 2013 10:07 am

I was going to upload the "crilock.rar" file to various on-line Virus Scanning web sites, such as Virus Total (http://www.virustotal.com/) and Jotti (http://virusscan.jotti.org/) to alert them to the problem and make sure the program is flagged as a virus / malware.

Can't do this without the password, because these web sites need to be able to scan the files contained inside compressed archives - and they cannot do this with password protected ZIP, RAR, etc files.

Please email the password to me. :)

Mike
The_Major
 
Posts: 2
Joined: Thu Sep 12, 2013 9:59 am
Reputation point: 0

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby The_Major » Thu Sep 12, 2013 10:12 am

Can't edit my prior post - it has not appeared yet - awaiting moderation. LOL....

Anyway, the password is of course "infected" - written under the RAR file name. LOLOLOL. :D
The_Major
 
Posts: 2
Joined: Thu Sep 12, 2013 9:59 am
Reputation point: 0

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby g@isisit.com » Thu Sep 12, 2013 7:15 pm

Is this the $300 version or $100 version? I assume those are variants and I want to reinfect my computer to pay the ransom...but need the $100 version.

Thanks.

Graham
g@isisit.com
 
Posts: 2
Joined: Thu Sep 12, 2013 1:04 am
Reputation point: 0

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby markusg » Fri Sep 13, 2013 10:58 am

Do not pay them, these are criminals. Do you really think they help to decrypt files?
markusg
 
Posts: 686
Joined: Mon Mar 15, 2010 2:53 pm
Reputation point: 113

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Xylitol » Fri Sep 13, 2013 12:21 pm

g@isisit.com wrote: I want to reinfect my computer to pay the ransom...but need the $100 version.

This is totally a stupid idea.
Xylitol
Global Moderator
 
Posts: 1417
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 424

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby r3shl4k1sh » Fri Sep 13, 2013 12:29 pm

g@isisit.com wrote: Is this the $300 version or $100 version? I assume those are variants and I want to reinfect my computer to pay the ransom...but need the $100 version.

Thanks.

Graham

If you reinfect your computer you will need to pay $200, since the encryption key is generated uniquely each time it first runs, so it encrypts the files 2 times.
r3shl4k1sh
 
Posts: 83
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel
Reputation point: 16

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby EP_X0FF » Fri Sep 13, 2013 4:31 pm

g@isisit.com wrote: I assume those are variants and I want to reinfect my computer to pay the ransom...but need the $100 version.

Unless this is kind of a joke, you are one of the reasons why this business is still here and it is so profitable.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 3889
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 472

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby g@isisit.com » Fri Sep 13, 2013 4:55 pm

I suppose so. I don't want to pay a ransom for the data, but this customer did not have backups when they called and had all their files encrypted. I have never asked to do anything like this, it's a strange issue, but if you look more into this, people who do not have backups have to pay the ransom, there is no choice if you need your files.
g@isisit.com
 
Posts: 2
Joined: Thu Sep 12, 2013 1:04 am
Reputation point: 0
