CryptoLocker (Trojan:Win32/Crilock.A)

Forum for analysis and discussion about malware.
Grinler
Posts: 48
Joined: Sun Mar 14, 2010 1:47 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Grinler » Fri Sep 13, 2013 6:42 pm

To be fair, without backups and without getting into the fact that they should have them, some people are just desperate. Definitely sucks to lose years of work, pictures, and documents.
BleepingComputer.com

forty-six
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by forty-six » Mon Sep 16, 2013 10:14 pm

Standard Pass.

donnyharps
Posts: 2
Joined: Thu Sep 19, 2013 1:36 am

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by donnyharps » Thu Sep 19, 2013 5:36 am

Fabian,
I tried to recreate the virus using your .rar file. The ransom note only popped up for a second and then it disappeared. It did reinstall on the workstation, it did not double encrypt my files (which is great). But what am I doing wrong? I need the ransom note popup to pay the ransom. Please help!

Fabian Wosar
Posts: 88
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany
Contact:

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Fabian Wosar » Thu Sep 19, 2013 8:04 am

donnyharps wrote: Fabian,
I tried to recreate the virus using your .rar file. The ransom note only popped up for a second and then it disappeared. It did reinstall on the workstation, it did not double encrypt my files (which is great). But what am I doing wrong? I need the ransom note popup to pay the ransom. Please help!
If the timer is up, you can't. The malware will instantly uninstall itself as soon as the server signals the timer has expired.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

donnyharps
Posts: 2
Joined: Thu Sep 19, 2013 1:36 am

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by donnyharps » Fri Sep 20, 2013 5:53 pm

If I download the virus to another one of my workstations on my network, do you guys think I will be able to pay the ransom and it would decrypt my shared files that got encrypted the first time?

Fabian Wosar
Posts: 88
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany
Contact:

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Fabian Wosar » Fri Sep 20, 2013 7:45 pm

No, it won't. The new installation will use a different key.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Contact:

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Cody Johnston » Mon Oct 07, 2013 11:38 pm

Dropper collected today, low detection on VT (1/47 as of this post)

SHA256: 2163570f047cefc466c0ca370e56b6fbb770c4f71603b2353c1b6fd8e482ced8
SHA1: a4c60f419c5aa760db9904a59c8d79fce2636d68
MD5: 0204332754da5975b6947294b2d64c92
Detection ratio: 1 / 47

https://www.virustotal.com/en/file/2163 ... /analysis/

Malwr:

https://malwr.com/analysis/OGM4M2IyNjcz ... JiMzYwYzI/

rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by rough_spear » Tue Oct 08, 2013 6:08 am

Hi All,

Here is the download link.

hxxp://feyrckkwwjymeo.org/1002.exe

Cody Johnston wrote: Dropper collected today, low detection on VT (1/47 as of this post)

SHA256: 2163570f047cefc466c0ca370e56b6fbb770c4f71603b2353c1b6fd8e482ced8
SHA1: a4c60f419c5aa760db9904a59c8d79fce2636d68
MD5: 0204332754da5975b6947294b2d64c92
Detection ratio: 1 / 47

https://www.virustotal.com/en/file/2163 ... /analysis/

Malwr:

https://malwr.com/analysis/OGM4M2IyNjcz ... JiMzYwYzI/
Regards,

rough_spear.

krazylary
Posts: 2
Joined: Tue Jun 12, 2012 8:02 am

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by krazylary » Wed Oct 09, 2013 4:36 am

Here is a list of all domains that the virus calls out to until it finds a live one.


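The check-in pattern krazylary describes (a single 12-14 letter lowercase label on .com/.net/.biz/.ru/.org/.info, always with the fixed /home/ path) is regular enough to hunt for in proxy logs. The script below is an added detection example, not code from the thread or from any of the posters; the log format, client addresses and score thresholds are constructed assumptions, and two of the domains are taken from the posted list.

```python
import math
from urllib.parse import urlsplit

# Pattern taken from the domain list posted in this thread: one 12-14 letter
# lowercase label on .com/.net/.biz/.ru/.org/.info and the fixed "/home/" path.
# The thresholds below are an assumed heuristic, not a vendor signature.
DGA_TLDS = {"com", "net", "biz", "ru", "org", "info"}
VOWELS = set("aeiou")

def shannon_entropy(s):
    """Bits per character; random letter strings score well above 3.0."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_like_crilock_c2(url):
    """True when a URL matches the check-in pattern from the thread's domain list."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    if len(labels) != 2 or labels[1] not in DGA_TLDS or parts.path != "/home/":
        return False
    label = labels[0]
    if not (12 <= len(label) <= 14 and label.isascii() and label.isalpha()):
        return False
    # Coarse randomness check: dictionary-word names tend to be vowel-rich.
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) > 3.0 and vowel_ratio < 0.5

def flag_proxy_log(lines):
    """Return (client, url) pairs for log lines whose URL matches the pattern.
    Assumes constructed 'timestamp client method url status' lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and looks_like_crilock_c2(fields[3]):
            hits.append((fields[1], fields[3]))
    return hits

# Constructed sample log: two domains from the thread's list plus benign traffic.
SAMPLE_LOG = [
    "1381300000.123 10.0.0.15 GET http://wqvnkgtquoixx.com/home/ 200",
    "1381300001.456 10.0.0.15 GET http://www.emsisoft.com/ 200",
    "1381300002.789 10.0.0.22 GET http://miuongoruxtuhy.biz/home/ 200",
    "1381300003.000 10.0.0.30 GET http://bleepingcomputer.com/forums/ 200",
]

if __name__ == "__main__":
    for client, url in flag_proxy_log(SAMPLE_LOG):
        print(f"possible CryptoLocker check-in from {client}: {url}")
```

A hit means a host is cycling through the generated domains looking for a live server, which is the moment to isolate it; the entropy and vowel checks are coarse, so corroborate hits with the sample hashes posted above.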

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Contact:

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Cody Johnston » Fri Oct 11, 2013 4:12 am

Moved to here for now:

hxxp://odxrjkgnahebp.biz/1002.exe (194.28.174.119)

same MD5 as above sample
