CryptoLocker (Trojan:Win32/Crilock.A)

Forum for analysis and discussion about malware.

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Grinler » Fri Sep 13, 2013 6:42 pm

To be fair, without backups and without getting into the fact that they should have them, some people are just desperate. Definitely sucks to lose years of work, pictures, and documents.
BleepingComputer.com
Grinler
 
Posts: 48
Joined: Sun Mar 14, 2010 1:47 pm
Reputation point: 5

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby forty-six » Mon Sep 16, 2013 10:14 pm

Standard Pass.
forty-six
 
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm
Reputation point: 30

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby donnyharps » Thu Sep 19, 2013 5:36 am

Fabian,
I tried to recreate the virus using your .rar file. The ransom note only popped up for a second and then it disappeared. It did reinstall on the workstation, it did not double encrypt my files (which is great). But what am I doing wrong? I need the ransom note popup to pay the ransom. Please help!
donnyharps
 
Posts: 2
Joined: Thu Sep 19, 2013 1:36 am
Reputation point: 0

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Fabian Wosar » Thu Sep 19, 2013 8:04 am

donnyharps wrote: Fabian,
I tried to recreate the virus using your .rar file. The ransom note only popped up for a second and then it disappeared. It did reinstall on the workstation, it did not double encrypt my files (which is great). But what am I doing wrong? I need the ransom note popup to pay the ransom. Please help!

If the timer is up, you can't. The malware will instantly uninstall itself as soon as the server signals the timer has expired.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
Fabian Wosar
 
Posts: 88
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany
Reputation point: 102

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby donnyharps » Fri Sep 20, 2013 5:53 pm

If I download the virus to another one of my workstations on my network, do you guys think I will be able to pay the ransom and it would decrypt my shared files that got encrypted the first time?

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Fabian Wosar » Fri Sep 20, 2013 7:45 pm

No, it won't. The new installation will use a different key.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Cody Johnston » Mon Oct 07, 2013 11:38 pm

Dropper collected today, low detection on VT (1/47 as of this post).

SHA256: 2163570f047cefc466c0ca370e56b6fbb770c4f71603b2353c1b6fd8e482ced8
SHA1: a4c60f419c5aa760db9904a59c8d79fce2636d68
MD5: 0204332754da5975b6947294b2d64c92
Detection ratio: 1 / 47

https://www.virustotal.com/en/file/2163570f047cefc466c0ca370e56b6fbb770c4f71603b2353c1b6fd8e482ced8/analysis/

Malwr:

https://malwr.com/analysis/OGM4M2IyNjczMTYwNDY4MWIxZWY1N2I1Y2JiMzYwYzI/
Cody Johnston
 
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Reputation point: 69

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby rough_spear » Tue Oct 08, 2013 6:08 am

Hi All,

Here is the download link.

hxxp://feyrckkwwjymeo.org/1002.exe


Cody Johnston wrote: Dropper collected today, low detection on VT (1/47 as of this post).

SHA256: 2163570f047cefc466c0ca370e56b6fbb770c4f71603b2353c1b6fd8e482ced8
SHA1: a4c60f419c5aa760db9904a59c8d79fce2636d68
MD5: 0204332754da5975b6947294b2d64c92
Detection ratio: 1 / 47

https://www.virustotal.com/en/file/2163570f047cefc466c0ca370e56b6fbb770c4f71603b2353c1b6fd8e482ced8/analysis/

Malwr:

https://malwr.com/analysis/OGM4M2IyNjczMTYwNDY4MWIxZWY1N2I1Y2JiMzYwYzI/


Regards,

rough_spear.
rough_spear
 
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India
Reputation point: 61

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby krazylary » Wed Oct 09, 2013 4:36 am

Here is a list of all domains that the virus calls out to until it finds a live one.


krazylary
 
Posts: 2
Joined: Tue Jun 12, 2012 8:02 am
Reputation point: 0
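
A defender-side heuristic for the behaviour krazylary describes, added here as an example (it is not code from the thread, the poster, or the malware): it flags a client that walks several distinct domains of the posted shape in a short window. The proxy log format, client addresses and domain names in it are constructed to match that shape.

```python
"""Flag CryptoLocker-style C2 beaconing in proxy logs (editor's added example).
Domains posted in this thread share one shape: one lowercase label of 13 or 14
letters, a TLD from a small set, and path "/home/", tried until one answers."""
import re
from collections import defaultdict
from urllib.parse import urlsplit
TLDS = {"com", "net", "biz", "ru", "org", "info"}
LABEL = re.compile(r"^[a-z]{13,14}$")
# Constructed log format: "<epoch> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\w+) (\S+) (\d{3})$")

def _split(url):
    # Accept scheme-less URLs, as they were posted in the thread.
    return urlsplit(url if "://" in url else "http://" + url)

def looks_like_beacon(url):
    """True if the URL has the shape of the C2 URLs listed in the thread."""
    parts = _split(url)
    labels = parts.hostname.split(".") if parts.hostname else []
    return (len(labels) == 2 and labels[1] in TLDS
            and bool(LABEL.match(labels[0])) and parts.path == "/home/")

def flag_hosts(log_lines, window=300, min_domains=5):
    """Map client IP -> sorted distinct beacon domains, for clients that hit
    at least `min_domains` distinct matching domains within `window` seconds."""
    hits = defaultdict(list)  # client -> [(timestamp, hostname)]
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and looks_like_beacon(m.group(4)):
            hits[m.group(2)].append((int(m.group(1)), _split(m.group(4)).hostname))
    flagged = {}
    for client, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {h for t, h in events[i:] if t - t0 <= window}
            if len(seen) >= min_domains:
                flagged[client] = sorted(seen)
                break
    return flagged

# Constructed sample: 10.0.0.7 walks five look-alike domains in under a minute
# (four fail, the fifth answers); 10.0.0.9's /home/ hit is ordinary traffic.
SAMPLE_LOG = [
    "1381300000 10.0.0.7 GET http://qzkrtwvnpdlsa.com/home/ 503",
    "1381300012 10.0.0.7 GET http://mvhjybxteqwokp.net/home/ 503",
    "1381300025 10.0.0.7 GET http://rdnwcqxlpzkfg.biz/home/ 503",
    "1381300040 10.0.0.7 GET http://tbgkmxhsvnqwoy.ru/home/ 503",
    "1381300055 10.0.0.7 GET http://wxqzpvlbkjdrn.org/home/ 200",
    "1381300060 10.0.0.9 GET http://shop.example.biz/home/ 200",
]
```

`flag_hosts(SAMPLE_LOG)` returns only the client that cycled through five look-alike domains; the thresholds are starting points to tune against your own proxy baseline.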

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Cody Johnston » Fri Oct 11, 2013 4:12 am

Moved to here for now:

hxxp://odxrjkgnahebp.biz/1002.exe (194.28.174.119)

Same MD5 as the sample above.
