CryptoLocker (Trojan:Win32/Crilock.A)

Forum for analysis and discussion about malware.
Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Cody Johnston » Wed Oct 23, 2013 4:20 am

emc74 wrote: Can a more recent file be posted so that I can download it and attempt a recovery? Can I check that, following the download, I just execute the file?
It does not work that way; the same question was answered here:

http://www.kernelmode.info/forum/viewto ... =10#p20878

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Cody Johnston » Wed Oct 23, 2013 6:27 pm

SHA256: ed95b1a888710f3ca4acacb49250fb6c21722e2882e31784bd2049d15f97d4de
SHA1: 48146b81b85e41b67489f2c20a4e38cb10d1c778
MD5: bbb445901d3ec280951ac12132afd87c
Detection ratio: 29 / 47

https://www.virustotal.com/en/file/ed95 ... /analysis/

hxxp://194.28.174.119/0388.exe
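The three digests above are the kind of indicator a responder wants to sweep a disk image or a share for. The following is an added example (not code from the original post): it streams each file through MD5/SHA-1/SHA-256 and reports any file whose digest matches the posted 0388.exe hashes. The hash values are the ones posted in this thread; the scratch directory, file names and payload in the demo are constructed and exist only to show the matcher working.

```python
"""Sweep a directory tree for files matching the posted CryptoLocker sample hashes.

Added example, not from the original post. The digests in CRILOCK_IOCS are the
ones posted for 0388.exe; every path and payload below is constructed.
"""
import hashlib
import os
import tempfile

# Hashes of the 0388.exe sample as posted in this thread (lower-case hex).
CRILOCK_IOCS = {
    "sha256": "ed95b1a888710f3ca4acacb49250fb6c21722e2882e31784bd2049d15f97d4de",
    "sha1": "48146b81b85e41b67489f2c20a4e38cb10d1c778",
    "md5": "bbb445901d3ec280951ac12132afd87c",
}


def digests(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digests_of_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same as digests(), but streamed so a large file is never read whole."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_ioc(file_digests: dict, iocs: dict = CRILOCK_IOCS) -> list:
    """Return the algorithms whose digest equals a known IOC.

    One match is enough to flag a file; reporting all of them makes a typo
    in a single published hash visible instead of silently missing.
    """
    return [alg for alg, value in iocs.items()
            if file_digests.get(alg, "").lower() == value.lower()]


def scan_tree(root: str, iocs: dict = CRILOCK_IOCS) -> list:
    """Walk root and return (path, matched_algorithms) for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                found = matches_ioc(digests_of_file(path), iocs)
            except OSError:
                continue  # unreadable or locked file: skip it rather than abort the sweep
            if found:
                hits.append((path, found))
    return hits


def demo() -> tuple:
    """Constructed demo: one harmless file in a scratch directory.

    Returns (hits against the posted Crilock hashes, algorithm lists of hits
    when the file's own digests are used as the IOC set).
    """
    payload = b"not the sample\n"  # constructed content, not the malware
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(payload)
        real_hits = scan_tree(tmp)                         # expected: no match
        self_hits = scan_tree(tmp, iocs=digests(payload))  # expected: one match on all three
    return real_hits, [algs for _path, algs in self_hits]


if __name__ == "__main__":
    print(demo())
```

Run it against a mounted image or a share root (`scan_tree("/mnt/evidence")`); a hit on any single algorithm is enough to act on, and the streamed hashing keeps memory flat on large drives.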

Every1is=
Posts: 36
Joined: Tue Aug 03, 2010 11:27 am

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Every1is= » Wed Oct 30, 2013 8:40 am

Maybe a dumb question, but I assume it will: does it search for the mask system-wide?

A lot of people will back up (i.e. just make a copy) to a permanently attached USB drive or network drive, be it via a network path, a Windows mapped drive letter, an IP/dirname, etc.

Are those in danger as well?

Also, what does it do to the location on disk where the files were stored? As I understand it, it picks them up, encrypts them, puts them in an encrypted blob and puts that blob in a new location on the drive. If the originals are gone, it must have deleted them. What does it do to that drive space? Does it scrub it? If not, will recovery software work on the "deleted" files?

I could go and get myself infected and check it out, but I am too big of a n00b to try and do that. Better to leave that to the guys that have the knowledge and time for it. I might get myself in more trouble than I can handle right now... ;)

Grinler
Posts: 48
Joined: Sun Mar 14, 2010 1:47 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Grinler » Wed Oct 30, 2013 3:49 pm

Lots of AV vendors are reporting that this is being spread via exploit kits as well. Has anyone ever seen a sample from an exploit kit?

I have only seen it from Zbot spams.
Every1is= wrote: Maybe a dumb question, but I assume it will: does it search for the mask system-wide?

A lot of people will back up (i.e. just make a copy) to a permanently attached USB drive or network drive, be it via a network path, a Windows mapped drive letter, an IP/dirname, etc.

Are those in danger as well?
If the backup drive is mounted as a drive letter, then yes, CryptoLocker will scan it for files to encrypt. As for the encrypted files, I can tell you that people have tried to recover using a file recovery program and were unable to do so. Not sure if they are scrubbing or another method is being used.
BleepingComputer.com

markusg
Posts: 730
Joined: Mon Mar 15, 2010 2:53 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by markusg » Wed Oct 30, 2013 4:06 pm

I personally see it as spam, not via exploits.
@decryption:
What about Shadow Explorer (Vista/Win7)? Also not working?
I was not able to get a working copy of this ransomware, but perhaps you will also find some useful tools there:
http://www.trojaner-board.de/116851-dat ... post851585
In the past we had problems in Germany with ransomware that encrypts files too, and collected some tools there.

Grinler
Posts: 48
Joined: Sun Mar 14, 2010 1:47 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Grinler » Wed Oct 30, 2013 4:19 pm

Shadow Explorer and Previous Versions definitely works.
BleepingComputer.com

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Cody Johnston » Wed Oct 30, 2013 7:27 pm

Grinler wrote:Lot's of AV vendors are reporting that this is being spread via exploit kits as well. Anyone ever seen a sample from an exploit kit?
0388.exe was recovered from a PC that was infected via Neutrino EK, it is only sometimes that I can recover the history though so it is hard to know for sure how often. Most of them that we find have ZeroAccess so I suspect sometimes PPI via ZeroAccess and sometimes through EK, though I could be wrong here.

Grinler
Posts: 48
Joined: Sun Mar 14, 2010 1:47 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Grinler » Wed Oct 30, 2013 9:03 pm

Thanks Cody. If you run into anything definitive let me know. The only time I have seen the version executables are when people download directly from the C2 server. All the other times the Crilock executable has been randomly named.
BleepingComputer.com

markusg
Posts: 730
Joined: Mon Mar 15, 2010 2:53 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by markusg » Wed Oct 30, 2013 10:04 pm

On infected PCs it's installed via click fraud (Medfos).

noone
Posts: 1
Joined: Fri Nov 01, 2013 8:09 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by noone » Fri Nov 01, 2013 8:13 pm

Hmmm, this thing looks really nasty.
Also, it's funny, they don't have captchas on file upload...

Some nmap scans:

Starting Nmap 6.01 ( http://nmap.org ) at 2013-11-01 21:34
Nmap scan report for 93.189.44.187

PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp

---

Starting Nmap 6.01 ( http://nmap.org ) at 2013-11-01 21:34
Nmap scan report for dedic.dc.besthosting.ua (194.28.174.119)

PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
111/tcp open rpcbind
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp

---

Starting Nmap 6.01 ( http://nmap.org ) at 2013-11-01 21:33
Nmap scan report for li450-191.members.linode.com (50.116.8.191)

PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp

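The three scan reports above are nmap 6.01 normal output, which is fine for a forum post but awkward to compare by eye. As an added example (not code from the original post), the following parses that exact pasted text into a per-host structure and computes the set of ports that are open on every host. The scan text is the one posted above; the function names are my own, and nothing here contacts the hosts.

```python
"""Parse the nmap normal-output reports posted above and compare them.

Added example, not from the original post. SCANS is the posted text pasted
verbatim (whitespace collapsed as it appears on the page); the function names
are this example's own.
"""
import re
from collections import namedtuple

PortLine = namedtuple("PortLine", "port proto state service")

# The three reports exactly as posted in the thread (nmap 6.01 normal output).
SCANS = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2013-11-01 21:34
Nmap scan report for 93.189.44.187

PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp

---

Starting Nmap 6.01 ( http://nmap.org ) at 2013-11-01 21:34
Nmap scan report for dedic.dc.besthosting.ua (194.28.174.119)

PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
111/tcp open rpcbind
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp

---

Starting Nmap 6.01 ( http://nmap.org ) at 2013-11-01 21:33
Nmap scan report for li450-191.members.linode.com (50.116.8.191)

PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp
"""

# "Nmap scan report for <name>" or "Nmap scan report for <rdns> (<ip>)"
REPORT_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")
# "<port>/<proto> <state> <service>"; \s+ tolerates both real nmap padding and collapsed spaces
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S.*)$")


def parse_nmap(text: str) -> dict:
    """Return {ip: {"hostname": rdns or None, "ports": [PortLine, ...]}}."""
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if m:
            ip = m.group("ip") or m.group("name")
            hostname = m.group("name") if m.group("ip") else None
            current = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current["ports"].append(PortLine(int(m.group("port")), m.group("proto"),
                                             m.group("state"), m.group("service").strip()))
    return hosts


def open_ports(host: dict) -> list:
    """Sorted list of port numbers reported open for one host."""
    return sorted(p.port for p in host["ports"] if p.state == "open")


def shared_open_ports(hosts: dict) -> list:
    """Ports open on every parsed host (empty if nothing was parsed)."""
    sets = [set(open_ports(h)) for h in hosts.values()]
    return sorted(set.intersection(*sets)) if sets else []


def ports_by_state(host: dict) -> dict:
    """{state: [ports]} for one host, e.g. to see what was filtered vs open."""
    out = {}
    for p in host["ports"]:
        out.setdefault(p.state, []).append(p.port)
    return {state: sorted(ports) for state, ports in out.items()}


if __name__ == "__main__":
    hosts = parse_nmap(SCANS)
    for ip, host in hosts.items():
        print(ip, host["hostname"], ports_by_state(host))
    print("open on all hosts:", shared_open_ports(hosts))
```

For anything beyond a quick comparison, have nmap emit machine-readable output (`-oG` or `-oX`) rather than scraping the human-readable form; the regexes above are tuned to the 6.x normal-output layout and would need revisiting if the format changes.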