CryptoLocker (Trojan:Win32/Crilock.A)

Forum for analysis and discussion about malware.

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Fabian Wosar » Sun Dec 15, 2013 12:09 am

Not directly related to CryptoLocker, but a US company is currently creating a lot of PR buzz around a different crypto malware, calling it a CryptoLocker copycat. Based on the little technical information they shared, the malware they describe sounds suspiciously like the CryFile crypto malware family which has been around since at least July 2013. I have attached one of the most recent samples.

The crypto component the malware uses can be found here:
http://sourceforge.net/projects/tplockbox/

The group behind the malware seems to call itself "No Problem Bro" and they have been around for a while. Their web presence (noproblembro.com) is pretty much empty, just hints here and there about what they are up to.

The malware is VM aware, checking user names used, running processes, as well as various registry locations. The checks are located at 0x57F47C, 0x57FC9C, and 0x57FB28. Once the malware has made sure that it isn't running inside a VM, it will create an autorun key inside HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce as AdobeUpdate, pointing towards an AdobeSystem.exe file located inside the user profile directory. At least on my systems, however, the malware doesn't copy itself there. I didn't look into whether or not that's a bug inside the malware. It is also possible that the sample is part of a larger dropper that actually takes care of placing the file inside that directory under the correct name.

The only other interesting aspect is the fact that crypto malware authors seem to pick up on the existence of shadow volumes. It is quite common for crypto malware authors to add shadow volume snapshot deletion in one of the later revisions of their malware, as that is usually one of the first things admins or malware removal techs try, but this particular sample shipped with some code to delete shadow copies right from the get go back in July.

I haven't looked into the encryption details yet but from the first look it seems to be reversible. Will take a closer look at it after a couple of hours of sleep.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
Fabian Wosar
 
Posts: 81
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany
Reputation point: 97

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Grinler » Sun Dec 15, 2013 1:41 am

Thanks for the sample Fabian. Have had a few people hit by this at BC.
BleepingComputer.com
Grinler
 
Posts: 27
Joined: Sun Mar 14, 2010 1:47 pm
Reputation point: 3

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Fabian Wosar » Sun Dec 15, 2013 2:25 pm

As promised yesterday, I took a closer look at the malware today. To be more precise, I looked into the AES password generation to figure out whether or not decryption is feasible. Password generation takes place inside the function located at 0x0058072C. The password generation is done using the stock Delphi random number generation functions. Essentially, the Delphi RNG is seeded using QueryPerformanceCounter, or GetTickCount if the former is unavailable. The Random function itself is a simple linear congruential generator using the factor 0x08088405. The password generation algorithm looks like this:

Code:
// The password starts empty; each of the 250 iterations appends exactly one character.
Password := '';
for i := 0 to 249 do
begin
  if Random(2) = 1
    then Password := Password + Char(Random(93) + 33)   // printable ASCII from '!' (33) to '}' (125)
    else Password := Password + IntToStr(Random(10));   // a single decimal digit '0'..'9'
end;


The randomly generated key is then sent via email to "specialist2@noproblembro.com". Emails look like this:

Code:
From: "informator@noproblembro.com" <informator@noproblembro.com>
Subject: Locked:WORKSTATION(2966044196)
To: specialist2@noproblembro.com
Date: Sun, 15 Dec 2013 12:06:18 -0200

PC: WORKSTATION
ID: 2966044196A
Password: 2/-5=EC,94=,yebt;0303L9Y0=W7dD3;8r)1682Rz5A2P>a{1'D8n`(78q59|f4e#171176381i0%Q4c1s&v53')7"z7t+Q4909(57?8166)9\R97UO>y4W,2Gux0834@6029lx5A6;1078`X403895J2wqA278l}H7-9<524"7441C37137120957506620$/4I66F8b*3Z[35A53<220]776kl47-88h315U0`44Y87/{6;D{{5*822&
Expire: 12/17/2013
IP: 127.0.0.1
TS: 12:06:18 AM


The 250 character key may look intimidating at first, but based on how the key is generated, decryption should be possible as a brute force attack against all possible 4294967296 keys seems feasible within a couple of hours or days depending on your processor. Maybe a mathematician or cryptographer with more experience in LCGs may find a more efficient attack.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
Fabian Wosar
 
Posts: 81
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany
Reputation point: 97
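
The generator described in the post above, reimplemented as an added example (this is not the malware's code and not Fabian's; it reproduces the documented Delphi 7 RNG semantics: RandSeed := RandSeed * $08088405 + 1 modulo 2^32, and Random(n) returns the high 32 bits of RandSeed * n). It shows why the 250-character password collapses to a 32-bit problem: every character is a deterministic function of the single seed that QueryPerformanceCounter or GetTickCount supplied. recover_seed walks a caller-chosen seed window rather than all 2^32 seeds, so it runs in seconds; the full search the post estimates at hours or days is the same loop over range(2**32). The seeds and passwords used below are constructed test values, not from any real infection.

```python
MASK32 = 0xFFFFFFFF
DELPHI_MULT = 0x08088405   # the LCG multiplier named in the post
PASSWORD_LEN = 250


class DelphiRandom:
    """Delphi 7 style 32-bit linear congruential generator.

    The seed is the value Randomize would have taken from
    QueryPerformanceCounter / GetTickCount on the victim machine.
    """

    def __init__(self, seed):
        self.seed = seed & MASK32

    def random(self, limit):
        """Equivalent of Delphi's Random(limit): advance the LCG, then scale
        the new seed into [0, limit) using the high dword of the 64-bit
        product, exactly as the Delphi RTL does."""
        self.seed = (self.seed * DELPHI_MULT + 1) & MASK32
        return (self.seed * limit) >> 32


def generate_password(seed, length=PASSWORD_LEN):
    """Rebuild the password the post's Delphi loop would produce for a seed.

    Each iteration consumes two RNG outputs: one coin flip, then either a
    printable ASCII character (33..125) or a single decimal digit.
    """
    rng = DelphiRandom(seed)
    chars = []
    for _ in range(length):
        if rng.random(2) == 1:
            chars.append(chr(rng.random(93) + 33))
        else:
            chars.append(str(rng.random(10)))
    return "".join(chars)


def password_alphabet_ok(password):
    """Sanity check used when triaging a recovered or emailed key: every
    character must be a digit or in the '!'..'}' range the loop can emit."""
    return all(33 <= ord(c) <= 125 for c in password)


def recover_seed(known_prefix, seed_range):
    """Find the seed whose generated password starts with known_prefix.

    Only the first len(known_prefix) characters are generated per candidate,
    which keeps the per-seed cost tiny. A real recovery tool would pass
    range(2 ** 32) here; the window is a parameter so this stays fast.
    """
    n = len(known_prefix)
    for seed in seed_range:
        if generate_password(seed, n) == known_prefix:
            return seed
    return None


if __name__ == "__main__":
    # Constructed demo: pick a seed, derive its password, then recover the
    # seed again from a short prefix by searching a small window around it.
    demo_seed = 0xDEADBEEF
    pw = generate_password(demo_seed)
    print(len(pw), pw[:40])
    found = recover_seed(pw[:12], range(demo_seed - 0x80, demo_seed + 0x80))
    print(hex(found) if found is not None else "not found")
```

Twelve known characters are far more than enough to identify the seed uniquely within any window, because each digit-or-character position carries several bits of entropy; in practice a victim has the whole 250-character key or an encrypted file to verify against, so the search terminates on the first seed whose output decrypts a known file header.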

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby CloneRanger » Mon Dec 16, 2013 5:49 am

@ Fabian Wosar

Thanx for the new info.

More details here -

No problem bro – ransom decryption service

August 20th, 2013

http://blog.avast.com/2013/08/20/no-pro ... on-service
Malware = If your names not down, you're Not coming in !
CloneRanger
 
Posts: 116
Joined: Sat Aug 14, 2010 11:54 pm
Reputation point: 12

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Grinler » Mon Dec 16, 2013 4:58 pm

Fabian, any chance you have a copy of this with the anti-vm protection bypassed?
BleepingComputer.com
Grinler
 
Posts: 27
Joined: Sun Mar 14, 2010 1:47 pm
Reputation point: 3

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Cody Johnston » Mon Dec 16, 2013 10:21 pm

Grinler wrote:Fabian, any chance you have a copy of this with the anti-vm protection bypassed?


All you need to do is change the following registry key:

Code:
HKLM\Hardware\ACPI\DSDT\VBOX__


Rename the VBOX__ key to anything other than VBOX and the sample Fabian posted will run.
Cody Johnston
 
Posts: 136
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Reputation point: 60

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Grinler » Mon Dec 16, 2013 10:53 pm

Terrific. Thanks!
BleepingComputer.com
Grinler
 
Posts: 27
Joined: Sun Mar 14, 2010 1:47 pm
Reputation point: 3

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Cody Johnston » Fri Dec 20, 2013 7:19 pm

CryptoLocker 2.0 Cleaned up and mostly deobfuscated

http://www.welivesecurity.com/2013/12/1 ... r-copycat/


MD5 4f6011ff98c257441ed388c607c5c7fe

Only ESET detects :) (1/47):
https://www.virustotal.com/en/file/3d9a ... 387566697/

This one gets more file extensions:

Code:
this.string_0 = "3fr, accdb, txt, ai, arw, bay, cdr, cer, cr2, eps, erf, indd, mp3, mp4, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, rwl, srf, srw, wb2, wpd, wps, xlk, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, xls, xlsb, xlsm, xlsx, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf";


Also has DDoS functionality:

Code:
str1 = "Error: DDoS failed due to invalid URL";
Cody Johnston
 
Posts: 136
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Reputation point: 60

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby TwinHeadedEagle » Thu Dec 26, 2013 9:33 pm

TwinHeadedEagle
 
Posts: 71
Joined: Mon Aug 27, 2012 6:59 am
Reputation point: 5

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Grinler » Thu Dec 26, 2013 11:17 pm

I am pretty sure this is the CryptoLocker 2.0 posted above.
BleepingComputer.com
Grinler
 
Posts: 27
Joined: Sun Mar 14, 2010 1:47 pm
Reputation point: 3
