Win32/Critroni (CTB-Locker)

Forum for analysis and discussion about malware.

Win32/Critroni (CTB-Locker)

Postby forty-six » Mon Jul 21, 2014 7:38 pm

Sample is courtesy of Kafeine's blog.

http://malware.dontneedcoffee.com/2014/ ... ocker.html

Removed VB trash in partial unpack.
forty-six
 
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm
Reputation point: 30

Re: Win32/Critroni (CTB-Locker)

Postby EP_X0FF » Tue Jul 22, 2014 3:38 pm

You can catch its decrypted data in the second stage, when the copy of the dropper process calls NtFreeVirtualMemory. Nothing really impressive: actual malware data is about ~600 Kb, of which ~500 Kb are BMP images and ransomware text to display, plus TOR-linked object files -> https://doxygen.torproject.org/files.html, seemingly used for the communication mechanism, the zlib 1.2.8 library, etc.

Code:
Your personal files are encrypted.%f0%%c0%


Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.

If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files.

1. Type the address %c1%http://torproject.org%c0% in your Internet browser. It opens the Tor site.

2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle', install and run it.

3. Now you have Tor Browser. In the Tor Browser open the %c1%http://%onion%/%c0%
   Note that this server is available via Tor Browser only
   Retry in 1 hour if site is not reachable.

4. Write in the following public key in the input form on server. Avoid missprints.
%f1%%c1%%key%%f0%%c0%

5. Follow the instructions on the server.

These instructions are also saved to file named DecryptAllFiles.txt in Documents folder. You can open it and use copy-paste for address and key.


Malware BMP's in attach.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Win32/Critroni (CTB-Locker)

Postby forty-six » Wed Jul 23, 2014 8:52 pm

Thanks for the assist EP.
forty-six
 
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm
Reputation point: 30

Re: Win32/Critroni (CTB-Locker)

Postby Cody Johnston » Tue Sep 02, 2014 4:51 pm

Recent sample from a few days ago. Marks files now as .ctb2

Interesting that the original packed exe is written using pcode (http://en.wikipedia.org/wiki/P-code_machine)

latest.exe:

https://www.virustotal.com/en/file/554b22e4765856527e2fee6b9edfa8d323e5350bb447d872b07e905d15185145/analysis/1409227700/

unpacked.exe:

https://www.virustotal.com/en/file/ab3180e2785309ee9ab559e694592064846273716bc854509f54d18f38b1cf8b/analysis/1409368968/

Also dumped memory from after unpacked.exe's last allocation (CBTv2.mem).

Seems it uses the same communication mechanism as before.

Thanks to decrypterfixer from BleepingComputer for the sample.
Cody Johnston
 
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Reputation point: 69
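Added example, not code from the thread or from any poster: a small host triage script built around the two artifacts this thread names, the ".ctb2" extension appended to encrypted files and the DecryptAllFiles.txt note dropped in Documents. It builds a constructed directory layout (hypothetical file names) and counts how many files carry the indicators and which original extensions were hit.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in this thread: encrypted files get ".ctb2" appended,
# and the ransom note is written as DecryptAllFiles.txt in Documents.
ENCRYPTED_SUFFIX = ".ctb2"
NOTE_NAME = "DecryptAllFiles.txt"


def triage(root):
    """Walk `root` and count files carrying the CTB-Locker indicators.

    Returns the number of ".ctb2" files, the directories holding a note,
    and a histogram of the original extensions ("report.docx.ctb2" -> ".docx").
    """
    result = {"encrypted": 0, "notes": [], "original_exts": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == NOTE_NAME:
                result["notes"].append(os.path.relpath(dirpath, root))
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                result["encrypted"] += 1
                # Strip the appended suffix to recover the original extension.
                orig = Path(name[: -len(ENCRYPTED_SUFFIX)]).suffix.lower() or "<none>"
                result["original_exts"][orig] = result["original_exts"].get(orig, 0) + 1
    result["notes"].sort()
    return result


def build_sample_tree():
    """Create a constructed profile layout (hypothetical data, not a real case)."""
    root = tempfile.mkdtemp(prefix="ctb_sample_")
    layout = {
        "Documents/report.docx.ctb2": b"\x00" * 16,
        "Documents/budget.xlsx.ctb2": b"\x00" * 16,
        "Documents/DecryptAllFiles.txt": b"Your personal files are encrypted.",
        "Pictures/holiday.jpg.ctb2": b"\x00" * 16,
        "Pictures/readme.txt": b"untouched file",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```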

Re: Win32/Critroni (CTB-Locker)

Postby EP_X0FF » Wed Sep 03, 2014 11:50 am

Cody Johnston wrote:Recent sample from a few days ago. Marks files now as .ctb2

Interesting that the original packed exe is written using pcode (http://en.wikipedia.org/wiki/P-code_machine)


Probably you mean PIC, position-independent code.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Win32/Critroni (CTB-Locker)

Postby Cody Johnston » Wed Sep 03, 2014 4:03 pm

EP_X0FF wrote:Probably you mean PIC, position-independent code.


I meant P-Code, but gave the wrong link initially. Here is a PDF that explains a little better what I am talking about: http://www.decompiler-vb.net/documentation/Native%20Code%20VS%20PCode.pdf
Cody Johnston
 
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Reputation point: 69

Re: Win32/Critroni (CTB-Locker)

Postby DecrypterFixer » Wed Sep 03, 2014 6:36 pm

Yep, VB6 P-code at that. It's quite rare to see at all. As I was telling Cody in the past, I had to bust out a debugger from 2001 to figure out what was going on in it, because IDA and Olly are about useless with P-code. Of course you can still dump the unpacked exe from Process Hacker, but it's torn all apart that way. The old debugger I used was able to dump it without any type of rebuilding; it was nice for a change.
DecrypterFixer
 
Posts: 3
Joined: Tue Apr 22, 2014 1:55 am
Reputation point: 0

Re: Win32/Critroni (CTB-Locker)

Postby DecrypterFixer » Thu Sep 04, 2014 1:54 am

My apologies for the double post, but I also wanted to point out that this infection has the capability to encrypt, and do its "Test 5 file Decrypt", offline with no network adapter in my VM. Just thought it was rather interesting.
DecrypterFixer
 
Posts: 3
Joined: Tue Apr 22, 2014 1:55 am
Reputation point: 0

Win32/Onion (CTB-Locker)

Postby r3shl4k1sh » Mon Dec 29, 2014 2:16 pm

Ransomware that uses Tor in order to contact the C2.


Article:
http://securelist.com/analysis/publications/64608/a-new-generation-of-ransomware/

VT 20/56

In attach:
MD5: 10f0eaa794f48ad0b15034e0683cb15f
r3shl4k1sh
 
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel
Reputation point: 41

Re: Win32/Critroni (CTB-Locker)

Postby Kafeine » Mon Dec 29, 2014 6:23 pm

Kafeine
 
Posts: 105
Joined: Thu Jul 28, 2011 1:19 pm
Reputation point: 74
