Ransom:Win32/Simlosap (alias Cryakl)


Postby EP_X0FF » Tue Jun 09, 2015 4:39 am

Cryptographic ransom. Delivered via email.

Smart Install Maker -> Delphi. In the attachment: dropper and extracted ransom. Installs to %Program Files%, runs via HKLM Run key.

Used https://github.com/SnakeDoctor/FGInt

Changes the desktop wallpaper to its own, with a ransom message. The wallpaper can be found inside the ransom resources.

Email: trojanencoder@aol.com

C&C list

hxxp://decimallightness.com/root/inst.php
hxxp://craigslistlasvegascars.com/wp-includes/admin/inst.php
hxxp://deenislam.org/img/inst.php
hxxp://dentistinnicaragua.com/php/inst.php
hxxp://dedhamfoodpantry.org/news/inst.php


Target extensions

qic:wps:r3d:rwl:rx2:p12:sbs:sldasm:wps:sldprt:odc:odb:old:nbd:nx1:nrw:orf:ppt:mov:mpeg:csv:mdb:cer:arj:ods:mkv:avi:odt:pdf:docx:gzip:m2v:cpt:raw:cdr:3gp:7z:rar:db3:zip:xlsx:xls:rtf:doc:jpeg:jpg:
accdb:abf:a3d:asm:fbx:fbw:fbk:fdb:fbf:max:m3d:ldf:keystore:iv2i:gbk:gho:sn1:sna:spf:sr2:srf:srw:tis:tbl:x3f:ods:pef:pptm:txt:pst:ptx:pz3:odp:


Auto-elevate in a loop

Code:
  pExecInfo.cbSize = 60;                          // sizeof(SHELLEXECUTEINFOA) on 32-bit
  pExecInfo.hwnd = GetFocus();
  pExecInfo.fMask = 1280;                         // 0x500 = SEE_MASK_NOASYNC | SEE_MASK_FLAG_NO_UI
  pExecInfo.lpVerb = "runas";                     // request elevation (UAC prompt)
  pExecInfo.lpFile = (LPCSTR)sub_404E98();        // path string returned by sub_404E98
  pExecInfo.lpParameters = (LPCSTR)sub_404E98();
  pExecInfo.nShow = 1;                            // SW_SHOWNORMAL
  while ( !ShellExecuteExA(&pExecInfo) )          // FALSE when the prompt is declined: retry until accepted
    Sleep_0(0x7D0u);                              // 2000 ms between prompts


VT
https://www.virustotal.com/en/file/add92cb6047f2fb412dcbcb5a2d8ee7fad56091ccd6667105d977b010a33b561/analysis/1433824692/
https://www.virustotal.com/en/file/94f36b586379137a58862ca46cd1cd6c01c20ea9f56755f7b193f0c97b7a57bd/analysis/1433824702/

Derivative of this: https://securelist.ru/blog/issledovaniya/24070/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/ (use Google Translate)
Ring0 - the source of inspiration
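As an added example (not code from the post or from the sample), a Python helper that parses the target extension list above, in the colon-separated form it is posted (trailing colon, repeated entries such as wps and ods), into a normalized set and walks a directory to scope which files this family would have encrypted; the directory tree it builds is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Extension list exactly as posted: colon-separated, trailing colon, duplicates included.
TARGET_EXTENSIONS_RAW = (
    "qic:wps:r3d:rwl:rx2:p12:sbs:sldasm:wps:sldprt:odc:odb:old:nbd:nx1:nrw:orf:ppt:"
    "mov:mpeg:csv:mdb:cer:arj:ods:mkv:avi:odt:pdf:docx:gzip:m2v:cpt:raw:cdr:3gp:7z:"
    "rar:db3:zip:xlsx:xls:rtf:doc:jpeg:jpg:"
    "accdb:abf:a3d:asm:fbx:fbw:fbk:fdb:fbf:max:m3d:ldf:keystore:iv2i:gbk:gho:sn1:sna:"
    "spf:sr2:srf:srw:tis:tbl:x3f:ods:pef:pptm:txt:pst:ptx:pz3:odp:"
)


def parse_extension_list(raw):
    """Split the colon-separated list into a lowercase set, dropping the empty item
    produced by the trailing colon and collapsing duplicate entries."""
    return {e.strip().lower() for e in raw.split(":") if e.strip()}


def is_targeted(path, targets):
    """True if the file's final extension is in the target set (case-insensitive).
    Only the last suffix counts, so 'archive.tar.gz' is judged on 'gz'."""
    ext = Path(path).suffix.lstrip(".").lower()
    return bool(ext) and ext in targets


def scope_directory(root, targets):
    """Walk root and return the sorted list of files matching the target set,
    e.g. to scope impact or prioritize restores after an infection."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_targeted(full, targets):
                hits.append(full)
    return sorted(hits)


def demo():
    """Constructed sample tree (not from the post); returns the relative paths hit."""
    targets = parse_extension_list(TARGET_EXTENSIONS_RAW)
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("report.DOCX", "photo.jpg", "tool.exe", "notes.txt",
                    "sub/db.accdb", "archive.tar.gz"):
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("constructed sample content")
        hits = scope_directory(tmp, targets)
        return [os.path.relpath(h, tmp).replace(os.sep, "/") for h in hits]


if __name__ == "__main__":
    print(demo())
```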