A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20765  by Fabian Wosar
 Tue Sep 10, 2013 9:29 am
Hi everyone,

Looks like there has been a new crypto malware on the loose for the past 2 - 3 days. The malware is referred to by its author as "CryptoLocker". Microsoft adopted the name Crilock. Sample is attached. Here are a few notes that I gathered so far. I am currently sick with the flu so take these information with a grain of salt:
  • Connection with the C&C server is established through either a hardcoded IP (184.164.136.134, which is down now) or if that fails through a domain generation algorithm located at 0x40FDD0 and seeded by GetSystemTime. At this time I found that xeogrhxquuubt.com and qaaepodedahnslq.org are both active and point to 173.246.105.23.
  • The communication channel uses POST to the /home/ directory of the C&C server. The data is encrypted using RSA. The public key can be found at offset 0x00010da0 inside the malware file.
  • On first contact the malware will send in an information string containing the malware version, the system language, as well as an id and a group id. In return it receives a RSA public key. In my case this has been:
    Code: Select all
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkQBZgSk3NNo54cxwl3nS
    zZHMhFI4oU0ygX81IFsktcaCAIUrMSnUVQEcFvhcidh/5JuE+piQY5Z3iuDcKqiF
    0yWZ7rck+xC1i/xaY5nNxJnh/clEqO8qRNg9DTe6qDlVO8PAHgr882dUHTzZgdAN
    OWR8+5rWxck9LxtB8+DSE8cWy
    The key is saved inside the HKCU\Software\CryptoLocker. If you want to capture the key on your system, the easiest way to do so is to break on CryptStringtoBinaryA.
  • The malware targets files using the following search masks:
    Code: Select all
    *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
    The encryption used to encrypt files matching these masks is a mix of RSA and AES. Essentially the malware will generate a new AES 256 key for each file it is going to encrypt. The key is then used to encrypt the content of the file. The AES key itself is then encrypted using the public RSA key obtained from the server. The RSA encrypted blob is then stored together with the encrypted file content inside the encrypted file. As a result encrypted files are slightly larger than their originals. Last but not least the malware records the file it encrypted inside the HKCU\Software\CryptoLocker\Files key. Value names are the file paths where "\" has been replaced with "?". I haven't looked into the meaning of the DWORD value yet.
Feel free to add anything you find that I haven't covered in my notes yet. At least from what I can tell so far, decryption without paying the ransom is not feasible.

VirusTotal results:
https://www.virustotal.com/en/file/d765 ... /analysis/
Attachments
infected
(278.71 KiB) Downloaded 952 times
 #20780  by doyle_45
 Wed Sep 11, 2013 9:21 pm
Although the malware writers server's are currently not responding to decryption requests, I wish to reinfect one of my client's pcs in case there is a chance of recovery.

I have downloaded the rar file but what is the password please.

Thank you in advance.

Brian
 #20786  by The_Major
 Thu Sep 12, 2013 10:07 am
I was going to upload the "crilock.rar" file to various on-line Virus Scanning web sites, such as Virus Total (http://www.virustotal.com/) and Jotti (http://virusscan.jotti.org/) to alert them to the problem and make sure the program is flagged as a virus / malware.

Can't do this without the password, because these web sites need to be able to scan the files contained inside compressed archives - and they cannot do this with password protected ZIP, RAR, etc files.

Please email the password to me. :)

Mike
 #20787  by The_Major
 Thu Sep 12, 2013 10:12 am
Can't edit my prior post - it has not appeared yet - waiting moderation . LOL ....

Anyway, the password is of course "infected" - written under the RAR file name. LOLOLOL. :D
 #20818  by r3shl4k1sh
 Fri Sep 13, 2013 12:29 pm
g@isisit.com wrote:Is this the $300 version or $100 version? I assume those are variants and I want to reinfect my computer to pay the ransom...but need the $100 version.

Thanks.

Graham
if you reinfect your computer you will need to pay $200 since the encryption key is generated uniquely each time it first run, so it encrypt the files 2 times.
 #20823  by EP_X0FF
 Fri Sep 13, 2013 4:31 pm
g@isisit.com wrote:I assume those are variants and I want to reinfect my computer to pay the ransom...but need the $100 version.
Unless this is kinda joke, you are one of the reasons why this bussiness is still here and it is so profitable.
 #20824  by g@isisit.com
 Fri Sep 13, 2013 4:55 pm
I suppose so. I don't want to pay a ransom for the data, but this customer did not have backups when they called and had all their files encrypted. I have never asked to do anything like this, it's a strange issue, but if you look more into this, people who do not have backups have to pay the ransom, there is no choice if you need your files.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 12