06/12/2013
15:33

Bad news with CryptoLocker


A new variant, Trojan.Win32.CryptoLocker.B, encrypts all of the victim's documents and demands a ransom to unlock them.
On December 3, 2013, a new variant of the CryptoLocker ransomware appeared, classified as Trojan.Win32.CryptoLocker.B.
CryptoLocker is a ransomware that encrypts documents on all drives (local and remote) connected to the computer, demanding a ransom of 300 $ / EUR or the equivalent in another currency.

The CRAM (Anti-Malware Research Center of TG Soft) team has analyzed this new variant of CryptoLocker.

Name: Trojan.Win32.CryptoLocker.B
Size: 761856 bytes
MD5: 7f3cc059ffc6c11fe42695e5f19553ab

Trojan.Win32.CryptoLocker.B is downloaded and installed on the victim's computer by a trojan dropper, which arrives via e-mail as an attachment disguised as a PDF invoice, order or payment document.

When the dropper is executed, it downloads further malware onto the victim's computer.
In this case, the trojan dropper downloaded and executed Trojan.Win32.CryptoLocker.B.

When Trojan.Win32.CryptoLocker.B runs, it starts two processes of itself and copies itself to:
%userprofile%\%local settings%\%appdata%\<random>.exe

example:
c:\Documents and Settings\luigi\Local Settings\Application Data\SSFVRXKYWGOTRL.EXE

Inside the .EXE file of Trojan.Win32.CryptoLocker.B the PE header "Time Date Stamp" is: 12/03/2013 14:50:58

The threat adds itself to the registry to start when Windows starts:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
[*CryptoLocker] = %userprofile%\%local settings%\%appdata%\<random>.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[CryptoLocker] =  %userprofile%\%local settings%\%appdata%\<random>.exe

When executed, Trojan.Win32.CryptoLocker.B connects to one of the following sites:
  •  lobrtucswpyeajq.net
  •  nrtroiauihtcmys.org
  •  opunyapqmiavvtg.co.uk
  •  pjrinsnwctgotet.info
  •  qhsexkdsgumitmp.com
  •  usyusdoctfpnee.org
  •  ybcgtpgmkqlxrrr.biz
In our case, Trojan.Win32.CryptoLocker.B sent the following encrypted request (POST):

usyusdoctfpnee.org/home/

The request carries an encrypted packet of 192 bytes.

The CryptoLocker server replies with an encrypted packet of 200 bytes.
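As an added example (not part of the original analysis and not TG Soft's code), the following Python script turns the network indicators above into detection logic and runs it over a few constructed proxy-log lines. The log format, the client addresses and the non-malicious hosts are invented for the example; the seven C2 names, the addresses 188.65.211.137 and 212.71.250.4 (from the geolocation section of this page) and the 192/200-byte POST exchange are the ones reported here. The "medium" rule, which flags the same exchange shape toward a host not on the list, is a triage heuristic added for this example rather than something the analysis states.

```python
from typing import List, Optional, Tuple

# Indicators from the analysis above: the seven C2 host names, the two
# addresses resolved in the geolocation section, and the sizes of the
# observed POST exchange.
C2_DOMAINS = {
    "lobrtucswpyeajq.net", "nrtroiauihtcmys.org", "opunyapqmiavvtg.co.uk",
    "pjrinsnwctgotet.info", "qhsexkdsgumitmp.com", "usyusdoctfpnee.org",
    "ybcgtpgmkqlxrrr.biz",
}
C2_IPS = {"188.65.211.137", "212.71.250.4"}
BEACON_PATH = "/home/"
BEACON_REQUEST_BYTES = 192
BEACON_REPLY_BYTES = 200

# Constructed log lines in an invented format (assumption, not a real product):
# <timestamp> <client_ip> <method> <host> <path> <request_bytes> <reply_bytes>
SAMPLE_LOG = """\
2013-12-03T15:01:12Z 10.0.0.15 GET www.example.com /index.html 0 5120
2013-12-03T15:02:45Z 10.0.0.15 POST usyusdoctfpnee.org /home/ 192 200
2013-12-03T15:02:46Z 10.0.0.15 GET 212.71.250.4 / 0 0
2013-12-03T15:03:10Z 10.0.0.22 POST updates.example.org /home/ 192 200
2013-12-03T15:03:30Z 10.0.0.22 POST api.example.org /submit 192 200
"""

def parse_line(line: str) -> Optional[dict]:
    """Split one log line into typed fields; None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, host, path, req_bytes, rep_bytes = parts
    try:
        return {"ts": ts, "client": client, "method": method.upper(),
                "host": host.lower().rstrip("."), "path": path,
                "req_bytes": int(req_bytes), "rep_bytes": int(rep_bytes)}
    except ValueError:
        return None

def classify(rec: dict) -> Optional[Tuple[str, str]]:
    """(confidence, reason) when the record matches CryptoLocker.B network
    behaviour, else None."""
    host = rec["host"]
    if host in C2_DOMAINS:
        return ("high", f"contact with known C2 domain {host}")
    if host in C2_IPS:
        return ("high", f"contact with known C2 address {host}")
    beacon_shaped = (rec["method"] == "POST" and rec["path"] == BEACON_PATH
                     and rec["req_bytes"] == BEACON_REQUEST_BYTES
                     and rec["rep_bytes"] == BEACON_REPLY_BYTES)
    if beacon_shaped:
        # Same path and packet sizes as the observed check-in but to a host
        # not on the list: a triage lead (heuristic added here), not proof.
        return ("medium", f"POST {BEACON_PATH} with {BEACON_REQUEST_BYTES}/"
                          f"{BEACON_REPLY_BYTES}-byte exchange to {host}")
    return None

def scan(log_text: str) -> List[dict]:
    """Run classify() over every line and return the hits in log order."""
    hits: List[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is not None:
            hits.append({**rec, "confidence": verdict[0], "reason": verdict[1]})
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["client"], h["confidence"], h["reason"])
```

Running the script on the sample lines reports two high-confidence hits for the client that contacted a listed domain and a listed address, and one medium-confidence lead for a second client whose POST to /home/ had exactly the 192/200-byte shape; a POST of the same sizes to a different path is not reported.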

At this point Trojan.Win32.CryptoLocker.B searches the computer for documents (doc, cer, pdf, xls, rtf, etc.) and encrypts them with the RSA-2048 algorithm.

Trojan.Win32.CryptoLocker.B creates the following registry key:

HKEY_CURRENT_USER\Software\CryptoLocker_####

[PublicKey] = hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00,00,01,00,01,00,8b [..]
[VersionInfo] = hex:26,30,9c,81,21,b3,3d,d3,ae,33,9c,81,ae,33,e9,f2,d7,46,ef,e5, [..]
[WallPaper] = hex:00,00,37,82 [..]

where #### is a number.

In our case: HKEY_CURRENT_USER\Software\CryptoLocker_0388

The data of the "PublicKey" value is an RSA public key.

Under HKEY_CURRENT_USER\Software\CryptoLocker_0388 there is a subkey "Files":

HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files

which holds the list of encrypted files, one value per file:
[name of encrypted file] = <number dword>
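The registry artefacts described above (the Run/RunOnce entries, the CryptoLocker_#### key with its "PublicKey" blob, and the "Files" subkey) can be triaged offline from a .reg export taken on the infected machine. The following Python script is an added example, not TG Soft's code: it parses a constructed .reg export, whose key and value names are the ones shown above and whose blob bytes are exactly the ones printed here (so the "PublicKey" modulus is truncated after its first byte, 0x8b), and decodes the Windows CryptoAPI BLOBHEADER and RSAPUBKEY structures that open the "PublicKey" value, which is how the value's type, key length and public exponent can be confirmed. The file paths in the sample, and the .reg parser itself, are constructed for the example.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

# Constructed .reg export of the artefacts described above. Key and value
# names and blob bytes follow the analysis; the file paths are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*CryptoLocker"="C:\\Documents and Settings\\luigi\\Local Settings\\Application Data\\SSFVRXKYWGOTRL.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CryptoLocker"="C:\\Documents and Settings\\luigi\\Local Settings\\Application Data\\SSFVRXKYWGOTRL.EXE"

[HKEY_CURRENT_USER\Software\CryptoLocker_0388]
"PublicKey"=hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00,00,01,00,01,00,\
  8b
"VersionInfo"=hex:26,30,9c,81,21,b3,3d,d3
"WallPaper"=hex:00,00,37,82

[HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files]
"C:\\Documents and Settings\\luigi\\Desktop\\budget.xls"=dword:00000001
"C:\\Documents and Settings\\luigi\\My Documents\\contract.pdf"=dword:00000002
"""

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
INSTANCE_RE = re.compile(r"^HKEY_CURRENT_USER\\Software\\CryptoLocker_(\d{4})$")

def _unescape(s: str) -> str:
    # .reg files escape backslashes and quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: {key_path: {value_name: data}} with hex: data as
    bytes, dword: data as int and quoted strings as str."""
    lines: List[str] = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):      # hex continuation line
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.rstrip())
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith("hex:"):
            keys[current][name] = bytes.fromhex(data[4:].replace(",", ""))
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = _unescape(data.strip('"'))
    return keys

# CryptoAPI constants: PUBLICKEYBLOB type, CALG_RSA_KEYX, "RSA1" magic.
PUBLICKEYBLOB, CALG_RSA_KEYX, RSA1_MAGIC = 0x06, 0x0000A400, 0x31415352

def describe_publickey_blob(blob: bytes) -> Dict[str, object]:
    """Decode the BLOBHEADER (8 bytes) and RSAPUBKEY (12 bytes) that open an
    RSA PUBLICKEYBLOB; the little-endian modulus follows them."""
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if btype != PUBLICKEYBLOB or magic != RSA1_MAGIC:
        raise ValueError("not a CryptoAPI RSA public key blob")
    modulus = blob[20:20 + bitlen // 8]
    return {"version": bver,
            "alg": "CALG_RSA_KEYX" if alg == CALG_RSA_KEYX else hex(alg),
            "bits": bitlen, "exponent": pubexp,
            "modulus_bytes_present": len(modulus),
            "modulus_complete": len(modulus) == bitlen // 8}

def triage(reg_text: str) -> Dict[str, object]:
    """Pull the CryptoLocker.B artefacts out of a .reg export."""
    instance: Optional[str] = None
    pubkey: Optional[Dict[str, object]] = None
    files: List[str] = []
    persistence: List[Tuple[str, str, object]] = []
    for path, values in parse_reg(reg_text).items():
        m = INSTANCE_RE.match(path)
        if m:
            instance = m.group(1)
            blob = values.get("PublicKey")
            if isinstance(blob, bytes):
                pubkey = describe_publickey_blob(blob)
        elif path.endswith("\\Files") and INSTANCE_RE.match(path[:-6]):
            # one value per encrypted file, ordered by its DWORD data
            files = sorted(values, key=lambda n: values[n])
        elif path.endswith(("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")):
            for name, data in values.items():
                if name.lstrip("*") == "CryptoLocker":
                    # a leading '*' on a RunOnce value makes it run even in Safe Mode
                    persistence.append((path.rsplit("\\", 1)[1], name, data))
    return {"instance_id": instance, "public_key": pubkey,
            "encrypted_files": files, "persistence": persistence}

if __name__ == "__main__":
    for k, v in triage(SAMPLE_REG).items():
        print(f"{k}: {v}")
```

On the sample export the decoder confirms that the 20-byte header matches an RSA key-exchange public key of 2048 bits with exponent 65537, reports that only one modulus byte is present (the page truncates the value), lists the two encrypted files in the order of their DWORD data, and returns both autostart entries, the RunOnce one carrying the leading asterisk.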

After the files have been encrypted, Trojan.Win32.CryptoLocker.B replaces the desktop wallpaper with its own image:

[image: CryptoLocker desktop wallpaper]

and shows the following window demanding the ransom for the documents:

[image: CryptoLocker ransom window]

The ransom can be paid with the following methods:
  • MoneyPak
  • Bitcoin

Geolocation:

Url: usyusdoctfpnee.org
IP address: 188.65.211.137
Host: host-188.65.211.137.knopp.ru
Country: Russian Federation
City: -
Organization / ISP: Limited Liability Company KNOPP
Latitude: 60°00'00" North
Longitude: 100°00'00" East

Other URLs:
 lobrtucswpyeajq.net  not reachable  -
 nrtroiauihtcmys.org  not reachable  -
 opunyapqmiavvtg.co.uk  212.71.250.4  United Kingdom
 pjrinsnwctgotet.info  not reachable  -
 qhsexkdsgumitmp.com  not reachable  -
 ybcgtpgmkqlxrrr.biz  not reachable  -


Other:

The following string is visible inside the body of the malware:
sell03-12

Info payment: Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.

Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt the files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files...

To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency.

Click «Next» to select the method of payment.

Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.
Bitcoin: Bitcoin is a cryptocurrency where the creation and transfer of bitcoins is based on an open-source cryptographic protocol that is independent of any central authority. Bitcoins can be transferred through a computer or smartphone without an intermediate financial institution.

You have to send 0.5 BTC to Bitcoin address 1PXmJCPHfYqNZf5utMmPZBBQzAJK5xS1oP and specify the Transaction ID on the next page, which will be verified and confirmed.

Home Page
Getting started with Bitcoin
MoneyPak: MoneyPak is an easy and convenient way to send money to where you need it. The MoneyPak works as a ‘cash top-up card’.

You have to purchase MoneyPak card, load it with $300 and enter the MoneyPak number on the next page.

Where can I purchase a MoneyPak?
MoneyPak can be purchased at thousands of stores nationwide, including major retailers such as Walmart, Walgreens, CVS/pharmacy, Rite Aid, Kmart and Kroger. Click here to find a store near you.

How do I buy a MoneyPak at the store?
Pick up a MoneyPak from the Prepaid Product Section or Green Dot display and take it to the register. The cashier will collect your cash and load it onto the MoneyPak.

Home Page
MoneyPak Store Locator

Information on RU-KNOPP:
Inetnum :     188.65.211.0 - 188.65.211.255
Netname :     RU-KNOPP
Mnt-domains :     MNT-KNOPP
Descr :     KNOPP datacenter network 2
Country :     RU
Admin-c :     VLEF2009-RIPE
Tech-c :     DMGR2009-RIPE
Status :     ASSIGNED PA
Mnt-by :     MNT-KNOPP
Mnt-lower :     MNT-KNOPP
Mnt-routes :     MNT-KNOPP
   
Person :     Vladimir Efremov
Address :     4/1, Kolpachny per., 101000 Moscow, RUSSIAN FEDERATION
Phone :     +74956410410
Nic-hdl :     VLEF2009-RIPE
Mnt-by :     MNT-KNOPP
   
Person :     Dmitriy Grishin
Address :     4/1, Kolpachny per., 101000 Moscow, RUSSIAN FEDERATION
Phone :     +74956410410
Nic-hdl :     DMGR2009-RIPE
Mnt-by :     MNT-KNOPP
   
Route :     188.65.208.0/21
Descr :     RU-KNOPP route object
Origin :     AS6719
Mnt-by :     MNT-KNOPP


Clean:
VirIT version 7.5.52 and later.
The encrypted documents cannot be recovered.

Analysis by eng. Gianfranco Tonello
C.R.A.M. (Anti-Malware Research Center)
by TG Soft
