TROJ_CRYPWALL.YH


 ALIASES:

Win32/Filecoder.CO (ESET)

 PLATFORM:

Windows

  • Threat Type: Trojan

  • Destructiveness: Yes

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

253,952 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

23 Oct 2014

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following folders:

  • %System Root%\{7 characters from UID}

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It drops the following files:

  • %User Startup%\DECRYPT_INSTRUCTION.TXT
  • %User Startup%\DECRYPT_INSTRUCTION.HTML
  • %User Startup%\INSTALL_TOR.URL

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{user name}\Start Menu\Programs\Startup on Windows 2000, Windows XP, and Windows Server 2003, and C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista and later.)

It drops the following files and opens them (executes them via the application associated with each file type) so that the ransom demand is displayed:

  • %Desktop%\DECRYPT_INSTRUCTION.TXT
  • %Desktop%\DECRYPT_INSTRUCTION.HTML
  • %Desktop%\INSTALL_TOR.URL

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

  • %System Root%\{7 characters from UID}\{7 characters from UID}.exe
  • %Application Data%\{7 characters from UID}.exe
  • %User Startup%\{7 characters from UID}.exe

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{user name}\Start Menu\Programs\Startup on Windows 2000, Windows XP, and Windows Server 2003, and C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista and later.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup (both values point at one of the dropped copies listed above):

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{7 characters from UID} = "%Application Data%\{7 characters from UID}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{6 characters from UID} = "%System Root%\{7 characters from UID}\{7 characters from UID}.exe"

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\Vocal AppWizard-Generated Applications

HKEY_CURRENT_USER\Software\Vocal AppWizard-Generated Applications\
{random}

HKEY_CURRENT_USER\Software\Vocal AppWizard-Generated Applications\
{random}\Recent File List

HKEY_CURRENT_USER\Software\Vocal AppWizard-Generated Applications\
{random}\Settings

Other Details

This Trojan connects to the following possibly malicious URLs (domain names are partially masked as {BLOCKED}; most paths sit on what appear to be compromised WordPress installations):

  • http://www.{BLOCKED}nterburg.ch/wordpress/f0k1ats
  • http://www.{BLOCKED}etorideal.com.br/site/hr38xc4
  • http://www.{BLOCKED}-times.com/l449jbc0
  • http://www.{BLOCKED}tantiques.co.uk/blog/c8w5kp1
  • http://www.{BLOCKED}kyapmak.com/kf4bv
  • http://{BLOCKED}partner.cz/o5l5ujx2f
  • http://{BLOCKED}folio.ccpullman.ca/blog/eo7ycomyy
  • http://www.{BLOCKED}verda.com/blog-trabajos/n65dj17i1836
  • http://www.{BLOCKED}singcruising.co.uk/blog/wp-content/themes/the-beach-house/6k8elm10.bin
  • http://www.{BLOCKED}neumann.de/z6lub76lz295x
  • http://www.{BLOCKED}wettringen.de/wordpress/3uh2e
  • http://www.{BLOCKED}aue-schwarzenberg.de/wp-content/themes/fdp-asz/vrf8iu
  • http://www.{BLOCKED}xwoman.com/wp-content/themes/s431_Blue/bh7u09cpppg5h
  • http://www.{BLOCKED}stepsphotography.co.uk/blog/f040z4d5d21z5rd
  • http://www.{BLOCKED}iskaforeningen.com/wp-content/themes/jarrah/ghd4vowtha0s.bin
  • http://www.{BLOCKED}elifesupport.com/5gr4hl2tvv
  • http://www.{BLOCKED}or.at/jesneu/wp-content/themes/Girl/0l9u4lc6che
  • http://www.{BLOCKED}ole.be/s5eroewr
  • http://www.{BLOCKED}wnguild.com/u2m8bbkln3fqpe
  • http://www.{BLOCKED}uainfo.com/wp-content/themes/mh/3sbgwh

NOTES:

It encrypts files and drops DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, and INSTALL_TOR.URL to all folders where files are encrypted.
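The following PowerShell script is an added example and is not part of the Trend Micro entry. It turns the host artifacts listed under Installation, Autostart Technique, Other System Modifications, and NOTES into a single hunt that can be run on a suspected machine: it looks for the three ransom notes, the {UID}.exe copies in the paths given above, Run values whose data points at such a copy, the "Vocal AppWizard-Generated Applications" key, and a live process started from one of the copies. The entry does not say which characters the UID-derived names contain, so the pattern [a-z0-9]{7} is an assumption, as are the default search roots.

```powershell
# Added example, not part of the Trend Micro entry: hunt one Windows host for the
# TROJ_CRYPWALL.YH artifacts the entry lists. Items marked "assumption" are not
# stated on the page.
#Requires -Version 3.0
param(
    # assumption: roots to search for ransom notes. The entry says the notes land
    # in every folder that held encrypted files, so wider roots mean slower scans.
    [string[]]$ScanRoots = @("$env:SystemDrive\", $env:USERPROFILE)
)

$findings = New-Object System.Collections.Generic.List[string]
# assumption: "{7 characters from UID}" is alphanumeric. -match is case-insensitive.
$uidName   = '^[a-z0-9]{7}$'
$noteNames = @('DECRYPT_INSTRUCTION.TXT', 'DECRYPT_INSTRUCTION.HTML', 'INSTALL_TOR.URL')

# 1. Ransom notes (Installation and NOTES sections). One note per folder is enough
#    to mark that folder as one where files were encrypted.
$noteDirs = foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue -Include $noteNames |
        ForEach-Object { $_.DirectoryName }
}
$noteDirs | Sort-Object -Unique | ForEach-Object { $findings.Add("ransom notes in: $_") }

# 2. Dropped copies of the executable, at the paths the entry gives:
#    %Application Data%\{UID}.exe, %User Startup%\{UID}.exe, %System Root%\{UID}\{UID}.exe
$appData = [Environment]::GetFolderPath('ApplicationData')
$startup = [Environment]::GetFolderPath('Startup')
$sysRoot = "$env:SystemDrive\"
$copies  = New-Object System.Collections.Generic.List[string]
foreach ($dir in @($appData, $startup)) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match $uidName -and $_.Extension -eq '.exe' } |
        ForEach-Object { $copies.Add($_.FullName) }
}
Get-ChildItem -Path $sysRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $uidName } |
    ForEach-Object {
        $exe = Join-Path $_.FullName "$($_.Name).exe"
        if (Test-Path -LiteralPath $exe) { $copies.Add($exe) }
    }
foreach ($c in $copies) {
    # The entry gives one sample size. A match strengthens the lead; a mismatch
    # does not clear it, since other samples of the family can differ in size.
    $sizeNote = if ((Get-Item -LiteralPath $c).Length -eq 253952) { ' (size matches 253,952 bytes)' } else { '' }
    $findings.Add("dropped copy: $c$sizeNote")
}

# 3. Autostart: HKCU Run values whose data ends in \{UID}.exe. Matching on the
#    data rather than the value name covers both the 7- and 6-character names.
#    (Value names beginning with "PS" are the provider's own properties and are skipped.)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match '\\[a-z0-9]{7}\.exe"?\s*$') {
            $findings.Add("Run value: $($p.Name) = $($p.Value)")
        }
    }
}

# 4. The key family listed under Other System Modifications
$vocalKey = 'HKCU:\Software\Vocal AppWizard-Generated Applications'
if (Test-Path $vocalKey) {
    $findings.Add("registry key: $vocalKey")
    Get-ChildItem -Path $vocalKey -Recurse | ForEach-Object { $findings.Add("registry key: $($_.Name)") }
}

# 5. Memory Resident: Yes. Flag any process whose image is one of the dropped copies.
#    Win32_Process is used because its ExecutablePath does not throw for processes
#    the current user cannot open.
Get-CimInstance -ClassName Win32_Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ExecutablePath -and ($copies -contains $_.ExecutablePath) } |
    ForEach-Object { $findings.Add("running process: PID $($_.ProcessId) $($_.ExecutablePath)") }

if ($findings.Count -eq 0) { 'No TROJ_CRYPWALL.YH artifacts found on this host.' }
else { $findings | Sort-Object -Unique }
```

Run it in the session of the affected user, because the Run key, %Application Data% and %User Startup% are all per-user (HKCU and the current profile). Treat each line it prints as a lead to verify rather than a verdict: a 7-character executable name in the profile root is unusual but not unique to this family. Because the names are derived from a machine UID, the same 7-character name showing up in the Run key, the startup folder and a folder under C:\ on one host is the combination worth acting on, and if a live process is reported, suspend it before copying anything off the machine so it cannot keep encrypting files while you collect evidence.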