TROJ_CRYPCTB.TVQ
Trojan.Cryptolocker.E (Symantec); Troj/Ransom-AXN (Sophos); Ransom:Win32/Critroni.B (Microsoft); Trojan-Ransom.NSIS.Onion.ahn (Kaspersky); Win32/Filecoder.DA (ESET-NOD32)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
752,612 bytes
EXE
29 Jun 2015
Connects to URLs/IPs, Encrypts files, Displays graphics/image, Displays message/message boxes
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system and executes them:
- %User Temp%\{random filename}.exe
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It drops the following files:
- %ProgramData%\{randomly selected folder}\{random filename} (for Windows Vista and above)
- %All Users Profile%\Application Data\{randomly selected folder}\{random filename} (for Windows XP and below)
- %All Users profile%\{random filename}.html (for Windows Vista and above)
- %ProgramData%\{random filename}.html (for Windows Vista and above)
- %All Users Profile%\Application Data\{random filename}.html (for Windows XP and below)
- %User Profile%\Documents\!Decrypt-All-Files-{random letters}.bmp (for Windows Vista and above)
- %User Profile%\Documents\!Decrypt-All-Files-{random letters}.txt (for Windows Vista and above)
- %User Profile%\My Documents\!Decrypt-All-Files-{random letters}.bmp (for Windows XP and below)
- %User Profile%\My Documents\!Decrypt-All-Files-{random letters}.txt (for Windows XP and below)
- %User Temp%\icn-cir-cheggstudy-48x48.png
- %User Temp%\tinagundakelaeka.jpg
- %User Temp%\17 Under The Influence.mp3
- %User Temp%\ns{random characters}.tmp
- %User Temp%\ns{random characters}.tmp\catalogues.dll
- %Temp%\icn-cir-cheggstudy-48x48.png
- %Temp%\tinagundakelaeka.jpg
- %Temp%\17 Under The Influence.mp3
- %Temp%\ns{random characters}.tmp
- %Temp%\ns{random characters}.tmp\catalogues.dll
(Note: %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.)
Autostart Technique
This Trojan drops the following files:
- %System%\Tasks\{random filename} (for Windows Vista and above)
- %Windows%\Tasks\{random filename}.job (for Windows XP and below)
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
Other System Modifications
This Trojan modifies the following registry entries:
HKEY_CURRENT_USER\Control Panel\Desktop
WallpaperStyle = "0"
(Note: The default value data of the said registry entry is {user-defined}.)
HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = "%User Profile%\{Documents or My Documents}\!Decrypt-All-Files-{random letters}.bmp"
(Note: The default value data of the said registry entry is {user-defined}.)
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}vfnw4wp4.onion.cab
- http://{BLOCKED}vfnw4wp4.tor2web.org
- http://{BLOCKED}mvfnw4wp4.onion.lt
- http://{BLOCKED}mvfnw4wp4.onion.gq
- http://{BLOCKED}mvfnw4wp4.tor2web.fi
- http://{BLOCKED}mvfnw4wp4.tor2web.{BLOCKED}gie.de