search

CRYPDEF

March 02, 2015
 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


CRYPDEF belongs to family of ransomware that uses a specific of the type of encryption technique. The CRYPDEF ransomware family encrypts files and asks infected users to pay for the decryption of the files.

  TECHNICAL DETAILS

Memory Resident:

Yes

Installation

This Trojan adds the following folders:

  • %System Root%{7 characters from UID}

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It drops the following files:

  • %Desktop%\DECRYPT_INSTRUCTION.TXT
  • %Desktop%\DECRYPT_INSTRUCTION.HTML
  • %Desktop%\DECRYPT_INSTRUCTION.URL
  • %User Startup%\DECRYPT_INSTRUCTION.TXT
  • %User Startup%\DECRYPT_INSTRUCTION.HTML
  • %User Startup%\DECRYPT_INSTRUCTION.URL

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

It drops the following copies of itself into the affected system:

  • %System Root%{7 characters from UID}\{7 characters from UID}.exe
  • %Application Data%\{7 characters from UID}.exe
  • %User Startup%\{7 characters from UID}.exe

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}lutsnil.com
  • http://{BLOCKED}alexus.com
  • {BLOCKED}rontima.com
  • {BLOCKED}hwelcome.com
  • {BLOCKED}tebit.com
  • {BLOCKED}asla.com
  • {BLOCKED}beab.com
  • http://{BLOCKED}kanabestplace.com
  • http://{BLOCKED}tdominicana.com
  • http://{BLOCKED}mediana.com
  • {BLOCKED}2.{BLOCKED}3.250.163
  • {BLOCKED}.{BLOCKED}1.146.182
  • {BLOCKED}9.{BLOCKED}8.203.16
  • {BLOCKED}9.{BLOCKED}7.225.232