RANSOM_CRYPAPP.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following component file(s):

• %User Temp%\keepalive.exe - also detected as RANSOM_CRYPAPP.A

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
CryptoAppDelay = {multiple entries}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
CryptoAppAppForcedEnded = "1"

HKEY_CURRENT_USER\Software\CryptoApp\
scrsss\progress
files = {number of files encrypted}

HKEY_CURRENT_USER\Software\CryptoApp\
scrsss\progress
done = {infection status}

HKEY_CURRENT_USER\Software\CryptoApp\
scrsss\progress
mode = 2

It adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\CryptoApp\
scrsss\progress

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://www.{BLOCKED}av.sk/media/csrsss.exe
• http://{BLOCKED}.{BLOCKED}.82.98/tmp/csrsss.exe
• http://{BLOCKED}gclip.ru/media/csrsss.exe
• http://{BLOCKED}allphoenix.com/media/csrsss.exe
• http://{BLOCKED}auto.pl/media/csrsss.exe

It saves the files it downloads using the following names:

• %System%\scsrss.exe - also detected as RANSOM_CRYPAPP.A

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other Details

This Trojan connects to the following website to send and receive information:

• http://{BLOCKED}repairsystems.com/ksubmit.php/bitcoin_address={bitcoin payment address}&empid={victim ID}&comp={computer name}&ipv4={ victim IP address}&blkk={value}&publ={encryption public key}&priv={encryption private key}
• http://{BLOCKED}repairsystems.com/kretrieve.php/empid={victim ID}&comp={computer name}&ipv4={victim IP address}

It encrypts files with the following extensions:

• .iff
• .3fr
• .3gp
• .7z
• .accdb
• .ai
• .arc
• .arw
• .avi
• .bad
• .bay
• .bmp
• .cam
• .cdr
• .cer
• .cineon
• .cr2
• .crt
• .crw
• .csv
• .ctl
• .dat
• .dbf
• .dcr
• .der
• .des
• .dicom
• .dng
• .doc
• .docm
• .docx
• .dsc
• .dwg
• .dxf
• .dxg
• .eps
• .erf
• .fla
• .flv
• .fmb
• .fmt
• .fmx
• .gif
• .hdr
• .html
• .iif
• .img
• .indd
• .jpe
• .jpeg
• .jpg
• .kdc
• .log
• .lst
• .m4v
• .mdb
• .mdf
• .mef
• .mov
• .mpeg
• .mrw
• .nd
• .nef
• .nrw
• .odb
• .odm
• .odp
• .ods
• .odt
• .openexr
• .ora
• .orf
• .p12
• .p7b
• .p7c
• .pbm
• .pck
• .pdd
• .pdf
• .pef
• .pem
• .pfx
• .pgm
• .pic
• .pkb
• .pks
• .plb
• .pls
• .png
• .pot
• .ppm
• .pps
• .ppt
• .pptm
• .pptx
• .prn
• .psb
• .psd
• .pst
• .ptx
• .qba
• .tlg
• .qbm
• .qbr
• .qbw
• .qbw
• .tlg
• .qbx
• .qby
• .qfx
• .r3d
• .raf
• .rar
• .raw
• .rdf
• .rdo
• .rep
• .rex
• .rtf
• .rw2
• .rwl
• .sql
• .srf
• .srw
• .sti
• .sxi
• .tiff
• .txt
• .vdi
• .wb2
• .wpd
• .wps
• .xbm
• .xlk
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xml
• .yaml
• .zip
• .php
• .css
• .asp
• .cpp
• .c
• .js
• .pl
• .perl
• .swf
• .aspx
• .potx
• .potm
• .ppam
• .ppsx
• .ppsm
• .sldx
• .sldm
• .thmx
• .xlam
• .xltm
• .dotm
• .dotx

It renames encrypted files using the following names:

• {orginal filename and extension}.encrypted

NOTES:
It displays a ransom note: