RANSOM_WALTRIX.C

This ransomware, known as CryptXXX, is a .DLL file that is capable of locking screens. To avoid analysis, it has routines that makes it aware if it is run in a virtual environment.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This malware is a .DLL file known as CryptXXX. It is being distributed by the Angler Exploit Kit. It is capable of locking the screen.

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It terminates itself if it detects it is being run in a virtual environment. It gathers information and reports it to its servers.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following file(s)/component(s):

• ProgramData\{unique ID}.key
• ProgramData\Z - deleted afterwards. contains installation date of this malware
• {folders containing encrypted files}\{unique ID}.bmp - image used as wallpaper
• {folders containing encrypted files}\{unique ID}.html - ransom note
• {folders containing encrypted files}\{unique ID}.txt - ransom note
  
     where {unique ID} contains 12 hexadecimal characters

It adds the following processes:

• copy of the legitimate rundll32.exe named as:
  • %User Temp%\svchost.exe
• executes svchost.exe {malware}.dll,MS11{number}

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {first 5 characters from the unique ID}

Autostart Technique

This Trojan drops the following files:

• %User Startup%\{unique ID}.lnk

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Other System Modifications

This Trojan modifies the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
TileWallpaper = "0"

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = "{random}\{unique ID}.bmp"

Other Details

This Trojan encrypts files with the following extensions:

• .3DM
• .3DS
• .3G2
• .3GP
• .7Z
• .ACCDB
• .AES
• .AI
• .AIF
• .APK
• .APP
• .ARC
• .ASC
• .ASF
• .ASM
• .ASP
• .ASPX
• .ASX
• .AVI
• .BMP
• .BRD
• .BZ2
• .C
• .CER
• .CFG
• .CFM
• .CGI
• .CGM
• .CLASS
• .CMD
• .CPP
• .CRT
• .CS
• .CSR
• .CSS
• .CSV
• .CUE
• .DB
• .DBF
• .DCH
• .DCU
• .DDS
• .DIF
• .DIP
• .DJV
• .DJVU
• .DOC
• .DOCB
• .DOCM
• .DOCX
• .DOT
• .DOTM
• .DOTX
• .DTD
• .DWG
• .DXF
• .EML
• .EPS
• .FDB
• .FLA
• .FLV
• .FRM
• .GADGET
• .GBK
• .GBR
• .GED
• .GIF
• .GPG
• .GPX
• .GZ
• .H
• .H
• .HTM
• .HTML
• .HWP
• .IBD
• .IBOOKS
• .IFF
• .INDD
• .JAR
• .JAVA
• .JKS
• .JPG
• .JS
• .JSP
• .KEY
• .KML
• .KMZ
• .LAY
• .LAY6
• .LDF
• .LUA
• .M
• .M3U
• .M4A
• .M4V
• .MAX
• .MDB
• .MDF
• .MFD
• .MID
• .MKV
• .MML
• .MOV
• .MP3
• .MP4
• .MPA
• .MPG
• .MS11
• .MSI
• .MYD
• .MYI
• .NEF
• .NOTE
• .OBJ
• .ODB
• .ODG
• .ODP
• .ODS
• .ODT
• .OTG
• .OTP
• .OTS
• .OTT
• .P12
• .PAGES
• .PAQ
• .PAS
• .PCT
• .PDB
• .PDF
• .PEM
• .PHP
• .PIF
• .PL
• .PLUGIN
• .PNG
• .POT
• .POTM
• .POTX
• .PPAM
• .PPS
• .PPSM
• .PPSX
• .PPT
• .PPTM
• .PPTX
• .PRF
• .PRIV
• .PRIVAT
• .PS
• .PSD
• .PSPIMAGE
• .PY
• .QCOW2
• .RA
• .RAR
• .RAW
• .RM
• .RSS
• .RTF
• .SCH
• .SDF
• .SH
• .SITX
• .SLDX
• .SLK
• .SLN
• .SQL
• .SQLITE
• .SQLITE
• .SRT
• .STC
• .STD
• .STI
• .STW
• .SVG
• .SWF
• .SXC
• .SXD
• .SXI
• .SXM
• .SXW
• .TAR
• .TBK
• .TEX
• .TGA
• .TGZ
• .THM
• .TIF
• .TIFF
• .TLB
• .TMP
• .TXT
• .UOP
• .UOT
• .VB
• .VBS
• .VCF
• .VCXPRO
• .VDI
• .VMDK
• .VMX
• .VOB
• .WAV
• .WKS
• .WMA
• .WMV
• .WPD
• .WPS
• .WSF
• .XCODEPROJ
• .XHTML
• .XLC
• .XLM
• .XLR
• .XLS
• .XLSB
• .XLSM
• .XLSX
• .XLT
• .XLTM
• .XLTX
• .XLW
• .XML
• .YUV
• .ZIP
• .ZIPX

It renames encrypted files using the following names:

• {original file name.file extension}.crypt

It terminates itself if it detects it is being run in a virtual environment.

It gathers the following information and reports it to its servers:

• It reports infection status and unique ID to {BLOCKED}.{BLOCKED}.13.153

NOTES:

This malware is a .DLL file known as CryptXXX. It is being distributed by the Angler Exploit Kit. It is capable of locking the screen.

The following is the content of {unique ID}.key:

The following is the content of ProgramData\Z:

It locks the screen and displays the following:

{unique ID}.bmp:

{unique ID}.txt:

{unique ID}.html: