Analysis by: Michael Jay Villanueva
ALIASES:

Ransom:Win32/Tescrypt.A (Microsoft); Trojan.Cryptolocker.N (Symantec); Trojan-Ransom.Win32.Crypmod.wxx (Kaspersky)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size: 335,872 bytes
File Type: EXE
Initial Samples Received Date: 10 Apr 2016

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops and executes the following files:

  • %Desktop%\RECOVERY.txt
  • %Desktop%\RECOVERY.png
  • %Desktop%\RECOVERY.html
  • %Windows%\{random filename}.exe

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKCU\Software\Microsoft\
Windows\CurrentVersion\Run
{random characters} = %System%\cmd.exe /c start "" "%Windows%\{random filename}.exe"

Other System Modifications

This Trojan adds the following registry keys:

HKCU\Software\xxxsys

HKCU\Software\{ID}

It adds the following registry entries:

HKCU\Software\xxxsys
ID = "{random values}"

HKCU\Software\{ID}
Data = “{random values}”

HKLM\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLinkedConnections = 1

Dropping Routine

This Trojan drops the following files:

  • %My Documents%\recover_file_{random}.txt
  • {folders containing encrypted files}\Recovery+{random}.png
  • {folders containing encrypted files}\Recovery+{random}.txt
  • {folders containing encrypted files}\Recovery+{random}.html

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}group.com/plugins/bsts.php
  • http://{BLOCKED}e.co.kr/board/common/bsts.php
  • http://{BLOCKED}dmarketing101.net/docs/cache/bsts.php
  • http://{BLOCKED}anph.com/wp-content/uploads/bsts.php
  • http://{BLOCKED}inslow.com/csys.php
  • http://{BLOCKED}dress.pl/wp-content/themes/sketch/csys.php

It deletes the initially executed copy of itself