Analysis by: Miguel Carlo Ang
ALIASES:

Trojan-Ransom.Win32.Cryptodef.civ(Kaspersky);Ransom:Win32/Crowti.A(Microsoft);RDN/Spybot.bfr!p(McAfee)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size: 124,416 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 09 Mar 2015
Payload: Connects to URLs/IPs, Drops files

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %System Root%\(8 random characters)\{8 random characters}.exe
  • %Application Data%\(8 random characters).exe
  • %User Startup%\(8 random characters).exe

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{8 random characters} = "%System Root%\(8 random characters)\{8 random characters}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{9 random characters} = "%Application Data%\{8 random characters}.exe"

It drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

  • %User Startup%\(8 random characters).exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CURRENT_USER\Software\{UID}
{random 2 characters} = "{RSA PUBLIC KEY} "

HKEY_CURRENT_USER\Software\{UID}
{random 2 characters} = {content of HELP_DECRYPT.TXT}

HKEY_CURRENT_USER\Software\{UID}
{random 2 characters} = {content of HELP_DECRYPT.HTML}

HKEY_CURRENT_USER\Software\{UID}
{random 2 characters} = {content of HELP_DECRYPT.URL}

HKEY_CURRENT_USER\Software\{UID}\
{random key}
{Full file path of encrypted file} = {data}

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SystemRestore
DisableSR = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\BITS
Start = 4

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ERSvc
Start = 4

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = 4

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Start = 4

(Note: The default value data of the said registry entry is 2.)

Other Details

This Trojan connects to the following possibly malicious URL:

  • {BLOCKED}9.com/img2.php
  • {BLOCKED}.{BLOCKED}nd.info/img1.php
  • {BLOCKED}an.com/img1.php
  • {BLOCKED}muslim-online.com/img5.php
  • {BLOCKED}m.com/img4.php
  • {BLOCKED}zateonline.com/img3.php
  • {BLOCKED}yber.com/img2.php
  • {BLOCKED}et.com/img1.php
  • {BLOCKED}-ng.com/img5.php
  • {BLOCKED}8.com/img5.php
  • {BLOCKED}an-guvenlik.com/img4.php
  • {BLOCKED}a.com/img3.php
  • {BLOCKED}de.com/img2.php
  • {BLOCKED}wohnungen-diana.com/img1.php
  • {BLOCKED}easset.com/img5.php
  • {BLOCKED}c.us/img4.php
  • {BLOCKED}dtile.net/img3.php
  • {BLOCKED}bjx.com/img2.php
  • {BLOCKED}talmd.com/img1.php
  • {BLOCKED}alaria.org/img5.php
  • {BLOCKED}hae.com/img4.php
  • {BLOCKED}9.com/img3.php
  • {BLOCKED}hon.com/img2.php
  • {BLOCKED}oft.com/img1.php
  • {BLOCKED}iaunited.com/img5.php
  • {BLOCKED}oosphoto.com/img4.php
  • {BLOCKED}orld.com/img3.php
  • {BLOCKED}urch.com/img2.php

It deletes the initially executed copy of itself

NOTES:

It drops the following files in the folder where encrypted files are:

  • HELP_DECRYPT.TXT
  • HELP_DECRYPT.HTML
  • HELP_DECRYPT.URL
  • HELP_DECRYPT.PNG