
Trojan.Cryptolocker.R


First posted on 30 April 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Cryptolocker.R.

Explanation:

Once executed, the Trojan scans the compromised computer for the following process names to determine if it is being analyzed:
wireshark.exe
idaq.exe
idag.exe
ollydbg.exe
idag64.exe
pexplorer.exe
lordpe.exe
hiew32.exe
bindiff.exe
procexp.exe
The Trojan scans the computer for the following registry subkeys to determine if it is running on a virtual machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
The Trojan scans the computer for the following computer names to determine if it is running in a malware analysis environment:
WIN7PRO-MALTEST
WIN7-MALTEST
NXP-MALTEST
NXPPRO-MALTEST
XP3-HOST01
SANDBOX
VWINXP-MALTEST
VWINXPPRO-MALTEST
HARDXP-TEST
17-TESTXP
MWS01
MWS02
MWS03
If the Trojan finds any of the previously mentioned process names, registry subkeys, or computer names, it will quit.

The Trojan looks for an internet connection by contacting the following location:
www.adobe.com
The Trojan obtains the IP address of the compromised computer by contacting the following location:
checkip.dyndns.org
The Trojan creates the following file to remove all .exe files inside the directory:
%UserProfile%\Thumbsdb.bat
The Trojan then deletes the following file:
%UserProfile%\Thumbsdb.bat
The Trojan checks for the presence of the following mutex:
gordon
If the Trojan finds the gordon mutex, it quits. If the Trojan does not find the gordon mutex, it creates it.

The Trojan runs the following commands with ShellExecute to prevent the compromised computer from going on standby or sleeping while the Trojan encrypts files:
powercfg.exe -x -standby-timeout-ac 0
powercfg.exe -x -standby-timeout-dc 0
powercfg.exe -x -hibernate-timeout-ac 0
powercfg.exe -x -hibernate-timeout-dc 0
The Trojan runs the following command to delete all shadow copies on the compromised computer to prevent it from being restored to a previous state:
vssadmin.exe Delete Shadows /All /Quiet
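As an added example (not part of the Symantec write-up), the following Python routine applies the two behaviours just described as detection logic over constructed Sysmon-style process-creation records: it flags any shadow-copy deletion, and it flags a parent process that issues all four powercfg timeout commands. The record field names and sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation records (Sysmon Event ID 1 style); field names are assumed.
SAMPLE_EVENTS = [
    {"host": "WS12", "ppid": 1280, "cmd": "powercfg.exe -x -standby-timeout-ac 0"},
    {"host": "WS12", "ppid": 1280, "cmd": "powercfg.exe -x -standby-timeout-dc 0"},
    {"host": "WS12", "ppid": 1280, "cmd": "powercfg.exe -x -hibernate-timeout-ac 0"},
    {"host": "WS12", "ppid": 1280, "cmd": "powercfg.exe -x -hibernate-timeout-dc 0"},
    {"host": "WS12", "ppid": 1280, "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    # Benign activity that must not trigger: a 30-minute standby timeout and a read-only query.
    {"host": "WS12", "ppid": 900, "cmd": "powercfg.exe -x -standby-timeout-ac 30"},
    {"host": "WS12", "ppid": 900, "cmd": "vssadmin.exe list shadows"},
]

# Shadow-copy deletion as run by the Trojan; case-insensitive, ".exe" and "/Quiet" optional.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all(\s+/quiet)?", re.I)
# A powercfg call that sets one of the four standby/hibernate timeouts to 0 (never sleep).
POWERCFG_ZERO = re.compile(r"powercfg(\.exe)?\s+-x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)
ALL_TIMEOUTS = {"standby-ac", "standby-dc", "hibernate-ac", "hibernate-dc"}


def find_ransomware_prep(events):
    """Return alert tuples for shadow deletion and for full sleep-timeout disabling.

    Each powercfg match is bucketed by (host, parent pid); only a parent that zeroed
    all four timeouts is reported, which separates this pattern from ordinary admin use.
    """
    alerts = []
    timeouts_per_parent = defaultdict(set)
    for ev in events:
        cmd = ev["cmd"]
        if SHADOW_DELETE.search(cmd):
            alerts.append(("shadow_copy_deletion", ev["host"], ev["ppid"], cmd))
        m = POWERCFG_ZERO.search(cmd)
        if m:
            timeouts_per_parent[(ev["host"], ev["ppid"])].add(f"{m.group(2)}-{m.group(3)}".lower())
    for (host, ppid), seen in timeouts_per_parent.items():
        if seen == ALL_TIMEOUTS:
            alerts.append(("sleep_timeouts_disabled", host, ppid, sorted(seen)))
    return alerts


if __name__ == "__main__":
    for alert in find_ransomware_prep(SAMPLE_EVENTS):
        print(alert)
```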
The Trojan sends an email from sales@valanoice.org to kolin@valanoice.org with the following information about the compromised computer:
Computer name
IP address
The Trojan then encrypts files with the following extensions on the compromised computer:
.prefab, .emd, .efn, .efb, .epf, .md, .lgp, .erf, .dt, .1cd, .kdbx, .kdb, .sqlitedb, .sqlite3, .sqlite, .sql, .mdf, .mxl, .mdb, .eql, .edb, .dxl, .dbt, .dbf, .dbx, .dbc, .adp, .accdc, .ldf, .accdb, .snk, .shy, .sef, .rzx, .rzk, .enc, .bsk, .bpk, .bfa, .afp, .rev, .rar, .7z, .zipx, .zip, .dxe, .dws, .dwg, .pcx, .psb, .psd, .oab, .pab, .fp3, .fg, .fcz, .fc2, .egg, .dwf, .tbb, .eml, .key, .xof, .xcf, .tbn, .cfn, .cf, .raw, .pov, .ply, .jpf, .jiff, .jif, .png, .jpeg, .jpg, .jpe, .cdr, .txt, .ppsx, .pptx, .ppt, .xlsm, .xlsx, .xls, .rtf, .docm, .docx, .doc, .pdf, .tiff, .tif, .fb2, .fb, .pfx, .p7b, .crt, .stl, .der, .djvu, .csr, .cer, .sec, .sgn, .pem, .p7c, .p7, .mht, .html, .htm, .jbc, .pst, .ebd
Note: Files encrypted by the Trojan will have the file extension changed to the following:
.just
The Trojan creates the following file in each directory where it encrypts files:
MESSAGE.txt
The MESSAGE.txt file contains a ransom message informing the user that their files have been encrypted. The message also provides information on how the files can be decrypted for a fee.

Last update 30 April 2015
