Oct 12, 2015
This variant of CryptoLocker is distributed through Yahoo Messenger. It is the same as the
CryptoLocker that appeared abroad last year. The malware causes damage to financial
institutions, and damage cases were confirmed on 22 Jan 2014. Once a system is infected,
all documents on the computer are encrypted by the malware, which then demands bitcoin
in order to decrypt them. For a system suspected to be infected, apply the countermeasures
described in the corresponding section.
Malware analysis report
2013 DEL, All Rights Reserved.
http://facebook.com/delsa.story 2013 DEL, All Rights Reserved.
Index
1. Summary .....................................................................................................3
2. Detail Analysis ...........................................................................................7
3. Conclusion ............................................................................................... 12
4. Countermeasures ................................................................................... 13
5. Reference ................................................................................................. 14
Confidentiality Agreements
The following document is an analysis report written by DEL. It can be shared and distributed
without permission, but modifications are forbidden. This report can be found on the following
Facebook page (https://www.facebook.com/delsa.story) managed by DEL.
All the analysis reports registered on Facebook, including other data, are available as a premium
service on the DEL homepage (http://www.digitalexplorerslab.com/).
1. Summary
This variant of CryptoLocker is distributed through Yahoo Messenger. It is the same as the
CryptoLocker that appeared abroad last year. The malware causes damage to financial institutions,
and damage cases were confirmed on 22 Jan 2014. Once a system is infected, all documents on the
computer are encrypted by the malware, which then demands bitcoin in order to decrypt them. The
date and time shown are the time limit for payment. If payment is not made in time, the malware
destroys the decryption key.
Figure 1. The variant of Crypto Locker
[+] Ransomware is a class of malware which restricts access to the computer system that it
infects, and demands a ransom paid to the creator of the malware in order for the restriction to
be removed. Some forms of ransomware encrypt files on the system's hard drive (cryptoviral
extortion), while some may simply lock the system and display messages intended to coax the
user into paying.
The infection rate has increased sharply since October 2013, and CryptoLocker has spread
worldwide. Technically, CryptoLocker is a further development of ransomware. Attackers tend to
reuse existing tools rather than build a new attack tool.
CryptoLocker is distributed in various ways: it uses e-mail, messengers and P2P for infection.
Infection through a USB connection is also possible. Fortunately, no USB spreading method has
been discovered yet, so users can prevent infection through attention alone.
This variant of CryptoLocker is distributed by messenger using social engineering
techniques.
Figure 2. Yahoo Messenger
The CryptoLocker message claims that RSA-2048 encryption is used in this attack, but the
malware actually uses AES+RSA encryption. Decoding is not impossible; however, it is difficult to
create a decoding tool every time.
Figure 3. The message related to the encryption of CryptoLocker
On first infection, the malware encrypts the files and outputs a message.
Figure 4. Require a payment
The message demanding payment is shown, and the desktop of the infected computer is
changed as follows:
Figure 5. Change a wallpaper
The message demanding payment contains a link for checking the list of encrypted files.
When the link is clicked, users can check the list.
Figure 6. List of the encrypted files
There are several payment methods.
Figure 7. Payment window
2. Detail Analysis
The file first distributed through Yahoo Messenger is named YOURS.JPG.exe. When it runs, it
drops additional files. The dropped files serve two purposes: to run the injection and to delete
the first file. It injects into explorer.exe first, and into specific modules next. If a specific
condition is satisfied, the encryption module is downloaded in addition; if the condition is not
satisfied, the malware injects the module again. Each module produces a single result through a
complex coordination of separate processes.
Figure 8. Process of creating file
This code is the Injector dropped from YOURS.JPG.exe. When the Injector is dropped, it creates
a temporary directory, and the Injector is given a temporary file name when it is created in that
directory.
[ %APPDATA%\[Random Folder Name]\[Random File Name].exe ]
Figure 9. Injector Drop
The Injector is executed by creating a process.
Figure 10. Create Injector process
This is the code by which YOURS.JPG.exe drops the file that deletes it. The file has a temporary
name when it is created. It deletes YOURS.JPG.exe.
Figure 11. Drop a self-deleting file
The self-deleting file is dropped as a *.bat file.
@echo off
rem Retry the delete until it succeeds: it fails while YOURS.JPG.exe is still running
:d
del "C:\YOURS.JPG.exe"
if exist "C:\YOURS.JPG.exe" goto d
rem Finally remove this batch file itself (its temporary name differs per infection)
del /F "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XYU8B4.bat"
Table 1. Code of self-deleting file
This file is also executed by creating a process. While running, it waits for the termination of
YOURS.JPG.exe, and after deleting YOURS.JPG.exe it deletes itself.
Figure 12. Create process of self-deleting
The Injector dropped from YOURS.JPG.exe enumerates the process list using ToolHelp and obtains
the PID of explorer.exe. Using the OpenProcess function, it obtains a handle to explorer.exe.
Figure 13. Using the OpenProcess function to obtain a handle
It copies the decoded data into allocated memory. The copied data is in PE format and is laid
out in memory according to its section alignment.
Figure 14. Create process of self-deleting
It executes the code copied into explorer.exe using CreateRemoteThread.
Figure 15. Executing Injection Code
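The injection chain described above (Injector in %APPDATA%\[Random Folder Name]\[Random File Name].exe, handle to explorer.exe, manually mapped PE, CreateRemoteThread) leaves a recognisable trace in endpoint telemetry. The following detection logic is an added example written for this report, not code from DEL; the events are constructed in the shape of Sysmon Event ID 8 (CreateRemoteThread) records, and the paths and process names in them are invented.

```python
"""Flag remote-thread creation into explorer.exe from an image in a
user-writable directory, the injection pattern the report describes.

Added example, not code from the DEL report. SAMPLE_EVENTS are constructed
in the shape of Sysmon Event ID 8 records; they are not real telemetry.
"""
import re

# Directories a normal user can write to; the report's Injector lives under
# %APPDATA% (on Windows XP: "Application Data") with random folder/file names.
USER_WRITABLE = re.compile(r"\\(appdata|application data|local settings\\temp|temp)\\", re.I)

# Constructed sample events (Sysmon EID 8 field names, invented values).
SAMPLE_EVENTS = [
    {"EventID": 8,
     "SourceImage": r"C:\Documents and Settings\Administrator\Application Data\k3fq9\x7b2c.exe",
     "TargetImage": r"C:\WINDOWS\explorer.exe",
     "StartModule": ""},                                  # start address in no loaded module
    {"EventID": 8,
     "SourceImage": r"C:\WINDOWS\system32\csrss.exe",
     "TargetImage": r"C:\WINDOWS\explorer.exe",
     "StartModule": r"C:\WINDOWS\system32\ntdll.dll"},    # benign OS-internal thread
    {"EventID": 1,
     "Image": r"C:\WINDOWS\explorer.exe"},                # process creation, not a remote thread
]


def is_user_writable(path):
    """True when the image path lies under a user-writable profile directory."""
    return bool(USER_WRITABLE.search(path or ""))


def suspicious_reasons(event):
    """Return the reasons an EID 8 event matches the report's injection pattern."""
    if event.get("EventID") != 8:
        return []
    target = (event.get("TargetImage") or "").lower()
    if not target.endswith("\\explorer.exe"):
        return []
    reasons = []
    if is_user_writable(event.get("SourceImage") or ""):
        reasons.append("source image runs from a user-writable directory")
    if not event.get("StartModule"):
        # A PE copied into the target at section alignment is not a loaded
        # module, so the thread's start address has no backing module.
        reasons.append("thread start address is not backed by a loaded module")
    return reasons


def scan_events(events):
    """Map each suspicious event's source image to the reasons it was flagged."""
    hits = {}
    for event in events:
        reasons = suspicious_reasons(event)
        if reasons:
            hits[event["SourceImage"]] = reasons
    return hits


if __name__ == "__main__":
    for image, reasons in scan_events(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Only the first event is flagged: it targets explorer.exe from an executable under Application Data and its thread starts outside any loaded module. The csrss.exe event also targets explorer.exe but comes from System32 with a thread starting inside ntdll.dll, which is why both conditions are checked rather than the target name alone.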
If certain conditions are met, it downloads the cryptographic module from the network.
Figure 16. Download a module for encryption
The cryptographic module reads the contents of the target file and stores them in a buffer. It
then creates a file named [target file].tmp.tmp alongside the target file. The generated file is
hidden, and the contents held in the first buffer are encrypted and written to the .tmp.tmp file.
It then overwrites the existing file, after which it restores the same extension as the existing
file.
Figure 17. Operation of a module for encryption
The first operation is reading the contents of a normal file.
Figure 18. Read normal file
It temporarily creates a [normal file name].tmp.tmp file.
Figure 19. Create a [normal file name].tmp.tmp
It encrypts the content read from the normal file.
Figure 20. Data encryption
It writes the encrypted content to the [normal file name].tmp.tmp file and to the existing file.
Figure 21. Write encryption data
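The encryption routine described above leaves two artefacts that a responder can look for on a suspect host: original files whose extension is unchanged but whose content is now ciphertext, and [name].tmp.tmp staging files that were not cleaned up. The following triage scanner is an added example written for this report, not code from DEL; it builds a constructed sample directory, and the entropy threshold and magic-byte table are assumptions.

```python
"""Triage a directory for the report's encryption pattern: files overwritten
with ciphertext but keeping their extension, and leftover .tmp.tmp files.

Added example, not code from the DEL report. The sample tree is constructed
in a temp directory; MAGIC and ENTROPY_THRESHOLD are assumed values.
"""
import math
import os
import tempfile
from collections import Counter

# Expected leading bytes for some common document types (assumed, extend as needed).
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG",
    ".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0
SAMPLE_BYTES = 4096       # only the head of each file is examined


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_file(path):
    """Return the indicators found for one file (empty list means nothing odd)."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    name = os.path.basename(path).lower()
    reasons = []
    if name.endswith(".tmp.tmp"):
        reasons.append("leftover .tmp.tmp staging file")
    magic = MAGIC.get(os.path.splitext(name)[1])
    if magic and not head.startswith(magic):
        reasons.append("header does not match the file extension")
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy content")
    return reasons


def scan_dir(root):
    """Walk root and map each flagged file's relative path to its indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = assess_file(full)
            if reasons:
                hits[os.path.relpath(full, root)] = reasons
    return hits


def build_sample_dir():
    """Constructed sample tree: two intact files, one encrypted, one staging file."""
    root = tempfile.mkdtemp(prefix="cl_triage_")
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 2000,   # intact JPEG-like file
        "notes.txt": b"quarterly notes\n" * 200,            # plain text, no magic check
        "report.pdf": os.urandom(SAMPLE_BYTES),             # overwritten with ciphertext
        "budget.docx.tmp.tmp": os.urandom(1024),            # staging file left behind
    }
    for fname, data in samples.items():
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_dir(build_sample_dir()).items()):
        print(rel, "->", "; ".join(reasons))
```

The magic-byte check catches exactly the case the report describes (extension kept, content replaced), while the entropy check covers extensions the table does not know; the two intact files produce no indicators.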
3. Conclusion
The attacker intentionally added elements to interfere with analysis. He makes analysis
time-consuming through complex cooperation between files and repeated dropping. The operating
conditions must also be satisfied under complex conditions. The elements intended to interfere
with the analysis are as follows:
- Critical data and code are XOR-encoded and decoded at run time.
Figure 22. Encoding and Decoding
- Using a critical section and a mutex, it controls the execution flow between the dropped modules.
Figure 23. Control running stream
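Recovering the XOR-encoded data and code mentioned above is routine analyst work once the key is known. The helpers below are an added example written for this report, not code from DEL: they brute-force a single-byte key by scoring how text-like the decoded bytes are, derive a repeating key of known length from a known plaintext at a known offset (the "This program cannot be run in DOS mode" string of an embedded PE is a typical crib), and pull printable strings out of the decoded blob. The encoded samples and their keys are constructed here; the real variant's keys are not given in the report.

```python
"""Analyst helpers for XOR-encoded malware data: single-byte key recovery by
scoring, repeating-key recovery from a crib, and string extraction.

Added example, not code from the DEL report. NOTE_BLOB and PE_BLOB are
constructed here with keys chosen for the demo.
"""
import string

# Bytes we expect in decoded configuration strings: letters, digits, space, period.
EXPECTED = set((string.ascii_letters + string.digits + " .").encode())


def xor_bytes(data, key):
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plausibility(data):
    """Fraction of bytes that look like text (1.0 = every byte is expected)."""
    return sum(b in EXPECTED for b in data) / len(data) if data else 0.0


def recover_single_byte_key(blob, crib=None):
    """Return (key, decoded) for the best single-byte key.

    With a crib, the first key whose decoding contains it wins; without one,
    the key producing the most text-like output wins.
    """
    candidates = [(k, xor_bytes(blob, bytes([k]))) for k in range(256)]
    if crib is not None:
        for k, dec in candidates:
            if crib in dec:
                return k, dec
        raise ValueError("no single-byte key produces the crib")
    return max(candidates, key=lambda kd: plausibility(kd[1]))


def key_from_crib(blob, crib, offset, keylen):
    """Recover a repeating key of length keylen from plaintext known at offset."""
    if len(crib) < keylen:
        raise ValueError("crib must be at least as long as the key")
    stream = xor_bytes(blob[offset:offset + len(crib)], crib)
    key = bytearray(keylen)
    for i in range(keylen):
        key[(offset + i) % keylen] = stream[i]   # align key stream to key index
    return bytes(key)


def extract_strings(decoded, min_len=6):
    """Runs of expected bytes at least min_len long, like strings(1) on the blob."""
    out, run = [], bytearray()
    for b in decoded + b"\x00":      # trailing sentinel flushes the last run
        if b in EXPECTED:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode())
            run = bytearray()
    return out


# Constructed samples (keys chosen for the demo, not taken from the malware).
NOTE_PLAIN = b"Your files have been encrypted. Pay in bitcoin before the deadline."
NOTE_BLOB = xor_bytes(NOTE_PLAIN, b"\x5a")
PE_PLAIN = b"MZ" + b"\x90" * 76 + b"This program cannot be run in DOS mode."
PE_KEY = b"\x13\x37\xab\xcd"
PE_BLOB = xor_bytes(PE_PLAIN, PE_KEY)

if __name__ == "__main__":
    key, dec = recover_single_byte_key(NOTE_BLOB)
    print(f"single-byte key 0x{key:02x}:", dec.decode())
    print("repeating key:", key_from_crib(PE_BLOB, b"This program cannot be run", 78, 4).hex())
    print("strings:", extract_strings(xor_bytes(PE_BLOB, PE_KEY)))
```

The scoring set is deliberately narrow (letters, digits, space, period): a wider "printable" set lets several keys produce fully printable but wrong output, whereas the narrow set makes the true key the unique best candidate for ordinary English strings.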
4. Countermeasures
If a system is infected with CryptoLocker, it is difficult to decrypt the encrypted files. Decoding
is not impossible; however, it is difficult to create a decoding tool every time. And even if users
pay for decryption, it is unknown whether the files will actually be decrypted. So the most
effective way to cope is prevention before infection.
The first distribution occurs via e-mail or messenger, so users should not click web links sent
by unknown people.
Users need to be careful with attachments transmitted via messenger or e-mail.
Users can replace the encrypted files with backup copies by backing up important data.
5. Reference
[1] HAURI
http://www.hauri.co.kr/information/issue_view.html?intSeq=205&page=1
[2] Trend Micro
http://www.trendmicro.co.kr/kr/support/blog/cryptolocker-its-spam-and-zeuszbot-connection/index.html
[3] The Register
http://www.theregister.co.uk/2014/01/02/cryptolocker_worm/
[4] BUSINESS INSIDER
http://www.businessinsider.com/block-cryptolocker-virus-2014-1