Malware analysis report

The variant of Crypto Locker is distributed through Yahoo Messenger. It is the same as the Crypto Locker that was issued abroad last year. The malware is damaging to financial institutions, and damage cases were confirmed on 22 Jan, 2014. When a system is infected with the malware, all documents on the computer are encrypted by it. The malware also demands bitcoin in order to decrypt them. For a system that is suspected to be infected, apply the countermeasures described in this report.

2013 DEL, All Rights Reserved.

http://facebook.com/delsa.story 2013 DEL, All Rights Reserved.

Index

1. Summary ........................ 3
2. Detail Analysis ................ 7
3. Conclusion ..................... 12
4. Countermeasures ................ 13
5. Reference ...................... 14


Confidentiality Agreements

The following document is an analysis report written by DEL. It may be shared and distributed without permission, but modifications are forbidden. This report can be found on the following Facebook page, managed by DEL: https://www.facebook.com/delsa.story

All the analysis reports registered on Facebook, including other data, are available as a premium service on the DEL homepage (http://www.digitalexplorerslab.com/).


1. Summary

The variant of Crypto Locker is distributed through Yahoo Messenger. It is the same as the Crypto Locker that was issued abroad last year. The malware is damaging to financial institutions, and damage cases were confirmed on 22 Jan, 2014. When a system is infected with the malware, all documents on the computer are encrypted by it. The malware also demands bitcoin in order to decrypt them. The date and time shown are the time limit for payment; if payment is not made in time, the malware destroys the decryption key.

    Figure 1. The variant of Crypto Locker

[+] Ransomware is a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive (cryptoviral extortion), while some may simply lock the system and display messages intended to coax the user into paying.


The infection rate has increased sharply since October 2013, and the Crypto Locker has spread worldwide. The Crypto Locker is a technical development of ransomware: an attacker tends to reuse existing tools rather than making a new attack tool.

The Crypto Locker is distributed in various ways, using e-mail, messengers, and P2P for infection. Infection through a USB connection is also possible. Fortunately, users can prevent infection through their own attention alone, because a propagation method using USB has not been discovered yet. The variant of the Crypto Locker is distributed by the messenger using social engineering techniques.

    Figure 2. Yahoo Messenger

The message of the Crypto Locker claims that RSA-2048 encryption is used in this attack, but the malware actually uses AES+RSA encryption. Decoding is not impossible; however, it is difficult to create a decoding tool every time.

Figure 3. The message related to the encryption of CryptoLocker


On first infection, the malware encrypts the files and outputs a message.

Figure 4. Require a payment

The message requiring the payment is shown, and the desktop of the infected computer is changed as follows:

    Figure 5. Change a wallpaper


There is a link in the payment message to check the list of encrypted files. When users click on the link, they can check the list.

Figure 6. List of the encrypted files

    There are several payment methods.

    Figure 7. Payment window


2. Detail Analysis

The file first distributed through Yahoo Messenger is named YOURS.JPG.exe. When the file runs, it drops additional files. The dropped files serve two purposes: one runs the injection and the other deletes the first file. It injects explorer.exe first, and specific modules next. If a specific condition is satisfied, the encryption module is downloaded additionally; if the condition is not satisfied, the malware injects the module again. Each module produces a single result through a complex coordination of particular processes.

Figure 8. Process of creating file

This is the routine that drops the Injector from YOURS.JPG.exe. When the Injector is dropped, a temporary directory is created, and the Injector is given a temporary file name when it is created in that directory.

[ %AppData%\[Random Folder Name]\[Random File Name].exe ]

Figure 9. Injector Drop

The Injector is executed by creating a process.

Figure 10. Create Injector process


This is the routine that drops the self-deleting file from YOURS.JPG.exe. The file is given a temporary name when it is created. It deletes YOURS.JPG.exe.

Figure 11. Drop a self-deleting file

The self-deleting file is dropped as a *.bat file:

@echo off
:d
del "C:\YOURS.JPG.exe"
if exist "C:\YOURS.JPG.exe" goto d
del /F "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XYU8B4.bat"

Table 1. Code of self-deleting file

The batch file is also executed by creating a process. While running, it loops until YOURS.JPG.exe has terminated and the delete succeeds, then deletes itself after deleting YOURS.JPG.exe.

Figure 12. Create process of self-deleting


The Injector dropped from YOURS.JPG.exe enumerates the process list using ToolHelp and gets the PID of explorer.exe. Using the OpenProcess function, it obtains a handle to explorer.exe.

Figure 13. Using the OpenProcess function to get a handle

It copies the decoded data into the allocated memory region. The copied data is in PE format, and it is laid out in memory according to the Section Alignment.

Figure 14. Create process of self-deleting

It executes the code copied into explorer.exe using CreateRemoteThread.

Figure 15. Executing Injection Code

If certain conditions are met, it downloads the cryptographic module from the network.

Figure 16. Download a module for encryption
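The chain described above (an executable dropped into a random folder under the user's Application Data, a helper .bat dropped into Temp, and a remote thread created in explorer.exe from that dropped executable) is what endpoint telemetry should be matched against. The following Python is an added example and not code from the DEL report; the event records are constructed to resemble process-creation, file-creation and remote-thread telemetry, and their field names (kind, pid, image, path, source_pid, target_image) are assumptions rather than any real sensor's schema.

```python
"""Added example: flag the dropper/injector chain described in the report.
Constructed telemetry; the field names are assumptions, not a real EDR schema."""
import re

# Executable exactly one directory below the roaming profile folder, i.e.
# %AppData%\<random folder>\<random file>.exe (XP and Vista+ folder layouts).
APPDATA_EXE_RE = re.compile(
    r"\\(Application Data|AppData\\Roaming)\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
# A "document" name with a trailing .exe, as in YOURS.JPG.exe.
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|png|gif|pdf|docx?|xlsx?)\.exe$", re.IGNORECASE)
# Batch file dropped into the user's Temp folder (the self-delete helper).
TEMP_BAT_RE = re.compile(r"\\Temp\\[^\\]+\.bat$", re.IGNORECASE)

# Constructed sample stream (not taken from the report's sample).
SAMPLE_EVENTS = [
    {"kind": "process_create", "pid": 1200, "image": r"C:\YOURS.JPG.exe"},
    {"kind": "file_create", "pid": 1200,
     "path": r"C:\Documents and Settings\Administrator\Application Data\kqzxvn\rwplfe.exe"},
    {"kind": "process_create", "pid": 1300, "parent_pid": 1200,
     "image": r"C:\Documents and Settings\Administrator\Application Data\kqzxvn\rwplfe.exe"},
    {"kind": "file_create", "pid": 1200,
     "path": r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XYU8B4.bat"},
    {"kind": "process_create", "pid": 1400, "parent_pid": 1200,
     "image": r"C:\WINDOWS\system32\cmd.exe"},
    {"kind": "remote_thread", "source_pid": 1300, "target_image": r"C:\WINDOWS\explorer.exe"},
    # Noise: an updater writing its own .exe two levels deep, which the
    # AppData rule deliberately does not match.
    {"kind": "file_create", "pid": 900,
     "path": r"C:\Documents and Settings\Administrator\Application Data\Vendor\Updater\update.exe"},
]


def analyze(events):
    """Return (rule, detail) findings in event order. Remote-thread events are
    tied back to the image of the source process seen earlier in the stream."""
    findings = []
    image_by_pid = {}
    for ev in events:
        kind = ev["kind"]
        if kind == "process_create":
            image_by_pid[ev["pid"]] = ev["image"]
            if DOUBLE_EXT_RE.search(ev["image"]):
                findings.append(("double_extension_exe", ev["image"]))
            if APPDATA_EXE_RE.search(ev["image"]):
                findings.append(("appdata_exe_exec", ev["image"]))
        elif kind == "file_create":
            if APPDATA_EXE_RE.search(ev["path"]):
                findings.append(("appdata_exe_drop", ev["path"]))
            if TEMP_BAT_RE.search(ev["path"]):
                findings.append(("temp_bat_drop", ev["path"]))
        elif kind == "remote_thread":
            source = image_by_pid.get(ev["source_pid"], "")
            if (ev["target_image"].lower().endswith("\\explorer.exe")
                    and APPDATA_EXE_RE.search(source)):
                findings.append(("explorer_injection_from_appdata", source))
    return findings


def chain_detected(findings):
    """High-confidence verdict: both the drop and the injection were observed."""
    rules = {rule for rule, _ in findings}
    return {"appdata_exe_drop", "explorer_injection_from_appdata"} <= rules


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for rule, detail in found:
        print(f"{rule:34s} {detail}")
    print("chain detected:", chain_detected(found))
```

Each rule on its own is noisy (installers legitimately write under Application Data, and double extensions appear in mail gateways' quarantine paths), so the verdict is only raised when the drop and the explorer.exe injection are both seen from the same dropped image.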


The cryptographic module reads the contents of the file to be encrypted and stores them in a buffer. It then creates a .tmp.tmp file with the same name as the target file. The generated file is hidden, and the contents stored in the first buffer are encrypted into the .tmp.tmp file. It then overwrites the existing file and afterwards changes the extension back to that of the existing file.

    Figure 17. Operation of a module for encryption

    The first operation is reading the contents of a normal file.

    Figure 18. Read normal file


Create a [normal file name].tmp.tmp file temporarily.

Figure 19. Create a [normal file name].tmp.tmp

It encrypts the content read from the normal file.

Figure 20. Data encryption

It writes the encrypted content to the [normal file name].tmp.tmp file and to the existing file.

Figure 21. Write encryption data
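The file handling described in Figures 17 to 21 (a hidden [name].tmp.tmp companion created beside each target, the original overwritten, then the extension restored) leaves a distinctive trail in file-system telemetry, and a process repeating it across many documents in a short burst is the signal worth alerting on. The Python below is an added example, not code from the DEL report; the event stream is constructed, and the ts/op/pid/path fields are assumptions rather than a real sensor's schema.

```python
"""Added example: spot the [name].tmp.tmp encrypt-and-overwrite trail.
Constructed file-system events; the ts/op/pid/path fields are assumptions."""
from collections import defaultdict

TMP_SUFFIX = ".tmp.tmp"


def _encrypt_trail(pid, path, ts):
    """Constructed trail for one file, in the order the report describes:
    create the companion .tmp.tmp, hide it, write it, overwrite the original,
    then rename back to the original extension."""
    tmp = path + TMP_SUFFIX
    return [
        {"ts": ts, "op": "create", "pid": pid, "path": tmp},
        {"ts": ts + 0.1, "op": "set_hidden", "pid": pid, "path": tmp},
        {"ts": ts + 0.2, "op": "write", "pid": pid, "path": tmp},
        {"ts": ts + 0.3, "op": "write", "pid": pid, "path": path},
        {"ts": ts + 0.4, "op": "rename", "pid": pid, "path": tmp, "new_path": path},
    ]


DOCS = r"C:\Documents and Settings\Administrator\My Documents"
SAMPLE_EVENTS = (
    # Benign: an editor saving through a single .tmp file, no .tmp.tmp companion.
    [{"ts": 5.0, "op": "create", "pid": 800, "path": DOCS + r"\notes.txt.tmp"},
     {"ts": 5.1, "op": "write", "pid": 800, "path": DOCS + r"\notes.txt"}]
    # Suspicious: one process walking four documents in quick succession.
    + _encrypt_trail(2000, DOCS + r"\budget.xlsx", 10.0)
    + _encrypt_trail(2000, DOCS + r"\contract.docx", 11.0)
    + _encrypt_trail(2000, DOCS + r"\photo.jpg", 12.0)
    + _encrypt_trail(2000, DOCS + r"\thesis.pdf", 13.0)
    # Below threshold: a single .tmp.tmp trail from another process.
    + _encrypt_trail(2100, DOCS + r"\one.pdf", 200.0)
)


def tmp_tmp_victims(events):
    """Per pid: original files that got a .tmp.tmp companion created by that
    process AND were then overwritten by the same process."""
    companions = defaultdict(set)
    overwritten = defaultdict(set)
    for ev in events:
        path = ev["path"]
        if ev["op"] == "create" and path.lower().endswith(TMP_SUFFIX):
            companions[ev["pid"]].add(path[:-len(TMP_SUFFIX)])
        elif ev["op"] == "write":
            overwritten[ev["pid"]].add(path)
    return {pid: companions[pid] & overwritten[pid] for pid in companions}


def alerts(events, threshold=3, window_seconds=60.0):
    """One (pid, count) alert per process that overwrites `threshold` distinct
    victims inside any `window_seconds` span; the burst is the ransomware signal."""
    victims = tmp_tmp_victims(events)
    first_write = defaultdict(dict)  # pid -> {victim path: ts of first overwrite}
    for ev in events:
        if ev["op"] == "write" and ev["path"] in victims.get(ev["pid"], set()):
            first_write[ev["pid"]].setdefault(ev["path"], ev["ts"])
    out = []
    for pid, by_path in first_write.items():
        times = sorted(by_path.values())
        for i, start in enumerate(times):
            hits = sum(1 for t in times[i:] if t - start <= window_seconds)
            if hits >= threshold:
                out.append((pid, hits))
                break
    return out


if __name__ == "__main__":
    for pid, count in alerts(SAMPLE_EVENTS):
        print(f"pid {pid}: {count} files rewritten via .tmp.tmp companions")
```

Requiring both the companion creation and the overwrite of the original from the same process keeps ordinary save-through-temp-file behaviour (the pid 800 editor above) out of the alert, and the time window separates a bulk encryption run from a tool that happens to use the same suffix once.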


3. Conclusion

The attacker intentionally added elements to interfere with analysis. He makes analysis time-consuming through complex cooperation between files and repeated dropping of processes. The operating conditions are also only satisfied under complex conditions. The elements intended to interfere with analysis are as follows:

. Critical data and code are XOR-encoded, and decoded at run time.

Figure 22. Encoding and Decoding
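The XOR encoding noted above, together with the observation in Section 2 that the injected data decodes to a PE image, is what makes this obfuscation cheap to undo during analysis: a single-byte XOR key is recovered from a known plaintext (crib) rather than guessed. A PE image starts with "MZ" and carries "PE\0\0" at the offset stored at 0x3C, so those bytes fix the key and verify it; any other expected string (an API name, a file name) serves the same purpose at an unknown offset. The Python below is an added example and not the report's or the malware's code; the encoded blobs are constructed for the demo and the key 0x5A is an arbitrary choice.

```python
"""Added example: recover a single-byte XOR key from a crib (known plaintext).
The encoded blobs are constructed for the demo; the key 0x5A is arbitrary."""
import struct


def xor_bytes(data, key):
    """XOR every byte with one key byte (the scheme the report describes)."""
    return bytes(b ^ key for b in data)


def key_from_crib(blob, crib):
    """Slide `crib` over the blob. At each offset the first crib byte fixes the
    candidate key; the remaining crib bytes must agree with it.
    Returns (key, offset) or None."""
    for off in range(len(blob) - len(crib) + 1):
        key = blob[off] ^ crib[0]
        if all(blob[off + i] ^ key == crib[i] for i in range(1, len(crib))):
            return key, off
    return None


def key_from_pe_header(blob):
    """Use the DOS/PE layout as the crib: 'MZ' at 0, e_lfanew at 0x3C and
    'PE\\0\\0' at e_lfanew. Returns the key, or None if the layout does not fit."""
    hit = key_from_crib(blob[:2], b"MZ")
    if hit is None or len(blob) < 0x40:
        return None
    key = hit[0]
    e_lfanew = struct.unpack("<I", xor_bytes(blob[0x3C:0x40], key))[0]
    if e_lfanew + 4 > len(blob):
        return None
    if xor_bytes(blob[e_lfanew:e_lfanew + 4], key) != b"PE\0\0":
        return None
    return key


def _fake_pe():
    """Constructed minimal header: MZ stub padded to 0x40 bytes,
    e_lfanew = 0x40, then the PE signature and some padding."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 16


DEMO_KEY = 0x5A
ENCODED_PE = xor_bytes(_fake_pe(), DEMO_KEY)
# Three bytes of constructed junk, then NUL-separated strings of the kind an
# injector keeps encoded (names taken from the report's own description).
ENCODED_STRINGS = xor_bytes(
    b"\x10\x22\x07" + b"explorer.exe\0CreateRemoteThread\0", DEMO_KEY)


if __name__ == "__main__":
    print("PE-header key:", hex(key_from_pe_header(ENCODED_PE)))
    key, off = key_from_crib(ENCODED_STRINGS, b"explorer.exe")
    print("crib key:", hex(key), "at offset", off)
    for s in xor_bytes(ENCODED_STRINGS, key)[off:].split(b"\0"):
        if s:
            print("  decoded:", s.decode("ascii"))
```

The header check is stronger than a printable-text heuristic because it verifies the key at two independent places (the signature and the e_lfanew pointer). The same idea extends to longer repeating keys: long zero-filled regions in a PE header, once XORed, expose the key stream directly.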

. Using Critical Sections and Mutexes, it controls the flow of execution between the dropped modules.

Figure 23. Control running stream


4. Countermeasures

If a system is infected with Crypto Locker, it is difficult to decrypt the encrypted files. Decoding is not impossible; however, it is difficult to create a decoding tool every time. And even if users pay to decrypt, it is unknown whether the files will be decrypted. So the most effective way to cope is prevention before infection.

The first distribution occurs via e-mail or messenger, so users should not click web links sent by unknown people.

Users need to be careful with attachments transmitted via messenger or e-mail.

Users can replace the encrypted files from a backup if they back up their important data.


5. Reference

[1] HAURI, http://www.hauri.co.kr/information/issue_view.html?intSeq=205&page=1
[2] Trend Micro, http://www.trendmicro.co.kr/kr/support/blog/cryptolocker-its-spam-and-zeuszbot-connection/index.html
[3] The Register, http://www.theregister.co.uk/2014/01/02/cryptolocker_worm/
[4] BUSINESS INSIDER, http://www.businessinsider.com/block-cryptolocker-virus-2014-1