A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21685  by Fabian Wosar
 Sun Dec 15, 2013 12:09 am
Not directly related to CryptoLocker, but a US company is currently creating a lot of PR buzz around a different crypto malware, calling it a CryptoLocker copycat. Based on the little technical information they shared, the malware they describe sounds suspiciously like the CryFile crypto malware family which has been around since at least July 2013. I have attached one of the most recent samples.

The crypto component the malware uses can be found here:
http://sourceforge.net/projects/tplockbox/

The group behind the malware seems to call itself "No Problem Bro" and they have been around for a while. Their web presence (noproblembro.com) is pretty much empty. Just hints here and there what they are up to.

The malware is VM aware, checking user names used, running processes, as well as various registry locations. The checks are located at 0x57F47C, 0x57FC9C, and 0x57FB28. Once it was made sure that the malware isn't running inside a VM, it will create an autorun key inside HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce as AdobeUpdate, pointing towards an AdobeSystem.exe file located inside the user profile directory. At least on my systems however, the malware doesn't copy itself there. I didn't look into whether or not that's a bug inside the malware. It is also possible that the sample is part of a larger dropper that actually takes care of placing the file inside that directory under the correct name.

The only other interesting aspect is the fact that crypto malware authors seem to pick up on the existence of shadow volumes. It is quite common for crypto malware authors to add shadow volume snapshot deletion in one of the later revisions of their malware, as that is usually one of the first things admins or malware removal techs try, but this particular sample shipped with some code to delete shadow copies right from the get go back in July.

I haven't looked into the encryption details yet but from the first look it seems to be reversible. Will take a closer look at it after a couple of hours of sleep.
Attachments
Password: infected
(547.95 KiB) Downloaded 163 times
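The persistence indicator described above (a RunOnce value named AdobeUpdate pointing at AdobeSystem.exe directly inside the user profile) can be checked offline against a registry export. The following is an added example, not code from the post or from the sample: it parses a small .reg export that is constructed here for illustration, collects every Run/RunOnce value with its executable target, and flags targets that sit directly in a profile root. The heuristic, the helper names and the sample entries are all assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed .reg export (not a dump of a real system). It models the
# persistence entry from the post, an AdobeUpdate value under HKCU RunOnce
# pointing at AdobeSystem.exe in the profile root, plus two benign entries.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"AdobeUpdate"="C:\\Users\\victim\\AdobeSystem.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Dropbox"="\"C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" /systemstartup"
'''

AUTORUN_SUFFIXES = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'^"?([^"]*?\.exe)\b', re.IGNORECASE)
# Executable sitting directly in a user's profile root, e.g. C:\Users\x\foo.exe
# (heuristic chosen for this example; legitimate software normally installs
# under AppData or Program Files, not the profile root).
PROFILE_ROOT_RE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)


def unescape_reg(value: str) -> str:
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_autoruns(reg_text: str) -> List[Dict[str, str]]:
    """Collect every value under a Run/RunOnce key with its resolved target."""
    entries: List[Dict[str, str]] = []
    current_key = ""
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if not current_key.endswith(AUTORUN_SUFFIXES):
            continue
        value_match = VALUE_RE.match(line)
        if not value_match:
            continue
        command = unescape_reg(value_match.group(2))
        exe = EXE_RE.match(command)
        entries.append({
            "key": current_key,
            "name": unescape_reg(value_match.group(1)),
            "command": command,
            "target": exe.group(1) if exe else "",
        })
    return entries


def flag_profile_root_autoruns(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the autorun entries whose executable lives directly in a profile root."""
    return [e for e in entries if PROFILE_ROOT_RE.match(e["target"])]


if __name__ == "__main__":
    for entry in flag_profile_root_autoruns(parse_autoruns(SAMPLE_REG_EXPORT)):
        print(f'{entry["key"]}\\{entry["name"]} -> {entry["target"]}')
```

On a live system the same text can be produced with `reg export` of the two keys; the parser only handles plain REG_SZ values, which is all these autorun keys normally contain.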
 #21691  by Fabian Wosar
 Sun Dec 15, 2013 2:25 pm
As promised yesterday, I took a closer look at the malware today. To be more precise I looked into the AES password generation to figure out whether or not decryption is feasible. Password generation takes place inside the function located at 0x0058072C. The password generation is done using the stock Delphi random number generation functions. Essentially the Delphi RNG is seeded using QueryPerformanceCounter or GetTickCount if the former is unavailable. The Random function itself is a simple linear congruential generator using the factor 0x08088405. The password generation algorithm looks like this:
for i := 0 to 249 do
begin
  if Random(2) = 1
    then Password := Password + Char(Random(93) + 33)
    else Password := Password + IntToStr(Random(10));
end;
The randomly generated key is then sent via email to "specialist2@noproblembro.com". Emails look like this:
From: "informator@noproblembro.com" <informator@noproblembro.com>
Subject: Locked:WORKSTATION(2966044196)
To: specialist2@noproblembro.com
Date: Sun, 15 Dec 2013 12:06:18 -0200

PC: WORKSTATION
ID: 2966044196A
Password: 2/-5=EC,94=,yebt;0303L9Y0=W7dD3;8r)1682Rz5A2P>a{1'D8n`(78q59|f4e#171176381i0%Q4c1s&v53')7"z7t+Q4909(57?8166)9\R97UO>y4W,2Gux0834@6029lx5A6;1078`X403895J2wqA278l}H7-9<524"7441C37137120957506620$/4I66F8b*3Z[35A53<220]776kl47-88h315U0`44Y87/{6;D{{5*822&
Expire: 12/17/2013
IP: 127.0.0.1
TS: 12:06:18 AM
The 250 character key may look intimidating at first, but based on how the key is generated, decryption should be possible as a brute force attack against all possible 4294967296 keys seems feasible within a couple of hours or days depending on your processor. Maybe a mathematician or cryptographer with more experience in LCGs may find a more efficient attack.
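The key-generation and key-space argument in this post, as an added example that is not code from the post or from the sample: a Python re-implementation of Delphi's Random(), the 250-character password loop quoted above, and a seed search that abandons each candidate at the first mismatching character. The multiplier 0x08088405 is the one named in the post; the "+1" increment and the "high 32 bits of seed * n" result are Delphi's stock RTL behaviour and are assumed here rather than taken from the sample. The demo seed and the search window are constructed for illustration.

```python
from typing import Iterable, Optional

# Delphi RTL Random(): a 32-bit linear congruential generator. The multiplier
# comes from the post; the increment and result extraction are assumed from
# Delphi's System unit, not read out of the sample.
DELPHI_MULT = 0x08088405
MASK32 = 0xFFFFFFFF
PASSWORD_LEN = 250          # the quoted loop runs for i := 0 to 249


class DelphiRandom:
    """Re-implementation of Delphi's RandSeed / Random(n)."""

    def __init__(self, seed: int) -> None:
        # Randomize seeds RandSeed from QueryPerformanceCounter or GetTickCount,
        # so the entire key space is one 32-bit value.
        self.seed = seed & MASK32

    def random(self, n: int) -> int:
        """Advance the generator and return a value in [0, n), like Random(n)."""
        self.seed = (self.seed * DELPHI_MULT + 1) & MASK32
        return (self.seed * n) >> 32


def next_password_char(rng: DelphiRandom) -> str:
    """One iteration of the loop quoted in the post."""
    if rng.random(2) == 1:
        return chr(rng.random(93) + 33)   # printable ASCII 33..125
    return str(rng.random(10))            # a decimal digit


def generate_password(seed: int, length: int = PASSWORD_LEN) -> str:
    """The AES password the sample derives from a single 32-bit seed."""
    rng = DelphiRandom(seed)
    return "".join(next_password_char(rng) for _ in range(length))


def recover_seed(known_prefix: str, candidate_seeds: Iterable[int]) -> Optional[int]:
    """Return the first candidate seed whose password starts with known_prefix.

    all() short-circuits, so a candidate is dropped at its first wrong
    character and the cost per seed is a couple of RNG steps. A complete
    recovery would pass range(0, 2**32) here, which is the 4294967296-key
    search the post estimates at hours to days.
    """
    for seed in candidate_seeds:
        rng = DelphiRandom(seed)
        if all(next_password_char(rng) == ch for ch in known_prefix):
            return seed
    return None


if __name__ == "__main__":
    demo_seed = 0x1234ABCD                  # constructed seed, not from a real infection
    pw = generate_password(demo_seed)
    print(f"seed {demo_seed:#010x} -> {pw[:40]}...")
    found = recover_seed(pw[:16], range(demo_seed - 0x800, demo_seed + 0x800))
    print(f"recovered seed: {found:#010x}" if found is not None else "no match")
```

In a real recovery the victim does not hold the password (it is only mailed to the attacker), so each candidate seed would instead be validated by decrypting a file with known structure; the prefix check above stands in for that validation so the search logic can be demonstrated offline.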
 #21703  by Cody Johnston
 Mon Dec 16, 2013 10:21 pm
Grinler wrote: Fabian, any chance you have a copy of this with the anti-VM protection bypassed?
All you need to do is change the following registry key:
HKLM\Hardware\ACPI\DSDT\VBOX__
Rename the VBOX__ key to anything other than VBOX and the sample Fabian posted will run.
 #21750  by Cody Johnston
 Fri Dec 20, 2013 7:19 pm
CryptoLocker 2.0 Cleaned up and mostly deobfuscated

http://www.welivesecurity.com/2013/12/1 ... r-copycat/


MD5 4f6011ff98c257441ed388c607c5c7fe

Only ESET detects :) (1/47):
https://www.virustotal.com/en/file/3d9a ... 387566697/

This one gets more file extensions:
this.string_0 = "3fr, accdb, txt, ai, arw, bay, cdr, cer, cr2, eps, erf, indd, mp3, mp4, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, rwl, srf, srw, wb2, wpd, wps, xlk, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, xls, xlsb, xlsm, xlsx, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf";
Also has DDoS functionality as well:
str1 = "Error: DDoS failed due to invalid URL";
Attachments
Password: infected
(730.01 KiB) Downloaded 183 times