CryptoLocker
Environment: sandbox without internet on my XP.
MD5: 444C339F422420BC317711DAC06F3545
Behavior:
Ran the file in my Sandboxie.
It drops exe files in the AppData location; the dropped file is started and the original file gets terminated.
Run entry created as:
HKEY_USERS\Sandbox_xxxxxxxxxxx_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Run
The value name is cryptoLocker and the data points to the file dropped in Application Data: "C:\Documents and Settings\xxxxxxxxxxx\Application Data\Ctzwwvskobndnvbt.exe".
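As an added check, not part of the original post, a small Python heuristic that flags Run entries like the one above: an executable under a per-user data directory with a random-looking name. The sample entries are constructed; the benign rows are there for contrast, since legitimate software such as Dropbox also autostarts from AppData.

```python
import math
import re
from collections import Counter

# Constructed sample of Run-key entries (value name -> data). The first row
# mirrors the entry seen in the sandbox; the other two are benign contrasts.
SAMPLE_RUN_ENTRIES = {
    "cryptoLocker": r"C:\Documents and Settings\user\Application Data\Ctzwwvskobndnvbt.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Dropbox": r"C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe",
}

# Per-user data directories on XP ("Application Data") and Vista+ ("AppData").
USER_DATA_DIRS = re.compile(r"\\(application data|appdata\\(roaming|local))\\", re.IGNORECASE)

def shannon_entropy(text):
    counts = Counter(text.lower())
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def vowel_ratio(text):
    letters = [c for c in text.lower() if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0

def looks_random(filename):
    """True for long, consonant-heavy, high-entropy stems like Ctzwwvskobndnvbt."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) >= 12 and vowel_ratio(stem) < 0.3 and shannon_entropy(stem) > 3.0

def flag_run_entries(entries):
    """Return the value names whose data is an .exe under a per-user data
    directory with a random-looking file name."""
    flagged = []
    for value_name, data in entries.items():
        path = data.strip('"')
        if not USER_DATA_DIRS.search(path):
            continue
        exe = path.rsplit("\\", 1)[-1]
        if exe.lower().endswith(".exe") and looks_random(exe):
            flagged.append(value_name)
    return flagged

if __name__ == "__main__":
    print(flag_run_entries(SAMPLE_RUN_ENTRIES))  # ['cryptoLocker']
```

The same function can be fed the output of `reg query` on the HKCU and HKLM Run keys of a live host or a registry export.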
Memory strings of the running file:
GetWindowTextLengthW
DestroyWindow
USER32.dll
CryptExportKey
CryptAcquireContextW
CryptSetKeyParam
CryptGetKeyParam
CryptReleaseContext
CryptImportKey
CryptEncrypt
CryptGenKey
CryptDestroyKey
CryptDecrypt
CryptGetHashParam
CryptCreateHash
CryptDestroyHash
CryptHashData
RegCreateKeyExW
RegCloseKey
RegQueryValueExW
RegQueryInfoKeyW
RegDeleteKeyW
RegDeleteValueW
RegEnumValueW
RegOpenKeyExW
RegFlushKey
RegEnumKeyExW
RegSetValueExW
Plenty of crypt-related strings are found in the dropped file.
And some strings relate to contacting the server:
HttpSendRequestExA
HttpQueryInfoA
InternetConnectA
InternetReadFile
InternetWriteFile
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
InternetOpenA
InternetCloseHandle
WININET.dll
GdiplusShutdown
GdipSaveImageToStream
GdipFree
GdipCreateBitmapFromStream
And some more crypt strings:
CryptStringToBinaryA
CryptDecodeObjectEx
CryptImportPublicKeyInfo
CRYPT32.dll
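An added triage helper, not from the original post, that encodes the inference behind these strings: CryptGenKey plus CryptEncrypt gives file encryption, CryptDecodeObjectEx and CryptImportPublicKeyInfo bring in an RSA public key, CryptExportKey lets the generated key be exported wrapped under that public key, and the WinINet calls give the server contact. The import list below is constructed from the strings shown above.

```python
# Import names constructed from the memory strings quoted above.
SAMPLE_IMPORTS = """
GetWindowTextLengthW CryptExportKey CryptAcquireContextW CryptSetKeyParam
CryptGetKeyParam CryptReleaseContext CryptImportKey CryptEncrypt CryptGenKey
CryptDestroyKey CryptDecrypt CryptCreateHash CryptHashData RegCreateKeyExW
RegSetValueExW HttpSendRequestExA HttpOpenRequestA InternetConnectA
InternetOpenA InternetReadFile CryptStringToBinaryA CryptDecodeObjectEx
CryptImportPublicKeyInfo
""".split()

# A capability counts as present only when all of its APIs are imported. Any
# single group is common in benign software; the first four together describe
# hybrid-encryption ransomware: generate a session key, encrypt files with it,
# import an RSA public key, and export the session key wrapped under that
# public key so only the holder of the private key can recover it.
CAPABILITIES = {
    "generates_session_key": {"CryptAcquireContextW", "CryptGenKey"},
    "encrypts_data": {"CryptEncrypt"},
    "imports_public_key": {"CryptDecodeObjectEx", "CryptImportPublicKeyInfo"},
    "exports_wrapped_key": {"CryptExportKey"},
    "http_server_contact": {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA"},
    "registry_persistence": {"RegCreateKeyExW", "RegSetValueExW"},
}

RANSOMWARE_CORE = {"generates_session_key", "encrypts_data",
                   "imports_public_key", "exports_wrapped_key"}

def capabilities_present(imports):
    present = set(imports)
    return {name for name, apis in CAPABILITIES.items() if apis <= present}

def triage(imports):
    """Return (verdict, sorted capability names) for an import list."""
    caps = capabilities_present(imports)
    if RANSOMWARE_CORE <= caps:
        verdict = "public-key ransomware pattern"
    elif "encrypts_data" in caps:
        verdict = "uses CryptoAPI encryption"
    else:
        verdict = "no encryption capability"
    return verdict, sorted(caps)

if __name__ == "__main__":
    print(triage(SAMPLE_IMPORTS))
```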
More about the encryption and about MoneyPak is found in the memory strings:
{\rtf1\ansi\ansicpg1252\deff0\deftab708{\fonttbl{\f0\fnil\fcharset0 Tahoma;}}
{\colortbl ;\red0\green0\blue0;\red0\green176\blue80;\red0\green0\blue255;\red240\green0\blue0;}
\viewkind4\uc1\pard\nowidctlpar\cf1\lang9\f0\fs20 Your important files \b encryption\b0 produced on this computer: photos, videos, documents, etc. \cf2\ul\b{\field{\*\fldinst{HYPERLINK "viewfiles"}}{\fldrslt{Here}}}\cf1\ulnone\b0\f0\fs20 is a complete list of encrypted files, and you can personally verify this.\par
\par
Encryption was produced using a \b unique\b0 public key \cf2\ul\b{\field{\*\fldinst{HYPERLINK "http://en.wikipedia.org/wiki/RSA_%28algorithm%29"}}{\fldrslt{RSA-2048}}}\cf1\ulnone\b0\f0\fs20 generated for this computer. To decrypt files you need to obtain the \b private key.\par
\b0\par
The \b single copy \b0 of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will \b destroy\b0 the key after a time specified in this window. After that, \b nobody and never will be able\b0 to restore files...\par
\par
\b To obtain\b0 the private key for this computer, which will automatically decrypt files, you need to pay \b %AMOUNT_USD% USD\b0 / \b %AMOUNT_EUR% EUR\b0 / similar amount in another currency.\par
\par
Click \'abNext\'bb to select the method of payment.\par
\par
\cf4\b Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.\b0\par
{\rtf1\ansi\ansicpg1252\deff0\deftab708{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset2 Symbol;}}
{\colortbl ;\red240\green0\blue0;\red0\green0\blue0;\red0\green176\blue80;\red0\green0\blue255;}
\viewkind4\uc1\pard\nowidctlpar\cf1\lang1033\kerning1\b\f0\fs20 It was not able to find payment receipt server on the Internet. This could happen due to following reasons:\par
\cf0\par
\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent0{\pntxtb\'B7}}\nowidctlpar\fi-360\li720\cf2\b0 You are disconnected from the Internet. Check your connection!\b\par
\pard\nowidctlpar\par
\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent0{\pntxtb\'B7}}\nowidctlpar\fi-360\li720\b0 Make sure your current time/date is set properly (used for server search).\b\par
\pard\nowidctlpar\par
\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent0{\pntxtb\'B7}}\nowidctlpar\fi-360\li720\b0 Your ISP has blocked an access to this server. Try to use another ISP, or \cf3\ul\b{\field{\*\fldinst{HYPERLINK "proxysettings"}}{\fldrslt{configure}}}\cf2\ulnone\b0\f0\fs20 proxy server to bypass this limitation.\b\par
\pard\nowidctlpar\par
\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent0{\pntxtb\'B7}}\nowidctlpar\fi-360\li720\b0 Server is temporarily blocked due to complaints of malware researchers. Keep waiting, this will get back to work soon!\b\par
\pard\nowidctlpar\par
\b0 Anyway, do not worry for your files, if you entered payment details correctly, your key will not be destructed until your computer payment status is confirmed.\par
\b\par
\cf1 This message will disappear within 5-10 minutes, after you eliminate the error cause.\cf0\lang9\kerning0\b0\par
{\rtf1\ansi\ansicpg1252\deff0\deftab708{\fonttbl{\f0\fnil\fcharset0 Tahoma;}}
{\colortbl ;\red0\green0\blue0;\red0\green0\blue255;\red0\green176\blue80;}
\viewkind4\uc1\pard\nowidctlpar\cf1\lang9\kerning1\f0\fs20 MoneyPak is an easy and convenient way to send money to where you need it. The MoneyPak works as a \lquote cash top-up card\rquote . \par
\par
You have to purchase MoneyPak card, load it with \b $%AMOUNT_USD%\b0 and enter the MoneyPak number on the next page.\par
\b\par
Where can wepurchase a MoneyPak?\b0\par
MoneyPak can be purchased at thousands of stores nationwide, including major retailers such as Walmart, Walgreens, CVS/pharmacy, Rite Aid, Kmart and Kroger. Click {\field{\*\fldinst{HYPERLINK "https://www.moneypak.com/StoreLocator.aspx" }}{\fldrslt{\cf3\ul\b here}}}\cf1\ulnone\b0\f0\fs20 to find a store near you.\par
\par
\b How do webuy a MoneyPak at the store?\b0\par
Pick up a MoneyPak from the Prepaid Product Section or Green Dot display and take it to the register. The cashier will collect your cash and load it onto the MoneyPak.\par
\par
\cf3\b{\field{\*\fldinst{HYPERLINK "https://www.moneypak.com/"}}{\fldrslt{\ul Home Page}}}\ulnone\f0\fs20\par
{\field{\*\fldinst{HYPERLINK "https://www.moneypak.com/StoreLocator.aspx"}}{\fldrslt{\ul MoneyPak Store Locator}}}\cf1\kerning0\ulnone\b0\f0\fs20\par
\par
{\rtf1\ansi\ansicpg1252\deff0\deftab708{\fonttbl{\f0\fnil\fcharset0 Tahoma;}}
{\colortbl ;\red0\green0\blue0;\red0\green0\blue255;\red0\green176\blue80;}
\viewkind4\uc1\pard\nowidctlpar\cf1\lang9\f0\fs20 Bitcoin is a cryptocurrency where the creation and transfer of bitcoins is based on an open-source cryptographic protocol that is independent of any central authority. Bitcoins can be transferred through a computer or smartphone without an intermediate financial institution.\par
\par
You have to send \b %AMOUNT_BTC% BTC\b0 to Bitcoin address \b{\field{\*\fldinst{HYPERLINK "bitcoin:%BITCOIN_ADDRESS%?amount=%AMOUNT_BTC%"}}{\fldrslt{%BITCOIN_ADDRESS%}}}\b0\f0\fs20 and specify the Transaction ID on the next page, which will be verified and confirmed.\par
\par
\pard\cf3\b{\field{\*\fldinst{HYPERLINK "http://bitcoin.org/en/"}}{\fldrslt{\ul Home Page}}}\ulnone\f0\fs20\par
{\field{\*\fldinst{HYPERLINK "http://bitcoin.org/en/getting-started"}}{\fldrslt{\ul Getting started with Bitcoin}}}\cf1\ulnone\b0\f0\fs20\par
\pard\nowidctlpar\par
<?xml version='1.0' encoding='UTF-8' standalone='yes'?><assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'><dependency><dependentAssembly><assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'/></dependentAssembly></dependency></assembly>
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
(File in the Appdata)
Ctzwwvskobndnvbt.exe  Pid: 2340
Ctzwwvskobndnvbt.exe  Pid: 2380

Process: Ctzwwvskobndnvbt.exe Pid: 2380
Type       Name
Desktop    \Default
Directory  \Windows
Directory  \BaseNamedObjects
Directory  \KnownDlls
Event      \Sandbox\xxxxxxxxxxx\DefaultBox\Session_0\BaseNamedObjects\crypt32LogoffEvent
File       C:\Sandbox\xxxxxxxxxxx\DefaultBox\user\current\Application Data