Home / malware Trojan.Cryptolocker.AE
First posted on 16 February 2016.
Source: SymantecAliases :
There are no other names known for Trojan.Cryptolocker.AE.
Explanation :
When the Trojan is executed, it creates the following file:
%UserProfile%\Application Data\ChromeSetings3264\[RANDOM CHARACTERS].exe
The Trojan may create the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft Internet Explorer Update" = [THREAT LOCATION]HKEY_CURRENT_USER\Software\Microsoft\Windows\"ChromeStarts3264" = "%UserProfile%\Application Data\ChromeSetings3264\[RANDOM CHARACTERS].exe"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ChromeSettingsStart3264" = "%UserProfile%\Application Data\ChromeSetings3264\[RANDOM CHARACTERS].exe"
The Trojan may create the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\"MicrosoftUpd32" = [HEXADECIMAL VALUE]
The Trojan encrypts files with the following extensions:
.st6.st7.st8.stc.std.sti.stw.stx.svg.swf.sxc.sxd.sxg.sxi.sxm.sxw.tex.tga.thm.txt.vob.vsd.vsx.vtx.wav.wb2.wdb.wll.wmv.wpd.wps.x11.x3f.xla.xlam.xlb.xlc.xll.xlm.xlr.xls.xlsb.xlsm.xlsx.xlt.xltm.xltx.m4a.wma.d3dbsp.xlw.xpp.xsn.yuv.zip.zip.sie.unrec.scan.sum.t13.t12.qdf.tax.pkpass.bc6.bc7.sidn.sidd.mddata.itl.itdb.icxs.hvpl.hplg.hkdb.mdbackup.syncdb.gho.cas.map.wmo.itm.sb.fos.mov.vdf.ztmp.sis.sid.ncf.menu.layout.dmp.blob.esm.vcf.vtf.dazip.fpk.mlx.kf.iwd.vpk.tor.psk.rim.w3x.fsh.ntl.arch00.lvl.snx.cfr.ff.vpp_pc.lrf.m2.mcmeta.vfs0.mpqge.kdb.db0.dba.rofl.hkx.bar.upk.das.iwi.litemod.asset.forge.ltx.bsa.apk.re4.lbf.slm.epk.rgss3a.pak.big.wallet.wotreplay.xxx.desc.m3u.js.css.rb.png.rw2.rwl.mrwref.3fr.xf.pst.dx.tiff.bd.tar.gz.mkv.bmp.dot.xml.xmlx.dat.html.gif.mcl.ini.mte.cfg.mp3.qbi.qbr.cnt.v30.qbo.lgb.qwc.qbp.aif.qby.1pa.qpd.set.nd.rtp.qbwin.log.qbbackup.tmp.temp1234.qbt.qbsdk.syncmanagerlogger.ecml.qsm.qss.qst.fx0.fx1.mx0.fpx.fxr.fim
The Trojan may append each encrypted file with one of the following extensions:
.umbrecrypttmp_ID_[RANDON NUMBER].hydracrypt_ID_[RANDOM NUMBER]
The Trojan may create the following files in every location it has encrypted a file:
README_DECRYPT_UMBRE_ID_[RANDOM CHARACTERS].txtREADME_DECRYPT_UMBRE_ID_[RANDOM CHARACTERS].jpgREADME_DECRYPT_HYDRA_ID_[RANDOM CHARACTERS].txtREADME_DECRYPT_HYDRA_ID_[RANDOM CHARACTERS].jpg
The Trojan creates the following mutex:
HGFYThjgyhftyFYFGYHJGJIGFgyftgDF
The Trojan may connect to one of the following remote locations:
[http://]drivers-softprotect.eu/img[REMOVED][http://]drivers-softprotect.eu/flamm[REMOVED][http://]testcryp.eu/googd[REMOVED][http://]testcryp.eu/img[REMOVED]Last update 16 February 2016