Trojan.Cryptolocker.AB
First posted on 24 November 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Cryptolocker.AB.
Explanation:
When this Trojan is executed, it creates the following files:
%Windir%\Debug\ReadDecryptFilesHere.txt
%UserProfile%\[NAME OF COMPROMISED COMPUTER]\[SYSTEM DRIVE SERIAL NUMBER].exe
%UserProfile%\z2.bmp
The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft Corporation" = "%UserProfile%\[NAME OF COMPROMISED COMPUTER]\[SYSTEM DRIVE SERIAL NUMBER].exe"
Next, the Trojan looks for files with the following extensions and encrypts them:
.3dm, .3ds, .3fr, .3g2, .3gp, .7z, .ACCDB, .ach, .ai, .aiff, .arw, .asf, .asx, .avi, .back, .backup, .bak, .BAY, .bin, .blend, .c, .cdr, .cer, .cpp, .cr2, .crt, .crw, .cs, .dat, .db, .DBF, .dcr, .dds, .DER, .des, .dit, .DNG, .doc, .docm, .DOCX, .dtd, .dwg, .DXF, .dxg, .edb, .eml, .eps, .ERF, .fla, .flac, .flvv, .gif, .groups, .h, .hdd, .hpp, .html, .iif, .INDD, .java, .jpe, .JPEG, .jpg, .jsp, .kdc, .key, .kwm, .log, .lua, .m, .m2ts, .m4p, .m4v, .max, .mdb, .mdf, .MEF, .mkv, .mov, .mp3, .mp4, .mpeg, .mpg, .MRW, .msg, .nd, .ndf, .nef, .nk2, .nrw, .nvram, .oab, .obj, .ODB, .odc, .odm, .ODP, .ods, .odt, .ogg, .orf, .ost, .P12, .p7b, .P7C, .pab, .pas, .pct, .pdb, .PDD, .pdf, .PEF, .pem, .pfx, .php, .pif, .pl, .png, .pps, .ppt, .PPTM, .pptx, .prf, .ps, .PSD, .pst, .PTX, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .R3D, .raf, .RAW, .rm, .rtf, .rvt, .rw2, .rwl, .safe, .sav, .sql, .SR2, .SRF, .srt, .srw, .stm, .svg, .swf, .tex, .tga, .thm, .tlg, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .wav, .WB2, .wma, .wmv, .wpd, .wps, .X3F, .XLK, .xlr, .XLS, .xlsb, .xlsm, .xlsx, .yuv
The Trojan then appends the following string to the file name of each encrypted file:
.crinf
Next, the Trojan deletes the Windows Shadow Volume Copies and disables Windows Startup Repair.
The Trojan may then end the following processes:
msconfig.exe, rstrui.exe, tcpview.exe, procexp.exe, procmon.exe, regmon.exe, wireshark.exe, LordPE.exe, regedit.exe, cmd.exe, filemon.exe, procexp64.exe
Next, the Trojan connects to the following remote location:
[http://]qbstdn6k7iivyki2.onion.direct/lending/bot[REMOVED]
The Trojan then changes the desktop wallpaper on the compromised computer and displays a message box with a ransom note and instructions on how to pay the ransom.
Last update 24 November 2015
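The behaviours listed above translate directly into host-level indicators a defender can check for: the Run value named "Microsoft Corporation" pointing at an .exe one folder below the user profile, the ransom note under %Windir%\Debug, the z2.bmp wallpaper file, a burst of renames to the .crinf suffix, and terminations of the listed recovery and analysis tools. The following Python is an added example written for this page, not Symantec's code or part of the advisory. The event records it scans are constructed for illustration, and the record field names (pid, op, path) and the rename threshold are assumptions; a real deployment would feed it from Sysmon, EDR or audit-log output.

```python
"""Indicator checks for the Trojan.Cryptolocker.AB behaviours in the advisory above.

Added example; not Symantec's code. Field names and sample records are assumptions.
"""
import re
from collections import Counter

# Artefacts named in the advisory (paths are compared in lower case).
RANSOM_NOTE = r"\debug\readdecryptfileshere.txt"   # %Windir%\Debug\ReadDecryptFilesHere.txt
WALLPAPER_BMP = r"\z2.bmp"                          # %UserProfile%\z2.bmp
ENCRYPTED_SUFFIX = ".crinf"                         # appended to every encrypted file
RUN_VALUE_NAME = "microsoft corporation"            # name of the Run value

# Run value data is %UserProfile%\<computer name>\<drive serial>.exe, i.e. an .exe
# exactly one folder below the profile root, in expanded or unexpanded form.
RUN_DATA_RE = re.compile(
    r'^"?(?:%userprofile%|[a-z]:\\users\\[^\\]+)\\[^\\]+\\[^\\]+\.exe"?$',
    re.IGNORECASE,
)

# Processes the Trojan ends; several of these dying in one session is a signal.
KILLED_TOOLS = {
    "msconfig.exe", "rstrui.exe", "tcpview.exe", "procexp.exe", "procmon.exe",
    "regmon.exe", "wireshark.exe", "lordpe.exe", "regedit.exe", "cmd.exe",
    "filemon.exe", "procexp64.exe",
}


def is_persistence_indicator(key, value_name, data):
    """True for the HKCU ...\\CurrentVersion\\Run value the advisory describes."""
    if not key.lower().endswith(r"\software\microsoft\windows\currentversion\run"):
        return False
    return value_name.lower() == RUN_VALUE_NAME and bool(RUN_DATA_RE.match(data.strip()))


def scan_file_events(events, rename_threshold=5):
    """Return the set of indicator names found in a list of {pid, op, path} records.

    `op` is "create" or "rename"; for a rename, `path` is the new file name.
    A single process renaming `rename_threshold` or more files to .crinf is
    reported as mass encryption.
    """
    findings = set()
    crinf_renames = Counter()
    for ev in events:
        path = ev["path"].lower()
        if ev["op"] == "create" and path.endswith(RANSOM_NOTE):
            findings.add("ransom_note_dropped")
        if ev["op"] == "create" and path.endswith(WALLPAPER_BMP):
            findings.add("wallpaper_bmp_dropped")
        if ev["op"] == "rename" and path.endswith(ENCRYPTED_SUFFIX):
            crinf_renames[ev["pid"]] += 1
    if any(n >= rename_threshold for n in crinf_renames.values()):
        findings.add("mass_crinf_rename")
    return findings


def killed_tool_count(terminated_names):
    """Count distinct advisory-listed tools among terminated process names."""
    return len({name.lower() for name in terminated_names} & KILLED_TOOLS)


# Constructed sample telemetry (hypothetical host WS-0042, user alice, pid 4120).
SAMPLE_RUN_VALUE = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    "Microsoft Corporation",
    r"C:\Users\alice\WS-0042\A1B2C3D4.exe",
)
SAMPLE_FILE_EVENTS = [
    {"pid": 4120, "op": "create", "path": r"C:\Windows\Debug\ReadDecryptFilesHere.txt"},
    {"pid": 4120, "op": "create", "path": r"C:\Users\alice\z2.bmp"},
] + [
    {"pid": 4120, "op": "rename", "path": rf"C:\Users\alice\Documents\report{i}.docx.crinf"}
    for i in range(6)
]
SAMPLE_TERMINATED = ["rstrui.exe", "procexp.exe", "cmd.exe", "notepad.exe"]


if __name__ == "__main__":
    print("persistence:", is_persistence_indicator(*SAMPLE_RUN_VALUE))
    print("file indicators:", sorted(scan_file_events(SAMPLE_FILE_EVENTS)))
    print("listed tools killed:", killed_tool_count(SAMPLE_TERMINATED))
```

The Run-value check deliberately requires both the odd value name and the one-folder-below-profile layout, so a legitimate autostart entry such as an updater under AppData does not match; the .crinf rename counter is keyed per process so that a single user renaming one file by hand stays below the threshold.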