Trojan.Cryptolocker.AC
First posted on 06 January 2016.
Source: Symantec
Aliases:
There are no other names known for Trojan.Cryptolocker.AC.
Explanation:
Once executed, the Trojan creates the following files:
%SystemDrive%\Documents and Settings\All Users\Desktop\DECRYPT FILES.txt
%SystemDrive%\Documents and Settings\All Users\Desktop\GET MY FILES.txt
%SystemDrive%\Documents and Settings\All Users\Desktop\READ NOW.txt
%SystemDrive%\Documents and Settings\All Users\Desktop\read this file.txt
%SystemDrive%\Documents and Settings\All Users\Desktop\READ.txt
%SystemDrive%\Documents and Settings\All Users\Desktop\README!!!.txt
%SystemDrive%\Documents and Settings\All Users\Desktop\readme.txt
%Temp%\crjoker.html
%Temp%\drvpci.exe
%Temp%\GetYouFiles.txt
%Temp%\imgdesktop.exe
%Temp%\new.bat
%Temp%\README!!!.txt
%Temp%\windefrag.exe
%Temp%\windrv.exe
%Temp%\winpnp.exe
The Trojan creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"winpnp" = "%Temp%\winpnp.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"drvpci" = "%Temp%drvpci.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"windefrag" = "%Temp%\windefrag.exe"
The Trojan then sends information about the compromised computer to the following remote location:
[http://]server6.thcservers.com/~advavast/write[REMOVED]
It may then download additional modules from the following remote location:
[http://]daapv.de/wp-content/plugins/libravatar-replace/statis[REMOVED]
Next, the Trojan deletes any Volume Shadow Copy backups from the compromised computer.
The Trojan then ends the following processes:
taskmgr
regedit
Next, the Trojan encrypts files with the following file extensions:
.asp
.aspx
.csv
.db
.doc
.docm
.docx
.html
.java
.jpeg
.jpg
.mdb
.odt
.pdf
.php
.png
.ppt
.pptm
.pptx
The Trojan adds the following extension to all the files it encrypts:
.crjoker
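A host triage check for the artefacts listed above (the three Run-key value names, the %Temp% drops, the desktop ransom notes and the .crjoker extension), as an added example that is not part of the Symantec write-up. The indicator values are taken from this page; the sample registry values and file paths are constructed.

```python
"""Triage for Trojan.Cryptolocker.AC (CryptoJoker) artefacts on a host.
Added example, not Symantec's tooling; indicator values come from the write-up."""
from dataclasses import dataclass, field
import ntpath

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"winpnp", "drvpci", "windefrag"}          # persistence value names
TEMP_DROPS = {"crjoker.html", "drvpci.exe", "getyoufiles.txt", "imgdesktop.exe",
              "new.bat", "readme!!!.txt", "windefrag.exe", "windrv.exe", "winpnp.exe"}
NOTE_NAMES = {"decrypt files.txt", "get my files.txt", "read now.txt",
              "read this file.txt", "read.txt", "readme!!!.txt", "readme.txt"}
ENCRYPTED_EXT = ".crjoker"

@dataclass
class Findings:
    persistence: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    notes: list = field(default_factory=list)
    encrypted: list = field(default_factory=list)

    def is_hit(self):
        # A Run-key name alone is weak evidence (the names look like drivers);
        # require a second artefact class before calling it a confident match.
        return bool(self.persistence) and any((self.dropped, self.notes, self.encrypted))

def triage(run_values, file_paths):
    """run_values: {value name: command} read from the HKCU Run key;
    file_paths: full Windows paths observed on disk (8.3 or long names)."""
    f = Findings()
    for name, cmd in run_values.items():
        if name.lower() in RUN_VALUES:
            f.persistence.append(f"{RUN_KEY}\\{name} = {cmd}")
    for path in file_paths:
        folder, base = ntpath.split(path)
        parent, low = ntpath.basename(folder).lower(), base.lower()
        if low.endswith(ENCRYPTED_EXT):
            f.encrypted.append(path)
        elif parent == "temp" and low in TEMP_DROPS:      # %Temp% drops
            f.dropped.append(path)
        elif parent == "desktop" and low in NOTE_NAMES:   # ransom notes
            f.notes.append(path)
    return f

# Constructed sample input standing in for a registry and file-system export.
SAMPLE_RUN = {"winpnp": r"C:\DOCUME~1\user\LOCALS~1\Temp\winpnp.exe",
              "OneDrive": r"C:\Program Files\OneDrive.exe"}
SAMPLE_FILES = [r"C:\Documents and Settings\All Users\Desktop\READ NOW.txt",
                r"C:\DOCUME~1\user\LOCALS~1\Temp\crjoker.html",
                r"C:\Users\user\Documents\budget.csv.crjoker",
                r"C:\Users\user\Documents\notes.docx"]
```

Calling `triage(SAMPLE_RUN, SAMPLE_FILES).is_hit()` returns True for the constructed sample; a host with only an unrelated Run entry and no drops, notes or .crjoker files returns False.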
The Trojan then demands that the user pay a ransom in order to decrypt the files.
The readme.txt file created by the Trojan contains the following text:
You RSA key for CryptoJoker: [RSA KEY] Write to us at mail: file987@sigaint.org Spare mails: file9876@openmail.cc or file987@tutanota.com. You will certainly need to attach a file README ( it lockated on the desktop or in directory %TEMP% ).
The crjoker.html file created by the Trojan contains the following text:
Your personal files were encrypted using RSA key cryptographically! It decrypts files can be knowing a unique, private RSA key length of 2048 bits, which is only for us. Write to us at mail: file987@sigaint.org Spare mails: file9876@openmail.cc or file987@tutanota.com. Instructions for payment will be sent in the opposite letter. After payment we will send your key and decoder. And remember, you only have 72 hours to make a payment, then the price will rise to decipher. Attempts to decipher on their own will not lead to anything other than irretrievable loss of information. Your unique key that is required to send to the specified email: [RSA KEY] Good luck.
Last update 06 January 2016