
Trojan.Cryptolocker.S


First posted on 13 May 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Cryptolocker.S.

Explanation:

When the Trojan is executed, it downloads a clean file from the following location: [http://]www.dhl.sk.origin.dhl.com/content/dam/downloads/sk/logistics/Shipping%20conditions%20DHL%20Eu[REMOVED]
The Trojan then saves this file to the following location and displays it: [PATH TO MALWARE]\penalty.pdf
The Trojan then creates the following files:
%SystemDrive%\1\locked.bmp
%SystemDrive%\Documents and Settings\All Users\Desktop\qwer.html
%SystemDrive%\Documents and Settings\All Users\Desktop\qwer2.html
%SystemDrive%\Documents and Settings\All Users\Desktop\seckeys.DONOTDELETE
%SystemDrive%\Documents and Settings\All Users\Desktop\customer.id
%SystemDrive%\Documents and Settings\All Users\Desktop\encrypted.htm
%SystemDrive%\Documents and Settings\All Users\Desktop\decrypted.htm
%SystemDrive%\1\reflect.dll
%SystemDrive%\1\t.dll
Next, the Trojan modifies the following registry entry: HKEY_CURRENT_USER\Control Panel\Desktop\"WallpaperStyle" = "0"
The Trojan connects to the following remote location to download PowerShell code: [http://]193.230.220.38/wall/Invoke-Reflectiv[REMOVED]
The Trojan then injects %SystemDrive%\1\reflect.dll into the Explorer process in order to execute %SystemDrive%\1\t.dll, which performs the following actions:
Deletes all shadow copies
Disables Startup Repair and error messages related to this program
Disables System Restore
Next, the Trojan encrypts all files with the following extensions: .ai .crt .csv .db .doc .docm .docx .dotx .gif .jpeg .jpg .jpg .lnk .mp3 .msi .ods .one .ost .p12 .pdf .pem .pps .ppsx .ppt .pptx .psd .pst .pub .rar .raw .rtf .tif .txt .vsdx .wma .xls .xlsm .xlsx .xml .zip
The Trojan then connects to the following remote location in a hidden Internet Explorer window in order to play music in the background: [https://]www.youtube.com/wa[REMOVED]
The Trojan then displays a ransom notice, demanding that the user pay up to AU$1,000 (US$791) in order to decrypt their files. The ransom demand links to a legitimate video tutorial on how to obtain Bitcoins in order to assist victims with paying the ransom. It also uses the 'Los Pollos Hermanos' branding from the TV show Breaking Bad in the notice.
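As an added defender-side example (not part of the Symantec write-up), the following Python scans constructed endpoint telemetry for the behaviour chain described above: the dropped files, the WallpaperStyle registry change, the connection to the PowerShell download host, and reflect.dll being loaded by the Explorer process. It assumes %SystemDrive% expands to C: and a made-up key=value log format; the process names and log lines are constructed.

```python
import re

# Indicators taken from the write-up above; %SystemDrive% is assumed to expand to C:
# (an assumption for this example) and comparisons are case-insensitive.
DROPPED_FILES = {
    r"c:\1\locked.bmp", r"c:\1\reflect.dll", r"c:\1\t.dll",
    r"c:\documents and settings\all users\desktop\seckeys.donotdelete",
    r"c:\documents and settings\all users\desktop\customer.id",
}
WALLPAPER_KEY = r"hkey_current_user\control panel\desktop\wallpaperstyle"
DOWNLOAD_HOST = "193.230.220.38"

# Constructed endpoint telemetry in a simple key=value line format (not real logs).
SAMPLE_LOG = r"""
ts=1 event=FileCreate proc=penalty.exe path=C:\Users\bob\penalty.pdf
ts=2 event=FileCreate proc=penalty.exe path=C:\1\reflect.dll
ts=3 event=RegSet proc=penalty.exe key=HKEY_CURRENT_USER\Control Panel\Desktop\WallpaperStyle value=0
ts=4 event=NetConnect proc=penalty.exe dst=193.230.220.38 port=80
ts=5 event=ImageLoad proc=explorer.exe path=C:\1\reflect.dll
ts=6 event=FileCreate proc=notepad.exe path=C:\Users\bob\notes.txt
"""
# Values may contain spaces, so fields are split at " name=" boundaries, not on whitespace.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse(line):
    return dict(FIELD_RE.findall(line))

def classify(ev):
    """Map one parsed event to a (category, detail) pair, or None if it is benign."""
    kind, path = ev.get("event"), ev.get("path", "").lower()
    if kind == "ImageLoad" and path in DROPPED_FILES and ev.get("proc", "").lower() == "explorer.exe":
        return ("inject", "explorer.exe loaded " + path)
    if kind == "FileCreate" and path in DROPPED_FILES:
        return ("drop", "artifact written: " + path)
    if kind == "RegSet" and ev.get("key", "").lower() == WALLPAPER_KEY and ev.get("value") == "0":
        return ("registry", "WallpaperStyle set to 0")
    if kind == "NetConnect" and ev.get("dst") == DOWNLOAD_HOST:
        return ("network", "contacted PowerShell download host " + DOWNLOAD_HOST)
    return None

def scan(log_text):
    """Return (alert, hits); alert is True once 3+ distinct behaviour categories are seen."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse(line)
        found = classify(ev)
        if found:
            hits.append((int(ev["ts"]), ev.get("proc"), *found))
    return len({h[2] for h in hits}) >= 3, hits
```

Requiring several distinct categories before alerting keeps a single wallpaper change or one file write from firing on its own, while the full chain on one host still trips the alert.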

Last update 13 May 2015
