Trojan.Cryptolocker.AF
First posted on 14 February 2016.
Source: Symantec
Aliases:
There are no other names known for Trojan.Cryptolocker.AF.
Explanation:
When the Trojan is executed, it creates the following file on the compromised computer:
"%UserProfile%\Application Data\[RANDOM CHARACTERS].exe"
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\"addon_v57" = "%UserProfile%\Application Data\[RANDOM CHARACTERS].exe"
The Trojan creates the following registry entry:
HKEY_CURRENT_USER\Software\xxxsys\"ID" = [HEXADECIMAL NUMBER]
The Trojan encrypts any file with the following extensions:
.7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .sc2save, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mcgame, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .001, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .DayZProfile, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .unity3d, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbfv, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
The Trojan appends each encrypted file with the following string:
.mp3
The Trojan creates the following files in every location it encrypts a file:
_H_e_l_p_RECOVER_INSTRUCTIONS+[THREE RANDOM LETTERS].png
_H_e_l_p_RECOVER_INSTRUCTIONS+[THREE RANDOM LETTERS].txt
_H_e_l_p_RECOVER_INSTRUCTIONS+[THREE RANDOM LETTERS].html
The Trojan creates the following mutex:
__sys_[12 RANDOM NUMBERS]
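The host-based indicators listed above (the appended ".mp3" extension on an already-extensioned file, the ransom-note file names, the mutex name shape and the two registry values) expressed as a small detection checker. This is an added example, not Symantec's code; the extension set is a subset of the page's list and every sample observation is constructed.

```python
import re
# Indicators transcribed from the advisory above. The extension set is a
# subset of the page's list; extend it with the full list for real use.
TARGET_EXTS = {".7z", ".rar", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
               ".pdf", ".jpg", ".jpeg", ".png", ".txt", ".pst", ".mdb", ".pem", ".pfx"}
APPENDED_EXT = ".mp3"
RANSOM_NOTE_RE = re.compile(r"^_H_e_l_p_RECOVER_INSTRUCTIONS\+[A-Za-z]{3}\.(?:png|txt|html)$")
MUTEX_RE = re.compile(r"^__sys_\d{12}$")
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run"
RUN_VALUE = "addon_v57"
ID_KEY = r"HKEY_CURRENT_USER\Software\xxxsys"

def is_encrypted_name(filename):
    """True for 'report.docx.mp3': a targeted extension followed by the appended
    '.mp3'. A genuine 'song.mp3' has no targeted extension in front of it."""
    lower = filename.lower()
    if not lower.endswith(APPENDED_EXT):
        return False
    stem = lower[:-len(APPENDED_EXT)]
    return any(stem.endswith(ext) for ext in TARGET_EXTS)

def is_ransom_note(filename):
    return RANSOM_NOTE_RE.match(filename) is not None

def is_mutex_ioc(name):
    return MUTEX_RE.match(name) is not None

def is_registry_ioc(key, value_name):
    k = key.lower()  # registry key paths are case-insensitive on Windows
    return ((k == RUN_KEY.lower() and value_name == RUN_VALUE)
            or (k == ID_KEY.lower() and value_name == "ID"))

def scan(files, mutexes, registry):
    """Return (indicator_type, item) pairs for every observation that matches."""
    hits = [("encrypted-file", f) for f in files if is_encrypted_name(f)]
    hits += [("ransom-note", f) for f in files if is_ransom_note(f)]
    hits += [("mutex", m) for m in mutexes if is_mutex_ioc(m)]
    hits += [("registry", k + "\\" + v) for k, v in registry if is_registry_ioc(k, v)]
    return hits

# Constructed sample observations, not artefacts recovered from a real sample.
SAMPLE_FILES = ["budget.xlsx.mp3", "song.mp3", "notes.txt", "_H_e_l_p_RECOVER_INSTRUCTIONS+kqz.txt"]
SAMPLE_MUTEXES = ["__sys_483920187465", "__sys_12", "Global\\SomeOtherMutex"]
SAMPLE_REGISTRY = [(RUN_KEY, RUN_VALUE), (ID_KEY, "ID"),
                   (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive")]

if __name__ == "__main__":
    for kind, item in scan(SAMPLE_FILES, SAMPLE_MUTEXES, SAMPLE_REGISTRY):
        print(kind + ": " + item)
```

On a live host the three lists would be fed from a directory walk, a handle enumeration and a registry export; the matching logic stays the same.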
The Trojan connects to any of the following remote locations:
[http://]ladiesdehaan.be/modules/mod_cmscore/mzsy[REMOVED]
[http://]chonburicoop.net/tmp/mzsy[REMOVED]
[http://]ferienwohnung-walchensee-pur.de/tmp/mzsy[REMOVED]
[http://]espoirsetvie.com/modules/mod_cmscore/mzsy[REMOVED]
[http://]ioasis.org/modules/mod_fxprev/libraries/mzsy[REMOVED]
[http://]polyhedrusgroup.com/components/com_acymailing/views/user/tmpl/mzsy[REMOVED]
Last update 14 February 2016