Crypto Locker IOCs

Quick Description

Malware using elliptic curve cryptography, the Tor network and Bitcoin.

It first appeared in January 2015 and is still present on the net.

Infection process

The user receives an email with an attachment in .zip or .cab format. The archive contains a file with a .src extension: the dropper.

When executed, it extracts a file with an .rtf extension and a random file name. When this file is opened, it displays Terms & Conditions of Use; of course, it is a decoy. Meanwhile the infection is carried out by the .src file, which downloads the malware and executes its payload.

Symptoms

All of the user's files are encrypted.

IOCs

Installed file:
  • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fzjujkn.exe
  • 7-character random file names
Administration IPs:
  • maisondessources.com (213.186.33.19)
  • pleiade.asso.fr (213.186.33.19)
  • scolapedia.org (213.186.33.19)
  • breteau-photographe.com (213.186.33.150)
  • voigt-its.de (188.93.8.7)
  • jbmsystem.fr (213.186.33.3)
Attachment:
  • malformed.zip
  • plenitude.zip
  • inquires.zip
  • simoniac.zip
  • faltboat.zip
  • incurably.zip
  • payloads.zip
  • dessiatine.zip
Payload download URLs:
  • http://agatecom.fr/voeux/doom.tar.gz
  • http://aspiroflash.fr/cai/abc.tar.gz
  • http://baselineproduction.fr/Modules/doom.tar.gz
  • http://bikeceuta.com/templates/nero.tar.gz
  • http://breteau-photographe.com/tmp/pack.tar.gz
  • http://cargol.cat/IESABP/nero.tar.gz
  • http://cds-chartreuse.fr/locales/sancho.tar.gz
  • http://cognacbrown.co.uk/ChromeSetup.exe
  • http://collection-opus.fr/_gfx/cario.tar.gz
  • http://compassfx.com/OLD/cario.tar.gz
  • http://dariocasati.it/logs/dostanes_do_drzky.tar.gz
  • http://dequinnzangersborne.nl/language/upupup.tar.gz
  • http://dieideenwerkstatt.at/css/abc.tar.gz
  • http://evalero.com/img/cario.tar.gz
  • http://fbrugues.com/language/hiser.tar.gz
  • http://firststepbahamas.com/PDF/abc.tar.gz
  • http://fotocb.de/php/upupup.tar.gz
  • http://funnydeando.com/pdthm0/moon1.exe
  • http://hotel-mas-saint-joseph.com/css/pack.tar.gz
  • http://Icedjungle.com/pdthm0/dan2.exe
  • http://integritysites.net/files/nero.tar.gz
  • http://jbmsystem.fr/jb/pack.tar.gz
  • http://joefel.com/easyscripts/sancho.tar.gz
  • http://krzysztofkarpinski.pl/log/hiser.tar.gz
  • http://locamat-antilles.com/memo/sancho.tar.gz
  • http://maisondessources.com/assets/pack.tar.gz
  • http://m-a-metare.fr/media/sancho.tar.gz
  • http://masterbranditalia.com/downloader/cario.tar.gz
  • http://microneedle.com/menu_files/pack.tar.gz
  • http://mmadolec.ipower.com/me/cario.tar.gz
  • http://n23.fr/asstempo/doom.tar.gz
  • http://necaps.org/pagestyles/mine.tar.gz
  • http://ohayons.com/dostanes_do_drzky.tar.gz
  • http://ourtrainingacademy.com/LeadingRE/sancho.tar.gz
  • http://peche-sportive-martinique.com/wp-includes/pack.tar.gz
  • http://pinballpassion.fr/images/mine.tar.gz
  • http://pleiade.asso.fr/piwigotest/pack.tar.gz
  • http://ppc.cba.pl/cache/nero.tar.gz
  • http://prevencionprl.com/im/hiser.tar.gz
  • http://pubbliemme.com/plugins/doom.tar.gz
  • http://scolapedia.org/histoiredesarts/pack.tar.gz
  • http://shop-oye.it/XXXinstallXXX/abc.tar.gz
  • http://siestahealthtrack.com/media/pack.tar.gz
  • http://smartoptionsinc.com/data-test/nero.tar.gz
  • http://sp107.home.pl/logs/dostanes_do_drzky.tar.gz
  • http://springtree.cba.pl/modules/cario.tar.gz
  • http://stevenblood.com/ChromeSetup.exe
  • http://stmarys-andover.org.uk/audio_files/upupup.tar.gz
  • http://telasramacrisna.com.br/ramacrisna/mine.tar.gz
  • http://telasramacrisna.com.br/site/lightbox/hiser.tar.gz
  • http://thelastxmas.com/ChromeSetup.exe
  • http://thehollow.co/ChromeSetup.exe
  • http://thinkonthis.net/style/dostanes_do_drzky.tar.gz
  • http://thomasottogalli.com/webtest/sancho.tar.gz
  • http://voigt-its.de/fit/pack.tar.gz
  • http://wcicinc.org/flv/dostanes_do_drzky.tar.gz
  • http://wireandwoods.ru/pdthm0/042.exe
  • http://www.baddadclub.com/ChromeSetup.exe
  • http://www.cpeconsultores.com/tmp/pack.tar.gz
  • http://www.geordie.land/ChromeSetup.exe
  • http://www.goodtobeloved.com/ChromeSetup.exe
  • http://www.lamas.si/picture_library/upupup.tar.gz
  • http://www.sazlar.de/sazlar/mine.tar.gz
  • http://www.thelatxma.com/ChromeSetup.exe
  • http://wymiana-wsb.cba.pl/pp/abc.tar.gz
  • http://zysztofkarpinski.pl/log/hiser.tar.gz
Downloaded file extensions:
  • exe
  • src
  • bat
  • pif
  • cmd
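As an added example (not part of the original post), the following Python script shows how a defender can turn the indicators above into a check over web-proxy logs and mail attachments. The IP, domain, URL, attachment-name and extension values are copied from the lists above; the proxy log format (timestamp, client IP, destination IP, method, URL, status) is an assumption, and the log lines themselves are constructed for the demonstration.

```python
"""Match web-proxy log lines and mail attachments against the IOCs of this post.

Added example, not from the original post. The log format below is assumed,
and the sample log lines are constructed; indicator values come from the post.
"""
import re

# --- Indicators copied from the post (subset of the URL list) -----------------
C2_IPS = {"213.186.33.19", "213.186.33.150", "188.93.8.7", "213.186.33.3"}
C2_DOMAINS = {
    "maisondessources.com", "pleiade.asso.fr", "scolapedia.org",
    "breteau-photographe.com", "voigt-its.de", "jbmsystem.fr",
}
PAYLOAD_URLS = {
    "http://agatecom.fr/voeux/doom.tar.gz",
    "http://cognacbrown.co.uk/ChromeSetup.exe",
    "http://jbmsystem.fr/jb/pack.tar.gz",
}
# The same archive names recur on many compromised hosts in the post's URL list,
# so the basename alone is a useful (weaker) indicator.
PAYLOAD_BASENAMES = {
    "doom.tar.gz", "abc.tar.gz", "nero.tar.gz", "pack.tar.gz", "sancho.tar.gz",
    "cario.tar.gz", "dostanes_do_drzky.tar.gz", "upupup.tar.gz", "hiser.tar.gz",
    "mine.tar.gz", "ChromeSetup.exe",
}
ATTACHMENT_NAMES = {"malformed.zip", "plenitude.zip", "inquires.zip", "simoniac.zip"}
DROPPED_EXTENSIONS = {"exe", "src", "bat", "pif", "cmd"}
# Installed file: 7 random lowercase letters + .exe in the user's Temp folder.
INSTALLED_NAME_RE = re.compile(r"^[a-z]{7}\.exe$")

# Assumed proxy log layout: "<ts> <client_ip> <dest_ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest_ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)


def host_of(url):
    """Extract the host from 'http://host/path' or a CONNECT-style 'host:port'."""
    rest = url.split("://", 1)[-1]
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def classify(line):
    """Return [(indicator_type, value), ...] for one log line; [] if nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return [("parse_error", line.strip())]
    url = m.group("url")
    hits = []
    if m.group("dest_ip") in C2_IPS:
        hits.append(("c2_ip", m.group("dest_ip")))
    if host_of(url) in C2_DOMAINS:
        hits.append(("c2_domain", host_of(url)))
    if url in PAYLOAD_URLS:
        hits.append(("payload_url", url))
    else:
        basename = url.split("?", 1)[0].rsplit("/", 1)[-1]
        if basename in PAYLOAD_BASENAMES:
            hits.append(("payload_basename", basename))
    return hits


def scan(lines):
    """Return {line_number: hits} for every line that matched at least one IOC."""
    return {i: h for i, h in ((i, classify(l)) for i, l in enumerate(lines, 1)) if h}


def classify_attachment(archive_name, member_names):
    """Flag a known attachment name and any archive member with a listed extension."""
    hits = []
    if archive_name.lower() in ATTACHMENT_NAMES:
        hits.append(("known_attachment", archive_name))
    for name in member_names:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in DROPPED_EXTENSIONS:
            hits.append(("executable_member", name))
    return hits


def looks_like_installed_name(filename):
    """True for names matching the 7-character random pattern seen in Temp."""
    return INSTALLED_NAME_RE.match(filename) is not None


# Constructed sample log (not real traffic): one clean line, one full payload
# fetch, one payload basename on an unknown host, one CONNECT to a C2 domain.
SAMPLE_LOG = """\
2015-02-03T10:14:02Z 10.0.0.12 93.184.216.34 GET http://example.com/index.html 200
2015-02-03T10:14:05Z 10.0.0.12 213.186.33.3 GET http://jbmsystem.fr/jb/pack.tar.gz 200
2015-02-03T10:14:09Z 10.0.0.45 203.0.113.7 GET http://files.example.net/dl/nero.tar.gz 200
2015-02-03T10:15:00Z 10.0.0.45 213.186.33.19 CONNECT maisondessources.com:443 200
""".splitlines()

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(lineno, hits)
    print(classify_attachment("inquires.zip", ["inquires.src"]))
```

Exact URL matches are the strongest signal; the basename match is included because the post's URL list shows the same archive names hosted on dozens of unrelated compromised sites, so a new host serving `pack.tar.gz` or `ChromeSetup.exe` deserves a look even when it is not yet on the list.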

References

  • http://blog.cert.societegenerale.com/2015/02/ctb-locker-new-massive-crypto.html
  • http://www.symantec.com/connect/blogs/support-perspective-ctb-locker-and-other-forms-crypto-malware
  • http://www.symantec.com/connect/forums/new-article-ctb-locker-and-other-forms-crypto-malware-0
  • http://www.symantec.com/connect/forums/cbt-locker-ransomeware-ips-signature
  • http://community.norton.com/en/forums/ctb-locker
  • http://isc.sans.edu/diary/DalexisCTB-Locker+malspam+campaign/19641
  • http://malware.dontneedcoffee.com/2014/07/ctb-locker.html
  • https://www.circl.lu/pub/tr-33/
  • http://blogs.it.ox.ac.uk/oxcert/2015/02/06/ctb-locker-ransomware-campaign/
  • http://christophe.rieunier.name/securite/CTB-Locker/CTB-Locker_analysis_en.php