SHA1
- fd131f8d61b57954a5906483baf43c92d76a80e7
- a07a1660ebd71bff4b640665208d2ade51791e69
- d0a05ad76a8eec9a4fce36e9cf5d446d7ddaae3f
- 583bbf424a7114586dd48fe57be999cbd750ba56
A ransomware Trojan for Windows. At least 4 of its modifications employ different encryption procedures, and 4 of its versions implement different schemes of file naming. Presumably, the Trojan is created by the authors of Trojan.Encoder.741 and Trojan.Encoder.2667.
Once encrypted, files are appended with a suffix containing an email address and an extension. The Trojan is known to append files with the following extensions:
- *.xtbl
- *.CrySiS
Cybercriminals leave the following email addresses:
- dalailama2015@protonmail.ch
- Vegclass@aol.com
- a_princ@aol.com
- TREE_OF_LIFE@INDIA.COM
- redshitline@india.com
- milarepa.lotos@aol.com
- Eco_vector@aol.com
- sub_zero12@aol.com
- gerkaman@aol.com
- freetibet@india.com
- cyber_baba2@aol.com
- siddhiup2@india.com
- gruzinrussian@aol.com
- Ecovector3@aol.com
- ramachandra7@india.com
The following 4 schemes are used to name encrypted files:
- *.{email}.ext
- *.ID*.email.xtbl
- *.ID*.{email}.xtbl
- *.id-*.{email}.ext
Version 1
SHA1
- fd131f8d61b57954a5906483baf43c92d76a80e7
Once launched, the Trojan copies itself to the %windir%\system32 directory, saving its original name. If the attempt is unsuccessful, the Trojan locates its copy in the %localappdata% folder. Then, to ensure its autorun, the malware modifies the HKLM\Software\Microsoft\Windows\CurrentVersion\Run system registry branch (if the attempt fails, the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry branch is modified) and registers its copy with the name of the System Service parameter. To control its relaunching, the Trojan uses a mutex with the following name: Global\snc_%virname%.
Internal state of the random number generator is stored in a 32-byte buffer. This buffer is used to obtain MD5. The result is a RC4 key that encrypts the buffer. The obtained 0x20 bytes represent an encryption key.
Encryption is performed in a separate thread, using the AES-CBC-256 algorithms. Names of encrypted files are appended with *.{email}.ext. A 6-byte marker, 16-byte initialization vector, and 1 byte, which indicates the length of alignment, are added to the end of the file. An encrypted key for file decryption is stored in the following 0x80 bytes. All files are encrypted with the same key. Every file has a unique initialization vector.
Files corrupted by this Trojan can be decrypted.
Version 2
SHA1
- a07a1660ebd71bff4b640665208d2ade51791e69
The Trojan is packed. The unpacked sample has SHA1 8d2b415f8da004f5da7ac706d418f25072782abe.
While a key is being generated, the buffer information is modified by means of the XOR function. Intermediate data of previous calls for random value generation is used. A unique key is generated for network resources.
It names encrypted files using the *.ID*.email.xtbl or *.ID*.{email}.xtbl scheme.
Information is encrypted with the AES-CBC-256 algorithms.
The Trojan registers itself under the fixed name while modifying the system registry to enable its autorun.
This version has the following scheme of adding data to the end of the file: first, the file name is saved (in Unicode), then a 6-byte marker goes followed by 20 bytes of unknown purpose and 16 bytes of initialization vector. After that, 4 bytes indicating the length of alignment are saved. Then there are 0x80 bytes that contain an encrypted key for file decryption. The last DWORD parameter writes the length of the original file name in bytes. In total, 178 bytes are added to the end of the file.
Files corrupted by this Trojan can be decrypted.
Version 2.5
SHA1
- d0a05ad76a8eec9a4fce36e9cf5d446d7ddaae3f
The Trojan is packed. The unpacked sample has SHA1 ad68d95b42ef99dab3a87d49aed403a86cd99673.
The operation of random number generator is modified in this version.
The Trojan registers itself in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry branch under a random name.
It names encrypted files using the *.ID*.{email}.xtbl scheme.
The procedure of adding information to the end of a file is the same as for the above-mentioned version.
Files corrupted by this Trojan can be decrypted in some cases.
Version 3
SHA1
- 583bbf424a7114586dd48fe57be999cbd750ba56
It names encrypted files using the *.id-*.{email}.ext scheme.
Information is encrypted with the AES-CBC-256 algorithms. The initialization vector is unique for every file.
Keys generated by this version have become more tamper-proof.
A decryption key together with random bytes is encrypted with RSA-1024 and is saved at the end of the file.