Trojan Encoder undetected by Avast

This is some undetected malware from virussign files.

Virustotal Scan: https://www.virustotal.com/de/file/54efd3706a3e6f29ab51cbcee4d850fb0ab856b6c35a183aff19605e5df5e03e/analysis/

Desktop can be restored by killing the process and resetting the Background.
Malware comes back after restart. Files are sitting in ProgramData folder.

And some more screenshots.

Malwr Analysis: https://malwr.com/analysis/ZTc3MzMwZDRhZjZiNDZhOWFmYmYzYjg0NjU2NzNiNTg/#signature_persistence_ads

PM a sample to me… Would like to see what processes it hijacked in task manager.

Uses uTorrent to spread? HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration\

Encrypts the data.

SRC: C:\cuckoo\additional.gitignore
DST: C:\cuckoo\additional.gitignore.encrypted (successful)
SRC: C:\cuckoo\files.gitignore
DST: C:\cuckoo\files.gitignore.encrypted (successful)
SRC: C:\cuckoo\logs.gitignore
DST: C:\cuckoo\logs.gitignore.encrypted (successful)
SRC: C:\cuckoo\shots.gitignore
DST: C:\cuckoo\shots.gitignore.encrypted (successful)
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven’s Symphony No. 9 (Scherzo).wma
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven’s Symphony No. 9 (Scherzo).wma.encrypted (successful)
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.encrypted (successful)
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst1.wpl
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst1.wpl.encrypted (successful)
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst10.wpl
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst10.wpl.encrypted (successful)
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst11.wpl
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst11.wpl.encrypted (successful)
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst12.wpl
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst12.wpl.encrypted (successful)

(More to be shown)

Adds a “Run” key for the entire computer, not one account.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

MD5 256bb50af06d5d4dc5dba73a5991e410
SHA1 1d81e6fd6d0e4b11d6f0ebf59c595733e4f59a44
SHA256 54efd3706a3e6f29ab51cbcee4d850fb0ab856b6c35a183aff19605e5df5e03e

MBAM Confirmed as CL: Malwarebytes Trojan.CryptoLocker

See also: March 9, 2014, 2:55 p.m., 256bb50af06d5d4dc5dba73a5991e410, at https://malwr.com/analysis


1 week old,

CF, OTL, aswMBR logs attached.

Spywar posted a comment with a link to this topic on Virustotal. :wink:

Looks like CF nailed that malware to the wall.

c:\programdata\oniruwas.exe

Upon running those tools, all Internet connection was disabled. CF managed to track it down and fix it. Avast! doesn’t block the outgoing communication w/ the decryption key!

Was added to the database, or BD (signatures).

avast detects Win32:Trojan-gen

https://www.virustotal.com/de/file/54efd3706a3e6f29ab51cbcee4d850fb0ab856b6c35a183aff19605e5df5e03e/analysis/

Only Avast 8 detects it for some odd reason.

Avast 2014 gives no threat found.

Avast 9 does not contain the full VPS with all detections like v8;
this can be the reason why the sample is not detected by v9.

Hi Steven Winderlich,

Would it be possible for me to get the dropper for this? Can you PM me?

Thanks :slight_smile:

Done. :wink:

Confirmed. v9 Does not detect the Newest CL version. Avast! update the v9 VPS please!

Thank you Steven for the dropper. :slight_smile:

=>> Quick analysis:

Malware creates the HKLM.…\Run key for loading its malware file located here: C:\Windows\elekilus.exe. This is the malware loading point.
To kill this malware, you’ll need to delete the loading point (Run key), the related file and the running module. At that point, the malware is inactive but you still see the active (harmless) leftovers, e.g. the loaded .jpg file on the desktop, various .ini files dropped on the system, etc.

Create File C:\Windows\elekilus.exe
Set Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ikibepdm

Additionally, the malware creates various configuration keys:

Create Key HKEY_CURRENT_USER\Software\Bit Torrent Application
Create Key HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration
Set Value HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration\0*000000 (* = random_number)
- II - x ~3, 4 additional keys

It creates a “PLEASE_READ.inf” file in most (if not all) %path% locations, for example:

17:10:08 Create File C:\Users\Magna\Desktop\E\PLEASE_READ.inf
17:10:08 Create File C:\Program Files\Common Files\VMware\Drivers\pvscsi\PLEASE_READ.inf
17:10:09 Create File C:\Program Files\Java\jre7\bin\server\PLEASE_READ.inf
17:10:11 Create File C:\Program Files\K-Lite Codec Pack x64\Filters\LAV\PLEASE_READ.inf
17:10:12 Create File C:\Program Files\Microsoft Games\Chess\en-US\PLEASE_READ.inf
17:10:16 Create File C:\Program Files (x86)\AIMP3\Modules\PLEASE_READ.inf
17:10:21 Create File C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.146\default_apps\PLEASE_READ.inf
17:10:42 Create File C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\PLEASE_READ.inf
17:10:45 Create File C:\Program Files (x86)\Notepad++\user.manual\sites\all\modules\fancy_login\scripts\PLEASE_READ.inf
17:10:49 Create File C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\ms\PLEASE_READ.inf

…etc

.ini file contents:

Hello,

I am an IT specialist, I research system vulnerabilities and make profit by selling them. I have found one vulnerability in your system and hacked it. I have copied all valuable data from this PC and from your computer network. Then I have encrypted the files and if you are willing to decrypt them you need to buy a decryption key from me. Here is my contact:

e-mail: it-spec@mail.ua

You have 3 days to purchase the decryption key, otherwise some of your sensitive data may be published on the internet and your system will not get decrypted.

Information for IT specialists:

  1. Anti-virus will delete encryption program but will not decrypt the data. Using system restore point will not help you to recover the data.

  2. Data was encrypted with AES (Rijndael) algorithm (256 bit). Encryption key was encrypted with RSA (2048 bit) algorithm. This is extremely secure cryptography technique, around 1000 year time period will be required to break it, so do not try to do it.
    ---- Encrypted Session Key Begin ----
    ---- Encrypted Session Key End ----


It creates files in %temp%:

17:11:27 Create File C:\Users\Magna\AppData\Local\Temp\CabD71D.tmp <-- this is a folder
17:11:27 Create File C:\Users\Magna\AppData\Local\Temp\TarD71E.tmp <-- this is a folder

It creates one htm file:

Create File C:\Users\Magna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GT6LKK4X\gate-uk[1].htm

Other created files:

Create File C:\ProgramData\icodukalemem.jpg <-- this is what you actually see on your desktop

=======================================================

FRST sees the malware and shows the following:

==================== Processes (Whitelisted) =================
() C:\Users\Magna\Desktop\E\virussign.com_256bb50af06d5d4dc5dba73a5991e410.vir\virus.exe.exe

==================== Registry (Whitelisted) ==================
HKLM.…\Run: [ikibepdm] - C:\Windows\elekilus.exe [341504 2014-03-10] ()

==================== Drivers (Whitelisted) ====================
U3 uxroifog; ??\C:\Users\Magna\AppData\Local\Temp\uxroifog.sys

Created Files:

2014-03-10 17:10 - 2014-03-10 17:10 - 00341504 _____ () C:\Windows\elekilus.exe

Modified Files:

2014-03-10 17:11 - 2013-03-30 21:08 - 01134854 ____H () C:\Users\Radna_Stanica\AppData\Local\IconCache.db.encrypted
2014-03-10 17:11 - 2013-03-30 18:42 - 00778714 ____H () C:\Users\User\AppData\Local\IconCache.db.encrypted
2014-03-10 17:11 - 2013-03-30 18:35 - 00057560 _____ () C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT.encrypted
2014-03-10 17:11 - 2013-03-30 18:22 - 00082316 _____ () C:\Users\Magna\Documents\wallpaper-499261.jpg.encrypted
2014-03-10 17:11 - 2013-03-30 18:21 - 00082316 _____ () C:\Users\Administrator\Documents\wallpaper-499261.jpg.encrypted
2014-03-10 17:11 - 2013-03-30 18:18 - 00248259 _____ () C:\Users\Administrator\Documents\tweakslogon.zip.encrypted
2014-03-10 17:11 - 2013-03-30 18:18 - 00170151 _____ () C:\Users\Administrator\Documents\reWalls.com_84.jpg.encrypted
2014-03-10 17:11 - 2013-03-30 18:06 - 00248259 _____ () C:\Users\Magna\Documents\tweakslogon.zip.encrypted
2014-03-10 17:11 - 2013-03-30 15:46 - 00170151 _____ () C:\Users\Magna\Documents\reWalls.com_84.jpg.encrypted
2014-03-10 17:10 - 2013-03-30 18:29 - 01330546 ____H () C:\Users\Administrator\AppData\Local\IconCache.db.encrypted
2014-03-10 17:10 - 2013-03-30 18:18 - 00057560 _____ () C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT.encrypted

// I don’t know why this malware adds the “.encrypted” extension right to these files but it does. My guesses are that these will be locked after 3 days pass

Running Module:

2014-03-10 17:07 - 2014-03-01 05:37 - 00341504 _____ () C:\Users\Magna\Desktop\E\virussign.com_256bb50af06d5d4dc5dba73a5991e410.vir\virus.exe.exe

Cheers ;D
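The indicators listed in this post (the machine-wide Run key pointing at C:\Windows\elekilus.exe, the PLEASE_READ.inf drops, the files renamed with “.encrypted”) are the kind of thing a responder wants pulled out of a monitor log automatically, which also covers the Run-key and Cuckoo SRC/DST listings earlier in the thread. Below is an added example of such a triage parser, written for this page and not the poster's or Avast's tooling. The log lines it runs on are constructed to match the shape of the Procmon/FRST excerpts above; the function names (`triage`, `hive_scope`, `original_extension`) and the hive-scope labels are this example's own.

```python
"""IOC triage over behaviour-log lines shaped like the excerpts in this thread.

Added example (not the poster's tooling, not Avast's): parses constructed
Procmon/FRST-style lines and pulls out what a responder wants first: the
Run-key loading point, the dropped executable, every ransom-note drop
location and the files renamed with ".encrypted".
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

RANSOM_NOTE_NAME = "please_read.inf"   # file name seen in the thread
ENCRYPTED_SUFFIX = ".encrypted"        # suffix seen in the thread

# Constructed sample, modelled on the lines posted above (same indicators).
SAMPLE_LOG = r"""
17:10:05 Create File C:\Windows\elekilus.exe
17:10:05 Set Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ikibepdm
17:10:06 Create Key HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration
17:10:08 Create File C:\Users\Magna\Desktop\E\PLEASE_READ.inf
17:10:09 Create File C:\Program Files\Java\jre7\bin\server\PLEASE_READ.inf
17:10:12 Create File C:\ProgramData\icodukalemem.jpg
HKLM\...\Run: [ikibepdm] - C:\Windows\elekilus.exe [341504 2014-03-10] ()
2014-03-10 17:11 - 2013-03-30 18:22 - 00082316 _____ () C:\Users\Magna\Documents\wallpaper-499261.jpg.encrypted
2014-03-10 17:11 - 2013-03-30 18:18 - 00248259 _____ () C:\Users\Administrator\Documents\tweakslogon.zip.encrypted
2014-03-10 17:11 - 2013-03-30 21:08 - 01134854 ____H () C:\Users\Radna_Stanica\AppData\Local\IconCache.db.encrypted
"""

RE_SET_RUN = re.compile(r"Set Value (?P<key>HK\S*\\CurrentVersion\\Run\\(?P<name>\S+))")
RE_FRST_RUN = re.compile(r"Run: \[(?P<name>[^\]]+)\] - (?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]")
RE_CREATE_KEY = re.compile(r"Create Key (?P<key>HK.+?)\s*$")
RE_CREATE_FILE = re.compile(r"Create File (?P<path>[A-Za-z]:\\.+?)\s*$")
RE_FRST_FILE = re.compile(r"\(\) (?P<path>[A-Za-z]:\\.+?)\s*$")


def hive_scope(key):
    """'machine-wide' for HKLM (every account loads the malware), 'per-user' for HKCU."""
    head = key.split("\\", 1)[0].upper()
    if head in ("HKEY_LOCAL_MACHINE", "HKLM"):
        return "machine-wide"
    if head in ("HKEY_CURRENT_USER", "HKCU"):
        return "per-user"
    return "unknown"


def original_extension(path):
    """Extension of the victim file before '.encrypted' was appended, or None."""
    name = PureWindowsPath(path).name
    if not name.lower().endswith(ENCRYPTED_SUFFIX):
        return None
    original = name[: -len(ENCRYPTED_SUFFIX)]
    return PureWindowsPath(original).suffix.lower() or "(none)"


def triage(log_text):
    """Group the log into persistence, config keys, ransom notes, encrypted and other files."""
    result = {"persistence": {}, "config_keys": [], "ransom_notes": [], "encrypted": [], "created": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_SET_RUN.search(line)
        if m:  # Procmon-style registry write into a Run key
            result["persistence"].setdefault(
                m["name"], {"key": m["key"], "scope": hive_scope(m["key"]), "target": None})
            continue
        m = RE_FRST_RUN.search(line)
        if m:  # FRST-style Run entry carries the target path and its size
            entry = result["persistence"].setdefault(
                m["name"], {"key": None, "scope": hive_scope(line), "target": None})
            entry["target"], entry["size"] = m["path"], int(m["size"])
            continue
        m = RE_CREATE_KEY.search(line)
        if m:
            result["config_keys"].append(m["key"])
            continue
        m = RE_CREATE_FILE.search(line) or RE_FRST_FILE.search(line)
        if m:
            path = m["path"]
            name = PureWindowsPath(path).name.lower()
            if name == RANSOM_NOTE_NAME:
                result["ransom_notes"].append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                result["encrypted"].append(path)
            else:
                result["created"].append(path)
    result["encrypted_by_ext"] = Counter(original_extension(p) for p in result["encrypted"])
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for value, info in r["persistence"].items():
        print(f"Run value {value!r} ({info['scope']}) -> {info['target']}")
    print(f"{len(r['ransom_notes'])} ransom-note drops, {len(r['encrypted'])} encrypted files:",
          dict(r["encrypted_by_ext"]))
```

Feed it the real Procmon or FRST export instead of `SAMPLE_LOG` and the `persistence` dictionary is the list of loading points to delete, `encrypted` the list of victims, and `encrypted_by_ext` a quick read on which file types the sample targets.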

Hi Magna,

it appears the dropper creates randomly named files, as yours, Steven’s and mine all have different file names. What I find interesting is the file extension for that text file. Why is it .ini and not .txt? Or is that just reloading the malware into memory?

Hello, is it possible to have 2 non-encrypted files and their respective encrypted files? I’d like to look at the offsets of the files to see if I can find something.

I can send you a download link to the sample.

It’s not the encoder that interests me.

Sorry,

just want to make sure I understand. You want 2 unencrypted files, and then the exact same files encrypted? If so, I can arrange that when I get home. Any given file types? .exe, .avi, .txt, .doc(x), .ppt(x)?