SHA1:
- fbbf8e3877a1bb826be623908fc93e570967b666
A malicious program belonging to the family of Trojans that encrypt files on infected computers and demand a ransom from users to decrypt the compromised data. Written in Delphi.
Once launched, it checks for the presence of a running VBoxService.exe process and, if one is detected, the Trojan goes into an infinite pause. When launched with the command line parameter -d,
HKCU\Software\mscloq
Then, with the help of a local proxy server, the Trojan attempts to connect to its command and control onion server located in the Tor network. Encryption is performed only if this connection succeeds.
Once launched, the Trojan checks whether it is running from a file named mtrea.exe; if it is not, it creates a file with that name in the %APPDATA% folder. If the condition is satisfied, the Trojan checks for the presence of a process with that name and shuts down if one is detected.
It registers its executable file in the following system registry branch:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Files on the infected computer are encrypted using the DCPCrypt library and the AES algorithm in CBC mode with a 256-bit key. The encoder appends the .crptxxx extension to encrypted files and saves a text file to disk. The file is named HOW_TO_DECRYPT.txt and has the following content:
Warning!!!
All your files are encrypted with AESalgorithm!
For decrypt use this instructions:
Download tor browser
Run tor and go to: http://vejtqvliimdv66dh.onion
Or you can use tor2web services
http://vejtqvliimdv66dh.onion.to
in log panel enter your id (CRPTksrjghkrkwkrjthkewVM)
follow next instructions
if server is down, try connect later
locker version 3.0.0
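Added host-triage example (not the vendor's or the Trojan's code) that checks a file listing and a set of registry entries for the artifacts named in this description: the .crptxxx extension, the HOW_TO_DECRYPT.txt note, a Run entry launching mtrea.exe and the HKCU\Software\mscloq key. The paths and registry entries are constructed samples; on a live Windows host the same functions would be fed os.walk() output and winreg reads.

```python
import os

# Indicators taken from the description above
RANSOM_NOTE = "how_to_decrypt.txt"
ENCRYPTED_EXT = ".crptxxx"
PERSIST_EXE = "mtrea.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKCU\Software\mscloq"

def check_files(paths):
    """Return (kind, path) findings for encrypted files and ransom notes."""
    findings = []
    for path in paths:
        name = os.path.basename(path.replace("\\", "/")).lower()
        if name == RANSOM_NOTE:
            findings.append(("ransom_note", path))
        elif name.endswith(ENCRYPTED_EXT):
            findings.append(("encrypted_file", path))
    return findings

def check_registry(entries):
    """entries: (key_path, value_name, value_data) tuples, e.g. read via winreg.
    Flags the mscloq marker key and any Run value that launches mtrea.exe."""
    findings = []
    for key, value_name, data in entries:
        if key.lower() == MARKER_KEY.lower():
            findings.append(("marker_key", key))
        elif key.lower() == RUN_KEY.lower() and PERSIST_EXE in data.lower():
            findings.append(("run_persistence", f"{value_name} -> {data}"))
    return findings

def triage(paths, entries):
    """Encryption artifacts together with a persistence or marker-key hit is a
    strong signal; either class alone is reported as suspicious."""
    findings = check_files(paths) + check_registry(entries)
    kinds = {kind for kind, _ in findings}
    artifacts = bool(kinds & {"encrypted_file", "ransom_note"})
    foothold = bool(kinds & {"run_persistence", "marker_key"})
    if artifacts and foothold:
        return "likely_infected", findings
    return ("suspicious" if findings else "clean"), findings

# Constructed sample input standing in for os.walk() and registry output
SAMPLE_FILES = [r"C:\Users\alice\Documents\report.docx.crptxxx",
                r"C:\Users\alice\Documents\HOW_TO_DECRYPT.txt",
                r"C:\Users\alice\Documents\notes.txt"]
SAMPLE_REG = [(RUN_KEY, "mtrea", r"C:\Users\alice\AppData\Roaming\mtrea.exe"),
              (RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\OneDrive.exe"),
              (MARKER_KEY, "", "")]
```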
Decryption of files encrypted with this Trojan is possible.