- 1125617489218734be30513fc5d822cfe0f865cf – version 1.000, packed
- 89091aa0258c7e535b6edf348370f66049e84201– version 1.000, unpacked
- 82d9018f15c1940970ebbae75bea5f403f81300e – version 1.001, packed
- e3af0112019792f98c803ea1e7684ce2fa365dd5 – version 1.001, unpacked
- 45d699855bea5d7b02c3de5a7fb95a939a52dd0e – version 2.000, packed
- df665809dae34d432ef43af7fad19a83463b3853 – version 2.000, unpacked
- 8f76eb19362a423dde272e7fffdc35cb45cd0401 – version 2.005, packed
- 5251e88ecf8c6d1ea228ff381af83ec4df41f1aa – version 2.005, unpacked
- d7ee6eb9d5390b9afbfc50f958dd95f7bb122c1a – version 2.006, packed
- e4d14bed6861f304127316aa1035c5207553c14f – version 2.006, unpacked
- a1a0ba3b038113bb9a2c711cdbfb53bc34b519cf – version 2.007, packed
- 4618eeb1be392b844183a85e6d000721cd364d49– version 2.007, unpacked
- 04f6f74443e44c32048b3b1522748a5f981ac7ed – version 3.000, unpacked
- 4205daa502d8e73af4ee14e838513131c1e3de2d – version 3.000, unpacked
- 1a3532f0bcda543085da49c74c5db4d56532dc67– version 3.002, packed
- bce18acb9b06f4f676cbdf6445aee1cb5325c3de - version 3.002, unpacked
- a3097c3685bc0ab9e07774072d0ae3474a897dcb - version 3.100, packed
- b4c459e986a099d691f970228ddbe2cba13e6cbb - version 3.100, unpacked
A ransomware Trojan for Windows, also known as CryptXXX. It is written in Delphi. Encrypted files are appended with the *.crypt extension (this extension was replaced with *.cryp1 in version 3.100), and files containing cybercriminals' demands are named as de_crypt_readme.txt, de_crypt_readme.html, and de_crypt_readme.png. The Trojan connects to the C&C server using port 443 via HTTPS. However, Trojan.Encoder.4393 uses its own protocol. It also has several modifications. Files encrypted with some of them can be decrypted.
The Trojan consists of a dynamic library with several exports. Once the library is loaded, the DllMain function is called. It unpacks the payload that is also in the form of dynamic library. Then the program checks which process run the Trojan. If the name of the process is not Rundll32, the Trojan launches itself via Rundll32 and names the procedure as Working. If the name of the process is Rundll32, it reloads the library with the input point in AccessToken. To control its relaunching, the Trojan uses a special file created in the %CommonAppData% directory.
Trojans of versions 1.000, 1.001, and 2.000 encrypt files with RC4. The Trojan receives the key from the server. Other versions use a combination of the RC4 and RSA algorithms. To get a unique identifier of the computer, the malicious program retrieves values of the following system registry branches:
[HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\Identifier] [HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString] [HARDWARE\\DESCRIPTION\\System\\BIOS\\BIOSVendor] [HARDWARE\\DESCRIPTION\\System\\Identifier]
The obtained data is combined with the hard drive serial number and is encrypted with MD5.
The Trojan of version 2.006 differs from its counterparts. For instance, it terminates itself if it detects such processes as AVP.EXE or EGUI.EXE. If the Trojan is not launched with the svchost.exe process, it copies the rundll32.exe file to its folder under the name of svchost.exe and launches this copy. Then the original file is closed. If the Trojan is launched from the svchost.exe process, it scans the system for the reinfection checking for the presence of the %CommonAppData%\Z file. If the file is detected, the Trojan stops its own operation; if not, the Trojan creates this file. Also this version has a different algorithm of computer ID generation.