Author Topic: Trojan Encoder undetected by Avast  (Read 10048 times)


Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Trojan Encoder undetected by Avast
« on: March 09, 2014, 08:33:53 PM »
This is some undetected malware from virussign files.

Virustotal Scan: https://www.virustotal.com/de/file/54efd3706a3e6f29ab51cbcee4d850fb0ab856b6c35a183aff19605e5df5e03e/analysis/

Desktop can be restored by killing the process and resetting the Background.
Malware comes back after restart. Files are sitting in ProgramData folder.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Trojan Encoder undetected by Avast
« Reply #1 on: March 09, 2014, 08:35:22 PM »
And some more screenshots.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Trojan Encoder undetected by Avast
« Reply #3 on: March 09, 2014, 09:21:53 PM »
PM a sample to me... Would like to see what processes it hijacked in Task Manager.

Uses uTorrent to spread? HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration\

Encrypts the data.

SRC: C:\cuckoo\additional\.gitignore
DST: C:\cuckoo\additional\.gitignore.encrypted (successful)
SRC: C:\cuckoo\files\.gitignore
DST: C:\cuckoo\files\.gitignore.encrypted (successful)
SRC: C:\cuckoo\logs\.gitignore
DST: C:\cuckoo\logs\.gitignore.encrypted (successful)
SRC: C:\cuckoo\shots\.gitignore
DST: C:\cuckoo\shots\.gitignore.encrypted (successful)
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.encrypted (successful)
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.encrypted (successful)
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst1.wpl
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst1.wpl.encrypted (successful)
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst10.wpl
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst10.wpl.encrypted (successful)
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst11.wpl
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst11.wpl.encrypted (successful)
SRC: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst12.wpl
DST: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000511FF\Plylst12.wpl.encrypted (successful)

(More to be shown)

Adds a "Run" Key on the entire computer. Not 1 account.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

MD5 256bb50af06d5d4dc5dba73a5991e410
SHA1 1d81e6fd6d0e4b11d6f0ebf59c595733e4f59a44
SHA256 54efd3706a3e6f29ab51cbcee4d850fb0ab856b6c35a183aff19605e5df5e03e

MBAM confirmed as CL: Malwarebytes Trojan.CryptoLocker
« Last Edit: March 09, 2014, 09:29:12 PM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: Trojan Encoder undetected by Avast
« Reply #4 on: March 10, 2014, 12:03:58 AM »
See also: March 9, 2014, 2:55 p.m., 256bb50af06d5d4dc5dba73a5991e410, at https://malwr.com/analysis

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Trojan Encoder undetected by Avast
« Reply #5 on: March 10, 2014, 01:46:42 AM »
1 week old,

CF, OTL, aswMBR logs attached.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Trojan Encoder undetected by Avast
« Reply #6 on: March 10, 2014, 01:57:21 AM »
Spywar posted a comment with a link to this topic on Virustotal. ;)

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Trojan Encoder undetected by Avast
« Reply #7 on: March 10, 2014, 02:34:35 PM »
Looks like CF nailed that malware to the wall.

c:\programdata\oniruwas.exe

Upon running those tools, all Internet connection was disabled. CF managed to track it down and fix it. Avast! doesn't block the outgoing communication w/ the decryption key!

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6674
  • volunteer
Re: Trojan Encoder undetected by Avast
« Reply #8 on: March 10, 2014, 03:01:16 PM »
Quote
This is some undetected malware from virussign files.

Desktop can be restored by killing the process and resetting the Background.
Malware comes back after restart. Files are sitting in ProgramData folder.

It was added to the database, or BD (signatures).

Avast detects Win32:Trojan-gen

https://www.virustotal.com/de/file/54efd3706a3e6f29ab51cbcee4d850fb0ab856b6c35a183aff19605e5df5e03e/analysis/

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Trojan Encoder undetected by Avast
« Reply #9 on: March 10, 2014, 03:12:24 PM »
Only Avast 8 detects it for some odd reason.

Avast 2014 gives no threat found.

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6674
  • volunteer
Re: Trojan Encoder undetected by Avast
« Reply #10 on: March 10, 2014, 03:29:05 PM »
Quote
Only Avast 8 detects it for some odd reason.
Avast 2014 gives no threat found.

Avast 9 does not contain the full VPS with all detections like v8;
this can be the reason why the sample is not detected by v9.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Trojan Encoder undetected by Avast
« Reply #11 on: March 10, 2014, 04:19:05 PM »
Hi Steven Winderlich,

Would it be possible for me to get the dropper for this? Can you PM me?

Thanks  :)

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Trojan Encoder undetected by Avast
« Reply #12 on: March 10, 2014, 04:22:44 PM »
Done. ;)

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Trojan Encoder undetected by Avast
« Reply #13 on: March 10, 2014, 04:41:59 PM »
Confirmed. v9 Does not detect the Newest CL version. Avast! update the v9 VPS please!

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Trojan Encoder undetected by Avast
« Reply #14 on: March 10, 2014, 05:52:24 PM »
Thank you Steven for the dropper.  :)

=>> Quick analysis:

Malware creates the HKLM\...\Run key for loading its malware file, located here: C:\Windows\elekilus.exe. This is the malware loading point.
To kill this malware, you'll need to delete the loading point (Run key), the related file and the running module. At that point the malware is inactive, but you still see the active (harmless) leftovers, e.g. the loaded .jpg file on the desktop, various .ini files dropped on the system, etc.

Quote
Create File        C:\Windows\elekilus.exe
Set Value       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ikibepdm

Additionally, malware creates various configuration keys:

Quote
Create Key   HKEY_CURRENT_USER\Software\Bit Torrent Application
Create Key   HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration
Set Value   HKEY_CURRENT_USER\Software\Bit Torrent Application\Configuration\0*000000   (* = random_number)
            (ditto: ~3 or 4 additional keys of the same form)

It creates a "PLEASE_READ.inf" file in most (if not all) %path%, for example:

Quote
17:10:08   Create File   C:\Users\Magna\Desktop\E\PLEASE_READ.inf
17:10:08   Create File   C:\Program Files\Common Files\VMware\Drivers\pvscsi\PLEASE_READ.inf
17:10:09   Create File   C:\Program Files\Java\jre7\bin\server\PLEASE_READ.inf
17:10:11   Create File   C:\Program Files\K-Lite Codec Pack x64\Filters\LAV\PLEASE_READ.inf
17:10:12   Create File   C:\Program Files\Microsoft Games\Chess\en-US\PLEASE_READ.inf
17:10:16   Create File   C:\Program Files (x86)\AIMP3\Modules\PLEASE_READ.inf
17:10:21   Create File   C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.146\default_apps\PLEASE_READ.inf
17:10:42   Create File   C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\PLEASE_READ.inf
17:10:45   Create File   C:\Program Files (x86)\Notepad++\user.manual\sites\all\modules\fancy_login\scripts\PLEASE_READ.inf
17:10:49   Create File   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\ms\PLEASE_READ.inf

...etc

.ini file contents:
------------------------------------------------------------------
Quote
Hello,

I am an IT specialist, I research system vulnerabilities and make profit by selling them. I have found one vulnerability in your system and hacked it. I have copied all valuable data from this PC and from your computer network. Then I have encrypted the files and if you are willing to decrypt them you need to buy a decryption key from me. Here is my contact:

e-mail: it-spec@mail.ua

You have 3 days to purchase the decryption key, otherwise some of your sensitive data may be published on the internet and your system will not get decrypted.

Information for IT specialists:

1. Anti-virus will delete encryption program but will not decrypt the data. Using system restore point will not help you to recover the data.

2. Data was encrypted with AES (Rijndael) algorithm (256 bit). Encryption key was encrypted with RSA (2048 bit) algorithm. This is extremely secure cryptography technique, around 1000 year time period will be required to break it, so do not try to do it.
---- Encrypted Session Key Begin ----
---- Encrypted Session Key End ----
--------------------------------------------------------------------

It creates files in %temp%:
Quote
17:11:27   Create File   C:\Users\Magna\AppData\Local\Temp\CabD71D.tmp   <-- this is a folder
17:11:27   Create File   C:\Users\Magna\AppData\Local\Temp\TarD71E.tmp   <-- this is a folder



It creates one htm file:
Quote
Create File        C:\Users\Magna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GT6LKK4X\gate-uk[1].htm

Other created files:
Quote
Create File          C:\ProgramData\icodukalemem.jpg   <-- this is what you actually see on your desktop

=======================================================

FRST sees the malware and shows the following:

Quote
==================== Processes (Whitelisted) =================
() C:\Users\Magna\Desktop\E\virussign.com_256bb50af06d5d4dc5dba73a5991e410.vir\virus.exe.exe

==================== Registry (Whitelisted) ==================
HKLM\...\Run: [ikibepdm] - C:\Windows\elekilus.exe [341504 2014-03-10] ()

==================== Drivers (Whitelisted) ====================
U3 uxroifog; \??\C:\Users\Magna\AppData\Local\Temp\uxroifog.sys [X]



Created Files:
Quote
2014-03-10 17:10 - 2014-03-10 17:10 - 00341504 _____ () C:\Windows\elekilus.exe


Modified Files:
Quote
2014-03-10 17:11 - 2013-03-30 21:08 - 01134854 ____H () C:\Users\Radna_Stanica\AppData\Local\IconCache.db.encrypted
2014-03-10 17:11 - 2013-03-30 18:42 - 00778714 ____H () C:\Users\User\AppData\Local\IconCache.db.encrypted
2014-03-10 17:11 - 2013-03-30 18:35 - 00057560 _____ () C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT.encrypted
2014-03-10 17:11 - 2013-03-30 18:22 - 00082316 _____ () C:\Users\Magna\Documents\wallpaper-499261.jpg.encrypted
2014-03-10 17:11 - 2013-03-30 18:21 - 00082316 _____ () C:\Users\Administrator\Documents\wallpaper-499261.jpg.encrypted
2014-03-10 17:11 - 2013-03-30 18:18 - 00248259 _____ () C:\Users\Administrator\Documents\tweakslogon.zip.encrypted
2014-03-10 17:11 - 2013-03-30 18:18 - 00170151 _____ () C:\Users\Administrator\Documents\reWalls.com_84.jpg.encrypted
2014-03-10 17:11 - 2013-03-30 18:06 - 00248259 _____ () C:\Users\Magna\Documents\tweakslogon.zip.encrypted
2014-03-10 17:11 - 2013-03-30 15:46 - 00170151 _____ () C:\Users\Magna\Documents\reWalls.com_84.jpg.encrypted
2014-03-10 17:10 - 2013-03-30 18:29 - 01330546 ____H () C:\Users\Administrator\AppData\Local\IconCache.db.encrypted
2014-03-10 17:10 - 2013-03-30 18:18 - 00057560 _____ () C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT.encrypted

// I don't know why this malware adds the ".encrypted" extension right to these files, but it does. My guess is that these will be locked after the 3 days pass.

Running Module:
Quote
2014-03-10 17:07 - 2014-03-01 05:37 - 00341504 _____ () C:\Users\Magna\Desktop\E\virussign.com_256bb50af06d5d4dc5dba73a5991e410.vir\virus.exe.exe





Cheers  ;D
« Last Edit: March 10, 2014, 05:56:17 PM by magna86 »
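A small triage helper, added here as an example (it is not code from this thread or from FRST), that parses FRST-style log lines like those quoted in the analysis above: it pulls out Run-key loading points whose signer field is empty "()", checks whether the target is a freshly created unsigned file of the matching size (as the [ikibepdm] / elekilus.exe pair is), and counts .encrypted files per user profile and PLEASE_READ.inf notes. The sample log below is constructed to mirror the post, not copied from it.

```python
import re
from collections import Counter

# Constructed sample modelled on the FRST excerpt in the post above; not the real log.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [ikibepdm] - C:\Windows\elekilus.exe [341504 2014-03-10] ()
HKLM\...\Run: [Tray] - C:\Program Files\Vendor\tray.exe [20480 2013-05-01] (Vendor Inc)
==================== One Month Modified Files ===================
2014-03-10 17:11 - 2013-03-30 21:08 - 01134854 ____H () C:\Users\Radna_Stanica\AppData\Local\IconCache.db.encrypted
2014-03-10 17:11 - 2013-03-30 18:22 - 00082316 _____ () C:\Users\Magna\Documents\wallpaper-499261.jpg.encrypted
2014-03-10 17:10 - 2014-03-10 17:10 - 00341504 _____ () C:\Windows\elekilus.exe
2014-03-10 17:10 - 2014-03-10 17:10 - 00000912 _____ () C:\Users\Magna\Desktop\PLEASE_READ.inf
2014-03-09 10:00 - 2014-03-09 10:00 - 00000824 _____ (Vendor Inc) C:\Program Files\Vendor\tray.exe
"""
# FRST Run-key line: HKLM\...\Run: [value name] - path [size date] (signer)
RUN_RE = re.compile(r"^HKLM\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] - (?P<path>.+?) "
                    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)$")
# FRST file line: modified - created - size attributes (signer) path
FILE_RE = re.compile(r"^(?P<mtime>\S+ \S+) - (?P<ctime>\S+ \S+) - (?P<size>\d{8}) "
                     r"(?P<attr>[_A-Z]{5}) \((?P<signer>[^)]*)\) (?P<path>.+)$")
USER_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)

def unsigned_loading_points(log):
    """Run-key entries with an empty signer field '()', like the post's [ikibepdm] line."""
    hits = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m and not m["signer"]:
            hits.append((m["name"], m["path"], int(m["size"])))
    return hits

def file_entries(log):
    return [m.groupdict() for m in map(FILE_RE.match, map(str.strip, log.splitlines())) if m]

def triage(log, ext=".encrypted", note="PLEASE_READ.inf"):
    """Correlate loading points with dropped binaries and summarise the encryption impact."""
    files = file_entries(log)
    by_path = {f["path"].lower(): f for f in files}
    points = []
    for name, path, size in unsigned_loading_points(log):
        dropped = by_path.get(path.lower())
        # Run-key target that is also a brand-new file of the same size: the dropper's payload.
        fresh = bool(dropped) and int(dropped["size"]) == size and dropped["mtime"] == dropped["ctime"]
        points.append({"name": name, "path": path, "fresh_drop": fresh})
    encrypted = [f["path"] for f in files if f["path"].lower().endswith(ext)]
    users = Counter(m.group(1) for m in map(USER_RE.match, encrypted) if m)
    notes = [f["path"] for f in files if f["path"].lower().endswith(note.lower())]
    return {"loading_points": points, "encrypted": len(encrypted),
            "users_hit": dict(users), "ransom_notes": notes}
```

Run triage() over a real FRST Addition/FRST.txt export the same way; the per-user count tells you which profiles the encryption pass reached before the process was killed.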