We have seen various mutations of the well-known “police ransomware” Trojan throughout the year. Despite the threatening and convincing message it carries, most people probably choose to avoid the “fine” by simply removing the malware. Well, the following ransomware is a little bit different.

After the sample is executed and the initial emulator and virtual machine detections are passed, the process spawns either ctfmon.exe or svchost.exe (randomly chosen) and injects its own code into it. This injected system process then executes the copy of the sample from the %TEMP% folder, which creates another ctfmon.exe or svchost.exe child process with injected code and finally starts some interesting actions.

Figure: Virtual machine detections

So, what does this malware actually do besides displaying quite common ransom messages? Well, to prevent manual removal, this sample also encrypts many of your files, making them practically unusable. So far we’ve seen documents, images and even executable files affected by the encryption. Windows system files are excluded from this encryption process, so your system won’t stop working, but many third-party programs will, not to mention the loss of your personal data.

Here is a quick overview of the encryption process:

1) First of all, a unique computer ID is generated (based on computer name, etc.).

2) This computer ID is then used together with the fixed string “QQasd123zxc” to generate an encryption key (key1). Crypto API functions such as advapi32!CryptHashData and advapi32!CryptDeriveKey are used in this process. This way, exactly the same key is produced each time the same string is used for generation, so even the attacker can generate the same key.

3) The sample sends requests together with your computer ID to its C&C server and receives further commands. All extra data from this communication is encrypted on the server using the key1 generated in step 2 (as the attacker has received your computer ID and could recreate the same key as on your computer) and decrypted by the Trojan on your station.

Figure: Example of Trojan => C&C server communication and its available commands

4) Then a new unique encryption key (key2) is generated using advapi32!CryptGenKey. This function generates a random key every time it is used and, unlike the previous one (from step 2), the same key cannot be recreated. The RSA2 blob is then exported from this key, encrypted by key1, Base64-encoded and sent to the C&C server, again together with your computer ID, to pair it in the attacker’s database.

5) Finally, the list of files to be encrypted is generated and these files are encrypted by the advapi32!CryptEncrypt function using key2 from the previous step. A ransom note is also displayed and the screen is locked.

Figure: Locked screen

After this step, only the attacker has key2, which is necessary for file recovery, unless it was dumped from process memory or captured when it was sent to the C&C server (step 4).

Figure: TXT file before and after encryption. All encrypted files contain this “CR_M0x04” signature.
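
The signature gives responders a simple way to inventory which files on a disk were touched. The following triage scanner is an added example, not code from the original analysis; it assumes the marker is stored as plain ASCII bytes and, because the article does not state its offset, searches the whole file. The function names `contains_marker` and `scan_tree` are hypothetical.

```python
import os
import sys

MARKER = b"CR_M0x04"      # signature string quoted in the article (assumed ASCII)
CHUNK_SIZE = 1 << 20      # read 1 MiB at a time so large files are not loaded whole


def contains_marker(path, marker=MARKER, chunk_size=CHUNK_SIZE):
    """Return True if `marker` occurs anywhere in the file at `path`."""
    keep = len(marker) - 1            # bytes to carry over between reads
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                return False
            window = tail + block
            if marker in window:
                return True
            # Keep the last len(marker)-1 bytes so a marker split across
            # read boundaries is still found on the next iteration.
            tail = window[-keep:] if keep else b""


def scan_tree(root):
    """Walk `root`; return (sorted paths containing the marker, unreadable files)."""
    hits, errors = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if contains_marker(path):
                    hits.append(path)
            except OSError as exc:    # locked or permission-denied files
                errors.append((path, str(exc)))
    return sorted(hits), errors


if __name__ == "__main__":
    found, failed = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in found:
        print("MARKED  ", path)
    for path, reason in failed:
        print("SKIPPED ", path, reason)
```

Run it against a mounted copy or forensic image of the disk rather than the live system, and treat hits as candidates for review, since an unrelated file could contain the same eight bytes.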

 

This particular malware also disables regedit, Task Manager and msconfig to make the life of the victim even harder. However, encrypted personal data that you simply cannot use is definitely the bigger problem here.

MD5 of this sample is: 51B046256DB58B603A27EBA8DEE05479

AVG detects this file as Trojan horse Generic31.LBT

Tomas Prochazka & Michal Cebak