General

  • Target

    ab337d28b494a966f107fc428d71f78b

  • Size

    1.8MB

  • Sample

    240228-g1jpzadb31

  • MD5

    ab337d28b494a966f107fc428d71f78b

  • SHA1

    5c77dc1f673fbfb9d45de2a63aa16616f80b7a12

  • SHA256

    647f46899b472f8a3ce181bd07ab2219a56e965bf4e24a0b489edb2bc5c8aa8d

  • SHA512

    98ea77a94465780030eb05189ff9061790e438732b2b1245559c5ea0ad1c91f5c1458cf14d50f05c6ef4e97f3e1ab0a6c73109980644cd7ea9ae9a1555eec71a

  • SSDEEP

    6144:Hrn8am/jie/+9h4/cdIG4Uues+f5PfZlfTBoIbY5RUvNjC4LBtJrJyCjSJlIyfh+:Hr

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\how_to_decrypt.hta

Ransom Note
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var ud=0; var op=0xc7bf30; var zoc=0; function document.onkeydown() { var alt=window.event.altKey; if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) { event.keyCode=0; event.cancelBubble=true; return false; } } function document.onblur() { alert('Attention! This important information for you!'); } function ChangeTime() { var sd = new Date('March 1 2024 06:16:24'); var dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('pwr'); dt.innerHTML='<font color="red" size="5"><b>Price is raised!</b></font>'; dt.style.height=78; zoc=1; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('dt'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } var sd = new Date('March 2 2024 06:16:24'); dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('lctw'); dt.innerHTML='<font color="red" size="5"><b>Last chance to decrypt your files!</b></font>'; zoc=2; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var 
ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('et'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { document.getElementById("blumid").focus(); var bid=document.getElementById('blumid'); var bem=document.getElementById('blummail'); if (ud==0) { op=op-0x10; } else { op=op+0x10; } if (op<=0xc00000) { ud=1; } if (op>=0xc7bf30) { ud=0; } bid.style.backgroundColor=op; bem.style.backgroundColor=op; var xx=''; var i=0; while (i<19) { xx=xx+getRandomArbitrary(0,2); i=i+1; } if (zoc==0) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="white" size="5"><b>'+xx+'</b></font>'; } else { if (zoc==1) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="5"><b>Price is raised!</b></font>'; } else { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="4"><b>Price is raised!<br>Last chance to decrypt your files!</b></font>'; } } } function Start() { window.resizeTo(800,500) setInterval(ChangeTime,1000); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } function Restart() { alert('Attention! 
This important information for you!'); } </script> <body style="background-color:#0066CC;" OnLoad="Start()"> <div id="pwr" align="center" style="position:absolute; top:10px; left:10px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Payment will be raised after</b></font> <br> <div id="dt"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div align="center" style="position:absolute; top:10px; left:170px; width:58%;"> <font face="monospace" color="white" size="4"><b>Your files have been encrypted...</b></font> </div> <div align="center" style="position:absolute; top:60px; left:170px; width:58%;"> <div id="rc"> <font face="monospace" color="white" size="5"><b>00000000000000000000</b></font> </div> </div> <div id="lctw" align="center" style="position:absolute; top:10px; left:620px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Your files will be lost after</b></font> <br> <div id="et"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div style="background-color:white;overflow-x:hide; overflow-y:scroll; position:absolute; top:100px; left:10px; width:768px; height:320px"> <b>What happened?</b><br> All your documents, databases, backups and other important files have been encrypted due to a security problem with your PC. The only way to recover files is to purchase a unique private decryption key. If you want to recover files, write to us by e-mail: <b>fairexchange@qq.com</b> with the following details: <ul> <li>External IP</li> <li>You unique ID <font face="monospace" OnClick="copytext('[5FEF09AB-E822B099]')"><b>[5FEF09AB-E822B099] <font size="2">[copy]</font></b></font></li> </ul> The price depends on how fast you write to us, on timers you can see how many time do you have before price increasing. After payment we will send you the tool that will decrypt all your files. 
In case of no answer in 24 hours write us to this e-mail: <font face="monospace" OnClick="copytext('fairexchange@qq.com')"><b>fairexchange@qq.com <font size="2">[copy]</font></b></font><br> <br> <b>Any guarantees?</b><br> Before paying you can send us up to 3 files for free decryption. The total size of files must be less than <i><u>5Mb</u></i> (<i><u>non archived</u></i>), and files should not contain valuable information. (<u><i>databases, backups, large excel sheets, etc.</i></u>)<br> <br> <b><font color="red">Attention!</font></b><br> <ul> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. </li> <li>Use trusted email clients (gmail.com, protonmail.com, aol.com, etc.) for communication; sometimes your letters do not reach us from corporate letters. </li> <li>Communication with us lasts 2-4 weeks, then we block mail for communication </li> </ul> </div> <div title="Click to copy" OnClick="copytext('[5FEF09AB-E822B099]')" id="blumid" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:10px; width:380px; height:20px"> <b>Your ID [5FEF09AB-E822B099] <font size="2">[copy]</font></b> </div> <div title="Click to copy" OnClick="copytext('fairexchange@qq.com')" id="blummail" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:400px; width:380px; height:20px"> <b>Write to fairexchange@qq.com <font size="2">[copy]</font></b> </div> </body> </html>
Emails

fairexchange@qq.com

Targets

    • Target

      ab337d28b494a966f107fc428d71f78b

    • Size

      1.8MB

    • MD5

      ab337d28b494a966f107fc428d71f78b

    • SHA1

      5c77dc1f673fbfb9d45de2a63aa16616f80b7a12

    • SHA256

      647f46899b472f8a3ce181bd07ab2219a56e965bf4e24a0b489edb2bc5c8aa8d

    • SHA512

      98ea77a94465780030eb05189ff9061790e438732b2b1245559c5ea0ad1c91f5c1458cf14d50f05c6ef4e97f3e1ab0a6c73109980644cd7ea9ae9a1555eec71a

    • SSDEEP

      6144:Hrn8am/jie/+9h4/cdIG4Uues+f5PfZlfTBoIbY5RUvNjC4LBtJrJyCjSJlIyfh+:Hr

    • Crylock

      Ransomware family, which is a new variant of Cryakl ransomware.

    • Renames multiple (619) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (2)

Credential Access

  • T1552 Unsecured Credentials (1)
  • T1552.001 Credentials In Files (1)

Discovery

  • T1012 Query Registry (2)
  • T1082 System Information Discovery (3)
  • T1120 Peripheral Device Discovery (1)

Collection

  • T1005 Data from Local System (1)
