TROJ_CRILOCK.SER

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to a website to send and receive information. However, as of this writing, the said sites are inaccessible.

File Size: 762,368 bytes

File Type: EXE

Memory Resident: Yes

Initial Samples Received Date: 24 Mar 2015

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

%WINDOWS%\{random filename}.exe

It drops the following file(s)/component(s):

%All Users Profile%\%Application Data%\{random folder name}\03000000 ← encrypted copy of ransom note
%All Users Profile%\%Application Data%\{random folder name}\04000000
%All Users Profile%\%Application Data%\{random folder name}\01000000 - encrypted copy of itself
%All Users Profile%\%Application Data%\{random folder name}\02000000
%All Users Profile%\%Application Data%\{random folder name}\00000000

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following processes:

explorer.exe

It injects codes into the following process(es):

added explorer.exe

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random letters} = "%Windows%\{random filename}.exe"

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
EnabledV9 = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
EnabledV8 = "0"

Backdoor Routine

This Trojan connects to the following websites to send and receive information:

http://{BLOCKED}raje.ru/topic.php

However, as of this writing, the said sites are inaccessible.

Information Theft

This Trojan gathers the following data:

Machine GUID
Computer name

Other Details

This Trojan encrypts files with the following extensions:

wb2
psd
p7c
p7b
p12
pfx
pem
crt
cer
der
pl
py
lua
css
js
asp
php
incpas
asm
hpp
h
cpp
c
7z
zip
rar
drf
blend
apj
3ds
dwg
sda
ps
pat
fxg
fhd
fh
dxb
drw
design
ddrw
ddoc
dcs
csl
csh
cpi
cgm
cdx
cdrw
cdr6
cdr5
cdr4
cdr3
cdr
awg
ait
ai
agd1
ycbcra
x3f
stx
st8
st7
st6
st5
st4
srw
srf
sr2
sd1
sd0
rwz
rwl
rw2
raw
raf
ra2
ptx
pef
pcd
orf
nwb
nrw
nop
nef
ndd
mrw
mos
mfw
mef
mdc
kdc
kc2
iiq
gry
grey
gray
fpx
fff
exf
erf
dng
dcr
dc2
crw
craw
cr2
cmt
cib
ce2
ce1
arw
3pr
3fr
mpg
jpeg
jpg
mdb
sqlitedb
sqlite3
sqlite
sql
sdf
sav
sas7bdat
s3db
rdb
psafe3
nyf
nx2
nx1
nsh
nsg
nsf
nsd
ns4
ns3
ns2
myd
kpdx
kdbx
idx
ibz
ibd
fdb
erbsql
db3
dbf
db-journal
db
cls
bdb
al
adb
backupdb
bik
backup
bak
bkp
moneywell
mmw
ibank
hbk
ffd
dgc
ddd
dac
cfp
cdf
bpw
bgt
acr
ac2
ab4
djvu
pdf
sxm
odf
std
sxd
otg
sti
sxi
otp
odg
odp
stc
sxc
ots
ods
sxg
stw
sxw
odm
oth
ott
odt
odb
csv
rtf
accdr
accdt
accde
accdb
sldm
sldx
ppsm
ppsx
ppam
potm
potx
pptm
pptx
pps
pot
ppt
xlw
xll
xlam
xla
xlsb
xltm
xltx
xlsm
xlsx
xlm
xlt
xls
xml
dotm
dotx
docm
docx
dot
doc
txt
wb2
psd
p7c
p7b
p12
pfx
pem
crt
cer
der
pl
py
lua
css
js
asp
php
incpas
asm
hpp
h
cpp
c
7z
zip
rar
drf
blend
apj
3ds
dwg
sda
ps
pat
fxg
fhd
fh
dxb
drw
design
ddrw
ddoc
dcs
csl
csh
cpi
cgm
cdx
cdrw
cdr6
cdr5
cdr4
cdr3
cdr
awg
ait
ai
agd1
ycbcra
x3f
stx
st8
st7
st6
st5
st4
srw
srf
sr2
sd1
sd0
rwz
rwl
rw2
raw
raf
ra2
ptx
pef
pcd
orf
nwb
nrw
nop
nef
ndd
mrw
mos
mfw
mef
mdc
kdc
kc2
iiq
gry
grey
gray
fpx
fff
exf
erf
dng
dcr
dc2
crw
craw
cr2
cmt
cib
ce2
ce1
arw
3pr
3fr
mpg
jpeg
jpg
mdb
sqlitedb
sqlite3
sqlite
sql
sdf
sav
sas7bdat
s3db
rdb
psafe3
nyf
nx2
nx1
nsh
nsg
nsf
nsd
ns4
ns3
ns2
myd
kpdx
kdbx
idx
ibz
ibd
fdb
erbsql
db3
dbf
db-journal
db
cls
bdb
al
adb
backupdb
bik
backup
bak
bkp
moneywell
mmw
ibank
hbk
ffd
dgc
ddd
dac
cfp
cdf
bpw
bgt
acr
ac2
ab4
djvu
pdf
sxm
odf
std
sxd
otg
sti
sxi
otp
odg
odp
stc
sxc
ots
ods
sxg
stw
sxw
odm
oth
ott
odt
odb
csv
rtf
accdr
accdt
accde
accdb
sldm
sldx
ppsm
ppsx
ppam
potm
potx
pptm
pptx
pps
pot
ppt
xlw
xll
xlam
xla
xlsb
xltm
xltx
xlsm
xlsx
xlm
xlt
xls
xml
dotm
dotx
docm
docx
dot
doc
txt

It renames encrypted files using the following names:

{original file name and extension}.encrypted

NOTES:
It does not proceed to its intended encryption routine since its C&C server is no longer accessible.

Minimum Scan Engine: 9.750

FIRST VSAPI PATTERN FILE: 11.558.06

FIRST VSAPI PATTERN DATE: 24 Mar 2015

VSAPI OPR PATTERN File: 11.559.00

VSAPI OPR PATTERN Date: 25 Mar 2015

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- {random letters} = "%WINDOWS%\{random filename}.exe"

Step 5

Delete this registry key

[ Learn More ]

=Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator’s help. You may also check out this Microsoft article first before modifying your computer's registry.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter

Step 6

Search and delete these files

[ Learn More ]

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

%All Users Profile%\%Application Data%\{random folder name}\00000000
%All Users Profile%\%Application Data%\{random folder name}\01000000
%All Users Profile%\%Application Data%\{random folder name}\02000000
%All Users Profile%\%Application Data%\{random folder name}\03000000
%All Users Profile%\%Application Data%\{random folder name}\04000000
DECRYPT_INSTRUCTIONS.html

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_CRILOCK.SER. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 8

Scan your computer with your Trend Micro product to delete files detected as TROJ_CRILOCK.SER. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Did this description help? Tell us how we did.

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

TROJ_CRILOCK.SER

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific