AFP Cryptolocker analysis

Another day, another cryptolocker variant. Enter stage left, the AFP cryptolocker scam email. This analysis will be shorter than my previous one, since there is not much different about this sample apart from the delivery method. Should you want more detail, please read this analysis.

The suspect email:

[Image: afpemail]

I amended the anchor link to the following so that the recipient’s details were not passed: h[]p://hairexpert.com.ua/system/logs/sLahSJvX2kI.php?id=im_not_a_crypto_noob@uradickhead.co

Once the user clicks on the link, they are redirected to the following URL: h[]p://violation-info.com/xec3xik.php?id=ZG9jdG9yX3NtaXRoQGhvc3BpdGFsLmdvdg==
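The second URL carries the recipient's address base64-encoded in the `id` parameter (the first carries it in plain text), which is how the campaign tracks who clicked. The following triage helper is an added example, not code from the original post: it refangs the `h[]p://` notation, pulls out the `id` value and reports whether it is plain or base64-wrapped, so a mail admin can see which mailbox a reported lure was addressed to and which host to block. The two sample URLs are copied from the post; the addresses in them are the post's own placeholders.

```python
import base64
import binascii
from urllib.parse import urlparse

# Constructed sample inputs, copied from the lure URLs quoted in the post.
SAMPLE_URLS = [
    "h[]p://hairexpert.com.ua/system/logs/sLahSJvX2kI.php?id=im_not_a_crypto_noob@uradickhead.co",
    "h[]p://violation-info.com/xec3xik.php?id=ZG9jdG9yX3NtaXRoQGhvc3BpdGFsLmdvdg==",
]


def refang(url: str) -> str:
    """Turn the defanged h[]p:// and hxxp:// notations back into a parseable scheme."""
    for defanged, real in (("h[]ps://", "https://"), ("h[]p://", "http://"),
                           ("hxxps://", "https://"), ("hxxp://", "http://")):
        if url.startswith(defanged):
            return real + url[len(defanged):]
    return url


def query_param(query: str, name: str):
    """Return the raw value of `name` from a query string without URL-decoding it,
    so '+' and '=' characters inside a base64 value survive intact."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def decode_tracking_id(url: str) -> dict:
    """Extract the id= parameter and classify it as plain, base64 or unknown."""
    parsed = urlparse(refang(url))
    raw = query_param(parsed.query, "id")
    result = {"host": parsed.hostname, "encoding": None, "recipient": None}
    if raw is None:
        return result
    if "@" in raw:
        # Plain-text mailbox address, as in the first lure URL.
        result.update(encoding="plain", recipient=raw)
        return result
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            decoded = decoder(raw.encode("ascii")).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if "@" in decoded and decoded.isprintable():
            result.update(encoding="base64", recipient=decoded)
            return result
    result["encoding"] = "unknown"
    return result


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(decode_tracking_id(u))
```

Running the block on the two URLs shows the first host receiving the address in clear and the second receiving `doctor_smith@hospital.gov`, which is exactly the decoded `id` value; any reported lure can be fed through the same function to recover the targeted mailbox for the incident record.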

The page the user is redirected to is nicely designed and links to or pulls as much content as possible from the real AFP website so that the experience looks as genuine as possible:

[Image: afpwebpage]

Once the user enters the captcha code and clicks the DOWNLOAD button, they are presented with a dialog to download a “notice_[].zip” compressed file from copy[].com.

[Image: afpcompressed]

Unzipping and inspecting the file, we can see it is a 32-bit PE binary.
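A quick way to confirm that claim without running anything is to read the PE headers directly. The script below is an added example, not code from the original post: it walks from the `MZ` header via `e_lfanew` to the `PE\0\0` signature, reads the COFF `Machine` field and the optional-header magic (`0x10b` for PE32, `0x20b` for PE32+), flags DLLs, and records the SHA-256 for the file-details table. Because the real `notice_[].zip` payload is not on the page, the block builds a constructed minimal header in memory; point `inspect_pe` at the bytes of a real unpacked sample to get the same report.

```python
import hashlib
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_DLL = 0x2000
COFF_HEADER = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp,
                           # PointerToSymbolTable, NumberOfSymbols,
                           # SizeOfOptionalHeader, Characteristics


def build_minimal_pe(machine: int, magic: int, characteristics: int = 0x0102) -> bytes:
    """Constructed stand-in for a real sample: a DOS header whose e_lfanew points
    at a bare COFF header followed by the first two bytes of the optional header."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER, machine, 1, 0, 0, 0, 0xE0, characteristics)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic)


def inspect_pe(data: bytes) -> dict:
    """Report architecture, bitness, DLL flag and SHA-256 for a PE image,
    or is_pe=False with a reason when the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False, "reason": "no MZ header"}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False, "reason": "no PE signature at e_lfanew"}
    machine, nsections, _, _, _, _, chars = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {
        "is_pe": True,
        "bits": {PE32_MAGIC: 32, PE32PLUS_MAGIC: 64}.get(magic),
        "machine": {IMAGE_FILE_MACHINE_I386: "x86",
                    IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, hex(machine)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": nsections,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:        # a real unpacked sample
            print(inspect_pe(fh.read()))
    else:                                          # constructed 32-bit example
        print(inspect_pe(build_minimal_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC)))
```

Machine and magic are checked separately on purpose: a mismatch between them (for example `Machine` = x86 but magic = PE32+) is itself a sign of a hand-crafted or corrupted header worth noting in the analysis.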

File details are as follows:

Submitting this file to VirusTotal shows that only 5/56 AV products detect the file as malicious. For a lot of large enterprises this is a concern, as the main enterprise AV players in this field reported the file as clean at the time of submission.

As this cryptolocker malware is very similar to the last one I analysed on the 19th of February, I am not going to go into the exact order of dropped files, mutexes, registry changes and so on. If you are interested in this, check out my previous analysis.

The following IP addresses/domains are accessed in order to communicate with the operators and download the required binaries:

The following files were dropped:

All in all, the cryptolocker function of the malware is very close to other variants I have seen. All useful files are encrypted, and the user is presented with instructions on how to decrypt their data.

Firstly, the plain text file:

An HTML file is also presented to the user, which is the same as that from my previous analysis.

As previously stated, only 5/56 AV products currently detect the binary as malicious, which is a significant risk for most enterprises. Hopefully vendors will update signatures ASAP.

[Image: virustotal2]

That’s pretty much all the analysis that is needed, considering it’s not too different from other cryptolocker variants. As always, if you want me to look a little deeper into suspect emails or files, just yell out. Cheers.