Crypren
Crypren Ransomware Analysis
Overview
In this article we analyze Crypren, a piece of malware which at first looks like a typical Ransomware by encrypting the victim’s document files and asking for a ransom, in Bitcoins (BTC), but with a little surprise. If the victim actually pays the ransom, no file is restored. Fair to say, Crypren turns to be more like a fraud than a Ransomware at the end.
Infection vector
The infection vector starts by downloading a ZIP file available in the, already removed, YouTube video: h t t p s : / / www.youtube(.)com/watch?v=X_gFoqhP99k. In the video description we can find a link pointing to a supposed SKIDROW’s crack for the “Enter the Gungeon” videogame. The link to the cracking tool was recently deleted but originally pointing to: h t t p : / / www.mediafire.com/download/430i2vh9h4hldfc/Enter_the_Gungeon_SKIDROW.zip.
Infection Analysis
Dropper
The ZIP file contains two files, one is the dropper and the other is a cURL library used for downloading the actual Ransomware binary.
The dropper’s main functionality is implemented by two functions. The first one downloads the Ransomware binary to the C:\ProgramData\krypt.exe folder. The second, adds a Registry launch point at Software\Microsoft\Windows\CurrentVersion for further persistence.
The Ransomware binary’s download URL points to: h t t p : / / www.qweasdzxc1425(.)cba(.)pl/x/k.exe .
PE Hash
| Name | Hash |
|---|---|
| MD5 | 7273c6869d31e056c21fcda7a4cd7862 |
| SHA1 | 78ae127436b873615b2dfd7668800ec09aa3261a |
| SHA256 | 1202583cbe44fbf9fc607112844471c25af48db17fa2ea332bb6b3ae6443d784 |
| Compile Time | 2016-03-29 18:27:23 |
PE Sections
| Name | RVA | VirtualSize | RawDataSize | Entropy |
|---|---|---|---|---|
| .text | 0x1000 | 0x7913a | 496128 | 6.64049861111 |
| .rdata | 0x7b000 | 0x2acc4 | 175616 | 5.77174159966 |
| .data | 0xa6000 | 0x14d0c | 69120 | 5.0644646639 |
| .rsrc | 0xbb000 | 0x1a6e4 | 108544 | 2.95189948151 |
| .reloc | 0xd6000 | 0x89a0 | 35328 | 6.43558546889 |
Crypren
At the begining, the malware tries to enumerate all disk devices by scanning the mapped drive letters from B: to P: and leaving C: for the glorious end.
If a valid drive is found, a new thread is run to enumerate all the files with the following extensions:
'txt','jpg','png','xml','doc','docx','xls','xlsx','ppt','pptx','gif','bmp','sql','php','html','cs','cpp','docm','docb','rar','zip','xlm','py','mp3','mp4','xlsb','xla ','xlam ','xll ','xlw ','pdf','pps','pot','accdb','accde','accdt','accdr','cert','swf','mdb','rtf','gzip','tar','css'
Once the file enumeration is done, the malware generates a 64 bytes key to encrypt the files.
Then, it creates an HTML file with the user’s recovery instructions as follows.
Next, the file processing task continues by adding each matching file to a linked list for its later deletion, and creating a new file with the same name and extension as the original, but adding a second extension: .ENCRYPTED. The original file’s content is then encrypted with the key and stored in the newly created file.
Last step will delete the original files from the system.
Once the full encryption is completed, the malware will kindly ask to reboot the system, showing a welcoming Readme file on startup.
PE Hash
| Name | Hash |
|---|---|
| MD5 | f6a8d7a4291c55020101d046371a8bda |
| SHA1 | 09b08e04ee85b26ba5297cf3156653909671da90 |
| SHA256 | 082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76 |
| Compile Time | 2016-03-26 20:11:42 |
PE Sections
| Name | RVA | VirtualSize | RawDataSize | Entropy |
|---|---|---|---|---|
| .text | 0x1000 | 0x80526 | 525824 | 6.63655386644 |
| .rdata | 0x82000 | 0x2c4cc | 181760 | 5.75334248077 |
| .data | 0xaf000 | 0x15668 | 71168 | 4.96405425552 |
| .rsrc | 0xc5000 | 0x1e0 | 512 | 4.71229819329 |
| .reloc | 0xc6000 | 0x9460 | 38400 | 6.45523635215 |
Conclusions
Perhaps not the most sophisticated Ransomware ever, to the analysis’ author it looks more like a Frankenstein copycat born from the StackOverflow forums. To note, the use of the same compiler vc++ 2010 and OpenSSL libraries in both components suggest the dropper and the Ransomware may come from the same actor.
Moreover, the encryption routine is far simple and can be further read about here: https://github.com/mlwre/DecryptCrypren/blob/master/README.md .