While I was checking my junk e-mail folder I found something resembling a CTB-Locker e-mail. The e-mail text is in Italian, without typos. Opening the attachment inside a safe environment I recognized the same infection method: everything starts from the Word file (this time in French) executed by the exe file inside the attached Zip (SHA256: BF0ED6937D3B8A882FCB4EB9F22B5B69FB1ED4E35F2692BF3B7C8CFBD7266543). The only thing I hadn't seen before is that the exe file uses the .NET library. I decided to go a little deeper into the file analysis by raw-dumping the running malware at two random points. Applying Snippet Detector I got the following results for the two dumps:

[SNIPPET DETECTOR] Semantic match at 0x401C44
Snippet name: CTB_Locker__DecryptDownloadedExeFile
Snippet description: CTB-Locker::DecryptDownloadedExeFile decrypts the file downloaded from the net

[SNIPPET DETECTOR] Semantic match at 0x401CBF
Snippet name: CTB_Locker__ShowErrorAndExitProcess
Snippet description: CTB-Locker::ShowErrorAndProcessEnd is called when an error occurs. It format the error message, it shows it and then it terminates the malware

[SNIPPET DETECTOR] Semantic match at 0x401E90
Snippet name: CTB_Locker__CabinetCallback
Snippet description: CTB-Locker::CabinetCallback used to format the .rtf complete file path

[SNIPPET DETECTOR] Semantic match at 0x401F4B
Snippet name: CTB_Locker__MoveUnicodeString
Snippet description: CTB-Locker::MoveUnicodeString moves one unicode string into another buffer

[SNIPPET DETECTOR] Syntactic match at 0x40242D
Snippet name: CTB_Locker__ChecksumOverDecryptedExeFile
Snippet description: CTB-Locker::ChecksumOverDecryptedExeFile applies a checksum over a sequence of bytes

[SNIPPET DETECTOR] 1 syntactic snippet, 4 semantic snippet and 0 multiple matches has been found

[SNIPPET DETECTOR] Semantic match at 0xC58F
Snippet name: CTB_Locker__UnicodeStringCompare
Snippet description: CTB-Locker::UnicodeStringCompare

[SNIPPET DETECTOR] Semantic match at 0x1CDF3
Snippet name: CTB_Locker__AESDecrypt
Snippet description: CTB_Locker__AESDecrypt decrypts applying the AES algo.

[SNIPPET DETECTOR] Semantic match at 0x1F9B8
Snippet name: CTB_Locker__SHA256
Snippet description: CTB-Locker::SHA256 hash function

[SNIPPET DETECTOR] Semantic match at 0x2A5DA
Snippet name: CTB_Locker__AESEncrypt
Snippet description: CTB-Locker::AESEncrypt encrypts applying the AES algo.

[SNIPPET DETECTOR] Semantic match at 0x2CF31
Snippet name: CTB_Locker__AESEncryptExpandKey
Snippet description: CTB-Locker::AESEncryptExpandKey function used at the beginning of the AES encryption process

[SNIPPET DETECTOR] Semantic match at 0x33A0C
Snippet name: CTB_Locker__AESDecryptExpandKey
Snippet description: CTB-Locker::AESDecryptExpandKey function used at the beginning of the AES decryption process.

[SNIPPET DETECTOR] Semantic match at 0x43BD0
Snippet name: CTB_Locker__ZLibDecompress
Snippet description: CTB-Locker::ZLibDecompress

[SNIPPET DETECTOR] Semantic match at 0x683F7
Snippet name: CTB_Locker__Curve_25519
Snippet description: CTB-Locker::Curve_25519 crypto

[SNIPPET DETECTOR] Semantic match at 0x8D3F0
Snippet name: CTB_Locker__MoveExtensionsFileIntoSeparateBuffers
Snippet description: CTB-Locker::MoveExtensionsFileIntoSeparateBuffers

[SNIPPET DETECTOR] Syntactic match at 0x8D487
Snippet name: CTB_Locker__UnicodeStringAppend
Snippet description: CTB-Locker::UnicodeStringAppend

[SNIPPET DETECTOR] Semantic match at 0x8D4B0
Snippet name: CTB_Locker__GenSecretAndPublicKeys
Snippet description: CTB-Locker::GenSecretAndPublicKeys generates two distinct keys for a future use.

[SNIPPET DETECTOR] Semantic match at 0x8D5F0
Snippet name: CTB_Locker__CRCChecksum
Snippet description: CTB-Locker::CRCChecksum, crc checksum used by CTB-Locker

[SNIPPET DETECTOR] Semantic match at 0x8D624
Snippet name: CTB_Locker__GetMachineGUIDMultibyte
Snippet description: CTB_Locker__GetMachineGUIDMultibyte converts the machineGUID into multibyte

[SNIPPET DETECTOR] Semantic match at 0x8D876
Snippet name: CTB_Locker__TryToDecryptCandidateFile
Snippet description: CTB-Locker::TryToDecryptCandidateFile tries to decrypt a file using one of the available keys

[SNIPPET DETECTOR] Semantic match at 0x8D92C
Snippet name: CTB_Locker__DecryptWithPrivateKey
Snippet description: CTB-Locker::DecryptWithPrivateKey using elliptic curve, sha256, AES and ZLib decompression algo

[SNIPPET DETECTOR] Semantic match at 0x8DCD2
Snippet name: CTB_Locker__DetectVM
Snippet description: CTB_Locker__DetectVM tries to detect VM. Return 1 if VM is detected, 0 otherwise

[SNIPPET DETECTOR] Semantic match at 0x8E090
Snippet name: CTB_Locker__GetSytemFileProcessesVMInfo
Snippet description: CTB-Locker::GetSytemFileProcessesVMInfo performs some checks over the malware file, the system and the VM

[SNIPPET DETECTOR] Semantic match at 0x8E32E
Snippet name: CTB_Locker__CreateInitialPartOfHIDDENINFO
Snippet description: CTB-Locker::CreateInitialPartOfHIDDENINFO create the initial part of the HiddenInfo file

[SNIPPET DETECTOR] Semantic match at 0x8E567
Snippet name: CTB_Locker__RenderTextOverButton
Snippet description: CTB_Locker__RenderTextOverButton writes a specific text over the dialog button

[SNIPPET DETECTOR] Semantic match at 0x8E85C
Snippet name: CTB_Locker__RenderInfoTextOnTheDialog
Snippet description: CTB-Locker::RenderInfoTextOnTheDialog

[SNIPPET DETECTOR] Semantic match at 0x8EE52
Snippet name: CTB_Locker__RenderGUIDialog
Snippet description: CTB-Locker::RenderGUIDialog

[SNIPPET DETECTOR] Semantic match at 0x8F28D
Snippet name: CTB_Locker__ShowCTBLockerDialogWindow
Snippet description: CTB-Locker::ShowCTBLockerDialogWindow shows one of the CTB-Locker dialogs

[SNIPPET DETECTOR] Syntactic match at 0x8F3AA
Snippet name: CTB_Locker__CreateRandomSevenCharsUnicodeStringFromDwordValue
Snippet description: CTB-Locker::CreateRandomSevenCharsUnicodeStringFromDwordValue

[SNIPPET DETECTOR] Semantic match at 0x8F3D0
Snippet name: CTB_Locker__ParseResponseFromServer
Snippet description: CTB_Locker__ParseResponseFromServer parses the reply obtained from the server

[SNIPPET DETECTOR] Semantic match at 0x90455
Snippet name: CTB_Locker__DecryptHiddenInfoFile
Snippet description: CTB-Locker::DecryptHiddenInfoFile decrypts the HiddenInfo file

[SNIPPET DETECTOR] Semantic match at 0x904D7
Snippet name: CTB_Locker__DecryptHiddenInfo
Snippet description: CTB-Locker::DecryptHiddenInfo, HiddenInfo file decryption routine

[SNIPPET DETECTOR] Semantic match at 0x9054E
Snippet name: CTB_Locker__EncryptHiddenInfo
Snippet description: CTB-Locker::EncryptHiddenInfo using AES

[SNIPPET DETECTOR] Semantic match at 0x91156
Snippet name: CTB_Locker__CreateBitmapImage
Snippet description: CTB-Locker::CreateBitmapImage creates a bitmap image

[SNIPPET DETECTOR] Semantic match at 0x9354B
Snippet name: CTB_Locker__IsProcessUnderWow64Process
Snippet description: CTB_Locker__IsProcessUnderWow64Process checks to see if the process runs under Wow64Process or not

[SNIPPET DETECTOR] Semantic match at 0x93594
Snippet name: CTB_Locker__Injection
Snippet description: CTB-Locker::Injection function

[SNIPPET DETECTOR] Semantic match at 0x9363F
Snippet name: CTB_Locker_SearchProcessToInjectCodeAndInject
Snippet description: CTB-Locker::SearchProcessToInjectCodeAndInject search the right process for the code injection

[SNIPPET DETECTOR] Semantic match at 0x93D38
Snippet name: CTB_Locker__SearchStringInsideList
Snippet description: CTB-Locker::SearchStringInsideList searches for a specific string inside a list

[SNIPPET DETECTOR] Semantic match at 0xDD450
Snippet name: CTB_Locker__MemoryClear
Snippet description: CTB-Locker::MemoryClear

[SNIPPET DETECTOR] 2 syntactic snippet, 31 semantic snippet and 0 multiple matches has been found

Well, it seems that nothing has changed inside the core of the malware. I can stop my analysis.
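The two reports above are plain text and get long quickly, so as an added example (my own code, not part of Snippet Detector or of the original post) here is a small parser for that output format. It turns each "[SNIPPET DETECTOR] ... match at" block into a record, checks that the closing summary line agrees with the number of entries actually listed (a truncated or corrupted report is rejected instead of silently under-counting), compares the snippet sets of two dumps, and verifies a file's SHA256 against the hash published above. The two short reports embedded below are constructed for the example; their entries are copied from the output above and their summary lines are adjusted to the shortened samples.

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass

# SHA256 of the attached Zip as published in the post above.
PUBLISHED_ZIP_SHA256 = "BF0ED6937D3B8A882FCB4EB9F22B5B69FB1ED4E35F2692BF3B7C8CFBD7266543"

# Constructed samples in Snippet Detector's report format (shortened from the
# output above; summary counts adjusted to the shortened content).
DUMP_1 = """\
[SNIPPET DETECTOR] Semantic match at 0x401C44
Snippet name: CTB_Locker__DecryptDownloadedExeFile
Snippet description: CTB-Locker::DecryptDownloadedExeFile decrypts the file downloaded from the net

[SNIPPET DETECTOR] Syntactic match at 0x40242D
Snippet name: CTB_Locker__ChecksumOverDecryptedExeFile
Snippet description: CTB-Locker::ChecksumOverDecryptedExeFile applies a checksum over a sequence of bytes

[SNIPPET DETECTOR] 1 syntactic snippet, 1 semantic snippet and 0 multiple matches has been found
"""

DUMP_2 = """\
[SNIPPET DETECTOR] Semantic match at 0x1CDF3
Snippet name: CTB_Locker__AESDecrypt
Snippet description: CTB_Locker__AESDecrypt decrypts applying the AES algo.

[SNIPPET DETECTOR] Semantic match at 0x683F7
Snippet name: CTB_Locker__Curve_25519
Snippet description: CTB-Locker::Curve_25519 crypto

[SNIPPET DETECTOR] Syntactic match at 0x40242D
Snippet name: CTB_Locker__ChecksumOverDecryptedExeFile
Snippet description: CTB-Locker::ChecksumOverDecryptedExeFile applies a checksum over a sequence of bytes

[SNIPPET DETECTOR] 1 syntactic snippet, 2 semantic snippet and 0 multiple matches has been found
"""

MATCH_RE = re.compile(r"^\[SNIPPET DETECTOR\] (Semantic|Syntactic) match at (0x[0-9A-Fa-f]+)$")
NAME_RE = re.compile(r"^Snippet name: (\S+)$")
DESC_RE = re.compile(r"^Snippet description: (.*)$")
SUMMARY_RE = re.compile(
    r"^\[SNIPPET DETECTOR\] (\d+) syntactic snippet, (\d+) semantic snippet "
    r"and (\d+) multiple matches has been found$"
)


@dataclass(frozen=True)
class Match:
    kind: str         # "Semantic" or "Syntactic"
    address: int      # offset reported inside the dump
    name: str         # snippet name from the local database
    description: str


def parse_report(text):
    """Parse one Snippet Detector report into a list of Match records.

    Raises ValueError on an unexpected line or when the report's own summary
    line disagrees with the number of entries found (truncated/corrupted output).
    """
    matches, pending, summary = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := MATCH_RE.match(line)):
            pending = {"kind": m.group(1), "address": int(m.group(2), 16)}
        elif (m := NAME_RE.match(line)) and pending is not None:
            pending["name"] = m.group(1)
        elif (m := DESC_RE.match(line)) and pending is not None and "name" in pending:
            matches.append(Match(pending["kind"], pending["address"], pending["name"], m.group(1)))
            pending = None
        elif (m := SUMMARY_RE.match(line)):
            summary = tuple(int(x) for x in m.groups())
        else:
            raise ValueError(f"unrecognised report line: {line!r}")
    if summary is not None:
        counts = Counter(x.kind for x in matches)
        if (counts["Syntactic"], counts["Semantic"]) != summary[:2]:
            raise ValueError(f"summary {summary[:2]} does not match parsed entries {dict(counts)}")
    return matches


def compare_dumps(first, second):
    """Which snippets appear in both dumps and which in only one of them."""
    a = {m.name for m in first}
    b = {m.name for m in second}
    return {"common": sorted(a & b), "only_first": sorted(a - b), "only_second": sorted(b - a)}


def matches_published_hash(data, published_hex=PUBLISHED_ZIP_SHA256):
    """True when the bytes hash to the published SHA256 (case-insensitive hex compare)."""
    return hashlib.sha256(data).hexdigest().lower() == published_hex.lower()


if __name__ == "__main__":
    d1, d2 = parse_report(DUMP_1), parse_report(DUMP_2)
    print(f"dump 1: {len(d1)} matches, dump 2: {len(d2)} matches")
    print(compare_dumps(d1, d2))
    print("constructed bytes match published hash:", matches_published_hash(b"not the sample"))
```

The consistency check on the summary line is the part worth keeping in a real workflow: when a report is pasted into a ticket or trimmed by a log collector, a count that no longer matches the listed entries is the quickest way to notice it before drawing conclusions such as "nothing has changed in the core".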

You can download the CTB-Locker local database for Snippet Detector here and try yourself.

By admin