Crypren

Crypren Ransomware Analysis

Overview

In this article we analyze Crypren, a piece of malware which at first looks like a typical Ransomware by encrypting the victim’s document files and asking for a ransom, in Bitcoins (BTC), but with a little surprise. If the victim actually pays the ransom, no file is restored. Fair to say, Crypren turns to be more like a fraud than a Ransomware at the end.

Infection vector

The infection vector starts by downloading a ZIP file available in the, already removed, YouTube video: h t t p s : / / www.youtube(.)com/watch?v=X_gFoqhP99k. In the video description we can find a link pointing to a supposed SKIDROW’s crack for the “Enter the Gungeon” videogame. The link to the cracking tool was recently deleted but originally pointing to: h t t p : / / www.mediafire.com/download/430i2vh9h4hldfc/Enter_the_Gungeon_SKIDROW.zip.

InfectionVector

Infection Analysis

Dropper

The ZIP file contains two files, one is the dropper and the other is a cURL library used for downloading the actual Ransomware binary.

Dropper1

The dropper’s main functionality is implemented by two functions. The first one downloads the Ransomware binary to the C:\ProgramData\krypt.exe folder. The second, adds a Registry launch point at Software\Microsoft\Windows\CurrentVersion for further persistence.

The Ransomware binary’s download URL points to: h t t p : / / www.qweasdzxc1425(.)cba(.)pl/x/k.exe .

Dropper2

PE Hash
NameHash
MD57273c6869d31e056c21fcda7a4cd7862
SHA178ae127436b873615b2dfd7668800ec09aa3261a
SHA2561202583cbe44fbf9fc607112844471c25af48db17fa2ea332bb6b3ae6443d784
Compile Time2016-03-29 18:27:23
PE Sections
NameRVAVirtualSizeRawDataSizeEntropy
.text0x10000x7913a4961286.64049861111
.rdata0x7b0000x2acc41756165.77174159966
.data0xa60000x14d0c691205.0644646639
.rsrc0xbb0000x1a6e41085442.95189948151
.reloc0xd60000x89a0353286.43558546889

Crypren

At the begining, the malware tries to enumerate all disk devices by scanning the mapped drive letters from B: to P: and leaving C: for the glorious end.

IDA1 IDA2

If a valid drive is found, a new thread is run to enumerate all the files with the following extensions:

'txt','jpg','png','xml','doc','docx','xls','xlsx','ppt','pptx','gif','bmp','sql','php','html','cs','cpp','docm','docb','rar','zip','xlm','py','mp3','mp4','xlsb','xla ','xlam ','xll ','xlw ','pdf','pps','pot','accdb','accde','accdt','accdr','cert','swf','mdb','rtf','gzip','tar','css'

Once the file enumeration is done, the malware generates a 64 bytes key to encrypt the files.

Key Gen

Then, it creates an HTML file with the user’s recovery instructions as follows.

ReadMe

Next, the file processing task continues by adding each matching file to a linked list for its later deletion, and creating a new file with the same name and extension as the original, but adding a second extension: .ENCRYPTED. The original file’s content is then encrypted with the key and stored in the newly created file.

Last step will delete the original files from the system.

Encryption1

Once the full encryption is completed, the malware will kindly ask to reboot the system, showing a welcoming Readme file on startup.

Encryption2

PE Hash
NameHash
MD5f6a8d7a4291c55020101d046371a8bda
SHA109b08e04ee85b26ba5297cf3156653909671da90
SHA256082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76
Compile Time2016-03-26 20:11:42
PE Sections
NameRVAVirtualSizeRawDataSizeEntropy
.text0x10000x805265258246.63655386644
.rdata0x820000x2c4cc1817605.75334248077
.data0xaf0000x15668711684.96405425552
.rsrc0xc50000x1e05124.71229819329
.reloc0xc60000x9460384006.45523635215

Conclusions

Perhaps not the most sophisticated Ransomware ever, to the analysis’ author it looks more like a Frankenstein copycat born from the StackOverflow forums. To note, the use of the same compiler vc++ 2010 and OpenSSL libraries in both components suggest the dropper and the Ransomware may come from the same actor.

Moreover, the encryption routine is far simple and can be further read about here: https://github.com/mlwre/DecryptCrypren/blob/master/README.md .

Back