While I was checking my junk e-mail folder I found something resembling a CTB-Locker e-mail type. The e-mail text is in italian language without typo errors. Opening the attachment inside a safe environment I recognize the same infection method, everything starts from the word file (this time in French language) executed by the exe file inside the attached Zip (Sha256: BF0ED6937D3B8A882FCB4EB9F22B5B69FB1ED4E35F2692BF3B7C8CFBD7266543). The only thing I haven’t seen before is the fact that the exe file is using .NET library. I decided to go deep a little bit more into the file analisys raw dumping the running malware at two random points. Applying Snippet Detector I got the next results for the two dumps:

[SNIPPET DETECTOR] Semantic match at 0x401C44
Snippet name: CTB_Locker__DecryptDownloadedExeFile
Snippet description: CTB-Locker::DecryptDownloadedExeFile decrypts the file downloaded from the net

[SNIPPET DETECTOR] Semantic match at 0x401CBF
Snippet name: CTB_Locker__ShowErrorAndExitProcess
Snippet description: CTB-Locker::ShowErrorAndProcessEnd is called when an error occurs. It format the error message, it shows it and then it terminates the malware

[SNIPPET DETECTOR] Semantic match at 0x401E90
Snippet name: CTB_Locker__CabinetCallback
Snippet description: CTB-Locker::CabinetCallback used to format the .rtf complete file path

[SNIPPET DETECTOR] Semantic match at 0x401F4B
Snippet name: CTB_Locker__MoveUnicodeString
Snippet description: CTB-Locker::MoveUnicodeString moves one unicode string into another buffer

[SNIPPET DETECTOR] Syntactic match at 0x40242D
Snippet name: CTB_Locker__ChecksumOverDecryptedExeFile
Snippet description: CTB-Locker::ChecksumOverDecryptedExeFile applies a checksum over a sequence of bytes

[SNIPPET DETECTOR] 1 syntactic snippet, 4 semantic snippet and 0 multiple matches has been found

[SNIPPET DETECTOR] Semantic match at 0xC58F
Snippet name: CTB_Locker__UnicodeStringCompare
Snippet description: CTB-Locker::UnicodeStringCompare

[SNIPPET DETECTOR] Semantic match at 0x1CDF3
Snippet name: CTB_Locker__AESDecrypt
Snippet description: CTB_Locker__AESDecrypt decrypts applying the AES algo.

[SNIPPET DETECTOR] Semantic match at 0x1F9B8
Snippet name: CTB_Locker__SHA256
Snippet description: CTB-Locker::SHA256 hash function

[SNIPPET DETECTOR] Semantic match at 0x2A5DA
Snippet name: CTB_Locker__AESEncrypt
Snippet description: CTB-Locker::AESEncrypt encrypts applying the AES algo.

[SNIPPET DETECTOR] Semantic match at 0x2CF31
Snippet name: CTB_Locker__AESEncryptExpandKey
Snippet description: CTB-Locker::AESEncryptExpandKey function used at the beginning of the AES encryption process

[SNIPPET DETECTOR] Semantic match at 0x33A0C
Snippet name: CTB_Locker__AESDecryptExpandKey
Snippet description: CTB-Locker::AESDecryptExpandKey function used at the beginning of the AES decryption process.

[SNIPPET DETECTOR] Semantic match at 0x43BD0
Snippet name: CTB_Locker__ZLibDecompress
Snippet description: CTB-Locker::ZLibDecompress

[SNIPPET DETECTOR] Semantic match at 0x683F7
Snippet name: CTB_Locker__Curve_25519
Snippet description: CTB-Locker::Curve_25519 crypto

[SNIPPET DETECTOR] Semantic match at 0x8D3F0
Snippet name: CTB_Locker__MoveExtensionsFileIntoSeparateBuffers
Snippet description: CTB-Locker::MoveExtensionsFileIntoSeparateBuffers

[SNIPPET DETECTOR] Syntactic match at 0x8D487
Snippet name: CTB_Locker__UnicodeStringAppend
Snippet description: CTB-Locker::UnicodeStringAppend

[SNIPPET DETECTOR] Semantic match at 0x8D4B0
Snippet name: CTB_Locker__GenSecretAndPublicKeys
Snippet description: CTB-Locker::GenSecretAndPublicKeys generates two distinct keys for a future use.

[SNIPPET DETECTOR] Semantic match at 0x8D5F0
Snippet name: CTB_Locker__CRCChecksum
Snippet description: CTB-Locker::CRCChecksum, crc checksum used by CTB-Locker

[SNIPPET DETECTOR] Semantic match at 0x8D624
Snippet name: CTB_Locker__GetMachineGUIDMultibyte
Snippet description: CTB_Locker__GetMachineGUIDMultibyte converts the machineGUID into multibyte

[SNIPPET DETECTOR] Semantic match at 0x8D876
Snippet name: CTB_Locker__TryToDecryptCandidateFile
Snippet description: CTB-Locker::TryToDecryptCandidateFile tries to decrypt a file using one of the available keys

[SNIPPET DETECTOR] Semantic match at 0x8D92C
Snippet name: CTB_Locker__DecryptWithPrivateKey
Snippet description: CTB-Locker::DecryptWithPrivateKey using elliptic curve, sha256, AES and ZLib decompression algo

[SNIPPET DETECTOR] Semantic match at 0x8DCD2
Snippet name: CTB_Locker__DetectVM
Snippet description: CTB_Locker__DetectVM tries to detect VM. Return 1 if VM is detected, 0 otherwise

[SNIPPET DETECTOR] Semantic match at 0x8E090
Snippet name: CTB_Locker__GetSytemFileProcessesVMInfo
Snippet description: CTB-Locker::GetSytemFileProcessesVMInfo performs some checks over the malware file, the system and the VM

[SNIPPET DETECTOR] Semantic match at 0x8E32E
Snippet name: CTB_Locker__CreateInitialPartOfHIDDENINFO
Snippet description: CTB-Locker::CreateInitialPartOfHIDDENINFO create the initial part of the HiddenInfo file

[SNIPPET DETECTOR] Semantic match at 0x8E567
Snippet name: CTB_Locker__RenderTextOverButton
Snippet description: CTB_Locker__RenderTextOverButton writes a specific text over the dialog button

[SNIPPET DETECTOR] Semantic match at 0x8E85C
Snippet name: CTB_Locker__RenderInfoTextOnTheDialog
Snippet description: CTB-Locker::RenderInfoTextOnTheDialog

[SNIPPET DETECTOR] Semantic match at 0x8EE52
Snippet name: CTB_Locker__RenderGUIDialog
Snippet description: CTB-Locker::RenderGUIDialog

[SNIPPET DETECTOR] Semantic match at 0x8F28D
Snippet name: CTB_Locker__ShowCTBLockerDialogWindow
Snippet description: CTB-Locker::ShowCTBLockerDialogWindow shows one of the CTB-Locker dialogs

[SNIPPET DETECTOR] Syntactic match at 0x8F3AA
Snippet name: CTB_Locker__CreateRandomSevenCharsUnicodeStringFromDwordValue
Snippet description: CTB-Locker::CreateRandomSevenCharsUnicodeStringFromDwordValue

[SNIPPET DETECTOR] Semantic match at 0x8F3D0
Snippet name: CTB_Locker__ParseResponseFromServer
Snippet description: CTB_Locker__ParseResponseFromServer parses the reply obtained from the server

[SNIPPET DETECTOR] Semantic match at 0x90455
Snippet name: CTB_Locker__DecryptHiddenInfoFile
Snippet description: CTB-Locker::DecryptHiddenInfoFile decrypts the HiddenInfo file

[SNIPPET DETECTOR] Semantic match at 0x904D7
Snippet name: CTB_Locker__DecryptHiddenInfo
Snippet description: CTB-Locker::DecryptHiddenInfo, HiddenInfo file decryption routine

[SNIPPET DETECTOR] Semantic match at 0x9054E
Snippet name: CTB_Locker__EncryptHiddenInfo
Snippet description: CTB-Locker::EncryptHiddenInfo using AES

[SNIPPET DETECTOR] Semantic match at 0x91156
Snippet name: CTB_Locker__CreateBitmapImage
Snippet description: CTB-Locker::CreateBitmapImage creates a bitmap image

[SNIPPET DETECTOR] Semantic match at 0x9354B
Snippet name: CTB_Locker__IsProcessUnderWow64Process
Snippet description: CTB_Locker__IsProcessUnderWow64Process checks to see if the process runs under Wow64Process or not

[SNIPPET DETECTOR] Semantic match at 0x93594
Snippet name: CTB_Locker__Injection
Snippet description: CTB-Locker::Injection function

[SNIPPET DETECTOR] Semantic match at 0x9363F
Snippet name: CTB_Locker_SearchProcessToInjectCodeAndInject
Snippet description: CTB-Locker::SearchProcessToInjectCodeAndInject search the right process for the code injection

[SNIPPET DETECTOR] Semantic match at 0x93D38
Snippet name: CTB_Locker__SearchStringInsideList
Snippet description: CTB-Locker::SearchStringInsideList searches for a specific string inside a list

[SNIPPET DETECTOR] Semantic match at 0xDD450
Snippet name: CTB_Locker__MemoryClear
Snippet description: CTB-Locker::MemoryClear

[SNIPPET DETECTOR] 2 syntactic snippet, 31 semantic snippet and 0 multiple matches has been found

Well, seems like nothing has changed inside the core of the malware. I can stop my analysis.

You can download the CTB-Locker local database for Snippet Detector here and try yourself.