While I was checking my junk e-mail folder I found something resembling a CTB-Locker e-mail. The e-mail text is in Italian, without typos. Opening the attachment inside a safe environment, I recognized the same infection method: everything starts from the Word file (this time in French) executed by the exe file inside the attached Zip (SHA256: BF0ED6937D3B8A882FCB4EB9F22B5B69FB1ED4E35F2692BF3B7C8CFBD7266543). The only thing I haven't seen before is that the exe file uses the .NET library. I decided to go a little deeper into the file analysis, raw dumping the running malware at two random points. Applying Snippet Detector I got the following results for the two dumps:
First dump:
[SNIPPET DETECTOR] Semantic match at 0x401C44 Snippet name: CTB_Locker__DecryptDownloadedExeFile Snippet description: CTB-Locker::DecryptDownloadedExeFile decrypts the file downloaded from the net
[SNIPPET DETECTOR] Semantic match at 0x401CBF Snippet name: CTB_Locker__ShowErrorAndExitProcess Snippet description: CTB-Locker::ShowErrorAndProcessEnd is called when an error occurs. It format the error message, it shows it and then it terminates the malware
[SNIPPET DETECTOR] Semantic match at 0x401E90 Snippet name: CTB_Locker__CabinetCallback Snippet description: CTB-Locker::CabinetCallback used to format the .rtf complete file path
[SNIPPET DETECTOR] Semantic match at 0x401F4B Snippet name: CTB_Locker__MoveUnicodeString Snippet description: CTB-Locker::MoveUnicodeString moves one unicode string into another buffer
[SNIPPET DETECTOR] Syntactic match at 0x40242D Snippet name: CTB_Locker__ChecksumOverDecryptedExeFile Snippet description: CTB-Locker::ChecksumOverDecryptedExeFile applies a checksum over a sequence of bytes
[SNIPPET DETECTOR] 1 syntactic snippet, 4 semantic snippet and 0 multiple matches has been found
Second dump:
[SNIPPET DETECTOR] Semantic match at 0xC58F Snippet name: CTB_Locker__UnicodeStringCompare Snippet description: CTB-Locker::UnicodeStringCompare
[SNIPPET DETECTOR] Semantic match at 0x1CDF3 Snippet name: CTB_Locker__AESDecrypt Snippet description: CTB_Locker__AESDecrypt decrypts applying the AES algo.
[SNIPPET DETECTOR] Semantic match at 0x1F9B8 Snippet name: CTB_Locker__SHA256 Snippet description: CTB-Locker::SHA256 hash function
[SNIPPET DETECTOR] Semantic match at 0x2A5DA Snippet name: CTB_Locker__AESEncrypt Snippet description: CTB-Locker::AESEncrypt encrypts applying the AES algo.
[SNIPPET DETECTOR] Semantic match at 0x2CF31 Snippet name: CTB_Locker__AESEncryptExpandKey Snippet description: CTB-Locker::AESEncryptExpandKey function used at the beginning of the AES encryption process
[SNIPPET DETECTOR] Semantic match at 0x33A0C Snippet name: CTB_Locker__AESDecryptExpandKey Snippet description: CTB-Locker::AESDecryptExpandKey function used at the beginning of the AES decryption process.
[SNIPPET DETECTOR] Semantic match at 0x43BD0 Snippet name: CTB_Locker__ZLibDecompress Snippet description: CTB-Locker::ZLibDecompress
[SNIPPET DETECTOR] Semantic match at 0x683F7 Snippet name: CTB_Locker__Curve_25519 Snippet description: CTB-Locker::Curve_25519 crypto
[SNIPPET DETECTOR] Semantic match at 0x8D3F0 Snippet name: CTB_Locker__MoveExtensionsFileIntoSeparateBuffers Snippet description: CTB-Locker::MoveExtensionsFileIntoSeparateBuffers
[SNIPPET DETECTOR] Syntactic match at 0x8D487 Snippet name: CTB_Locker__UnicodeStringAppend Snippet description: CTB-Locker::UnicodeStringAppend
[SNIPPET DETECTOR] Semantic match at 0x8D4B0 Snippet name: CTB_Locker__GenSecretAndPublicKeys Snippet description: CTB-Locker::GenSecretAndPublicKeys generates two distinct keys for a future use.
[SNIPPET DETECTOR] Semantic match at 0x8D5F0 Snippet name: CTB_Locker__CRCChecksum Snippet description: CTB-Locker::CRCChecksum, crc checksum used by CTB-Locker
[SNIPPET DETECTOR] Semantic match at 0x8D624 Snippet name: CTB_Locker__GetMachineGUIDMultibyte Snippet description: CTB_Locker__GetMachineGUIDMultibyte converts the machineGUID into multibyte
[SNIPPET DETECTOR] Semantic match at 0x8D876 Snippet name: CTB_Locker__TryToDecryptCandidateFile Snippet description: CTB-Locker::TryToDecryptCandidateFile tries to decrypt a file using one of the available keys
[SNIPPET DETECTOR] Semantic match at 0x8D92C Snippet name: CTB_Locker__DecryptWithPrivateKey Snippet description: CTB-Locker::DecryptWithPrivateKey using elliptic curve, sha256, AES and ZLib decompression algo
[SNIPPET DETECTOR] Semantic match at 0x8DCD2 Snippet name: CTB_Locker__DetectVM Snippet description: CTB_Locker__DetectVM tries to detect VM. Return 1 if VM is detected, 0 otherwise
[SNIPPET DETECTOR] Semantic match at 0x8E090 Snippet name: CTB_Locker__GetSytemFileProcessesVMInfo Snippet description: CTB-Locker::GetSytemFileProcessesVMInfo performs some checks over the malware file, the system and the VM
[SNIPPET DETECTOR] Semantic match at 0x8E32E Snippet name: CTB_Locker__CreateInitialPartOfHIDDENINFO Snippet description: CTB-Locker::CreateInitialPartOfHIDDENINFO create the initial part of the HiddenInfo file
[SNIPPET DETECTOR] Semantic match at 0x8E567 Snippet name: CTB_Locker__RenderTextOverButton Snippet description: CTB_Locker__RenderTextOverButton writes a specific text over the dialog button
[SNIPPET DETECTOR] Semantic match at 0x8E85C Snippet name: CTB_Locker__RenderInfoTextOnTheDialog Snippet description: CTB-Locker::RenderInfoTextOnTheDialog
[SNIPPET DETECTOR] Semantic match at 0x8EE52 Snippet name: CTB_Locker__RenderGUIDialog Snippet description: CTB-Locker::RenderGUIDialog
[SNIPPET DETECTOR] Semantic match at 0x8F28D Snippet name: CTB_Locker__ShowCTBLockerDialogWindow Snippet description: CTB-Locker::ShowCTBLockerDialogWindow shows one of the CTB-Locker dialogs
[SNIPPET DETECTOR] Syntactic match at 0x8F3AA Snippet name: CTB_Locker__CreateRandomSevenCharsUnicodeStringFromDwordValue Snippet description: CTB-Locker::CreateRandomSevenCharsUnicodeStringFromDwordValue
[SNIPPET DETECTOR] Semantic match at 0x8F3D0 Snippet name: CTB_Locker__ParseResponseFromServer Snippet description: CTB_Locker__ParseResponseFromServer parses the reply obtained from the server
[SNIPPET DETECTOR] Semantic match at 0x90455 Snippet name: CTB_Locker__DecryptHiddenInfoFile Snippet description: CTB-Locker::DecryptHiddenInfoFile decrypts the HiddenInfo file
[SNIPPET DETECTOR] Semantic match at 0x904D7 Snippet name: CTB_Locker__DecryptHiddenInfo Snippet description: CTB-Locker::DecryptHiddenInfo, HiddenInfo file decryption routine
[SNIPPET DETECTOR] Semantic match at 0x9054E Snippet name: CTB_Locker__EncryptHiddenInfo Snippet description: CTB-Locker::EncryptHiddenInfo using AES
[SNIPPET DETECTOR] Semantic match at 0x91156 Snippet name: CTB_Locker__CreateBitmapImage Snippet description: CTB-Locker::CreateBitmapImage creates a bitmap image
[SNIPPET DETECTOR] Semantic match at 0x9354B Snippet name: CTB_Locker__IsProcessUnderWow64Process Snippet description: CTB_Locker__IsProcessUnderWow64Process checks to see if the process runs under Wow64Process or not
[SNIPPET DETECTOR] Semantic match at 0x93594 Snippet name: CTB_Locker__Injection Snippet description: CTB-Locker::Injection function
[SNIPPET DETECTOR] Semantic match at 0x9363F Snippet name: CTB_Locker_SearchProcessToInjectCodeAndInject Snippet description: CTB-Locker::SearchProcessToInjectCodeAndInject search the right process for the code injection
[SNIPPET DETECTOR] Semantic match at 0x93D38 Snippet name: CTB_Locker__SearchStringInsideList Snippet description: CTB-Locker::SearchStringInsideList searches for a specific string inside a list
[SNIPPET DETECTOR] Semantic match at 0xDD450 Snippet name: CTB_Locker__MemoryClear Snippet description: CTB-Locker::MemoryClear
[SNIPPET DETECTOR] 2 syntactic snippet, 31 semantic snippet and 0 multiple matches has been found
Well, it seems like nothing has changed inside the core of the malware. I can stop my analysis here.
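Reading the two reports by hand is error-prone once a dump produces thirty-odd matches, so here is a small parser for the Snippet Detector output format shown above (added example code, not part of Snippet Detector or of the original post). It uses the first dump's report, copied from the post, as its sample input; the record splitting on the "[SNIPPET DETECTOR]" prefix, the consistency check against the tool's closing count line and the routine-coverage check are this example's own additions.

```python
import re
from collections import Counter

# Sample input, copied from the post: the Snippet Detector report for the first memory dump
# (the second is omitted for length). The parsing code is an added example, not the tool's.
REPORT = (
    "[SNIPPET DETECTOR] Semantic match at 0x401C44 Snippet name: CTB_Locker__DecryptDownloadedExeFile "
    "Snippet description: CTB-Locker::DecryptDownloadedExeFile decrypts the file downloaded from the net "
    "[SNIPPET DETECTOR] Semantic match at 0x401CBF Snippet name: CTB_Locker__ShowErrorAndExitProcess "
    "Snippet description: CTB-Locker::ShowErrorAndProcessEnd is called when an error occurs. It format "
    "the error message, it shows it and then it terminates the malware "
    "[SNIPPET DETECTOR] Semantic match at 0x401E90 Snippet name: CTB_Locker__CabinetCallback "
    "Snippet description: CTB-Locker::CabinetCallback used to format the .rtf complete file path "
    "[SNIPPET DETECTOR] Semantic match at 0x401F4B Snippet name: CTB_Locker__MoveUnicodeString "
    "Snippet description: CTB-Locker::MoveUnicodeString moves one unicode string into another buffer "
    "[SNIPPET DETECTOR] Syntactic match at 0x40242D Snippet name: CTB_Locker__ChecksumOverDecryptedExeFile "
    "Snippet description: CTB-Locker::ChecksumOverDecryptedExeFile applies a checksum over a sequence of bytes "
    "[SNIPPET DETECTOR] 1 syntactic snippet, 4 semantic snippet and 0 multiple matches has been found"
)
MATCH_RE = re.compile(r"(?P<kind>Semantic|Syntactic) match at (?P<addr>0x[0-9A-Fa-f]+)"
                      r" Snippet name: (?P<name>\S+) Snippet description: (?P<desc>.*)", re.S)
SUMMARY_RE = re.compile(r"(?P<syntactic>\d+) syntactic snippet, (?P<semantic>\d+) semantic snippet"
                        r" and (?P<multiple>\d+) multiple matches")

def parse_report(text):
    """Split on the tool's prefix (works for one-record-per-line or run-together text)
    and return (list of match dicts, dict of the closing counts or None)."""
    matches, summary = [], None
    for record in map(str.strip, text.split("[SNIPPET DETECTOR]")):
        if m := MATCH_RE.match(record):
            matches.append({**m.groupdict(), "addr": int(m["addr"], 16)})
        elif s := SUMMARY_RE.match(record):
            summary = {k: int(v) for k, v in s.groupdict().items()}
    return matches, summary

def summary_is_consistent(matches, summary):
    """Cross-check the tool's closing count line against the records actually parsed."""
    counts = Counter(m["kind"].lower() for m in matches)
    return summary is not None and all(counts[k] == summary[k] for k in ("syntactic", "semantic"))

def missing_routines(matches, expected):
    """Database routine names that did not match in this dump: a changed routine, or one
    that is simply not unpacked yet (the first dump is the downloader stage, not the core)."""
    return sorted(set(expected) - {m["name"] for m in matches})

if __name__ == "__main__":
    matches, summary = parse_report(REPORT)
    for m in sorted(matches, key=lambda r: r["addr"]):
        print(f"{m['addr']:#010x}  {m['kind']:<9}  {m['name']}")
    print("summary consistent:", summary_is_consistent(matches, summary))
    print("not seen:", missing_routines(matches, ["CTB_Locker__AESEncrypt", "CTB_Locker__CabinetCallback"]))
```

Running the same parser over both dumps and diffing the name sets is a quick way to confirm the "nothing has changed in the core" conclusion on a new sample: core routines (AES, SHA256, Curve_25519, DetectVM, Injection) that stop matching are the ones worth a manual look.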
You can download the CTB-Locker local database for Snippet Detector here and try it yourself.