
CryptoLocker (Trojan:Win32/Crilock.A)

Original post by Fabian Wosar » Tue Sep 10, 2013 9:29 am


Hi everyone,
Looks like there has been a new crypto malware on the loose for the past 2 - 3 days. The malware is referred to by its author as "CryptoLocker". Microsoft adopted the name Crilock. Sample is attached. Here are a few notes that I gathered so far. I am currently sick with the flu so take this information with a grain of salt:


  • Connection with the C&C server is established through either a hardcoded IP (, which is down now) or, if that fails, through a domain generation algorithm located at 0x40FDD0 and seeded by GetSystemTime. At this time I found that and are both active and point to
  • The communication channel uses POST to the /home/ directory of the C&C server. The data is encrypted using RSA. The public key can be found at offset 0x00010da0 inside the malware file.
  • On first contact, the malware will send in an information string containing the malware version, the system language, as well as an id and a group id. In return, it receives an RSA public key. In my case this has been:
    -----BEGIN PUBLIC KEY-----

    The key is saved inside the HKCU\Software\CryptoLocker key. If you want to capture the key on your system, the easiest way to do so is to break on CryptStringToBinaryA.

  • The malware targets files using the following search masks:
    *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

    The encryption used to encrypt files matching these masks is a mix of RSA and AES. Essentially the malware will generate a new AES-256 key for each file it is going to encrypt. The key is then used to encrypt the content of the file. The AES key itself is then encrypted using the public RSA key obtained from the server. The RSA-encrypted blob is then stored together with the encrypted file content inside the encrypted file. As a result, encrypted files are slightly larger than their originals. Last but not least, the malware records the files it encrypted inside the HKCU\Software\CryptoLocker\Files key. Value names are the file paths where "\" has been replaced with "?". I haven't looked into the meaning of the DWORD value yet.

Feel free to add anything you find that I haven't covered in my notes yet. At least from what I can tell so far, decryption without paying the ransom is not feasible.

VirusTotal results: ... /analysis/
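The post gives two facts a responder can act on right away: the search masks the malware uses to pick files, and the HKCU\Software\CryptoLocker\Files key whose value names are the encrypted paths with "\" replaced by "?". The script below is an added example, not part of Fabian Wosar's post or the malware: it takes a registry export of that key (the "name"=dword:... line format of a regedit export is assumed), restores the original paths, matches them against the masks quoted above, and groups them by directory so the affected folders can be restored from backup. The export text itself is constructed for the example.

```python
import fnmatch
import ntpath

# File search masks exactly as listed in the post. "*" matches any run of
# characters and "?" exactly one, so "????????.jpg" matches only eight-character
# names such as DSC_0042.jpg, and "img_*.jpg" only names starting with "img_".
CRYPTOLOCKER_MASKS = (
    "*.odt *.ods *.odp *.odm *.odc *.odb *.doc *.docx *.docm *.wps *.xls *.xlsx "
    "*.xlsm *.xlsb *.xlk *.ppt *.pptx *.pptm *.mdb *.accdb *.pst *.dwg *.dxf *.dxg "
    "*.wpd *.rtf *.wb2 *.mdf *.dbf *.psd *.pdd *.eps *.ai *.indd *.cdr ????????.jpg "
    "????????.jpe img_*.jpg *.dng *.3fr *.arw *.srf *.sr2 *.bay *.crw *.cr2 *.dcr "
    "*.kdc *.erf *.mef *.mrw *.nef *.nrw *.orf *.raf *.raw *.rwl *.rw2 *.r3d *.ptx "
    "*.pef *.srw *.x3f *.der *.cer *.crt *.pem *.pfx *.p12 *.p7b *.p7c"
).split()

# Registry key named in the post, written the way regedit exports it.
FILES_KEY = r"HKEY_CURRENT_USER\Software\CryptoLocker\Files"

# Constructed sample of a regedit-style export (assumed format, not a real capture).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CryptoLocker]
"ConstructedValue"="placeholder"

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:?Users?alice?Documents?budget.xlsx"=dword:00000001
"C:?Users?alice?Pictures?DSC_0042.jpg"=dword:00000001
"C:?Users?alice?Pictures?holiday.jpg"=dword:00000001
"D:?Shares?legal?contract.docx"=dword:00000001
"""


def value_name_to_path(value_name: str) -> str:
    """Undo the substitution described in the post: value names are file paths
    with every "\\" replaced by "?". "?" cannot appear in a Windows path, so the
    reverse mapping is unambiguous."""
    return value_name.replace("?", "\\")


def matches_target_mask(path: str) -> bool:
    """True if the file name part of `path` matches one of the search masks.
    Matching is case-insensitive on the basename only, and on the restored
    path, so the "?" separators never collide with the "?" wildcard."""
    name = ntpath.basename(path).lower()
    return any(fnmatch.fnmatchcase(name, mask) for mask in CRYPTOLOCKER_MASKS)


def encrypted_files_from_reg_export(reg_text: str) -> list:
    """Collect the value names under the Files key from an export and return
    them as restored paths. Values under other keys are ignored."""
    paths = []
    in_section = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[" + FILES_KEY + "]"
            continue
        if in_section and line.startswith('"') and '"=' in line:
            value_name = line[1:line.index('"=')]
            paths.append(value_name_to_path(value_name))
    return paths


def restore_plan(paths: list) -> tuple:
    """Group recorded files by directory so each folder can be restored from
    backup in one pass. Also report recorded names that match none of the
    listed masks: those would mean the mask list is incomplete for this sample."""
    by_dir = {}
    unexpected = []
    for path in paths:
        by_dir.setdefault(ntpath.dirname(path), []).append(ntpath.basename(path))
        if not matches_target_mask(path):
            unexpected.append(path)
    return by_dir, unexpected


if __name__ == "__main__":
    recorded = encrypted_files_from_reg_export(SAMPLE_REG_EXPORT)
    folders, odd = restore_plan(recorded)
    for folder, names in sorted(folders.items()):
        print(folder, "->", ", ".join(names))
    print("not matching any listed mask:", odd)
```

The mask check is deliberately run on the restored path rather than on the raw value name: with the "?" separators still in place, fnmatch would treat them as single-character wildcards and the match would be meaningless. On a live system the same functions apply to value names read with `winreg` instead of a text export.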
