Ransom:Win32/Simlosap (alias Cryakl)

[Aerosol]

Cryptographic ransom. Delivered via email.

Smart install maker -> Delphi. In attach dropper and extracted ransom. Installs to %Program Files%, runs via HKLM Run key.

Used https://github.com/SnakeDoctor/FGInt

Changing desktop wallpaper to it own with ransom message. Wallpaper can be found inside ransom resources.

Email: trojanencoder@aol.com

Target extensions

qic:wps:r3d:rwl:rx2:p12:sbs:sldasm:wps:sldprt:odc:odb:old:nbd:nx1:nrw:orf:ppt:mov:mpeg:csv:mdb:cer:arj:ods:mkv:avi:odt:pdf:docx:gzip:m2v:cpt:raw:cdr:3gp:7z:rar:db3:zip:xlsx:xls:rtf:doc:jpeg:jpg:

accdb:abf:a3d:asm:fbx:fbw:fbk:fdb:fbf:max:m3d:ldf:keystore:iv2i:gbk:gho:sn1:sna:spf:sr2:srf:srw:tis:tbl:x3f:ods:pef:pptm:txt:pst:ptx:pz3:odp:

Autoelevate in loop

 pExecInfo.cbSize = 60;
  pExecInfo.hwnd = GetFocus();
  pExecInfo.fMask = 1280;
  pExecInfo.lpVerb = "runas";
  pExecInfo.lpFile = (LPCSTR)sub_404E98();
  pExecInfo.lpParameters = (LPCSTR)sub_404E98();
  pExecInfo.nShow = 1;
  while ( !ShellExecuteExA(&pExecInfo) )
    Sleep_0(0x7D0u);

VT

https://www.virustotal.com/en/file/add92cb6047f2fb412dcbcb5a2d8ee7fad56091ccd6667105d977b010a33b561/analysis/1433824692/

https://www.virustotal.com/en/file/94f36b586379137a58862ca46cd1cd6c01c20ea9f56755f7b193f0c97b7a57bd/analysis/1433824702/

Derivative of this

https://securelist.ru/blog/issledovaniya/24070/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/ ( use google translate )

Download

pass:

infected

Source

Edited June 9, 2015 by Aerosol