New "CryptoLocker" samples; bypass CryptoPrevent?

For testing and training purposes, discuss where to obtain malware, and/or provide your own samples.
Forum rules
ALWAYS start a NEW thread for a NEW topic, or for a DIFFERENT malware sample than the thread is actually about.
ALWAYS zip your malware samples with a password and name it in the file comment, recommend: infected
NEVER post a working URL to download malware, always break it by replacing the HTTP:// with HXXP:// or similar, so that it can't be clicked on by accident!

Postby SimonZerafa » Tue Mar 04, 2014 6:05 am

Hi Nick,

Two new samples of CryptoLocker (or something that calls itself that and does a similar job) here:

https://dl.dropboxusercontent.com/u/321 ... le%20A.zip
https://dl.dropboxusercontent.com/u/321 ... le%20B.zip

[ Password for both is "infected" sans quotes - Take care when downloading or examining! :-) ]

These two samples are reported to bypass CryptoPrevent by running from the "Start Up" folders for ALL users (including SYSTEM level ones).

I haven't verified this myself as yet; I'll try to run these in a contained environment as soon as I can.

Thought you might like to take a look and see if you can update CryptoPrevent to work around this new version (if possible).

Kind Regards

Simon Zerafa
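As an added defender-side check, not part of Simon's or Nick's posts, the script below lists the contents of every profile's Startup folder on a machine, including the SYSTEM, LocalService and NetworkService profiles that per-user protections tend to overlook, so the claim above can be verified on an isolated test box. It derives the profile paths from the ProfileList registry key and adds the common (all-users) Startup folder; run it elevated, it is read-only.

```powershell
# Added example: enumerate every Startup folder that runs at logon,
# including service profiles (systemprofile, LocalService, NetworkService).
# Read-only audit; run from an elevated PowerShell 4.0+ session.
$startupSuffix = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'

# Per-profile roots from ProfileList, so SYSTEM-level profiles are covered too.
$profileRoots = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
    ForEach-Object {
        $p = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        [Environment]::ExpandEnvironmentVariables($p)
    }

$folders = @()
$folders += $profileRoots | ForEach-Object { Join-Path $_ $startupSuffix }
# Common (all-users) Startup folder.
$folders += Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'
# 32-bit view of the SYSTEM profile on 64-bit Windows.
$folders += Join-Path $env:SystemRoot "SysWOW64\config\systemprofile\$startupSuffix"

$results = foreach ($f in ($folders | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    # -Force includes hidden/system files, where droppers often hide.
    Get-ChildItem -LiteralPath $f -Force -File | ForEach-Object {
        [pscustomobject]@{
            Folder   = $f
            Name     = $_.Name
            SizeKB   = [math]::Round($_.Length / 1KB, 1)
            Modified = $_.LastWriteTime
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Signed   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    }
}

# Anything beyond desktop.ini and shortcuts you recognise deserves a closer look;
# an executable in a service profile's Startup folder is never normal.
$results | Where-Object { $_.Name -ne 'desktop.ini' } |
    Sort-Object Modified -Descending | Format-Table -AutoSize
```

Compare the SHA256 column against the hashes of the submitted samples after detonation to confirm where they installed themselves.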

Re: New "CryptoLocker" samples; bypass CryptoPrevent?

Postby Nick » Wed Mar 05, 2014 11:05 am

Thanks Simon! The last one I had was from Feb 10th. I will check these out ASAP.

Moved to the Malware Exchange forum, where malware samples should be shared. My fault for not posting a rule or anything, but I want to keep malware samples posted to this forum only, which is not indexed by bots and the like, to keep some security 'features' from flagging the forums as potentially malicious.
Author of d7/d7II and other PC technician's tools. http://www.FoolishIT.com

