Ransom:Win32/Cribit.A

Installation

Trojan:Win32/Cribit.A drops itself into the %APPDATA% folder using a random file name of length 5 to 15 characters. For example, one file we looked at was named %APPDATA%\ylohf.exe.

It also creates the following registry entry so that it automatically runs every time Windows starts:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Bitcomint"
With data: "%APPDATA%\<malware file name>.exe"

For example:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Bitcomint"
With data: "%APPDATA%\ylohf.exe"

It also drops these files as part of its installation process:

• bitcrypt.ccw - malware configuration file
• del.bat - batch file that it uses to run itself; once it has done its malicious routine, it again uses this file to delete itself so that it leaves no trace in your PC

Payload

Prevents you from running Task Manager and Registry Editor

Trojan:Win32/Cribit.A continuously checks to see if either of these processes are running, and if so, terminates them:

• taskmgr.exe (Task Manager)
• regedit.exe (Registry Editor)

Prevents you from starting in Safe Mode

This threat deletes these registry keys. Without these registry keys and settings, you cannot restart your PC in Safe Mode:

• HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
• HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

It also runs these commands:

<system folder>\cmd.exe" /K bcdedit /set {bootmgr} displaybootmenu no - this command prevents Windows from displaying the Windows Boot Manager
<system folder>\cmd.exe" /K bcdedit /set {default} bootstatuspolicy ignoreallfailures - this command disables Windows System Recovery when you start up your PC

Encrypts files

Trojan:Win32/Cribit.A looks for files with these extensions in all disk drives:

• *.abw
• *.arj
• *.asm
• *.bpg
• *.cdr
• *.cdt
• *.cer
• *.css
• *.dbt
• *.dbx
• *.dfm
• *.djv
• *.djvu
• *.doc
• *.docm
• *.docx
• *.dpk
• *.dpr
• *.frm
• *.gz
• *.jpeg
• *.jpg
• *.key
• *.lzh
• *.lzo
• *.mdb
• *.mde
• *.odc
• *.pab
• *.pas
• *.pdf
• *.pgp
• *.php
• *.pps
• *.ppt
• *.pst
• *.rtf
• *.sql
• *.text
• *.txt
• *.vbp
• *.wri
• *.xfm
• *.xl
• *.xlc
• *.xlk
• *.xls
• *.xlsm
• *.xlw
• *.xsf
• *.xsn
• *.cdx
• *.dbf
• *.js
• *.vsd
• *.xlsx

For each file it finds, it encrypts the file with an AES key. The encrypted file has the extension .bitcrypt or .bitcrypt2.

Trojan:Win32/Cribit.A drops its ransom note as the file bitcrypt.txt into every folder that it encrypts files in.

Once it has encrypted all target files, it opens its ransom note and changes your desktop background to the following (note that the cut-off text is by design):

Analysis by Karthik Selvaraj