2014-12-28 - Geo-Focus
Critroni += NL and IT += DE += ES
CTB Locker += NL & IT |
Studying the Revslider infection schemes, I got redirected through the "Revslider Case 3" path (cf. the Sucuri blog post) to Nuclear Pack.
Revslider Case 3 - Path to Nuclear Pack delivering Critroni 2014-12-28 |
Decoded payload: 10f0eaa794f48ad0b15034e0683cb15f
It's CTB Locker aka Critroni.
What is new to me here is the random extension given to the encrypted files:
Encoded RTF with unique extension |
Files dropped in MyDocuments (background wallpaper and decryption explanation) |
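A defender-side heuristic for the two traits shown above (many files rewritten under one unknown, random-looking extension, plus explanation files dropped into Documents), added here as an example and not code from the original post; the extension format, the allow-list of normal extensions, the note file names and the directory listing are all assumptions and constructed for the example:

```python
import ntpath
from collections import Counter

# Extensions normally expected in a user's Documents folder (assumed allow-list, not from the post).
KNOWN_EXT = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt",
             "jpg", "jpeg", "png", "bmp", "gif", "zip", "odt", "ods"}

def extension_of(path):
    """Lower-cased final extension without the dot ('' if none); handles Windows-style paths."""
    return ntpath.splitext(ntpath.basename(path))[1].lstrip(".").lower()

def looks_random(ext):
    """Assumed heuristic: unknown, 5+ alphanumeric chars, and either digit-bearing or 7+ chars long."""
    if ext in KNOWN_EXT or len(ext) < 5 or not ext.isalnum():
        return False
    return any(c.isdigit() for c in ext) or len(ext) >= 7

def dominant_unknown_extension(paths, min_files=5, min_share=0.5):
    """Return (ext, count) when one random-looking extension covers at least
    min_files files and at least min_share of the whole listing, else None."""
    counts = Counter(extension_of(p) for p in paths)
    total = sum(counts.values())
    for ext, n in counts.most_common():
        if looks_random(ext) and n >= min_files and n / total >= min_share:
            return ext, n
    return None

def note_files(paths):
    """Files whose name mentions decryption: the explanation file dropped next to
    the encrypted data (name pattern assumed, the real file name is not on the page)."""
    return [p for p in paths if "decrypt" in ntpath.basename(p).lower()]

def assess(paths):
    """Combine both signals: a mass rename AND a dropped explanation file."""
    dom = dominant_unknown_extension(paths)
    notes = note_files(paths)
    return {"mass_rename": dom, "notes": notes, "suspect": dom is not None and bool(notes)}

# Constructed directory listing (not taken from the post): six user files share one new extension.
SAMPLE = [
    r"C:\Users\alice\Documents\report.docx.hkq7zpa",
    r"C:\Users\alice\Documents\budget.xlsx.hkq7zpa",
    r"C:\Users\alice\Documents\thesis.pdf.hkq7zpa",
    r"C:\Users\alice\Documents\notes.txt.hkq7zpa",
    r"C:\Users\alice\Documents\photo.jpg.hkq7zpa",
    r"C:\Users\alice\Documents\scan.png.hkq7zpa",
    r"C:\Users\alice\Documents\your_files_decrypt_info.txt",
    r"C:\Users\alice\Documents\desktop_wallpaper.bmp",
]
CLEAN = [r"C:\Users\alice\Documents\report.docx", r"C:\Users\alice\Documents\budget.xlsx"]

if __name__ == "__main__":
    print(assess(SAMPLE))  # mass_rename=('hkq7zpa', 6), one note file, suspect=True
```

Thresholds are deliberately conservative so that a single oddly named file does not trip the check; tune min_files and min_share to the size of the directories you monitor.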
And the integration of two languages: NL and IT.
Critroni - First Screen NL 2014-12-28 |
Critroni - First Screen IT 2014-12-28 |
Critroni - Test Explanation - NL 2014-12-28 |
Critroni - Test Explanation - IT 2014-12-28 |
Critroni - Decryption Test - NL 2014-12-28 |
Bitcoin Address Screen - NL 1AjhFhf7rE2V3sKmTxoK7t6M7aaymTrt5G |
BTC explanation - NL 2014-12-28 |
[Edit 2015-01-17]
+= DE
Critroni / CTB Locker in German - 2015-01-17 |
Critroni - German 2015-01-17 |
[/edit]
CTB Locker - FR |
Files: Critroni_NL_IT.zip (Fiddler and payload)
+= DE version (sample: 82f941fbd483e0684daed99f006488f1)
+= FR ES LV version (sample: f251200975ae1eb1df4fab9c1b715b77 - 2015-02-22)