# CryptoLocker Ransomware

**secureworks.com/research/cryptolocker-ransomware**

By: Keith Jarvis

Wednesday, December 18, 2013

## Background

In mid-September 2013, the [SecureWorks® CTU™ security intelligence research team](https://www.secureworks.com/about/counter-threat-unit), a thought leader in IT Security services, observed a new ransomware malware family called CryptoLocker. Ransomware malware such as Reveton, Urausy, Tobfy, and Kovter has cost consumers considerable time and money over the past several years. Ransomware prevents victims from using their computer normally (e.g., by locking the screen) and uses social engineering to convince victims that failing to follow the malware authors' instructions will lead to real-world consequences. These consequences, such as owing a fine or facing arrest and prosecution, are presented as the result of a fabricated indiscretion like pirating music or downloading illegal pornography.

Victims of these traditional forms of ransomware could ignore the demands and use security software to unlock the system and remove the offending malware. CryptoLocker changes this dynamic by aggressively encrypting files on the victim's system and returning control of the files to the victim only after the ransom is paid.

## Infection vector

The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States, either by a version of CryptoLocker that has not been analyzed as of this publication, or by a custom downloader created by the same authors.

Early versions of CryptoLocker were distributed through spam emails targeting business professionals (as opposed to home Internet users). The lure was often a "consumer complaint" against the email recipient or their organization.
Attached to these emails was a ZIP archive with a random alphabetical filename containing 13 to 17 characters. Only the first character of the filename is capitalized. The archive contained a single executable with the same filename as the ZIP archive but with an EXE extension. Table 1 lists several examples observed by CTU researchers.

| Compressed archive | Included executable file |
|---|---|
| Jcgnbunudberrr.zip | Jcgnbunudberrr.exe |
| Lmpjxmvheortt.zip | Lmpjxmvheortt.exe |
| Icmcobxksjghdlnnt.zip | Icmcobxksjghdlnnt.exe |
| Gfaiqhgtqakbxlbf.zip | Gfaiqhgtqakbxlbf.exe |

_Table 1. Filenames of email-delivered malware samples._

On October 7, 2013, CTU researchers observed CryptoLocker being distributed by the peer-to-peer (P2P) Gameover Zeus malware in a typical pay-per-installation arrangement. In this case, Gameover Zeus was distributed by the Cutwail spam botnet using lures consistent with previous malware distribution campaigns. Figure 1 shows a phishing email delivered by Cutwail on October 7, 2013. Attached to the message is a ZIP archive containing a small (approximately 20KB) executable using a document extension in the filename and displaying an Adobe Reader icon. This Upatre malware downloads and executes Gameover Zeus, which in turn downloads and installs other malware families including CryptoLocker.

_Figure 1. Spam email containing the Upatre downloader. (Source: Dell SecureWorks)_

As of this publication, Gameover Zeus remains the primary method of distributing CryptoLocker. In addition to being distributed by Cutwail, Gameover Zeus has also been distributed by the Blackhole and Magnitude exploit kits.

## Execution and persistence

CryptoLocker hides its presence from victims until it has successfully contacted a command and control (C2) server and encrypted the files located on connected drives. Prior to these actions, the malware ensures that it remains running on infected systems and that it persists across reboots.
When first executed, the malware creates a copy of itself in either %AppData% or %LocalAppData%. CryptoLocker then deletes the original executable file.

CryptoLocker then creates an autorun registry key:

```
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CryptoLocker":.exe
```

Some versions of CryptoLocker create an additional registry entry:

```
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker":.exe
```

The asterisk at the beginning of the key name ensures that the malware executes even if the system is restarted in "safe mode."

Additional configuration data is stored in the following registry key:

```
HKCU\SOFTWARE\CryptoLocker or HKCU\SOFTWARE\CryptoLocker_0388
```

The VersionInfo value stored within this key contains configuration data encoded with the XOR key 0x819C33AE. The PublicKey value contains the RSA public key received from the C2 server during the initial network connection.

The executable files in early CryptoLocker samples used a random filename formatted like a GUID:

```
{71257279-042B-371D-A1D3-FBF8D2FADFFA}.exe
```

However, the executable files in recent samples use the naming pattern shown in the second column of Table 1.

## Network

Several early versions of CryptoLocker, thought to be part of a beta testing phase, included code to connect to 184.164.136.134. This IP address is located in a PhoenixNAP datacenter in Arizona, but it was likely under the administrative control of [Jolly Works Hosting](http://blog.dynamoo.com/2013/07/jolly-works-hosting-is-it-really-jolly.html). As of this publication, this IP address is no longer active, and CryptoLocker samples released since mid-September no longer reference it.

The malware's network communications use an internal domain generation algorithm (DGA) that produces 1,000 potential C2 domain addresses per day. The domain names contain 12 to 15 alphabetical characters and are within one of seven possible top-level domains (TLDs): com, net, org, info, biz, ru, and co.uk.
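The registry artifacts from the Execution and persistence section and the DGA shape just described are the two hooks a responder can check for without a sample in hand. The following script is an added example, not code from SecureWorks or from the article: it scans a `reg export`-style text dump for the Run/RunOnce values, the HKCU\SOFTWARE\CryptoLocker configuration key and GUID-named autorun executables, and scans a simple DNS query log for DGA-shaped names (12 to 15 ASCII letters under one of the seven TLDs; the article also notes the algorithm never produces a 'z') plus a few C2 names taken from the article's indicator table. The registry dump, the log format (`time client qname rcode`), the client addresses and the DGA-shaped lookups in the log are constructed for the example, and the threshold of three DGA-shaped lookups per client is an arbitrary starting point, not a figure from the article.

```python
"""Added example (not part of the SecureWorks analysis): flag the CryptoLocker
persistence artifacts and DGA-shaped C2 lookups described above. The registry
dump and the DNS log are constructed samples."""
import re

# --- Host side: registry artifacts named in the article -------------------
AUTORUN_VALUES = {  # key -> value name the malware writes (paths from the page)
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "CryptoLocker",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce": "*CryptoLocker",
}
CONFIG_KEY_RE = re.compile(r"^HKCU\\SOFTWARE\\CryptoLocker(_0388)?$", re.I)
# Early samples used a GUID-style executable name, e.g. {71257279-...}.exe
GUID_EXE_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe", re.I)

def scan_reg_export(text):
    """Return (kind, detail) findings from a `reg export`-style text dump."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].replace("HKEY_CURRENT_USER", "HKCU", 1)
            if CONFIG_KEY_RE.match(key):
                findings.append(("config-key", key))
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, data = m.groups()
        if AUTORUN_VALUES.get(key) == name:
            findings.append(("autorun", f"{key}\\{name}={data}"))
        elif key.endswith("\\RunOnce") and name.startswith("*"):
            # a leading '*' makes a RunOnce entry execute even in safe mode
            findings.append(("safe-mode-runonce", f"{key}\\{name}={data}"))
        elif key.endswith(("\\Run", "\\RunOnce")) and GUID_EXE_RE.search(data):
            findings.append(("guid-autorun", f"{key}\\{name}={data}"))
    return findings

# --- Network side: the DGA shape and a few known C2 names ------------------
DGA_TLDS = ("co.uk", "com", "net", "org", "info", "biz", "ru")
KNOWN_C2 = {"qwlpubwopsyj.org", "ovenbdjnihhdlb.net", "inworkforallthen.com"}

def dga_shaped(domain):
    """True for a label of 12-15 ASCII letters, never containing 'z', directly
    under one of the seven TLDs the article lists."""
    d = domain.lower().rstrip(".")
    for tld in DGA_TLDS:
        if d.endswith("." + tld):
            label = d[: -len(tld) - 1]
            return (12 <= len(label) <= 15 and label.isascii()
                    and label.isalpha() and "z" not in label)
    return False

def scan_dns_log(lines, threshold=3):
    """Group 'time client qname rcode' lines (constructed format) by client and
    keep clients that resolved a known C2 or burst-queried DGA-shaped names.
    A single DGA-shaped name is weak evidence; the burst is the signal."""
    per_client = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, qname = parts[1], parts[2].lower().rstrip(".")
        rec = per_client.setdefault(client, {"known_c2": [], "dga_like": []})
        if qname in KNOWN_C2:
            rec["known_c2"].append(qname)
        elif dga_shaped(qname):
            rec["dga_like"].append(qname)
    return {c: r for c, r in per_client.items()
            if r["known_c2"] or len(r["dga_like"]) >= threshold}

# Constructed registry export: one benign entry, then the artifacts from the page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
"CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\Jcgnbunudberrr.exe"
"{71257279-042B-371D-A1D3-FBF8D2FADFFA}"="C:\\Users\\alice\\AppData\\Local\\{71257279-042B-371D-A1D3-FBF8D2FADFFA}.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\Jcgnbunudberrr.exe"

[HKEY_CURRENT_USER\SOFTWARE\CryptoLocker_0388]
"VersionInfo"=hex:1a,2b,3c,4d
"""

# Constructed DNS log: one client cycling through DGA names before hitting a
# live C2, and one client with a single coincidental 15-letter lookup.
SAMPLE_DNS = """\
2013-10-22T10:01:03 10.0.0.15 www.secureworks.com NOERROR
2013-10-22T10:01:04 10.0.0.15 hbqwkjrrmoanfd.net NXDOMAIN
2013-10-22T10:01:04 10.0.0.15 tkvvxeqsamplx.biz NXDOMAIN
2013-10-22T10:01:05 10.0.0.15 pnwfortydrmcak.info NXDOMAIN
2013-10-22T10:01:05 10.0.0.15 qwlpubwopsyj.org NOERROR
2013-10-22T10:01:06 10.0.0.15 ovenbdjnihhdlb.net NOERROR
2013-10-22T10:02:00 10.0.0.20 mail.example.com NOERROR
2013-10-22T10:02:01 10.0.0.20 cdnassetsserver.com NOERROR
"""

if __name__ == "__main__":
    for kind, detail in scan_reg_export(SAMPLE_REG):
        print(f"[registry] {kind}: {detail}")
    for client, rec in scan_dns_log(SAMPLE_DNS.splitlines()).items():
        print(f"[dns] {client}: known C2 {rec['known_c2']}, DGA-like {rec['dga_like']}")
```

The second client in the sample log shows why the DNS heuristic needs a burst threshold: a legitimate 15-letter hostname under .com satisfies the shape test on its own, but only the infected client produces several such lookups in a row followed by a successful resolution of a known C2 name.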
An error in the algorithm prevents it from using 'z' in a generated domain name. The threat actors never registered a domain under the 'co.uk' TLD, and Nominet, the official registrar for the 'uk' ccTLD, began to sinkhole all potential addresses under this domain on October 18, 2013. As a result, the threat actors cannot use 'co.uk' domain names.

The threat actors have also used static C2 servers embedded inside the malware. On October 17, a sample was distributed that first connected to `inworkforallthen.com` before cycling through the domains created by the DGA. Several days later, another sample was hard-coded to connect to `ovenbdjnihhdlb.net` prior to attempting other generated domains. Since that time, new samples frequently contain static addresses taken from the pool of domain names created by the DGA.

CryptoLocker cycles indefinitely until it connects to a C2 server via HTTP. After connecting to an attacker-controlled C2 server, CryptoLocker sends a phone-home message encrypted with an RSA public key embedded within the malware (see Figure 2). Only servers with the corresponding RSA private key can decrypt this message and successfully communicate with an infected system.

_Figure 2. CryptoLocker's initial phone-home traffic. (Source: Dell SecureWorks)_

Analysis of the IP addresses used by the threat actors reveals several patterns of behavior. The first is that the threat actors use virtual private servers (VPS) located at different ISPs throughout the Russian Federation and in former Eastern bloc countries. The extended use of some of these hosts, such as 93.189.44.187, 81.177.170.166, and 95.211.8.39, suggests that they are located at providers that are indifferent to criminal activity on their networks or are complicit in its execution (such as so-called "bulletproof" hosting providers). The remaining servers appear to be used for several days before disappearing.
The threat actors could be strategically using this pattern to remain a moving target, or some ISPs could be terminating their service. A complete list of network indicators is included in the Threat indicators section.

## Encryption

Instead of using a custom cryptographic implementation like many other malware families, CryptoLocker uses strong third-party certified cryptography offered by Microsoft's [CryptoAPI](https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptography-portal). By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent. The malware uses the "Microsoft Enhanced RSA and AES Cryptographic Provider" (MS_ENH_RSA_AES_PROV) to create keys and to encrypt data with the RSA (CALG_RSA_KEYX) and AES (CALG_AES_256) algorithms.

The encryption process begins after CryptoLocker has established its presence on the system and successfully located, connected to, and communicated with an attacker-controlled C2 server. This communication provides the malware with the threat actors' RSA public key, which is used throughout the encryption process.

The malware begins the encryption process by using the GetLogicalDrives() API call to enumerate the disks on the system that have been assigned a drive letter (e.g., C:). In early CryptoLocker samples, the GetDriveType() API call then determines if the drives are local fixed disks or network drives (DRIVE_FIXED and DRIVE_REMOTE, respectively). Only those two types of drives are selected for file encryption in early samples. Samples since late September also select removable drives (DRIVE_REMOVABLE), which can include USB thumb drives and external hard disks. After selecting a list of disks to attack, the malware lists all files on those disks that match the 72 file patterns shown in Table 2.
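Table 2 below lists those 72 patterns. To see what that selection means for a file server, the following added example (not code from the article or from SecureWorks) runs the patterns over a constructed inventory of share paths, the way a defender would run it over a `dir /s /b` listing of mapped drives before deciding which shares need tighter write permissions or offline backups. It assumes plain glob semantics for the patterns (Windows short-name matching quirks are not modeled) and case-insensitive matching, as on NTFS.

```python
"""Added example (not from the SecureWorks analysis): estimate which files on a
share CryptoLocker would select, using the 72 patterns from Table 2.
The path inventory is a constructed sample."""
import fnmatch
from collections import Counter

# The 72 patterns exactly as listed in Table 2.
TARGET_PATTERNS = """
*.odt *.ods *.odp *.odm *.odb *.doc *.docx *.docm *.wps *.xls *.xlsx *.xlsm *.xlsb *.xlk
*.ppt *.pptx *.pptm *.mdb *.accdb *.pst *.dwg *.dxf *.dxg *.wpd *.rtf *.wb2 *.mdf *.dbf
*.psd *.pdd *.eps *.ai *.indd *.cdr ????????.jpg ????????.jpe img_*.jpg *.dng *.3fr *.arw
*.srf *.sr2 *.bay *.crw *.cr2 *.dcr *.kdc *.erf *.mef *.mrw *.nef *.nrw *.orf *.raf *.raw
*.rwl *.rw2 *.r3d *.ptx *.pef *.srw *.x3f *.der *.cer *.crt *.pem *.pfx *.p12 *.p7b *.p7c
*.pdf *.odc
""".split()

def basename(path):
    """Last component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def matching_patterns(path):
    """Table 2 patterns that select this file. NTFS matching is case-insensitive,
    so the name is lower-cased; plain glob semantics are assumed (no 8.3 names).
    Note that '????????.jpg' selects only 8-character names such as camera
    defaults, and 'img_*.jpg' only names with that prefix: a generic *.jpg
    pattern is absent from the list."""
    name = basename(path).lower()
    return [p for p in TARGET_PATTERNS if fnmatch.fnmatchcase(name, p)]

def assess_exposure(paths):
    """Split an inventory into files the malware would encrypt and files it
    would skip, and count how often each pattern fires so the riskiest data
    types on a share stand out."""
    targeted, untouched, by_pattern = [], [], Counter()
    for path in paths:
        hits = matching_patterns(path)
        if hits:
            targeted.append(path)
            by_pattern.update(hits)
        else:
            untouched.append(path)
    return targeted, untouched, by_pattern

# Constructed inventory mimicking a mapped network share (drive S:).
SAMPLE_PATHS = [
    r"S:\finance\2013\budget.xlsx",
    r"S:\finance\2013\Budget.XLSM",
    r"S:\legal\contract.docx",
    r"S:\legal\contract.pdf",
    r"S:\pki\intermediate.pem",
    r"S:\photos\DSC_0001.jpg",
    r"S:\photos\holiday.jpg",
    r"S:\photos\img_holiday.jpg",
    r"S:\software\setup.exe",
    r"S:\backups\nightly.bak",
    r"S:\data\sales.sql",
]

if __name__ == "__main__":
    targeted, untouched, by_pattern = assess_exposure(SAMPLE_PATHS)
    print(f"{len(targeted)} of {len(SAMPLE_PATHS)} files would be encrypted:")
    for p in targeted:
        print("  ", p)
    print("patterns triggered:", dict(by_pattern))
```

Two things the run makes visible that the table alone does not: certificate and private-key containers (*.pem, *.pfx, *.p12) are in scope, so a PKI share is as exposed as a documents share, and a photo named holiday.jpg survives while DSC_0001.jpg does not, because the list has no generic *.jpg pattern.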
Over time, the threat actors adjusted which types of files are selected for encryption; for example, PDF files were not encrypted in very early samples but were added in mid-September. As a result, the list in Table 2 is subject to change.

```
*.odt   *.ods   *.odp   *.odm   *.odb   *.doc
*.docx  *.docm  *.wps   *.xls   *.xlsx  *.xlsm
*.xlsb  *.xlk   *.ppt   *.pptx  *.pptm  *.mdb
*.accdb *.pst   *.dwg   *.dxf   *.dxg   *.wpd
*.rtf   *.wb2   *.mdf   *.dbf   *.psd   *.pdd
*.eps   *.ai    *.indd  *.cdr   ????????.jpg  ????????.jpe
img_*.jpg       *.dng   *.3fr   *.arw   *.srf   *.sr2
*.bay   *.crw   *.cr2   *.dcr   *.kdc   *.erf
*.mef   *.mrw   *.nef   *.nrw   *.orf   *.raf
*.raw   *.rwl   *.rw2   *.r3d   *.ptx   *.pef
*.srw   *.x3f   *.der   *.cer   *.crt   *.pem
*.pfx   *.p12   *.p7b   *.p7c   *.pdf   *.odc
```

_Table 2. File patterns selected for encryption._

Each file is encrypted with a unique AES key, which in turn is encrypted with the RSA public key received from the C2 server. The encrypted key, a small amount of metadata, and the encrypted file contents are then written back to disk, replacing the original file. Encrypted files can only be recovered by obtaining the RSA private key held exclusively by the threat actors.

As a form of bookkeeping, the malware stores the location of every encrypted file in the Files subkey of the HKCU\SOFTWARE\CryptoLocker (or CryptoLocker_0388) registry key (see Figure 3).

_Figure 3. List of encrypted files stored by CryptoLocker. (Source: Dell SecureWorks)_

After finishing the file encryption process, CryptoLocker periodically rescans the system for new drives and files to encrypt. The malware does not reveal its presence to the victim until all targeted files have been encrypted. The victim is presented with a splash screen containing instructions and an ominous countdown timer (see Figure 4).

_Figure 4. Splashscreen presented to victims. (Source: Dell SecureWorks)_

## Payment

The ransom amount varied in very early samples (see Table 3), but settled at $300 USD or 2 BTC (Bitcoins) within the few weeks after CryptoLocker's introduction. Dramatic Bitcoin price inflation in the latter months of 2013 prompted the threat actors to reduce the ransom to 1 BTC, 0.5 BTC, and then again to 0.3 BTC, where it remains as of this publication.

| Amount | Currency (abbreviation) |
|---|---|
| 100 | U.S. Dollar (USD) |
| 100 | Euro (EUR) |
| 100 | Australian Dollar (AUD) |
| 200 | Brazilian Real (BRL) |
| 100 | Canadian Dollar (CAD) |
| 2000 | Czech Koruna (CZK) |
| 1000 | Danish Krone (DKK) |
| 100 | British Pound Sterling (GBP) |
| 1000 | Mexican Peso (MXN) |
| 1500 | Norwegian Krone (NOK) |
| 200 | New Zealand Dollar (NZD) |
| 500 | Polish Zloty (PLN) |
| 200 | Romanian Leu (RON) |
| 1500 | Swedish Krona (SEK) |

_Table 3. Original ransom amounts in various denominations. (Source: Dell SecureWorks)_

The threat actors have offered various payment methods to victims since the inception of CryptoLocker. The methods are all anonymous or pseudo-anonymous, making it difficult to track the origin and final destination of payments.

## cashU

_Figure 5. Payment options using the cashU service. (Source: Dell SecureWorks)_

The description of cashU shown in Figure 5 is taken directly from the [Wikipedia entry](http://en.wikipedia.org/wiki/CashU) about the method:

_cashU is a prepaid online and mobile payment method available in the Middle East and North Africa, a region with a large and young population with very limited access to credit cards. Because of this, cashU has become one of the most popular alternative payment options for young Arabic online gamers and e-commerce buyers._

## Ukash

_Figure 6. Payment options using the Ukash service. (Source: Dell SecureWorks)_

The description of Ukash shown in Figure 6 is largely taken from a Facebook post about the product:

_Ukash is an electronic cash and e-commerce brand. Based on a prepaid system, Ukash allows users to purchase and then spend money online._

_Money can be purchased from one of the reported 420,000 participating retail locations worldwide, or by using the company's website. This electronic money can then be used to pay online, or loaded on to a prepaid card or eWallet._

_You can combine multiple values of your Ukash into a single amount and have your new Ukash Code and value emailed to you if you want. You will need to register at Ukash.com, login and then go to the Manage Ukash area to use the Combine tool._

## Paysafecard

A screenshot of the Paysafecard dialog was not immediately available for this publication, but the description states:

_Paysafecard is an electronic payment method for predominantly online shopping and is based on a pre-pay system. Paying with paysafecard does not require sharing sensitive bank account or credit card details. Using paysafecard is comparable to paying with cash in a shop and it is currently available in over 30 countries._

_Paysafecard works by purchasing a PIN code printed on a card, and entering this code at webshops. Paysafecard is available from many supermarkets, petrol stations, tobacconists and newsagents._

## Bitcoin

_Figure 7. Payment options using the Bitcoin service. (Source: Dell SecureWorks)_

The description of Bitcoin shown in Figure 7 is copied almost verbatim from several online resources:

_Bitcoin is a cryptocurrency where the creation and transfer of bitcoins is based on an open-source cryptographic protocol that is independent of any central authority. Bitcoins can be transferred through a computer or smartphone without an intermediate financial institution._

## Green Dot MoneyPak

_Figure 8. Payment options using the MoneyPak service. (Source: Dell SecureWorks)_

The description of MoneyPak shown in Figure 8 is copied directly from the [MoneyPak website](https://www.moneypak.com/AboutMoneyPak.aspx):

_MoneyPak is an easy and convenient way to send money to where you need it. The MoneyPak works as a 'cash top-up card'._

**_Where can I purchase a MoneyPak?_**

_MoneyPak can be purchased at thousands of stores nationwide, including major retailers such as Walmart, Walgreens, CVS/pharmacy, Rite Aid, Kmart and Kroger. Click here to find a store near you._

**_How do I buy a MoneyPak at the store?_**

_Pick up a MoneyPak from the Prepaid Product Section or Green Dot display and take it to the register. The cashier will collect your cash and load it onto the MoneyPak._

## Current payment options

Although early versions of CryptoLocker included numerous payment options, the threat actors now only accept MoneyPak and Bitcoin. The Bitcoin option was originally marketed as the "most cheap option" [sic] for ransom payment based on the difference between the $300 USD ransom and the market rate of Bitcoins. From August to December 2013, the Bitcoin market experienced major volatility and dramatically increased in price, negating any monetary benefits for victims to choose this payment method.

The variety of payment options and currency choices in early CryptoLocker versions suggests the threat actors originally anticipated a global infection pattern. For reasons unknown to CTU researchers, the threat actors elected to focus exclusively on English-speaking countries and removed the payment options less popular in these countries.

Anecdotal reports from victims who elected to pay the ransom indicate that the CryptoLocker threat actors honor payments by instructing infected computers to decrypt files and uninstall the malware. Victims who submit payments are presented with the payment activation screen shown in Figure 9 until the threat actors validate the payment.
During this payment validation phase, the malware connects to the C2 server every fifteen minutes to determine if the payment has been accepted. According to reports from victims, payments may be accepted within minutes or may take several weeks to process.

_Figure 9. Payment activation screen. (Source: Dell SecureWorks)_

## Late payment

In early November 2013, the threat actors introduced the CryptoLocker Decryption Service (see Figure 10). This service gives victims who failed to pay the ransom before the timer expired a way to retrieve the encrypted files from their infected system.

_Figure 10. The "CryptoLocker Decryption Service" landing page. (Source: Dell SecureWorks)_

The service uploads the first kilobyte of an encrypted file, which contains the header prepended by the malware. The threat actors use that data to query their database for the RSA private key that matches the RSA public key used during file encryption. If the private key is located, the threat actors present the victim with the page shown in Figure 11. The victim is given the option of sending payment to a randomly generated Bitcoin wallet. Early versions of this service charged 10 BTC, but the price was quickly reduced to 2 BTC. After receiving the payment, the threat actors redirect victims to a page that includes instructions on how to decrypt files.

_Figure 11. Page displayed when the private key is successfully located. (Source: Dell SecureWorks)_

## Collected ransoms

In December 2013, Michele Spagnuolo published a [thesis](http://miki.it/pdf/thesis.pdf) discussing a Bitcoin forensics framework called [BitIodine](http://miki.it/articles/papers/#bitiodine). He discusses identifying Bitcoin addresses controlled by the CryptoLocker threat actors and tracing potential ransom payments made to those addresses. Figure 12 graphs the total number of ransoms paid per day (in gray) along with the total value of those payments in U.S. dollars on the day they were received (in blue).
_Figure 12. Ransoms paid through Bitcoin. (Source: Dell SecureWorks)_

Using the daily weighted BTC price, if the threat actors had sold the 1,216 total BTC collected over the period shown in Figure 12 immediately upon receiving them, they would have earned nearly $380,000. If they elected to hold these ransoms, they would be worth nearly $980,000 as of this publication based on the current weighted price of $804/BTC.

These figures represent a conservative estimate of the number of ransoms collected by the CryptoLocker gang. Based on conversations with U.S.-based victims, the ease of payment with MoneyPak and the numerous technical barriers to obtaining Bitcoins led to most payments being made through the former method. CTU researchers suspect that a significant portion of Bitcoin payments are being made by individuals outside of the U.S., where MoneyPak is not available and Bitcoin is the only option. Based on this information and measurements of infection rates, CTU researchers estimate a minimum of 0.4%, and very likely many times that, of CryptoLocker victims are electing to pay the ransom.

## Victims

Based on its design, deployment method, and empirical observations of its distribution, CryptoLocker appears to target English-speakers, specifically those located in the United States. Malware authors from Russia and Eastern Europe, where the CryptoLocker authors are thought to originate, commonly target victims in North America and Western Europe. Law enforcement cooperation between these regions is complicated by numerous factors, which often results in threat actors believing that they can operate with impunity.

CTU researchers observed early infections occurring disproportionately at financial institutions, but anecdotal reports suggest that early victims were in verticals as diverse as hospitality and public utilities. As of this publication, there is no evidence the actors are targeting specific industries.
The threat actors have also broadened their attacks to include home Internet users in addition to professionals.

CTU researchers began actively monitoring the CryptoLocker botnet on September 18, 2013 and analyzed various data sources, including DNS requests, sinkhole data, and client telemetry, to build the approximate daily infection rates shown in Figure 13. Spikes coinciding with Cutwail spam campaigns that resulted in increased CryptoLocker infections are clearly indicated, including the period of high activity from October through mid-November. Likewise, periodic lulls in activity have occurred frequently, including a span from late November through mid-December.

_Figure 13. Approximated infection rates. (Source: Dell SecureWorks)_

The CTU research team registered multiple domains from the pool used by CryptoLocker to construct a sinkhole infrastructure and assess the malware's global impact. Between October 22 and November 1, 2013, 31,866 unique IP addresses contacted CTU sinkhole servers. Figure 14 shows the geographic distribution of these IP addresses.

_Figure 14. Global distribution of CryptoLocker infections between October 22 and November 1, 2013. (Source: Dell SecureWorks)_

The United States was disproportionately represented among countries with measurable infection rates. Table 4 lists countries with the top ten infection rates.

| Country | Number of infected systems | Percentage of total |
|---|---|---|
| United States | 22,360 | 70.2% |
| Great Britain | 1,767 | 5.5% |
| India | 818 | 2.6% |
| Thailand | 691 | 2.2% |
| Peru | 688 | 2.2% |
| Canada | 658 | 2.1% |
| Philippines | 645 | 2.0% |
| Indonesia | 427 | 1.3% |
| Iran | 333 | 1.0% |
| Ecuador | 264 | 0.8% |

_Table 4. Geographic breakdown of infection counts. (Source: Dell SecureWorks)_

The CTU research team implemented a similar sinkhole infrastructure between December 9 and December 16, which was during a period of limited malware activity.
Additionally, recent samples use hard-coded C2 domains, which limits the conclusions that can be drawn from information gathered from sinkhole domains. During this observation period, 6,459 unique IP addresses contacted the CTU sinkhole servers. Figure 15 shows the geographic distribution of these IP addresses.

_Figure 15. Global distribution of CryptoLocker infections between December 9 and December 16, 2013. (Source: Dell SecureWorks)_

In the samples gathered by the December sinkhole, the United Kingdom and Australia approached the absolute infection numbers of the U.S., despite having much smaller populations. CTU researchers are unsure whether this change is an anomaly or represents a change in the threat actors' strategy. Table 5 lists countries with the top ten infection rates.

| Country | Number of infected systems | Percentage of total |
|---|---|---|
| United States | 1,540 | 23.8% |
| Great Britain | 1,228 | 19.0% |
| Australia | 836 | 12.9% |
| France | 372 | 5.8% |
| Brazil | 309 | 4.8% |
| Italy | 204 | 3.2% |
| Turkey | 182 | 2.8% |
| Spain | 145 | 2.2% |
| China | 138 | 2.1% |
| Canada | 135 | 2.1% |

_Table 5. Geographic breakdown of infection counts. (Source: Dell SecureWorks)_

Based on the presented evidence, CTU researchers estimate that 200,000 to 250,000 systems were infected globally in the first 100 days of the CryptoLocker threat.

## Mitigation

By incorporating the following components in a defense-in-depth strategy, organizations may be able to mitigate the CryptoLocker threat:

- Block executable files and compressed archives containing executable files before they reach a victim's inbox. Email remains a top infection vector for malware in general and this threat in particular.
- Consider aggressively blocking known indicators (see Table 6) from communicating with your network to temporarily neuter the malware until it can be discovered and removed. CryptoLocker does not encrypt files until it has successfully contacted an active C2 server.
- Reevaluate permissions on shared network drives to prevent unprivileged users from modifying files.
- Regularly back up data with so-called "cold," offline backup media. Backups to locally connected, network-attached, or cloud-based storage are not sufficient because CryptoLocker encrypts these files in the same manner as those found on the system drive.
- Implement [Software Restriction Policies (SRPs)](https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies) to prevent programs like CryptoLocker from executing in common directories such as %AppData% or %LocalAppData%.
- Use Group Policy Objects (GPOs) to create and restrict permissions on registry keys used by CryptoLocker, such as HKCU\SOFTWARE\CryptoLocker (and variants). If the malware cannot open and write to these keys, it terminates before encrypting any files.

## Conclusion

CryptoLocker is neither the first ransomware nor the first destructive malware to wreak havoc on infected systems. However, the malware authors appear to have made sound design decisions that complicate efforts to mitigate this threat and have demonstrated a capable distribution system based on the Cutwail and Gameover Zeus botnets. Evidence collected by CTU researchers confirms the threat actors have previous experience in malware development and distribution, especially of ransomware. Based on the duration and scale of attacks, they also appear to have the established and substantial "real world" infrastructure necessary to "cash out" ransoms and launder the proceeds.

## Threat indicators

To mitigate exposure to the CryptoLocker malware, CTU researchers recommend that clients use available controls to restrict access using the indicators in Table 6. The domains listed in the indicators table may contain malicious content, so consider the risks before opening them in a browser.
CTU researchers have attempted to remove IP addresses and domain names operated by security vendors and private researchers, but some non-malicious infrastructure may be included. Date gaps in domain name information represent periods when the threat actors elected not to register malicious domains or when CTU researchers had insufficient data to determine those domain names.

| Indicator | Type | Context |
|---|---|---|
| qwlpubwopsyj.org | Domain name | C2 domain, September 9, 2013 |
| sypdwysctilgr.net | Domain name | C2 domain, September 9, 2013 |
| txeuntcemcwj.biz | Domain name | C2 domain, September 10, 2013 |
| qqkoluhwexlr.biz | Domain name | C2 domain, September 10, 2013 |
| xeogrhxquuubt.com | Domain name | C2 domain, September 10, 2013 |
| qaaepodedahnslq.org | Domain name | C2 domain, September 10, 2013 |
| vbitnxdgsiwg.biz | Domain name | C2 domain, September 11, 2013 |
| sbfuwsxasjkp.net | Domain name | C2 domain, September 11, 2013 |
| afmkdchedjkcai.org | Domain name | C2 domain, September 11, 2013 |
| jxjyndpaoofctm.com | Domain name | C2 domain, September 11, 2013 |
| ueymssvirqnwqqs.net | Domain name | C2 domain, September 11, 2013 |
| wojscmlfgvhw.net | Domain name | C2 domain, September 12, 2013 |
| dakpicuylsrfcl.biz | Domain name | C2 domain, September 12, 2013 |
| nuafhowbvpmgbn.net | Domain name | C2 domain, September 13, 2013 |
| uoerpkaffwnds.org | Domain name | C2 domain, September 13, 2013 |
| aycysyspcpvwgtw.biz | Domain name | C2 domain, September 16, 2013 |
| qhqmhxuhapgkaq.biz | Domain name | C2 domain, September 16, 2013 |
| wnoctmckyrtbou.org | Domain name | C2 domain, September 16, 2013 |
| pahwvolnihur.biz | Domain name | C2 domain, September 16, 2013 |
| rtqajjkivmltosy.org | Domain name | C2 domain, September 17, 2013 |
| jyyfmnefedjogsh.biz | Domain name | C2 domain, September 17, 2013 |
| qjtwguxajaqqhu.org | Domain name | C2 domain, September 17, 2013 |
| lrexdcwwpyny.biz | Domain name | C2 domain, September 17, 2013 |
| nnpiceisyfgiprh.org | Domain name | C2 domain, September 18, 2013 |
| xtagmlgwrrqsto.biz | Domain name | C2 domain, September 18, 2013 |
| fyflgkbdydnf.biz | Domain name | C2 domain, September 19, 2013 |
| jebounnlykpt.org | Domain name | C2 domain, September 19, 2013 |
| dookhuvnmgamvgr.net | Domain name | C2 domain, September 20, 2013 |
| vahroshwfnih.org | Domain name | C2 domain, September 20, 2013 |
| rcoxshllfoldxie.org | Domain name | C2 domain, September 23, 2013 |
| kdsdsapurvgf.biz | Domain name | C2 domain, September 23, 2013 |
| phiiykytxrlfjx.info | Domain name | C2 domain, September 24, 2013 |
| ubnxaasfigrbhj.biz | Domain name | C2 domain, September 24, 2013 |
| lwxmytwfuwuk.net | Domain name | C2 domain, September 24, 2013 |
| hefjkoscpbof.org | Domain name | C2 domain, September 24, 2013 |
| wypqdsmpfvuq.org | Domain name | C2 domain, September 25, 2013 |
| kermcmfomqdnaw.biz | Domain name | C2 domain, September 25, 2013 |
| fukpbxfgejfllr.biz | Domain name | C2 domain, September 25, 2013 |
| jvpopwqdmhahho.info | Domain name | C2 domain, September 25, 2013 |
| fsihpjionkbb.net | Domain name | C2 domain, September 25, 2013 |
| lcvvmgpdfbty.biz | Domain name | C2 domain, September 25, 2013 |
| ewkovrirsprw.org | Domain name | C2 domain, September 25, 2013 |
| bkfekyhvftxkwd.biz | Domain name | C2 domain, September 26, 2013 |
| nxosmtaifwud.org | Domain name | C2 domain, September 26, 2013 |
| emrsmpipfrtu.biz | Domain name | C2 domain, September 27, 2013 |
| qdbvwfnyurewx.com | Domain name | C2 domain, September 27, 2013 |
| gaeaglgxkkws.biz | Domain name | C2 domain, September 28, 2013 |
| jpkpiichjjdm.org | Domain name | C2 domain, September 29, 2013 |
| cmjbewheycxmr.net | Domain name | C2 domain, September 29, 2013 |
| rvkpjfyxpsocbsn.org | Domain name | C2 domain, September 30, 2013 |
| pwssoabbqtfs.net | Domain name | C2 domain, September 30, 2013 |
| flavquyaoisq.info | Domain name | C2 domain, September 30, 2013 |
| inveinqskeriapb.biz | Domain name | C2 domain, September 30, 2013 |
| yoifiwpqreitpus.com | Domain name | C2 domain, September 30, 2013 |
| vmkstanptubqm.net | Domain name | C2 domain, September 20, 2013 |
| gkmlecoeshjxd.net | Domain name | C2 domain, October 1, 2013 |
| gawpiclfrmnkb.org | Domain name | C2 domain, October 1, 2013 |
| vvpbfbqpnaqq.net | Domain name | C2 domain, October 1, 2013 |
| voafsbnewuxl.org | Domain name | C2 domain, October 1, 2013 |
| tsgmgrofgsbqtuw.com | Domain name | C2 domain, October 1, 2013 |
| myourlqubgdxles.org | Domain name | C2 domain, October 2, 2013 |
| oxwqodvowcgr.biz | Domain name | C2 domain, October 3, 2013 |
| suanecwngxhufr.biz | Domain name | C2 domain, October 3, 2013 |
| axugjsdemnjuso.org | Domain name | C2 domain, October 3, 2013 |
| klnvbfainjtibmn.org | Domain name | C2 domain, October 4, 2013 |
| oamurnwjrrap.net | Domain name | C2 domain, October 4, 2013 |
| ueygwkeaamxvpc.com | Domain name | C2 domain, October 5, 2013 |
| ybmdqshtbarpvxx.net | Domain name | C2 domain, October 5, 2013 |
| jnnkdjixngmjtrk.org | Domain name | C2 domain, October 5, 2013 |
| mydqpbcaqlppiqn.biz | Domain name | C2 domain, October 5, 2013 |
| gykcghilthjy.com | Domain name | C2 domain, October 6, 2013 |
| rntkondhjwybkja.com | Domain name | C2 domain, October 6, 2013 |
| fycuscwcjmaqkl.org | Domain name | C2 domain, October 6, 2013 |
| uobuwcfaoerojos.net | Domain name | C2 domain, October 7, 2013 |
| odxrjkgnahebp.biz | Domain name | C2 domain, October 7, 2013 |
| udvdjsdnmnisj.biz | Domain name | C2 domain, October 10, 2013 |
| afuxiuwttqpk.net | Domain name | C2 domain, October 10, 2013 |
| kdcvlslmyurory.biz | Domain name | C2 domain, October 10, 2013 |
| gktibioivpqbot.net | Domain name | C2 domain, October 10, 2013 |
| vccpdadcaygc.biz | Domain name | C2 domain, October 11, 2013 |
| dywpplmanlmsu.org | Domain name | C2 domain, October 14, 2013 |
| rwyngtbvunfpk.org | Domain name | C2 domain, October 15, 2013 |
| vaategmcgbpimoa.net | Domain name | C2 domain, October 15, 2013 |
| cjlvuuhphnwbr.info | Domain name | C2 domain, October 15, 2013 |
| cjlvuuhphnwbr.info | Domain name | C2 domain, October 16, 2013 |
| wshufkvuruwxsua.com | Domain name | C2 domain, October 16, 2013 |
| qvvmhsxxidvjmil.biz | Domain name | C2 domain, October 17, 2013 |
| jcxyensduaeed.info | Domain name | C2 domain, October 17, 2013 |
| ypvcyhohthmmm.info | Domain name | C2 domain, October 18, 2013 |
| oobdujltidljprw.com | Domain name | C2 domain, October 18, 2013 |
| ejelwtqlibhdof.org | Domain name | C2 domain, October 18, 2013 |
| dfvoglnegikqvk.org | Domain name | C2 domain, October 18, 2013 |
| qtcexpbgcusfp.com | Domain name | C2 domain, October 18, 2013 |
| bhxytqseirfat.net | Domain name | C2 domain, October 18, 2013 |
| pksjdseiarkf.net | Domain name | C2 domain, October 18, 2013 |
| ldtbbqvouqnn.com | Domain name | C2 domain, October 18, 2013 |
| clpgukoesqcuvp.biz | Domain name | C2 domain, October 19, 2013 |
| utjpwmskhwqk.com | Domain name | C2 domain, October 19, 2013 |
| impkyvkcbfps.info | Domain name | C2 domain, October 20, 2013 |
| mcbksstivjvn.org | Domain name | C2 domain, October 20, 2013 |
| ovenbdjnihhdlb.net | Domain name | C2 domain, October 21, 2013 |
| ctexrkpwsdnepo.org | Domain name | C2 domain, October 21, 2013 |
| vhohfvimhpsqn.info | Domain name | C2 domain, October 21, 2013 |
| qikshmnujoitxe.com | Domain name | C2 domain, October 21, 2013 |
| lsjpkatguitaohx.biz | Domain name | C2 domain, October 22, 2013 |
| fefanfdwdpeevoe.info | Domain name | C2 domain, October 22, 2013 |
| ciecxcsbdldwx.net | Domain name | C2 domain, October 22, 2013 |
| pbxksllrmivxhjc.org | Domain name | C2 domain, October 23, 2013 |
| cfuwtrfmyinvuo.org | Domain name | C2 domain, October 23, 2013 |
| sptqapwrwcpclts.org | Domain name | C2 domain, October 24, 2013 |
| qntptjfabhra.biz | Domain name | C2 domain, October 24, 2013 |
| uoqkpgiygtmgi.net | Domain name | C2 domain, October 24, 2013 |
| shryjqiaceibck.biz | Domain name | C2 domain, October 25, 2013 |
| iimkdpysckqmot.org | Domain name | C2 domain, October 25, 2013 |
| dmvhawouahhfsmj.org | Domain name | C2 domain, October 27, 2013 |
| ariqhgoxrewhr.biz | Domain name | C2 domain, October 27, 2013 |
| ofcxlybtofglm.org | Domain name | C2 domain, October 28, 2013 |
| kwajtnjddqetolh.biz | Domain name | C2 domain, October 29, 2013 |
| wifgslrwgvxwsy.com | Domain name | C2 domain, October 31, 2013 |
| uvpevldfpfhoipn.info | Domain name | C2 domain, November 1, 2013 |
| ywculygjuxhxtsh.net | Domain name | C2 domain, November 1, 2013 |
| byoluqqhvjsbnqa.org | Domain name | C2 domain, November 1, 2013 |
| dilkqddvhstlnwe.net | Domain name | C2 domain, November 2, 2013 |
| tyqhngggjijlpxh.info | Domain name | C2 domain, November 2, 2013 |
| qgugwncykxuuiid.info | Domain name | C2 domain, November 3, 2013 |
| xvaxsxbptmerjb.com | Domain name | C2 domain, November 4, 2013 |
| wikjpwxhskgoc.ru | Domain name | C2 domain, November 4, 2013 |
| tlsylihoxxmvc.org | Domain name | C2 domain, November 5, 2013 |
| tbmeoaosvbwe.biz | Domain name | C2 domain, November 6, 2013 |
| vqojwwmocssqa.org | Domain name | C2 domain, November 6, 2013 |
| lwvpgiabehxt.org | Domain name | C2 domain, November 8, 2013 |
| stmdjbsbhojxp.net | Domain name | C2 domain, November 8, 2013 |
| prwxcrswstle.org | Domain name | C2 domain, November 12, 2013 |
| cutwdfsdcbfco.biz | Domain name | C2 domain, November 12, 2013 |
| xqmrainncxrwho.net | Domain name | C2 domain, November 12, 2013 |
| pasnepjktwbcmwo.org | Domain name | C2 domain, November 12, 2013 |
| tquttkwcuemnpp.org | Domain name | C2 domain, November 13, 2013 |
| qhanpujcdytu.biz | Domain name | C2 domain, November 13, 2013 |
| mteyowfgnrbhgnm.org | Domain name | C2 domain, November 14, 2013 |
| quykengjhtob.biz | Domain name | C2 domain, November 14, 2013 |
| wbwcajwlqksl.org | Domain name | C2 domain, November 14, 2013 |
| dltlqtwlioauuj.biz | Domain name | C2 domain, November 15, 2013 |
| axxehlphcdss.org | Domain name | C2 domain, November 15, 2013 |
| lhkbianumwfs.biz | Domain name | C2 domain, November 16, 2013 |
| kqnvwyqyqqmkab.biz | Domain name | C2 domain, November 16, 2013 |
| nqktirfigqfyow.org | Domain name | C2 domain, November 17, 2013 |
| hwuiingqeuubi.org | Domain name | C2 domain, November 18, 2013 |
| dclffueprfhkgf.biz | Domain name | C2 domain, November 19, 2013 |
| gtdipovkdxricgl.biz | Domain name | C2 domain, November 19, 2013 |
| gtdipovkdxricgl.biz | Domain name | C2 domain, November 20, 2013 |
| boexeicnsbbxbg.org | Domain name | C2 domain, November 20, 2013 |
| fksuksvrqqdetlp.org | Domain name | C2 domain, November 20, 2013 |
| qnprseyycdot.biz | Domain name | C2 domain, November 20, 2013 |
| vtcyrmxkkxvrick.biz | Domain name | C2 domain, November 21, 2013 |
| tpsjegnvxqmtk.biz | Domain name | C2 domain, November 21, 2013 |
| ftltwlsqhegsnav.org | Domain name | C2 domain, November 22, 2013 |
| pvfvmuveigjhmjc.biz | Domain name | C2 domain, November 22, 2013 |
| xqjafpdyjcvjwp.biz | Domain name | C2 domain, November 23, 2013 |
| ftltwlsqhegsnav.org | Domain name | C2 |
| nqygxdafeivtgb.org | Domain name | |
| hntfarwlevtcxm.org | Domain name | |
| axqrgervreovhhc.biz | Domain name | |
domain, November 23, 2013 C2 domain, November 23, 2013 C2 domain, November 24, 2013 C2 domain, November 25, 2013 ----- axqrgervreovhhc.biz Domain name tnaujeuilsia.org Domain name vexnudbnovttaj.org Domain name rttvxygkmwlqmq.net Domain name jknuotworuebip.org Domain name cajqhxcwxbaap.biz Domain name lbmuvpwgcmquc.org Domain name wwfcogdgntlxw.biz Domain name usyusdoctfpnee.org Domain name swmbolrxyflhwm.biz Domain name yebdbfsomgdbqu.biz Domain name usyusdoctfpnee.org Domain name msncwipuqpxxoqa.org Domain name dhjicdgfykqoq.org Domain name C2 domain, November 26, 2013 C2 domain, November 26, 2013 C2 domain, November 27, 2013 C2 domain, November 29, 2013 C2 domain, December 1, 2013 C2 domain, December 1, 2013 C2 domain, December 1, 2013 C2 domain, December 2, 2013 C2 domain, December 3, 2013 C2 domain, December 3, 2013 C2 domain, December 4, 2013 C2 domain, December 4, 2013 C2 domain, December 4, 2013 C2 domain, December 5, 2013 ----- pkakvsexbmxpwxw.org Domain name ghvoersorwsrgef.org Domain name dhjicdgfykqoq.org Domain name wjbodchhlgidofm.org Domain name bsngfunwcpkjt.org Domain name tmphandchtcnffy.org Domain name qnsoiclrikwj.org Domain name agwwcjhinwyl.org Domain name osmhvqijsiedt.org Domain name nfnfskbniyajd.org Domain name cmidahhutlcx.org Domain name emttankkwhqsoe.org Domain name ypxnqheckgjkbu.org Domain name ormyfnlykajkdr.org Domain name C2 domain, December 5, 2013 C2 domain, December 6, 2013 C2 domain, December 6, 2013 C2 domain, December 6, 2013 C2 domain, December 6, 2013 C2 domain, December 6, 2013 C2 domain, December 7, 2013 C2 domain, December 7, 2013 C2 domain, December 7, 2013 C2 domain, December 7, 2013 C2 domain, December 8, 2013 C2 domain, December 8, 2013 C2 domain, December 9, 2013 C2 domain, December 9, 2013 ----- vsjotulrsjhyf.org Domain name cpapfioutwypmh.org Domain name kmjqcsfxnyeuo.org Domain name xivexnrjahpfk.org Domain name gavhopncgfmdq.org Domain name ykmccdhpgavm.org Domain name slbugcihgrgny.org Domain name 
wpowcdntgoye.org Domain name rkmmrxbpafgnplt.org Domain name fpvpnoqmgntmc.org Domain name ahqnsclgckkpho.org Domain name mqagyenfbebsau.org Domain name gavhopncgfmdq.org Domain name urkitujgkhsjl.org Domain name C2 domain, December 10, 2013 C2 domain, December 10, 2013 C2 domain, December 10, 2013 C2 domain, December 10, 2013 C2 domain, December 11, 2013 C2 domain, December 11, 2013 C2 domain, December 11, 2013 C2 domain, December 11, 2013 C2 domain, December 12, 2013 C2 domain, December 12, 2013 C2 domain, December 13, 2013 C2 domain, December 13, 2013 C2 domain, December 13, 2013 C2 domain, December 14, 2013 ----- kgvmmylyflrqml.org Domain name 93.189.44.187 IP address 81.177.170.166 IP address 95.211.8.39 IP address 188.93.210.164 IP address 91.218.121.139 IP address 173.246.105.23 IP address 217.12.219.32 IP address 109.120.150.95 IP address 194.28.174.119 IP address 91.203.145.13 IP address 46.254.16.22 IP address 91.234.33.198 IP address 134.0.118.114 IP address 91.226.213.198 IP address 91.226.212.198 IP address 176.123.0.54 IP address 176.119.0.216 IP address C2 domain, December 14, 2013 C2 server, Russia C2 server, Russia C2 server, Netherlands C2 server, Russia C2 server, United States C2 server, United States C2 server, Ukraine C2 server, Russia C2 server, Ukraine C2 server, Ukraine C2 server, Russia C2 server, Ukraine C2 server, Russia C2 server, Ukraine C2 server, Ukraine C2 server, Moldova C2 server, Ukraine ----- 188.65.211.137 IP address 31.131.18.101 IP address 185.22.64.72 IP address 195.2.77.48 IP address 188.190.101.82 IP address 62.76.191.48 IP address 95.59.26.43 IP address 144.76.192.130 IP address 194.28.174.119 IP address 46.149.111.28 IP address 83.69.233.25 IP address 91.213.233.189 IP address 109.234.154.254 IP address bc11c93f1b6dc74bf4804a35b34d9267 MD5 hash a2bc3059283d7cc7bc574ce32cb6b8bfd27e02ac3810a21bd3a9b84c17f18a72 SHA256 hash b17603f401719f1d99ad6472f8d6682a MD5 hash 
0be1f445537f124b5175e1f2d1da87e2e57aa4ba09ea5fe72b7bafaf0b8f9ad2 SHA256 hash f1e2de2a9135138ef5b15093612dd813 MD5 hash 136e8991816b958bb76aaf22fefd18194cf78a80e95d572754f95e1f86149a65 SHA256 hash C2 server, Russia C2 server, Ukraine C2 server, Kazakhstan C2 server, Russia C2 server, Ukraine C2 server, Russia C2 server, Kazakhstan C2 server, Germany C2 server, Ukraine C2 server, Ukraine C2 server, Russia C2 server, Kyrgyzstan C2 server, Russia Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample ----- a93d75cb6f72c1847c3f5afc9c94bbbb MD5 hash 724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425 SHA256 hash df06f3263088fc9f7fde03fc8d2969fc MD5 hash 39fd73f1d19201497233bbb320c1d7a63e33748c94d94653c3b5e64c0ef6b8b0 SHA256 hash de400607d06b41a6f8b0935c3607541d MD5 hash 9ec4697891cc6c9add803044a29bdd9d05701509b9eddc370d4caf00c15ef734 SHA256 hash 012d9088558072bc3103ab5da39ddd54 MD5 hash 0dd7f3dffe8c6e69df6137cb413ad25c474d73a86f1d46d52846990aa66e6f43 SHA256 hash 8acecb8a6ccec5631e990273ee1c96bb MD5 hash c5fdc30a67fbba53b710e6ff8d8e38ed4fb5e44eeced2efc370f906710602840 SHA256 hash ccc9e5f7e53eaf6124df45bb14eccf8f MD5 hash d4adf29d2b50945896734bafb66ada120b53f5dd98f1a8ad3d30dcf69a98325e SHA256 hash 16f0e31ac53b98411dd6719ff995872f MD5 hash 3df9806a5cc986619f96755151cdbc23e1943280c1874c58b2758da2d7be6e64 SHA256 hash 04fb36199787f2e3e2135611a38321eb MD5 hash d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9 SHA256 hash 57ae3d79ee697d2c382fdea56827e65f MD5 hash 31327f225492ee58d7b47889e619d36cd380a908c1761fe376a185877f813894 SHA256 hash 180753f31b8295751aa3d5906a297511 MD5 hash Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample ----- 
b264f35ff932fc5a100f7c2b4bd4888fe61db9878ef149279c3ad4bef2bdd8ed SHA256 hash 551e4c94cd17860a7f49db5ec65ba58c MD5 hash d73d6964d2b1e3e466436fb981b6658d8e1fb5d0ddc43e7f24365cad2339842d SHA256 hash 60ce367abdf38a35bb304253dd03da5d MD5 hash e0702fdeef58461133ef70efa25d258b1eaa089b26d57485106d0fea671e3afb SHA256 hash 9cbb128e8211a7cd00729c159815cb1c MD5 hash bb12757c6a14207d8a9cd4d42ff93747795f8a09186752b1c94b5b373abbaf11 SHA256 hash d2b1dc9cae99cd4c511a0df9af948639 MD5 hash e38edbea38a47560bff7f48e23ba9eb7c872e180f16abb3482c021cac3cbfaed SHA256 hash 04fc7ffc8439e27a51b5241e8bd00e75 MD5 hash 8bfe5d3d7e089cecb0238da7ae7d456702508003a91a417e5069b86592bc03e8 SHA256 hash 374f74def24ea6afad4e5f4b15dcd263 MD5 hash f2181881d6ab133323dba5fecbf0cc4236f794ed1261406712b13307e98b90a1 SHA256 hash 444c339f422420bc317711dac06f3545 MD5 hash cb7ce90b9de59004b2177e7a912c324ef4cec0262e181c83fff866113356e607 SHA256 hash fec5a0d4dea87955c124f2eaa1f759f5 MD5 hash 4f3220da017e7be3e0b168a958134aae6dc96458cb12118e849465e2af752629 SHA256 hash a5d1e987629cf939121f3bfb202c7d6a MD5 hash cc4350d0919d192bdad9ae262fc524d9d230b11dfc8d3c5886147caa0fdda465 SHA256 hash Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample ----- 0204332754da5975b6947294b2d64c92 MD5 hash 2163570f047cefc466c0ca370e56b6fbb770c4f71603b2353c1b6fd8e482ced8 SHA256 hash 7ea2c970326af64b1b196c4dd12e61dc MD5 hash 651f451aaf9a9694884322d91a225294af145006219c346d1a9b50a2d92db6d9 SHA256 hash e1f6706fe8bdd3c63fc15cdfe3fdf723 MD5 hash 826fb87209f4538ff9a0d11c8a21d6df738956ab7ba8d6965cb8f46021013ae4 SHA256 hash 1eac61ee26db9242ba47437a027c47d4 MD5 hash 876511719fda2fab0438ad29f9cc2f8fd684c1897a88d433f7e9c3f2e85eac0b SHA256 hash 0a6bd33f3d37809e92f272eaf304eab3 MD5 hash 
58def7649806f63ce1dbd9d886ce200716209240b90b57dccf3941012c438784 SHA256 hash e9cd494b249cea7b968fa89f1e7d40de MD5 hash 76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a SHA256 hash 31a09770fea2d2ad58709b9a2f0e78c1 MD5 hash 931708bffa6eed76585c166a080ea6b544f32951cb5dbc2d2065088ee9ebad95 SHA256 hash a8e0d4771c1f71709ddb63d9a75dc895 MD5 hash b3530b7519660996d28eb31a8d5b585ec60601843c77dd9f2b712812c99843e4 SHA256 hash dae2d96628ff94e65a35ae9a929ad7ba MD5 hash 21c7a8f2ffdd80834fb9b82df5c02748ca08c48583b903d584c124b916d17a37 SHA256 hash bbb445901d3ec280951ac12132afd87c MD5 hash Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample ----- ed95b1a888710f3ca4acacb49250fb6c21722e2882e31784bd2049d15f97d4de SHA256 hash 62808c6de7ee1e9bb3e1aedf543a5549 MD5 hash 2f89ebdcc33bc0ec253e9d1bb9a5b252cc8dc0e90b78d7c464a487dab3b387a6 SHA256 hash 53a93128e59385dba9301a2a3d636899 MD5 hash 7925550392f06655abbc9ed66fa37e1754bf6612439cc7a6332db28fd8878b42 SHA256 hash 4cd6c47bfdfd5f3b6aba203326f9c615 MD5 hash f26bc4c0e23430c444214bd32e5ae0dacee93c4409fa574e91f4204e691c5799 SHA256 hash 354f7ec15741db7fcdfe7b158c14dfaa MD5 hash 6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c SHA256 hash 9acf753845e32f40631a51fa53746766 MD5 hash 433717fd1916ba3ae569d9334c400ac8740fe7870e05bf57d2b05fd4023b2451 SHA256 hash 9605ca26b5f27f04c7a91fda86b3c489 MD5 hash 003c64fa11ea18a00c3e0bf2adf1a2b80287fb072d1f8108d1d55cbda17e60cb SHA256 hash aa6425695964d9c39a6adce54899abf3 MD5 hash b2e6ba8776232da078e4d7648525b5dc97e70744ffbcae871048306f7fe9aba1 SHA256 hash d81a9ebae58461f13404e4434be9a567 MD5 hash c37dd01eaac834a0f2618e54e3f67b03484b3e36d491011334f3646b66fe0e56 SHA256 hash 2dfddacd5394e6994067c06075353c1b MD5 hash 
36ec7a5bcdd2685af78cdef08687584192545348355a6510132644541f4c4749 SHA256 hash Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample ----- 038e049f03ee9e2e0f424a3848d0acbb MD5 hash 2ff9b57a16c7da6699be588b6239296576b6b5805db7a27e5f2dec243e0da75b SHA256 hash e0863465caf7d670a3385614290f27b2 MD5 hash 684051fd30d38f3d03c65e80087183ea1cbe1fc8f5dc03ebf7269498e9bffb98 SHA256 hash cbd77dca77917bc800a8438b3e82f7e2 MD5 hash 44f62555fdfd1067de4ef55a8deb916e24832a80a28b91ba59b0aad527b565a4 SHA256 hash 5df84af6d39442e1b72dcc62f64e6cd0 MD5 hash 9f6443788563472c0280ad5b16ae7c1a918f1f2ce6e44d4d1a09a87a1f3412a8 SHA256 hash 81c8c8ccf5c493863832d5813d6036f4 MD5 hash 248e0103a5027800d92d517d4d6721c4b6dc0b533ee22f8452c79d5f48128fdc SHA256 hash 8bcc561ef4d0ceaed3cdc3ae0c77575a MD5 hash 1dec40385522800dfed483b645da71c1ee3afbbdec27e567662972d59c5cbf25 SHA256 hash 05a70f12f819c746bdc23791bc821346 MD5 hash 201131fb20d85b71765e5634821a2b35303643212c36023843485c56f47ac400 SHA256 hash ab789367cc97965b7c4024040ff8a5f8 MD5 hash cc4c212dcfe4bf82e60eaa0d220444f0f6dbf22c5f7a79be83fe28f2f00b89b5 SHA256 hash 4c23cabcb529721e349568581f730586 MD5 hash 2bff9d483420df2f41c7eba232c6d90853df6acfe9f9b163af5d3495ea082229 SHA256 hash 7c68b89340b21aed5a708cc9e9c3b392 MD5 hash Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample ----- d4062e34b2ebd654b3dca215ec740c6f1a305ea567f6d65ddee58f540ec5beea SHA256 hash 66e6f022ac8f3cdce9128aa0c5bbbbd2 MD5 hash 530fe2e0f839c4b601627a1100e38708ff95a69d8382b11cefce45149c30ddef SHA256 hash 
58e947d184f23bd86fba141fe64f5fc2 MD5 hash 59f0e747d6241c1013526c7e76ecd95ab2a22aaced595cd65c5ef3955a63bf92 SHA256 hash 758ed8f5044feeb7caeed96cfa4a929b MD5 hash 3e42ded1cd2447b921b41afa53f36bf645a21193ed24e3adeaef1a7217210545 SHA256 hash 0a92daa19f2cc77a21cdbf8db6d8bb68 MD5 hash ab097e8b19ec166a2ff65d10ab06a8d572216cee2b0c44ebe183a8cb60b2bae7 SHA256 hash 504beaa3730a60f65a4c55c5d0fd0f8d MD5 hash b1ea7524a80b9740df7e51c1010ba1a04f11c15d6392f5054dc40c8952290474 SHA256 hash f549afdef741a0d6b2090c1192ab7a6c MD5 hash 602da3639eeb39cdbc657aa5e75eba74735314e8a54727697abcd3884c8b6d8c SHA256 hash 804cab7d5c46d27529b2af821d16564b MD5 hash c820fc37abaf946804b09033f51216a28cdefe17020722d2fc2f1f74b4963ef5 SHA256 hash 07b04f23fa69d5043cc9b082430cacc4 MD5 hash 683b7b2abf9dc1e9fdf04e33570f5d8bfbb465dac613570200c2ec92201cc85d SHA256 hash 80dd41609ba3c3a43babe9fbd5d7480e MD5 hash 04d2326212724fdfa41c8e7ee64e32b60ba5e058e54d3fa0cf756b1378e948b9 SHA256 hash Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample ----- 0e0e9422103858d89f4b49d66f32e29a MD5 hash 9f8db7e1320389297c451ca762edc8b8c990cab86f1c976b63e8312408e2a554 SHA256 hash 7991ecbd1e532f67c2e9139097eb41f4 MD5 hash 821bb1dcc6c7c529f3865f7c3e3b45ef058e32723d8300adea743d39864b3d9c SHA256 hash 7f9c454a2e016e533e181d53eba113bc MD5 hash c7dc529d8aae76b4e797e4e9e3ea7cd69669e6c3bb3f94d80f1974d1b9f69378 SHA256 hash 879a7a2069bd5764704c72c3ee974cd8 MD5 hash b24ea7ef47994c2ee340e1bc971eaa9e1992f0d2aaece99f3a9381655509047b SHA256 hash 69d514f0609e232044794a84f4dd51d9 MD5 hash 23c41bbb1055ba7b15dcb1d1ba9bf426ef73f57641b47865c656b9338181e67b SHA256 hash d6443e691b7608eae245943e3535fc25 MD5 hash 4287592dc66083613b642bd04b1c8c49df56edc7691d79de0bca645d3af0d5c3 SHA256 hash 7a502a032b0e56e2190752e50102c8cf MD5 hash 
7ff292c689c421394483c7bc4c0b6620b8cedd4fd70f8f8ef1f4fa334d418be8 SHA256 hash 7f3cc059ffc6c11fe42695e5f19553ab MD5 hash b4c05e0e065058ae79d3ce9d51a470946aae036d2b163f85adcef10a6343246a SHA256 hash 5f876124a2f53c93eff9509d36a936b2 MD5 hash e4febefe210e39c3570ac71e41b66557c257713d386acd7898af195a1bacf83d SHA256 hash 1856df9370ada9569a1afb6b52863d6d MD5 hash Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample Malware sample ----- 77ea107525233afa3f43b8695b39bfc41919f026ab3526bb3b9841737bbb20c7 SHA256 hash 2a1609ef72f07abc97092cb456998e43 MD5 hash 038d31670f03d386e6f3affe331bf76cb894d695b0f9012d828db9413c223a07 SHA256 hash 2271eeaeeebfb638f74c5b60c32fc98b MD5 hash 4da7781d443ffde85e0aaf3d6e8effb6fc8cdffeead56b5ba3183472c40bf6ff SHA256 hash _Table 6. Indicators for the CryptoLocker malware._ Malware sample Malware sample Malware sample Malware sample Malware sample -----