# HDDCryptor: Subtle Updates, Still a Credible Threat ### Appendix ##### TrendLabs Security Intelligence Blog Stephen Hilt and Fernando Mercês November 2016 ----- TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is” condition. ----- ## Indicators of Compromise (IoCs) ###### Each file has a unique function, although most of them are part of DiskCryptor open source software. Below are indicators of compromise we’ve observed over the past few months: #### MD5s for “mount.exe” ###### MD5 Compilation PDB string Timestamp 1 c43a77d0fe42be421fa5f4b8adaa2e09 24 Apr 03:00:35 e:\localsave\trunk\crp\crp\release\ 2016 mount.pdb 2 e5470280d0229e45d87690b93659f646 10 Apr 07:08:03 e:\localsave\trunk\crp\crp\release\ 2016 mount.pdb 3 e540c93c2fae8f0d8ccee182704378ea 14 Oct 03:21:21 c:\users\public.unkonw\desktop\crp_95\ 2016 crp_95_02_05_v3\crp\release\mount.pdb 4 74f6bb93888a0b54fd0e0ed6d45da7cc 21 Nov 17:32:39 c:\users\public.unkonw\desktop\ 2016 crp_95_08_30_v3\crp\release\mount.pdb 5 2472e8c0532996acbaa21c46d1a84fda 23 Nov 10:37:15 c:\users\public.unkonw\desktop\ 2016 crp_95_08_30_v3\crp\release\mount.pdb #### MD5s for RANSOM_HDDCRYPTOR |Col1|MD5|Compilation Timestamp|Col4|PDB string| |---|---|---|---|---| |1|c43a77d0fe42be421fa5f4b8adaa2e09|24 Apr 2016|03:00:35|e:\localsave\trunk\crp\crp\release\ mount.pdb| |2|e5470280d0229e45d87690b93659f646|10 Apr 2016|07:08:03|e:\localsave\trunk\crp\crp\release\ mount.pdb| |3|e540c93c2fae8f0d8ccee182704378ea|14 Oct 2016|03:21:21|c:\users\public.unkonw\desktop\crp_95\ crp_95_02_05_v3\crp\release\mount.pdb| |4|74f6bb93888a0b54fd0e0ed6d45da7cc|21 Nov 2016|17:32:39|c:\users\public.unkonw\desktop\ crp_95_08_30_v3\crp\release\mount.pdb| |5|2472e8c0532996acbaa21c46d1a84fda|23 Nov 2016|10:37:15|c:\users\public.unkonw\desktop\ crp_95_08_30_v3\crp\release\mount.pdb| |MD5|File Name|Ver|Compilation Timestamp|Col5|Ransomnote (modified dcapi.dll - from DiskCryptor open source software)|"mount.exe" MD5 (*1)| |---|---|---|---|---|---|---| |498bdcfb93d13fecaf92e96f 77063abf|123.exe|Ver 1|24 Apr 2016|03:00:40|You are Hacked !!!! Your H.D.D Encrypted, Contact Us For Decryption Key (w889901665[ at ]yandex [.]com) YOURID: 123123|1| |409d80bb94645fbc4a1fa61 c07806883|139.exe|Ver 1|24 Apr 2016|03:00:40|You are Hacked !!!! Your H.D.D Encrypted, Contact Us For Decryption Key (w889901665[ at ]yandex [.]com) YOURID: 123139|1| |e0358edb797489ffc585e8f5 17b30f1c|141.exe|Ver 1|24 Apr 2016|03:00:40|You are Hacked !!!! Your H.D.D Encrypted, Contact Us For Decryption Key (w889901665[ at ]yandex [.]com) YOURID: 123141|1| |37c0d7f81f6cb81d50505d9c 2d17133b|144.exe|Ver 1|24 Apr 2016|03:00:40|You are Hacked !!!! Your H.D.D Encrypted, Contact Us For Decryption Key (w889901665[ at ]yandex [.]com) YOURID: 123144|1| 3 ----- |MD5|File Name|Ver|Compilation Timestamp|Col5|Ransomnote (modified dcapi.dll - from DiskCryptor open source software)|"mount.exe" MD5 (*1)| |---|---|---|---|---|---|---| |34fc48ef36d9159b2cd44e2b eb8f8d86|152.exe|Ver 1|24 Apr 2016|03:00:40|You are Hacked !!!! Your H.D.D Encrypted, Contact Us For Decryption Key (w889901665[ at ]yandex[.]com) YOURID: 123152|2| |acab552b552725cba7516070 ca6fb673|output.exe|Ver 2|10 Apr 2016|07:26:06|You are Hacked! H.D.D Encrypted, Contact Us For Decryption Key(cryptom27[ at ]yandex [.]com) YOURID: 123180|3| |97ea571579f417e8b1c7bf9cb ac21994|dsd.exe|Ver 3|21 Nov 2016|17:32:45| s/enter key: /enter_key/|4| |682cfb092865e779e0133132 5130b123|output.exe|Ver 3|23 Nov 2016|10:37:28|You Hacked,ALL Data Encrypted,Contact For Key(cryptom27[ at ]yandex [.]com) ID:60019|5| |38529ecca6f8857442331c40e 1bd5f9d|output.exe|Ver 3|23 Nov 2016|10:37:28|You Hacked,ALL Data Encrypted,Contact For Key(cryptom27[ at ]yandex [.]com) ID:601|5| ###### *1: The MD5 refers to MD5s in the first table (MD5s for “mount.exe”). 4 ----- Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network™, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.com. ©2016 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. 10101 N. De Anza Blvd. Cupertino, CA 95014 U.S. toll free: 1 +800.228.5651 Phone: 1 +408.257.1500 Fax: 1 +408.257.2003 -----