{
	"id": "61f59eec-f6dd-4e12-93fc-eeb6cead7aa2",
	"created_at": "2026-04-06T00:14:33.66308Z",
	"updated_at": "2026-04-10T13:12:52.964086Z",
	"deleted_at": null,
	"sha1_hash": "e30f34b01c01581d17eb1dd5ce2c1cd640478d29",
	"title": "Encrypted Chaos: Analysis of Crytox Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1224574,
	"plain_text": "Encrypted Chaos: Analysis of Crytox Ransomware\r\nPublished: 2023-06-01 · Archived: 2026-04-05 23:04:28 UTC\r\nCrytox Ransomware is a 64-bit executable, developed in C and usually deployed by packing the compiled executable with UPX. Once unpacked, the payload is around 2.9 MB, which is unusually large for malware. Analysis of the binary showed that an entire uTox client is embedded at the start of the .text section.\r\nFigure 1: Embedded uTox binary\r\nOn execution, the ransomware decrypts a configuration file using AES, drops the uTox application in the path given in the configuration and injects shellcode into a native Windows process named in the configuration. This shellcode deletes the volume shadow copies and then injects a second shellcode into another native process that runs with a specific command-line argument (in our case svchost with the netsvcs command line was targeted). The final injected shellcode encrypts the user's files on disk and appends a “.waiting” extension.\r\nAnalysis\r\nStage – 1\r\nAPI Resolving\r\nWin32 APIs are resolved dynamically at runtime: a ROR7 hash is computed over the module (DLL) name and a ROR5 hash over the exported API name. The binary contains hardcoded values that are the sum of the module hash and the API hash for each import it needs to resolve and call; the equivalent logic converted to Python is shown below.
\r\nCrytox API Resolving\r\nhttps://labs.k7computing.com/index.php/encrypted-chaos-analysis-of-crytox-ransomware/\r\nPage 1 of 7\r\n# https://www.geeksforgeeks.org/rotate-bits-of-an-integer/\r\nINT_BITS = 32  # the hashes are 32-bit values\r\n\r\n# Hardcoded (module hash + API hash) sums extracted from the sample; populate from Appendix A\r\nHash_present_in_Binary = {0xD18887FC, 0xF6E87FBA, 0x58A71ECB}  # VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx\r\n\r\ndef rightRotate(n, d):\r\n    # 32-bit rotate right of n by d bits\r\n    return ((n >> d) | (n << (INT_BITS - d))) & 0xFFFFFFFF\r\n\r\ndef calculateHash(moduleName, moduleAPIList):\r\n    # Module name is upper-cased, UTF-16LE encoded (including the two NUL bytes) and hashed with ROR7\r\n    moduleName_bytes = moduleName.upper().encode(\"utf-16le\") + b'\\x00\\x00'\r\n    moduleHash = 0\r\n    for byte in moduleName_bytes:\r\n        moduleHash = (byte + rightRotate(moduleHash, 7)) & 0xFFFFFFFF\r\n    # Each API name is ASCII encoded (including the NUL terminator) and hashed with ROR5\r\n    for api in moduleAPIList:\r\n        api_bytes = api.encode(\"utf-8\") + b'\\x00'\r\n        apiHash = 0\r\n        for byte in api_bytes:\r\n            apiHash = (byte + rightRotate(apiHash, 5)) & 0xFFFFFFFF\r\n        # The binary stores the 32-bit sum of both hashes\r\n        total = (moduleHash + apiHash) & 0xFFFFFFFF\r\n        if total in Hash_present_in_Binary:\r\n            print(f\"{api} = {hex(total)}\")\r\nThe complete list of APIs resolved by the file is given in Appendix A. 
\r\nStage – 1 Configuration and Key Generation\r\nThe AES-encrypted configuration is stored in the .data section with size 0x1c0; the key used to decrypt it is “A5 C6 63 63 84 F8 7C 7C 99 EE 77 77 8D F6 7B 7B 0D FF F2 F2 BD D6 6B 6B B1 DE 6F 6F 54 91 C5 C5”.\r\nFigure 2: Stage – 1 configuration\r\nThe extracted configuration contains, in order, the RSA public key, the persistence registry key, the value name and data for the ransom note, the native process to inject the next stage into, and the location to drop the uTox client.\r\nOnce the configuration is decrypted, the malware checks for the value “en” under the subkey “.waiting\\\\shell\\\\open\\\\command\\\\”. If it is found, its data is the RSA public key, and the value “n” holds the RSA private key encrypted with the public key present in the configuration.\r\nFigure 3: RSA Key Pair saved in registry\r\nIf the registry value is not found, a key pair is generated using the CryptGenKey API with Algid 0x1 (RSA key exchange). The private key is exported to memory using CryptExportKey with the dwBlobType parameter set to 0x7 (PRIVATEKEYBLOB) and is encrypted in chunks of 0xF4 bytes using CryptEncrypt. The public key is exported in the same way using CryptExportKey with dwBlobType set to 0x6 (PUBLICKEYBLOB).\r\nFigure 4: Private key stream\r\nProcess Injection\r\nAfter the key pair has been generated, the malware enumerates all active processes and targets the first svchost.exe process it finds. The shellcode is written into this process using the conventional APIs VirtualAllocEx and WriteProcessMemory, and NtCreateThreadEx is invoked to execute it in a new thread.\r\nStage – 2\r\nDeleting the Trace\r\nThe injected shellcode checks whether the target process has “SeDebugPrivilege” enabled. If it does, the access token is updated to NT AUTHORITY\\SYSTEM. 
It waits until the stage-1 process exits in order to obtain a handle to the stage-1 file. It reads the stage-1 file from disk using MapViewOfFile and copies 0x4400 bytes from offset 0x135CA4 into a new heap; this is the stage-2 encrypted configuration. Probably to hinder memory forensics, the stage-1 file is then completely overwritten with NULL bytes and saved before being deleted from disk.\r\nStage – 2 Configuration\r\nThe stage-2 configuration is decrypted using AES with the key “50 60 30 30 03 02 01 01 A9 CE 67 67 7D 56 2B 2B 19 E7 FE FE 62 B5 D7 D7 E6 4D AB AB 9A EC 76 76”. The extracted configuration contains a bat file, and the name under which it is dropped to disk and executed.\r\nFigure 5: Stage – 2 Configuration\r\nDeleting Shadow Copies\r\nThe bat file that deletes the volume shadow copies is dropped in the Windows directory and executed using ShellExecute.\r\nProcess Injection into Explorer and Svchost\r\nThe shellcode enumerates all active processes and computes a ROR13 hash of each process name. A process is a candidate if its hash equals 0xDCF164CD (EXPLORER.EXE) or 0x561F1820 (SVCHOST.EXE); for svchost it additionally performs the following steps so that only a specific service is targeted:\r\n1. Obtain a handle using OpenProcess\r\n2. Retrieve the PEB of the target process using NtQueryInformationProcess with the ProcessInformationClass parameter set to 0\r\n3. Read the command-line argument from the target process PEB using ReadProcessMemory\r\nIf the command line of the target process contains the parameter “netsvcs”, it is chosen for injection of the final-stage shellcode. 
The process id of the identified target process is copied to a heap, followed by the encrypted final-stage payload, which is stored in the stage-1 resource section under RCDATA.\r\nA mutex named “itkd<4 characters generated from the target PID>” is created, and the encrypted resource data is decrypted using the same AES key “50 60 30 30 03 02 01 01 A9 CE 67 67 7D 56 2B 2B 19 E7 FE FE 62 B5 D7 D7 E6 4D AB AB 9A EC 76 76” used before. The decrypted payload is the final-stage shellcode, which is injected into the target process and executed using NtCreateThreadEx.\r\nFigure 6: Final Stage Shellcode\r\nStage – 3 (Final Ransomware)\r\nThe final stage creates a new heap and decrypts another configuration, located at offset 0x14FF with size 0x2F11, using the same AES key as stage-1. This configuration contains the entire ransom note, which is dropped to disk in .hta format, the same public key present in the stage-1 configuration, and the extension to append to encrypted files.\r\nFigure 7: Ransomware Configuration\r\nA new thread is created for each logical disk. Files are encrypted using AES, with a new private key generated for every file; that key is encrypted with the hardcoded public key and appended to the end of each file. Encrypted files receive the .waiting extension. The uTox application allows the victims to communicate with the attacker using the unique id displayed in the ransom note.\r\nFigure 8: Crytox Ransom Note\r\nIOCs\r\nHash: 823E4C4E47E8DABE32FC700409A78537\r\nK7 Detection Name: Trojan ( 00564c011 )\r\nReferences\r\n1. 
https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware\r\nAppendix A (Dynamically Resolved APIs)\r\nAdjustTokenPrivileges 0x34F2E741 RtlMoveMemory 0x97465417\r\nCryptAcquireContextA 0x3F954B63 Sleep 0x32661A6D\r\nCryptDestroyKey 0xD7397F82 TerminateProcess 0xB92BD08\r\nCryptEncrypt 0x835A425D UnmapViewOfFile 0x672A2B80\r\nCryptExportKey 0x16E52981 VirtualAllocEx 0xD18887FC\r\nCryptGenKey 0x8483E097 VirtualFreeEx 0x4F2BA5CE\r\nCryptImportKey 0xC052981 VirtualProtectEx 0x94955ED7\r\nLookupPrivilegeValueA 0x43AA560B WaitForSingleObject 0x2671BB8F\r\nOpenProcessToken 0xA3628BFF WriteFile 0x70E3C54A\r\nRegCloseKey 0x56F03636 WriteProcessMemory 0xF6E87FBA\r\nRegCreateKeyA 0x5E723FC0 lstrcatA 0x8A1D9BCA\r\nRegOpenKeyExA 0xFDE81F1E lstrcmpiA 0xB1DC3443\r\nRegQueryValueExA 0x7829A4A1 lstrcmpiW 0x61DC3443\r\nRegSetValueExA 0x170C3FCB NtCreateThreadEx 0x58A71ECB\r\nCloseHandle 0xF2B7C89A NtQueryInformationProcess 0xE650C32F\r\nCreateFileA 0x9EB8EB8F CreateFileW 0x4EB8EB8F\r\nCreateFileMappingA 0x87C4720C FileTimeToSystemTime 0x74C1905A\r\nCreateMutexA 0xD648D4DD FindClose 0x92A140B\r\nCreateRemoteThread 0x4583365E FindFirstFileW 0xD7CE34E1\r\nCreateThread 0xE888AE7A FindNextFileW 0xD1FDC87F\r\nCreateToolhelp32Snapshot 0x99F5245 GetDateFormatA 0x82D70B24\r\nDeleteFileA 0xA2EDAD8F GetLogicalDrives 0xBA21023\r\nGetExitCodeThread 0xFBD76D17 GetSystemTimeAsFileTime 0x8FBB53E7\r\nGetFileSize 0x4966632A GetSystemTimes 0xFE2CDA22\r\nGetLastError 0x87E43BC GetTickCount 0x20841296\r\nGetWindowsDirectoryA 0x63061FFC GlobalMemoryStatus 0x74C9FD10\r\nGlobalAlloc 0x5287A129 MoveFileW 0x9BDBE590\r\nGlobalFree 0x8CEF887D ReadFile 0xCE2BC47E\r\nLoadLibraryA 0x2EB89E41 SetEndOfFile 0xCC719466\r\nMapViewOfFile 0xA48A2B6F SetFileAttributesW 0xB0DB724A\r\nOpenProcess 0xBF2A3840 SetFilePointerEx 0xD90CDB68\r\nProcess32First 0x6CB1F1E6 SetThreadPriority 
0x704F3375\r\nProcess32Next 0x2D65D010 ShellExecute 0x3A6952BF\r\nReadProcessMemory 0xF08369FA lstrcatW 0x3A1D9BCB\r\nReleaseMutex 0x36C87830 lstrlenW 0x38A62BCB\r\nSource: https://labs.k7computing.com/index.php/encrypted-chaos-analysis-of-crytox-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/encrypted-chaos-analysis-of-crytox-ransomware/"
	],
	"report_names": [
		"encrypted-chaos-analysis-of-crytox-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434473,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e30f34b01c01581d17eb1dd5ce2c1cd640478d29.pdf",
		"text": "https://archive.orkl.eu/e30f34b01c01581d17eb1dd5ce2c1cd640478d29.txt",
		"img": "https://archive.orkl.eu/e30f34b01c01581d17eb1dd5ce2c1cd640478d29.jpg"
	}
}