2032
Home > Detailed Technical Analysis Of Crybrazil Ransomware
Detailed Technical Analysis of Crybrazil Ransomware Attack!!! Detailed Technical Analysis of Crybrazil Ransomware Attack!!!
Malware Analysis,Ransomware | 06/05/2018

Detailed Technical Analysis of Crybrazil Ransomware Attack!!!


In this technical analysis of the Crybrazil Ransomware, our (HTRI TEAM) security experts review the details of the ransomware campaign and steps to take to protect against such Crybrazil ransomware attacks.

Crybrazil Ransomware Overview

CRYBRAZIL is a part of the ransomware family. This ransomware is currently targeting the Spain Country, found by the security researcher; it encrypts the victim's machine by using AES Encryption method.

It appends the filename of the affected file by adding .CRYBRAZIL extension in the last. It Only targets the C Drive along with more than 250+ file extensions.

This ransomware uses Hidden Tear Library which is easily available on GitHub.

This ransomware doesn’t contain any ransom amount information. It changes the desktop background wallpaper with the ransom note.

Flow Chart

  Flow Chart

 

Free Checkup & fix for your PC! Get rid of malicious programs instantly!

Free Malware Scan & Fix Limited time offer*

 

Technical Analysis of CRYBRAZIL Ransomware

File Name: crybrazil.exe

MD5: 10597E7C2E644D9BD346844F08328C0B

File Type: .EXE

Spread Via Not Known Yet.

 

Detail Description of CRYBRAZIL Ransomware with Screenshots

 

Static Analysis

This ransomware has minimum requirement Dot Net Framework 4.0

Assembly Info

Figure 1 Assembly Information

 

As shown below, this ransomware gathers the Username, Computer Name and targets the User Directory C:\Users; Once an encryption completed it appends the filename with .CRYBRAZIL Extension.

This ransomware also downloads the ransom note from the mentioned URL in the code.

This ransomware using the Hidden Tear Library which is easily available on the GitHub.

 

Gather Information

Figure 2 Gathers Information

As shown below, as per the code this ransomware is using a predefined password

(“AA151257B1462D642E7E21FF9C80F83CAF043C3572D5ED59BD283D20641E3C9D”) for encrypting files and move the ransomware to specific location C:\admin\Rand123\local.exe

Thereupon, this ransomware starts encrypting the folder based on their specific target directory, extension list, and password.

 Crybrazil Process

Figure 3 Encryption Process

 

As shown below, this ransomware encrypts the files based on the extension list. It has more than 256 file extensions list.

.dat .keychain .sdf .vcf .jpg .png .tiff .tif .gif .jpeg .jif .jfif .jp2 .jpx .j2k .j2c .fpx .pcd .bmp .svg .3dm .3ds .max .obj .dds .psd .tga .thm .yuv .ai .eps .ps .indd .pct .mp4 .avi .mkv .3g2 .3gp .asf .flv .m4v .mov .mpg .rm .srt .swf .vob .wmv .doc .docx .txt .pdf .log .msg .odt .pages .rtf .tex .wpd .wps .csv .ged .key .pps .ppt .pptx .xml .json .xlsx .xlsm .xlsb .xls .mht .mhtml .htm .html .xltx .prn .dif .slk .xlam .xla .ods .docm .dotx .dotm .xps .ics .mp3 .aif .iff .m3u .m4a .mid .mpa .wav .wma .msi .php .apk .app .bat .cgi .com .asp .aspx .cer .cfm .css .js .jsp .rss .xhtml .c .class .cpp .cs .h .java .lua .pl .py .sh .sln .swift .vb .vcxproj .dem .gam .nes .rom .sav .tgz .zip .rar .tar .7z .cbr .deb .gz .pkg .rpm .zipx .iso .accdb .db .dbf .mdb .sql .fnt .fon .otf .ttf .cfg .prf .bak .old .tmp .torrent .der .pfx .crt .csr .p12 .pem .ott .sxw .stw .uot .ots .sxc .stc .wb2 .odp .otp .sxd .std .uop .odg .otg .sxm .mml .lay .lay6 .asc .sqlite3 .sqlitedb .odb .frm .myd .myi .ibd .mdf .ldf .suo .pas .asm .cmd .ps1 .vbs .dip .dch .sch .brd .rb .jar .fla .mpeg .m4u .djvu .nef .cgm .raw .vcd .backup .tbk .bz2 .PAQ .aes .gpg .vmx .vmdk .vdi .sldm .sldx .sti .sxi .602 .hwp .edb .potm .potx .ppam .ppsx .ppsm .pot .pptm .xltm .xlc .xlm .xlt .xlw .dot .docb .snt .onetoc2 .dwg .wk1 .wks .123 .vsdx .vsd .eml .ost .pst

It searches an above extension in the target drive and encrypts it.

This ransomware also drops SUA_CHAVE.html in C:\users\%username%\Desktop

While opening the SUA_CHAVE.html in browser it contains the one hyperlink text O QUE ESTÁ ACONTECENDO? it redirects to the hxxp://3e24c23r2213122c1cxdsxsd[.]unaux[.]com/

Once the files are encrypted this ransomware it appends the filename by adding .Crybrazil extension in the last and also changes the desktop background wallpaper.

 Ransom Note

As shown above, it contains the message in Spanish language, after translation:

he who is the clown, but it is I who set fire to the circus.

Attention children

All your files have been encrypted, to retrieve them back please contact: losalphagroup@protonmail.com

IOC’s

Hash

10597E7C2E644D9BD346844F08328C0B

Associated Email: 

losalphagroup@protonmail.com 

Associated Network Activity

3e24c23r2213122c1cxdsxsd[.]unaux[.]com/crybrazil/write[.]php?info=PC-admin%20AA151257B1462D642E7E21FF9C80F83CAF043C3572D5ED59BD283D20641E3C9D

4[.]bp[.]blogspot[.]com/-11m8rWaFmWs/WuhochGTK0I/AAAAAAAAFTY/VkbbVhxYZDgW_jlbQ5lPbV8AEhyd4ihgQCK4BGAYYCw/s1600/ranso4[.]jpg

Are you worried about your PC health?

Check your PC Health for Free!

Powered By:howtoremoveit.info Free PC Checkup & fix


Tips to Prevent virus and malware from Infecting Your System:

  1. Enable your popup blocker: Pop-ups and ads on the websites are the most adoptable tactic used by cybercriminals or developers with the core intention to spread malicious programs.
    So, avoid clicking uncertain sites, software offers, pop-ups etc. and Install a powerful ad- blocker for ChromeMozilla, and IE
  2. Keep your Windows Updated: To avoid such infections, we recommend that you should always keep your system updated through automatic windows update.By doing this you can keep your device free from virus.According to the survey, outdated/older versions of Windows operating system are an easy target.
  3. Third-party installation: Try to avoid freeware download websites as they usually install bundled of software with any installer or stub file.
  4. Regular Backup: Regular and periodical backup helps you to keep your data safe in case the system is infected by any kind of virus or any other infection.Thus always backup important files regularly on a cloud drive or an external hard drive.
  5. Always have an Anti-Virus: Precaution is better than cure. We recommend that you install an antivirus like McAfee or a good Malware Removal Tool like Download Free Virus RemovalTool

Are your devices Secure?

Best Anti-Malware program in 2018

ad_computer_work
Download now downloads time: less than 1 minute
Is this page helpful?

Also on How To Remove It



1

indicatorImg_logo
fmrtblog2setup
2

3

1

2

3

1

2

3