CTB Locker += NL & IT
While studying the Revslider infection schemes, I was redirected from the "Revslider Case 3" path (cf. the Sucuri blog post) to Nuclear Pack.
Revslider Case 3 - Path to Nuclear Pack delivering Critroni 2014-12-28
Decoded payload (MD5): 10f0eaa794f48ad0b15034e0683cb15f
It's CTB Locker aka Critroni.
What is new to me here is the random extension given to the encrypted files:
Encrypted RTF with unique extension
Files dropped in MyDocuments (background wallpaper and decryption explanation)
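The random extension is also a detection opportunity: a single infection tags many files in a user's profile with one suffix that was never seen there before. Below is an added example (not part of the original post) of a small Python heuristic that reports clusters of files sharing a random-looking, non-baseline extension. It assumes, beyond what the screenshot shows, that encrypted files keep their original name and gain one extra suffix ("report.rtf" becoming "report.rtf.xxxxxxx") and that one run uses one suffix for every file it touches; the baseline extension set, the sample listing and the suffix `kxqwzrp` are constructed for the example.

```python
import collections
import os

# Extensions expected in a user's documents.  Assumption: in practice this
# allowlist would be built from an inventory of the organisation's own files.
BASELINE_EXTENSIONS = {
    "doc", "docx", "rtf", "xls", "xlsx", "ppt", "pptx", "pdf", "txt",
    "jpg", "jpeg", "png", "gif", "bmp", "zip", "rar", "7z", "mp3", "mp4",
    "avi", "html", "htm", "xml", "csv", "odt", "ods", "lnk", "url",
}


def split_suffixes(path):
    """Lowercase extensions of a file name, innermost first.
    'report.rtf.kxqwzrp' -> ['rtf', 'kxqwzrp'].  Works for both separators."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lstrip(".").split(".")
    return [p.lower() for p in parts[1:]]


def is_random_looking(ext):
    """Heuristic: not in the baseline, 4-10 alphanumerics, not a trivial repeat."""
    return (ext not in BASELINE_EXTENSIONS
            and 4 <= len(ext) <= 10
            and ext.isalnum()
            and len(set(ext)) > 2)


def classify(path):
    """Return (outer_extension, original_extension_preserved) for a suspicious
    name, or None.  'preserved' is True when the suffix below the random one
    is a known document type, i.e. the original name was kept and extended."""
    suffixes = split_suffixes(path)
    if not suffixes:
        return None
    outer = suffixes[-1]
    if not is_random_looking(outer):
        return None
    preserved = len(suffixes) >= 2 and suffixes[-2] in BASELINE_EXTENSIONS
    return outer, preserved


def find_suspect_extensions(paths, min_files=5):
    """Group files by random-looking outer extension and report the extensions
    carried by at least min_files files.  A ransomware run tags many files with
    the same suffix, so one odd file is ignored while a cluster is reported."""
    clusters = collections.defaultdict(list)
    for p in paths:
        c = classify(p)
        if c:
            clusters[c[0]].append(p)
    return {ext: sorted(files)
            for ext, files in clusters.items() if len(files) >= min_files}


def scan_tree(root, min_files=5):
    """Walk a directory tree and apply find_suspect_extensions to every file."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
    return find_suspect_extensions(paths, min_files)


# Constructed sample listing (not real data): untouched documents, one lone
# oddity below the threshold, and a cluster sharing one made-up suffix.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\report.rtf.kxqwzrp",
    r"C:\Users\alice\Documents\invoice.pdf.kxqwzrp",
    r"C:\Users\alice\Documents\photo.jpg.kxqwzrp",
    r"C:\Users\alice\Documents\thesis.docx.kxqwzrp",
    r"C:\Users\alice\Documents\old\letter.doc.kxqwzrp",
    r"C:\Users\alice\Documents\archive.zip",
    r"C:\Users\alice\Documents\weird.q2z",
    r"C:\Users\alice\Documents\AllFilesAreLocked.bmp",
]

if __name__ == "__main__":
    for ext, files in find_suspect_extensions(SAMPLE_LISTING).items():
        print(f"suffix .{ext}: {len(files)} files, e.g. {files[0]}")
```

The threshold matters: a fresh, unique extension on a handful of files is normal user activity, while the same unknown suffix on dozens of documents in a profile is worth an alert. Run `scan_tree` against a user's profile from a scheduled task, or feed it a file listing pulled during triage.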
The other novelty is the addition of two languages, Dutch (NL) and Italian (IT):
Critroni - First Screen NL 2014-12-28
Critroni - First Screen IT 2014-12-28
Critroni - Test Explanation - NL 2014-12-28
Critroni - Test Explanation - IT 2014-12-28
Critroni - Decryption Test - NL 2014-12-28
Bitcoin Address Screen - NL 1AjhFhf7rE2V3sKmTxoK7t6M7aaymTrt5G
BTC explanation - NL 2014-12-28
Files: Critroni_NL_IT.zip (Fiddler capture and payload)