zCrypt Ransomware


I didn't find this one, but haven't noticed anyone mentioning it. Not digging into this much deeper, so I will dump the main aspects and move on.

This ransomware is called "zCrypt", which is based on the extension left on encrypted files as well as other artifacts. zCrypt has been observed being delivered via malspam. zCrypt utilizes a command and control server to check-in infected bots and also pass the encryption key from the server to the infected machine.

When executed, the malware creates a pop-up that appears to be benign-- likely to confuse a user while the malware talks to the command and control server and begins the encryption routine. The pop-up will continue to appear while the malware is running.

Ransom Note Details

There is a clickable link in the HTML note: "Click Here to Show Bitcoin Address". It appears the ransom note HTML will look for a locally created file "btc.addr" in "C:\Roaming" but the file is actually created in %APPDATA%\Roaming. The browser will throw an error when it cannot find it. I manually moved the file to the location it was looking for and it worked and revealed another BTC payment address.

Currently both wallets are empty.

Encrypted files

Files will be appended with the ".zcrypt" extension.

Network Communications


Mutex: zcrypt1.0
Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\zcrypt
Dropped file: C:\Users[UserName]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zcrypt.lnk
Dropped file: C:\Users[UserName]\AppData\Roaming\zcrypt.exe
Dropped file: C:\Users[UserName]\AppData\Roaming\btc.addr
Dropped file: C:\Users[UserName]\AppData\Roaming\public.key
Dropped file: How to decrypt files.html
Encrypted file extention: .zcrypt

Preliminary Malware Analysis

File name: invoice-order.exe
File size: 791.0 KB ( 809984 bytes )
MD5 hash: d1e75b274211a78d9c5d38c8ff2e1778
Detection ratio: 20 / 57
First submission: 2016-05-22 17:59:19 UTC
VirusTotal link: https://www.virustotal.com/en/file/bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f/analysis/

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for for updates.