Subscribe via feed.

Trojan.CryptoLocker Code Execution

Posted by deepcore on May 7, 2022 – 5:01 am

Cryptolocker ransomware drops a PE file in the AppDataRoaming directory which then tries to load a DLL named “netapi32.dll”. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit DLL checks if the current directory is “C:WindowsSystem32” and if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products as the malware’s flaw does the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as there’s nothing to kill the DLL that just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.


This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.