CryptoLocker Associated Sites.

So earlier this month one of my customers got bitten by the CryptoLocker malware.

They lost all their files as they were not willing to pay the ransom and they didn’t really mind starting fresh. It could have been a different outcome ending in payments to the CryptoLocker malware authors had they been more attached to their files.

Anyway... I did some digging. It appears my customer opened an email containing a zip attachment which in turn contained a .exe file.
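That chain (email, zip, executable inside) is cheap to catch at the mail gateway before anyone double-clicks. The following is an added example, not code from this post or from any particular product: it unpacks an attachment in memory and flags entries that are executable by extension, hide one behind a double extension, or carry a Windows PE header under a harmless-looking name. The sample attachment it builds is constructed for the demonstration and is not the real CryptoLocker zip.

```python
import io
import zipfile

# Extensions Windows will run directly when the user double-clicks them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def _looks_like_pe(head: bytes) -> bool:
    """A Windows PE file starts with the DOS 'MZ' stub whatever it is named."""
    return head[:2] == b"MZ"


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member_name, reason) for every zip entry that is executable by
    extension, hides an executable behind a double extension (invoice.pdf.exe),
    or carries a PE header under a non-executable name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                reason = "executable extension"
                if len(parts) > 2:
                    reason = "double extension hiding executable"
                findings.append((name, reason))
                continue
            # Read only the first two bytes: never inflate a whole entry just
            # to sniff it, a crafted zip can expand to gigabytes.
            with zf.open(info) as fh:
                head = fh.read(2)
            if _looks_like_pe(head):
                findings.append((name, "PE header under non-executable name"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample attachment (assumption: shaped like the one in the
    post, but not the real file): one double-extension executable, one
    harmless text file and one PE renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2013.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"please see attached invoice")
        zf.writestr("report.pdf", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample_attachment()):
        print(f"BLOCK {member}: {reason}")
```

The extension list and the MZ check complement each other: the first catches what the user would run by double-clicking, the second catches a PE that has been renamed to dodge an extension filter.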

The .exe file inside the zip is a dropper that downloads files from:

DONOTCLICK:// (currently on IPs and
DONOTCLICK:// (currently at

I’ve contacted the UK homes company and asked them to clean up their hacked server as soon as possible.

It is interesting that the malware authors are using HTTPS sites... It makes tracking down the real malware difficult as not many people know how to look into HTTPS requests. Google shows a few results referencing the DNS requests to the domain but nobody has shown the full URL to the malware files hosted on the servers.
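The reason only the domain turns up in other people's write-ups is that the domain is the only part of an HTTPS download a passive observer gets: it appears in the DNS query and again in the TLS ClientHello as the Server Name Indication, while the request line with the path to the payload is inside the encrypted channel. The following added example (mine, not code from this post) shows exactly what can be pulled off the wire: it builds a minimal TLS 1.2 ClientHello for a constructed placeholder host name, example.invalid, and parses the SNI back out with every length field bounds-checked so a truncated or hostile capture raises instead of returning garbage.

```python
import struct

SNI_EXT = 0x0000   # server_name extension type (RFC 6066)
ALPN_EXT = 0x0010  # unrelated extension, included so the parser must walk the list


def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS 1.2 ClientHello record carrying an SNI extension.
    This is a synthetic message for the demonstration, not captured traffic;
    only the fields the parser depends on are realistic."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name     # host_name type 0
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    alpn_list = struct.pack("!H", 3) + b"\x02h2"
    alpn_ext = struct.pack("!HH", ALPN_EXT, len(alpn_list)) + alpn_list
    extensions = alpn_ext + sni_ext
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + b"\x11" * 32                                # random (fixed filler)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"  # two cipher suites
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, None if the
    bytes are not a ClientHello or carry no SNI, ValueError if truncated."""
    def take(buf, pos, n):
        # Bounds-checked slice: malformed input raises rather than silently
        # yielding a short slice that would be misparsed further down.
        if pos + n > len(buf):
            raise ValueError("truncated TLS data")
        return buf[pos:pos + n], pos + n

    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a TLS handshake record
    hs, _ = take(record, 5, struct.unpack("!H", record[3:5])[0])
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    hs, _ = take(hs, 4, int.from_bytes(hs[1:4], "big"))   # handshake body only
    pos = 2 + 32                                      # skip client_version, random
    b, pos = take(hs, pos, 1); _, pos = take(hs, pos, b[0])                          # session_id
    b, pos = take(hs, pos, 2); _, pos = take(hs, pos, struct.unpack("!H", b)[0])     # cipher_suites
    b, pos = take(hs, pos, 1); _, pos = take(hs, pos, b[0])                          # compression
    if pos == len(hs):
        return None                                   # no extensions, so no SNI
    b, pos = take(hs, pos, 2)
    exts, _ = take(hs, pos, struct.unpack("!H", b)[0])
    pos = 0
    while pos + 4 <= len(exts):
        etype, elen = struct.unpack("!HH", exts[pos:pos + 4])
        data, pos = take(exts, pos + 4, elen)
        if etype != SNI_EXT:
            continue
        b, lpos = take(data, 0, 2)
        names, _ = take(data, lpos, struct.unpack("!H", b)[0])
        lpos = 0
        while lpos + 3 <= len(names):
            ntype = names[lpos]
            nlen = struct.unpack("!H", names[lpos + 1:lpos + 3])[0]
            name, lpos = take(names, lpos + 3, nlen)
            if ntype == 0:                            # host_name
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.invalid")
    print("SNI seen on the wire:", extract_sni(hello))
    print("request path seen on the wire: none, it is inside the TLS session")
```

Running it against real traffic means feeding the first TLS record of each outbound connection from a packet capture to extract_sni; that gives you the same host names DNS gives you and nothing more. To recover the full URL you have to be on the inside of the TLS session: run the dropper in a throwaway VM with an intercepting proxy whose CA the VM trusts, or hook the process's HTTP library, and then the request line with the path is in the clear.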

At the time of writing both the droppers and the above malware files are detected by Avast. They certainly were not when they were initially sent to the customer.
