
EggLocker

From Malware Wiki
[Image: Egglocker.jpg]
Type: Ransomware, Trojan
Creator: Krystofoxik :^)
Date: March 22nd, 2018
Origin: Czechia
Programming Language: Assembly
Platform: Microsoft Windows
File Type: Win32 PE executable (.EXE)
Alias(es): Trojan.Ransom.EggLocker (ALYac)
MD5: 612ba5a52038141dd5c571a4b0dc6b86
SHA-1: ff512e15a2f7d81cdd48d8ed8e86f92d91b51083
SHA-256: 92eba603d5719268d85be5e1b3b3cc61869d6c1d170678276f69ae7e882f6552
SSDEEP: 3072:zoYMAXoByD3/G5Y2R/hXHNfiCaBiTe0La0/ybDm5mgoerZyP5:d3UhdhaETe0W0/ybDbgG
Authentihash: b5e116f5a9d8ab192fbbba2174fa44738179fd019e5b7de63da8e5a3a72e3d09
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744

EggLocker is a ransomware family that claims to encrypt files. It was written in Assembly, like a number of other ransomware families. Judging by the content and documents associated with the attack, EggLocker was designed to target computer users in Czech-speaking regions.

However, this threat is more of a joke than a real ransomware virus: it does not actually encrypt any data, it only renames copied files.

Payload

EggLocker runs as an executable named 'EGG.exe' on the targeted computer. It renames the files it affects by appending the extension '.EGG' to each affected file's name. EggLocker infections have been linked to a fake DirectX notification claiming that the application encountered a problem and needs to close; this decoy helps the malware carry out its attack.

The following are some of the file types that EggLocker targets (renames) in these attacks:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, 
.as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, 
.dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, 
.dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, 
.indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, 
.max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, 
.pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj,
.pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, 
.py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, 
.sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, 
.wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, 
.xltm, .xltx, .xlw, .xml, .xqx, .zip.
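Because the sample only appends '.EGG' to a copied file's name and leaves the contents untouched, a responder can tell renamed files apart from genuinely encrypted ones by checking whether the original format's header is still intact (or, for text, whether the bytes are still printable) and, failing that, by measuring byte entropy. The following triage script is an added example, not code from the wiki or from the malware author; the magic-number table, the 7.5 bits/byte entropy threshold and the constructed demo directory are assumptions made for illustration, while the sample hashes are the ones listed in the infobox above.

```python
"""Added example: triage a directory for EggLocker-style '.EGG' renames.

Assumptions (not from the wiki page): the sample only appends '.EGG' to the
original file name and never touches the contents; the magic-number table and
the entropy threshold below are illustrative choices.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Hashes of the EGG.exe sample as listed in the article's infobox.
KNOWN_SAMPLE = {
    "md5": "612ba5a52038141dd5c571a4b0dc6b86",
    "sha1": "ff512e15a2f7d81cdd48d8ed8e86f92d91b51083",
    "sha256": "92eba603d5719268d85be5e1b3b3cc61869d6c1d170678276f69ae7e882f6552",
}

# Constructed magic-number table covering a few of the extensions the article lists.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx/pptx/jar",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"Rar!\x1a\x07": "rar",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (doc/xls/ppt)",
}
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
ENTROPY_THRESHOLD = 7.5  # assumption: above this, treat the bytes as ciphertext-like


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, reached by uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes):
    """Return (status, kind): 'renamed' when the original format is still
    recognisable, 'encrypted' when the bytes look like ciphertext, else 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return "renamed", kind
    if data and set(data[:512]) <= PRINTABLE:
        return "renamed", "text"
    if shannon_entropy(data[:4096]) > ENTROPY_THRESHOLD:
        return "encrypted", None
    return "unknown", None


def file_hashes(path):
    """MD5/SHA-1/SHA-256 of a file, read in chunks so large files are fine."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def matches_known_sample(path) -> bool:
    """True if the file's SHA-256 equals the infobox hash of EGG.exe."""
    return file_hashes(path)["sha256"] == KNOWN_SAMPLE["sha256"]


def triage_egg_files(root, restore=False):
    """Walk `root`, classify every *.EGG file and, if `restore` is set, strip the
    extension from files whose content is plainly not encrypted. Because the
    article says the originals are copied, an existing original is never overwritten."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.upper() != ".EGG":
            continue
        status, kind = classify(path.read_bytes())
        restored = None
        if restore and status == "renamed":
            original = path.with_suffix("")  # 'photo.png.EGG' -> 'photo.png'
            if not original.exists():
                path.rename(original)
                restored = str(original)
        findings.append({"path": str(path), "status": status, "kind": kind, "restored": restored})
    return findings


def build_demo_dir() -> Path:
    """Constructed sample data: two renamed-but-intact files, one ciphertext-like
    file, and one file the malware did not touch."""
    d = Path(tempfile.mkdtemp(prefix="egglocker-demo-"))
    (d / "photo.png.EGG").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 100)
    (d / "notes.txt.EGG").write_bytes(b"meeting notes\nbuy eggs\n" * 10)
    (d / "vault.dat.EGG").write_bytes(bytes(range(256)) * 16)  # entropy exactly 8.0
    (d / "untouched.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    return d


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_dir()
    for finding in triage_egg_files(target, restore=False):
        print(finding)
```

Run it with a directory argument to report on a real tree, or with no argument to triage the constructed demo folder. `restore=True` should only be used on a copy of the evidence after the report has been reviewed, since stripping the extension changes file names on disk.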

EggLocker can still make changes to the system that leave it vulnerable to other threats. Additionally, it might be updated at any time and start functioning as real crypto-malware. Hence, immediate removal is advised.

EggLocker also terminates Skype, as some other ransomware families do.

Soon after making a mess of the files on the targeted computer, EggLocker changes the desktop wallpaper and tries to intimidate victims into paying a ransom:

EGG LOCKED

Your files has been locked due evil 
chicken, your only way to get them 
back is pay for chicken killers.

Bitcoin address: [redacted]

Any tries to remove chicken will just damage your files.
Be carefully with your decisions.

The malware keeps up the pretence of ransomware behaviour by also dropping a ransom note as a text file. However, the author forgot to state the ransom amount:

Your Windows might not support this software
Issues
Chicken has just awoken!
Your pc has to pay for all files otherwise
small chicken is going to eat them all!
There is no way to kill chicken.
Your attack means her respond

When the victim closes the fake DirectX notification, the website 'chickenluck.win' is loaded automatically in their web browser. This website is dedicated to a person named 'Krysto Foxik', with several social media and website accounts. It is unclear whether the person featured on this page is directly involved in the EggLocker attack or is an individual chosen by those responsible for EggLocker as part of their infection.