JS/Filecoder.RAA [Threat Name] go to Threat

JS/Filecoder.RAA.A [Threat Variant Name]

Category trojan
Size 572952 B
Detection created Jun 23, 2016
Detection database version 13697
Aliases Trojan-Ransom.JS.RaaCrypt.b (Kaspersky)
  Ransom:JS/CryptoRaa.A (Microsoft)
Short description

JS/Filecoder.RAA.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service.

Installation

The trojan does not create any copies of itself.


The following file is dropped into the %mydocuments% folder:

  • st.exe (138752 B, Win32/PSW.Fareit.A)

The file is then executed.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "(Default)" = "%malwarefilepath% argument"
Payload information

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­services\­VSS\­*]

JS/Filecoder.RAA.A is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files which contain any of the following strings in their file name:

  • .doc
  • .xls
  • .rtf
  • .pdf
  • .dbf
  • .jpg
  • .dwg
  • .cdr
  • .psd
  • .cd
  • .mdb
  • .png
  • .lcd
  • .zip
  • .rar
  • csv

It avoids those with any of the following strings in their names:

  • .locked
  • ~
  • $

It avoids files which contain any of the following strings in their path:

  • WINDOWS
  • RECYCLER
  • Program Files
  • Program Files (x86)
  • Windows
  • Recycle.Bin
  • RECYCLE.BIN
  • Recycler
  • TEMP
  • APPDATA
  • AppData
  • Temp
  • ProgramData
  • Microsoft

The trojan encrypts the file content.


The AES encryption algorithm is used.


The extension of the encrypted files is changed to:

  • .locked

To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service.


The trojan drops the file !!!README!!!"%variable%.rtf into the root folder of all available drives.


A string with variable content is used instead of %variable% .


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­RAA\­Raa-fnl]
    • "(Default)" = "beenFinished"
Information stealing

The following information is collected:

  • unique identifier of infected computer

The trojan attempts to send gathered information to a remote machine.


The trojan contains a URL address. The HTTP protocol is used in the communication.

Other information

The following file is dropped into the %mydocuments% folder:

  • doc_attached_%variable% (12796 B)

A string with variable content is used instead of %variable% .


The trojan tries to open the file using "wordpad.exe" application.

The trojan creates copies of the following files (source, destination):

  • C:\­!!!README!!!"%variable%.rtf, %desktop%\­!!!README!!!"%variable%.rtf

A string with variable content is used instead of %variable% .


The trojan tries to open the file using "wordpad.exe" application.

Please enable Javascript to ensure correct displaying of this content and refresh this page.