Python/Filecoder

Python/Filecoder.A

Category: trojan
Detection created: Sep 23, 2014
Detection database version: 10454

Short description

Python/Filecoder.A is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to send information or a certain amount of money via the Bitcoin payment service. The file is run-time compressed using RAR SFX.

Installation

The trojan extracts the archive content into the following folder:

  • %currentfolder%

The trojan creates the following files:

  • %currentfolder%\atk.pyd (208384 B)
  • %currentfolder%\back.png (3417 B)
  • %currentfolder%\bz2.pyd (68608 B)
  • %currentfolder%\cairo._cairo.pyd (69632 B)
  • %currentfolder%\Crypto.Cipher._AES.pyd (29184 B)
  • %currentfolder%\favicon.png (3675 B)
  • %currentfolder%\final-step.png (21592 B)
  • %currentfolder%\freetype6.dll (538324 B)
  • %currentfolder%\gdiplus.dll (1351168 B)
  • %currentfolder%\gio._gio.pyd (263168 B)
  • %currentfolder%\glib._glib.pyd (58368 B)
  • %currentfolder%\gobject._gobject.pyd (113152 B)
  • %currentfolder%\gtk._gtk.pyd (1882624 B)
  • %currentfolder%\intl.dll (152489 B)
  • %currentfolder%\libatk-1.0-0.dll (163476 B)
  • %currentfolder%\libcairo-2.dll (1294335 B)
  • %currentfolder%\libexpat-1.dll (143096 B)
  • %currentfolder%\libfontconfig-1.dll (279059 B)
  • %currentfolder%\libgdk-win32-2.0-0.dll (932373 B)
  • %currentfolder%\libgdk_pixbuf-2.0-0.dll (285194 B)
  • %currentfolder%\libgio-2.0-0.dll (1222182 B)
  • %currentfolder%\libglib-2.0-0.dll (1242929 B)
  • %currentfolder%\libgmodule-2.0-0.dll (36986 B)
  • %currentfolder%\libgobject-2.0-0.dll (341594 B)
  • %currentfolder%\libgthread-2.0-0.dll (44287 B)
  • %currentfolder%\libgtk-win32-2.0-0.dll (4939820 B)
  • %currentfolder%\libpango-1.0-0.dll (333729 B)
  • %currentfolder%\libpangocairo-1.0-0.dll (104729 B)
  • %currentfolder%\libpangoft2-1.0-0.dll (815421 B)
  • %currentfolder%\libpangowin32-1.0-0.dll (108945 B)
  • %currentfolder%\libpng14-14.dll (230529 B)
  • %currentfolder%\library.zip (818391 B)
  • %currentfolder%\msvcr90.dll (653120 B)
  • %currentfolder%\nextGD.png (3365 B)
  • %currentfolder%\pango.pyd (111616 B)
  • %currentfolder%\pangocairo.pyd (17920 B)
  • %currentfolder%\pay.png (3233 B)
  • %currentfolder%\python27.dll (2454016 B)
  • %currentfolder%\pythoncom27.dll (396800 B)
  • %currentfolder%\pywintypes27.dll (110080 B)
  • %currentfolder%\rugui.glade (31363 B)
  • %currentfolder%\select.pyd (10240 B)
  • %currentfolder%\step-1.png (28293 B)
  • %currentfolder%\step-3.png (25308 B)
  • %currentfolder%\step-4.png (22171 B)
  • %currentfolder%\step2-2.png (27033 B)
  • %currentfolder%\unicodedata.pyd (686080 B)
  • %currentfolder%\wall.bmp (68056 B)
  • %currentfolder%\win32api.pyd (100352 B)
  • %currentfolder%\win32com.shell.shell.pyd (381952 B)
  • %currentfolder%\win32file.pyd (119808 B)
  • %currentfolder%\win32gui.pyd (167936 B)
  • %currentfolder%\win32wnet.pyd (25088 B)
  • %currentfolder%\windbyit.exe (734208 B)
  • %currentfolder%\zlib1.dll (100352 B)
  • %currentfolder%\_ctypes.pyd (87552 B)
  • %currentfolder%\_hashlib.pyd (715264 B)
  • %currentfolder%\_socket.pyd (46080 B)
  • %currentfolder%\_ssl.pyd (1160704 B)
  • %currentfolder%\CryptoLocker\favicon.ico (2550 B)
  • %currentfolder%\CryptoLocker\index.html (12192 B)
  • %currentfolder%\CryptoLocker\assets\css\style.css (8472 B)
  • %currentfolder%\CryptoLocker\assets\css\img\info.png (686 B)
  • %currentfolder%\CryptoLocker\assets\css\img\warning.png (607 B)
  • %currentfolder%\CryptoLocker\assets\images\1.jpg (376395 B)
  • %currentfolder%\CryptoLocker\assets\images\2.jpg (447613 B)
  • %currentfolder%\CryptoLocker\assets\images\3.jpg (375404 B)
  • %currentfolder%\CryptoLocker\assets\images\4.jpg (77567 B)
  • %currentfolder%\CryptoLocker\assets\images\5.jpg (45489 B)
  • %currentfolder%\CryptoLocker\assets\images\6.jpg (432011 B)
  • %currentfolder%\CryptoLocker\assets\images\btc.png (4348 B)
  • %currentfolder%\CryptoLocker\assets\js\jquery.easing.js (8097 B)
  • %currentfolder%\CryptoLocker\assets\js\jquery.js (247823 B)
  • %currentfolder%\CryptoLocker\assets\js\jquery.scrollTo.js (2252 B)
  • %currentfolder%\CryptoLocker\assets\js\script.js (3741 B)
  • %currentfolder%\CryptoLocker\assets\js\google-code-prettify\prettify.css (815 B)
  • %currentfolder%\CryptoLocker\assets\js\google-code-prettify\prettify.js (13632 B)
  • %appdata%\Seatle202141\l00000iiiiillll.blc

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "seattle" = "%currentfolder%\windbyit.exe"

The trojan displays dialog boxes (screenshots not reproduced here).

Payload information

The trojan encrypts files on local disks.


The trojan searches local drives for all files except those with the following file extensions:

  • .pyd
  • .blc
  • .lnk
  • .avi
  • .dat
  • .reg
  • .ico
  • .flv
  • .m4v
  • .mov
  • .mp4
  • .mpg
  • .rm
  • .swf
  • .vob
  • .wmv
  • .3gp
  • .xvid
  • .divx
  • .bsf
  • .mpeg
  • .mkv
  • .sys
  • .edb
  • .dmp
  • .dll
  • .exe
  • .msi
  • .ini
  • .cab
  • .cpl
  • .tmp
  • .torrent
  • .bat
  • .com
  • .drv
  • .fnt
  • .fon

The trojan encrypts the file content.


The AES encryption algorithm is used.


To decrypt the files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.


The trojan saves the list of encrypted files into the following file:

  • %appdata%\Seatle202141\fileorglist%drive%.blc

Information stealing

The trojan collects the following information:

  • computer name

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 2 URLs. The HTTP protocol is used.


The trojan moves the following files (source, destination):

  • %currentfolder%\wall.bmp, %appdata%\wall.bmp (68056 B)

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "Wallpaper" = "%appdata%\wall.bmp"
    • "WallpaperStyle" = 0
    • "TileWallpaper" = 0
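
The following host check is an added example (not part of this ESET description) that looks for the artifacts listed above: the "seattle" Run value pointing at windbyit.exe, the %appdata%\Seatle202141 directory with its .blc files, and the wallpaper replaced by %appdata%\wall.bmp. It assumes %appdata% maps to $env:APPDATA for the user being inspected; since %currentfolder% (the RAR SFX extraction directory) is not known in advance, the Run value is matched on the windbyit.exe file name rather than a full path.

```powershell
# Host check for the Python/Filecoder.A artifacts described on this page.
# Runs against the current user's HKCU hive and profile only.
$findings = @()

# 1. Persistence: HKCU\...\Run value "seattle" = "<currentfolder>\windbyit.exe"
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['seattle']) {
    $value = $run.seattle
    $findings += "Run value 'seattle' = $value"
    # Extraction folder is unknown, so match on the executable name only
    if ($value -match 'windbyit\.exe') { $findings += "Run value references windbyit.exe" }
}

# 2. Working directory and encrypted-file lists under %appdata%\Seatle202141
$workDir = Join-Path $env:APPDATA 'Seatle202141'
if (Test-Path -Path $workDir) {
    $findings += "Directory present: $workDir"
    Get-ChildItem -Path $workDir -Filter '*.blc' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Marker/list file: $($_.FullName) ($($_.Length) B)" }
}

# 3. Wallpaper replaced with %appdata%\wall.bmp (68056 B in the analysed sample)
$wallBmp = Join-Path $env:APPDATA 'wall.bmp'
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($desktop -and $desktop.Wallpaper -eq $wallBmp) {
    $findings += "Wallpaper set to $($desktop.Wallpaper)"
}
if (Test-Path -Path $wallBmp) {
    $findings += "File present: $wallBmp ($((Get-Item $wallBmp).Length) B)"
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'No Python/Filecoder.A artifacts found for the current user.'
} else {
    Write-Output 'Possible Python/Filecoder.A artifacts:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Because the persistence entry and working directory live under the current user's hive and profile, run the check in each user context (or load the other users' NTUSER.DAT hives) on a shared machine.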
