Win32/Filecoder.CryptoDefense [Threat Name]

Win32/Filecoder.CryptoDefense.A [Threat Variant Name]

Category trojan
Size 228352 B
Detection created Mar 30, 2017
Detection database version 15175
Aliases Ransom:Win32/Crowti.A (Microsoft)
Short description

Win32/Filecoder.CryptoDefense.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan copies itself to the following locations:

  • %systemdrive%\%variable1%\%variable1%.exe
  • %appdata%\%variable1%.exe
  • %startup%\%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%appdata%\%variable1%.exe"
    • "%variable2%" = "%systemdrive%\%variable1%\%variable1%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "%variable3%" = "%systemdrive%\%variable1%\%variable1%.exe"
    • "%variable4%" = "%appdata%\%variable1%.exe"

A string with variable content is used instead of %variable1-4%.

After the installation is complete, the trojan deletes the original executable file.
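A defender-side audit of the persistence layout described above, written as an added example (it is not part of the ESET entry): it classifies Run/RunOnce targets against the two documented drop paths and raises the verdict when the same binary is registered under both keys. The expanded %appdata% and %systemdrive% values and the registry entries are constructed sample data.

```python
import ntpath
from typing import Optional

# Constructed expansions of the two environment roots used in the drop paths above.
APPDATA = r"C:\Users\alice\AppData\Roaming"
SYSTEMDRIVE = "C:"

def executable_part(value: str) -> str:
    """Strip the argument tail from a Run/RunOnce value: quoted path, else first token."""
    v = value.strip()
    return v[1:].split('"', 1)[0] if v.startswith('"') else v.split(" ", 1)[0]

def drop_layout(value: str) -> Optional[str]:
    r"""Classify a Run/RunOnce target against the two documented drop layouts:
    'appdata_root' -> %appdata%\<name>.exe (directly in the roaming root, no subfolder)
    'named_folder' -> %systemdrive%\<name>\<name>.exe (folder name equals exe base name)."""
    head, tail = ntpath.split(executable_part(value))
    base, ext = ntpath.splitext(tail)
    if ext.lower() != ".exe":
        return None
    if head.lower() == APPDATA.lower():
        return "appdata_root"
    parent, folder = ntpath.split(head)
    if parent.lower().rstrip("\\") == SYSTEMDRIVE.lower() and folder.lower() == base.lower():
        return "named_folder"
    return None

def audit_run_entries(entries: list) -> dict:
    """entries: (key, value_name, data) triples. Verdict is 'high' when both layouts appear
    or the same target is registered under both Run and RunOnce, 'medium' for a single hit."""
    flagged = [(key, name, data, drop_layout(data)) for key, name, data in entries if drop_layout(data)]
    layouts = {f[3] for f in flagged}
    keys_per_target = {}
    for key, _, data, _ in flagged:
        keys_per_target.setdefault(executable_part(data).lower(), set()).add(key.rsplit("\\", 1)[-1].lower())
    both = any({"run", "runonce"} <= ks for ks in keys_per_target.values())
    verdict = "high" if len(layouts) == 2 or both else ("medium" if flagged else "clean")
    return {"flagged": flagged, "verdict": verdict}

# Constructed sample entries; the random names stand in for %variable1-4%.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    (RUN, "qzkfa", r"C:\Users\alice\AppData\Roaming\qzkfa.exe"),
    (RUN, "tmvre", r"C:\qzkfa\qzkfa.exe"),
    (RUN + "Once", "bxoq", r"C:\qzkfa\qzkfa.exe"),
    (RUN, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
```

On a live host the triples would come from a registry export of the two keys; a legitimate program installed directly into the roaming root will score "medium", so the "high" correlation is the signal worth alerting on.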

Payload information

Win32/Filecoder.CryptoDefense.A is a trojan that encrypts files on fixed, removable and network drives.

The trojan searches local, removable and network drives for files with one of the following extensions:

  • .3dm
  • .3ds
  • .3fr
  • .3g2
  • .3gp
  • .accdb
  • .ai
  • .arw
  • .asf
  • .asp
  • .aspx
  • .asx
  • .avi
  • .back
  • .bay
  • .bmp
  • .c
  • .cdr
  • .cer
  • .cfm
  • .class
  • .cpp
  • .cr2
  • .crt
  • .crw
  • .cs
  • .db
  • .dbf
  • .dcr
  • .dds
  • .der
  • .dng
  • .doc
  • .docm
  • .docx
  • .dtd
  • .dwg
  • .dxf
  • .dxg
  • .eps
  • .erf
  • .fla
  • .flac
  • .flv
  • .gif
  • .h
  • .hpp
  • .indd
  • .java
  • .jpe
  • .jpeg
  • .jpg
  • .js
  • .jsp
  • .kdc
  • .key
  • .lua
  • .m
  • .m4v
  • .max
  • .mdb
  • .mdf
  • .mef
  • .mov
  • .mp3
  • .mp4
  • .mpg
  • .mrw
  • .msg
  • .nef
  • .nrw
  • .obj
  • .odb
  • .odc
  • .odm
  • .odp
  • .ods
  • .odt
  • .orf
  • .p12
  • .p7b
  • .p7c
  • .pages
  • .pas
  • .pct
  • .pdb
  • .pdd
  • .pdf
  • .pef
  • .pem
  • .pfx
  • .php
  • .pl
  • .png
  • .pps
  • .ppt
  • .pptm
  • .pptx
  • .prf
  • .ps
  • .psd
  • .pspimage
  • .pst
  • .ptx
  • .py
  • .r3d
  • .raf
  • .raw
  • .rm
  • .rtf
  • .rw2
  • .rwl
  • .sql
  • .sr2
  • .srf
  • .srt
  • .srw
  • .svg
  • .swf
  • .tex
  • .tga
  • .thm
  • .tif
  • .tiff
  • .txt
  • .vb
  • .vob
  • .wb2
  • .wmv
  • .wpd
  • .wps
  • .x3f
  • .xlk
  • .xlr
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .yuv

The trojan encrypts the file content.

The RSA-2048 encryption algorithm is used.

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

The following text is displayed:

  • All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software.
  • Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.
  • The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet;
  • the server will destroy the key after a month. After that, nobody and never will be able to restore files.
  • In order to decrypt the files, open your personal page on the site %url% and follow the instructions.
  • If %url% is not opening, please follow the steps below:
  • 1. You must download and install this browser http://www.torproject.org/projects/torbrowser.html.en
  • 2. After installation, run the browser and enter the address: %torserviceurl%
  • 3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.
  • IMPORTANT INFORMATION:
  • Your Personal PAGE: %url%
  • Your Personal PAGE(using TorBrowser): %torserviceurl%
  • Your Personal CODE(if you open site directly): %usercode%

The following files are dropped into the %desktop% and %startup% folders:

  • HOW_DECRYPT.TXT
  • HOW_DECRYPT.HTML
  • HOW_DECRYPT.URL

The trojan opens the file using the default associated application.

Information stealing

The trojan collects the following information:

  • computer name
  • operating system version
  • CPU information
  • volume serial number

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 3 URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots
  • send gathered information

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • svchost.exe -k netsvcs

The trojan executes the following commands:

  • vssadmin.exe Delete Shadows /All /Quiet
  • bcdedit /set {default} recoveryenabled No
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures

The following services are disabled:

  • wscsvc
  • WinDefend
  • wuauserv
  • BITS
  • ERSvc
  • WerSvc
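A detection example for the recovery-inhibiting commands and the disabled services listed above, added here and not part of the ESET entry: it matches process command lines against the three commands, checks a service-state snapshot for the six named services, and combines both into a per-host verdict. The event records and service states are constructed sample input, not real telemetry.

```python
import re

# Patterns for the three recovery-inhibiting commands listed above
# (case-insensitive, tolerant of extra whitespace and an optional ".exe" suffix).
RECOVERY_INHIBIT = {
    "shadow_copies_deleted": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*?/all\b", re.I),
    "recovery_env_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# Services the entry says the trojan disables (compared case-insensitively).
TARGETED_SERVICES = {"wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersvc"}

def classify_cmdline(cmdline: str) -> list:
    """Return the recovery-inhibit techniques a single process command line matches."""
    return [name for name, rx in RECOVERY_INHIBIT.items() if rx.search(cmdline)]

def triage(events: list, service_states: dict) -> dict:
    """Combine process-creation events with a service-state snapshot for one host.

    events: list of {"pid": int, "cmdline": str}
    service_states: {service_name: "Running" | "Stopped" | "Disabled"}
    Verdict is 'likely_ransomware' when at least two distinct techniques appear, or when
    one technique appears together with at least one disabled defence/update service."""
    techniques = {}
    for ev in events:
        for t in classify_cmdline(ev["cmdline"]):
            techniques.setdefault(t, ev["pid"])  # remember the first pid per technique
    disabled = sorted(s for s, st in service_states.items()
                      if s.lower() in TARGETED_SERVICES and st.lower() == "disabled")
    strong = len(techniques) >= 2 or (techniques and disabled)
    return {"techniques": techniques, "disabled_services": disabled,
            "verdict": "likely_ransomware" if strong else "review"}

# Constructed sample input, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4132, "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 4140, "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 2210, "cmdline": "vssadmin list shadows"},  # benign admin use, must not match
]
SAMPLE_SERVICES = {"wscsvc": "Disabled", "WinDefend": "Disabled", "wuauserv": "Running",
                   "BITS": "Running", "Spooler": "Disabled"}
```

The entry does not say how the services are disabled, so the snapshot check deliberately looks at resulting state rather than at any particular sc.exe or API call.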

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Defender"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\%variable5%]
    • "pub" = %binarydata1%
    • "start" = 1
    • "finish" = 1
    • "text" = "%variable6%"
    • "html" = "%variable7%"
    • "weblink" = "%variable8%"
  • [HKEY_CURRENT_USER\Software\%variable5%\DISKS\%variable9%]
    • "%variable10%" = 0
  • [HKEY_CURRENT_USER\Software\%variable5%\PROTECTED]
    • "%variable11%" = %binarydata2%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = 1

A string with variable content is used instead of %variable5-12%.

The trojan may attempt to download files from the Internet.

The file is stored in the following location:

  • %temp%\%variable12%

The file is then executed.
