Win32/Filecoder.CryptoWall [Threat Name]

Win32/Filecoder.CryptoWall.A [Threat Variant Name]

Category trojan
Size 180736 B
Detection created Apr 10, 2014
Detection database version 12910
Aliases Trojan-Ransom.Win32.Cryptodef.fm (Kaspersky)
  Win32/Crowti.A (Microsoft)
  Lebros.KT (AVG)
Short description

Win32/Filecoder.CryptoWall.A is a trojan that encrypts files on local drives.

Installation

When executed, the trojan copies itself to the following locations:

  • %systemdrive%\%variable%\%variable%.exe
  • %appdata%\%variable%.exe
  • %startup%\%variable%.exe

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%systemdrive%\%variable%\%variable%.exe"
    • "%variable%" = "%appdata%\%variable%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "%variable%" = "%systemdrive%\%variable%\%variable%.exe"
    • "%variable%" = "%appdata%\%variable%.exe"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = 1
  • [HKEY_CURRENT_USER\Software\%variable%]
    • "1" = %config%
    • "2" = "%data%"
    • "3" = "%data%"
    • "4" = "%data%"

Information stealing

The trojan collects various information related to the operating system.


The trojan attempts to send gathered information to a remote machine.

Payload information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 5 URLs. The HTTP protocol is used.


The trojan encrypts files on local disks.


To decrypt the files, the user is instructed to comply with the attacker's conditions in exchange for a password or decryption instructions.


The trojan stores the list of encrypted files in the following Registry entry:

  • [HKEY_CURRENT_USER\Software\%variable%\CRYPTLIST]
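
The following is an added example, not part of the ESET entry or of any ESET tool: a Python triage script that parses `reg query <key> /s` output and flags the registry artefacts described above under Installation and here under Payload information: an autorun target that is an .exe directly in %APPDATA% or in a one-level folder off the drive root (the two drop locations), the same binary registered in both Run and RunOnce, DisableSR set to 1, and any HKCU\Software\<name>\CRYPTLIST key. The sample output, the value names standing in for %variable%, and the CRYPTLIST value layout are constructed for the example; the entry only says the key holds the list of encrypted files, not how.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on `reg query <key> /s` output. The value names,
# paths and the CRYPTLIST value layout are invented stand-ins for the
# %variable% strings in the entry; they are not indicators from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    5f3a9c1e    REG_SZ    C:\5f3a9c1e\5f3a9c1e.exe
    7d20b4ff    REG_SZ    C:\Users\alice\AppData\Roaming\7d20b4ff.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    5f3a9c1e    REG_SZ    C:\5f3a9c1e\5f3a9c1e.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
    DisableSR    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\5f3a9c1e\CRYPTLIST
    0    REG_SZ    C:\Users\alice\Documents\budget.xlsx
    1    REG_SZ    C:\Users\alice\Pictures\holiday.jpg
"""

# Folders that legitimately sit directly under the system drive root.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) tuples from reg query output."""
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("HKEY_"):
            key = raw.strip()
            continue
        # reg query separates name, type and data with runs of spaces
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if key and len(parts) == 3:
            yield key, parts[0], parts[1], parts[2]


def image_path(data):
    """Extract the executable path from a Run value: the quoted path, or the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', data)
    if not m:
        return data
    return m.group(1) or m.group(2)


def classify_path(path):
    """Reason string if the autorun target matches one of the two drop locations, else None."""
    parts = [s.lower() for s in PureWindowsPath(path).parts]
    if not parts or not parts[-1].endswith(".exe"):
        return None
    # %appdata%\%variable%.exe: an executable sitting directly in the Roaming root
    if len(parts) >= 3 and parts[-3:-1] == ["appdata", "roaming"]:
        return "exe directly in %APPDATA%"
    # %systemdrive%\%variable%\%variable%.exe: a one-level folder off the drive root
    if len(parts) == 3 and re.fullmatch(r"[a-z]:\\", parts[0]) and parts[1] not in KNOWN_ROOT_DIRS:
        return "exe in a one-level folder off the drive root"
    return None


def find_indicators(text):
    """Flag autorun entries, the System Restore switch and CRYPTLIST keys from the entry."""
    findings = []
    cryptlist_counts = {}
    for key, name, _vtype, data in parse_reg_query(text):
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf in ("run", "runonce"):
            path = image_path(data)
            reason = classify_path(path)
            if reason:
                findings.append((leaf, name, path, reason))
        elif leaf == "systemrestore" and name.lower() == "disablesr" and int(data, 0) == 1:
            findings.append(("systemrestore", name, data, "System Restore disabled"))
        elif leaf == "cryptlist" and key.lower().startswith("hkey_current_user\\software\\"):
            cryptlist_counts[key] = cryptlist_counts.get(key, 0) + 1
    # The entry describes the same binary registered in both Run and RunOnce.
    run = {f[2].lower() for f in findings if f[0] == "run"}
    once = {f[2].lower() for f in findings if f[0] == "runonce"}
    for path in sorted(run & once):
        findings.append(("run+runonce", "", path, "same binary in Run and RunOnce"))
    for key, count in cryptlist_counts.items():
        findings.append(("cryptlist", key, str(count), "encrypted-file list key (export before cleanup)"))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG_QUERY):
        print(finding)
```

On a suspect host, feed the concatenated output of `reg query HKCU\Software /s` and `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"` to find_indicators(). Export any CRYPTLIST key with `reg export` before remediation: it is the host's own record of which files were encrypted, and cleanup tools that delete the malware's HKCU\Software\%variable% key will take it with them.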

The trojan drops one of the following files in the %desktop%, %startup% and %driveroot% folders:

  • DECRYPT_INSTRUCTION.TXT
  • DECRYPT_INSTRUCTION.HTML
  • DECRYPT_INSTRUCTION.URL

The dropped file is then opened so that the ransom note is displayed.

Other information

The trojan injects its own program code into the following processes and runs it there in a new thread:

  • explorer.exe
  • svchost.exe

The trojan may execute the following commands:

  • vssadmin.exe Delete Shadows /All /Quiet
  • bcdedit /set {default} recoveryenabled No
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures

The following services are disabled:

  • wscsvc
  • WinDefend
  • wuauserv
  • BITS
  • ERSvc
  • WerSvc
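
As an added example, not part of the ESET entry: a Python pass over constructed Sysmon-style process-creation events that fires on the three recovery-sabotage commands listed above (vssadmin shadow deletion and the two bcdedit changes) and, as an assumption because the entry names the disabled services but not the mechanism, on sc.exe / net.exe commands against those service names. The JSON field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the records themselves are invented. A parent of explorer.exe or svchost.exe is flagged because the entry says the trojan runs its code inside those two processes, so the commands would be spawned from them.

```python
import json
import re

# Constructed Sysmon-style process-creation events (Event ID 1), one JSON object
# per line. Invented records for the example, not telemetry from a real infection.
SAMPLE_EVENTS = r"""
{"UtcTime": "2014-04-10 09:12:01", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}
{"UtcTime": "2014-04-10 09:12:02", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"UtcTime": "2014-04-10 09:12:02", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"}
{"UtcTime": "2014-04-10 09:12:03", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc config WinDefend start= disabled"}
{"UtcTime": "2014-04-10 10:30:00", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}
{"UtcTime": "2014-04-10 10:31:00", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\notepad.exe", "CommandLine": "notepad.exe"}
"""

# Services the entry says the trojan disables.
SERVICES = r"(?:wscsvc|windefend|wuauserv|bits|ersvc|wersvc)"

# (rule name, regex over the normalised command line). The leading group tolerates
# a full path in front of the binary name.
RULES = [
    ("shadow_copies_deleted",
     r"^(?:\S*\\)?vssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    ("recovery_disabled",
     r"^(?:\S*\\)?bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"),
    ("boot_failures_ignored",
     r"^(?:\S*\\)?bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b"),
    # Assumption: sc.exe / net.exe are one way to disable the listed services; the entry does not say which is used.
    ("security_service_disabled",
     r"^(?:\S*\\)?(?:sc(?:\.exe)?\s+(?:config|stop)|net(?:\.exe)?\s+stop)\s+" + SERVICES + r"\b"),
]

# The entry says the trojan runs its code in threads inside these two processes.
INJECTED_HOSTS = {"explorer.exe", "svchost.exe"}


def normalise(cmdline):
    """Lower-case, drop quotes and collapse whitespace so rules tolerate path and quoting variants."""
    return " ".join(cmdline.replace('"', " ").lower().split())


def match_event(event):
    """Return the names of all rules that fire on one process-creation event."""
    norm = normalise(event.get("CommandLine", ""))
    return [name for name, pattern in RULES if re.search(pattern, norm)]


def scan(jsonl):
    """Return one alert per matching event, noting whether the parent is an injection host."""
    alerts = []
    lines = [l for l in jsonl.splitlines() if l.strip()]
    for index, line in enumerate(lines):
        event = json.loads(line)
        hits = match_event(event)
        if not hits:
            continue
        parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        alerts.append({
            "index": index,
            "time": event.get("UtcTime"),
            "rules": hits,
            "command": event.get("CommandLine"),
            "parent_is_injected_host": parent in INJECTED_HOSTS,
        })
    return alerts


def assess(alerts):
    """Name the stage reached: shadow deletion plus both bcdedit changes is the full sequence."""
    fired = {rule for alert in alerts for rule in alert["rules"]}
    if {"shadow_copies_deleted", "recovery_disabled", "boot_failures_ignored"} <= fired:
        return "recovery sabotage sequence (vssadmin + bcdedit)"
    if fired:
        return "partial: " + ", ".join(sorted(fired))
    return "none"


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(assess(found))
```

The vssadmin rule deliberately matches any "delete shadows" invocation, not only the /All /Quiet form in the entry, since an operator could never legitimately need it on a workstation; "vssadmin list shadows" from cmd.exe is left alone. In a real deployment the three recovery rules belong on a blocking policy, not just an alert: once the shadow copies are gone the only recovery path is the backups.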

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Defender"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects]
    • {FD6905CE-952F-41F1-9A6F-135D9C6622CC}

The trojan can download and execute a file from the Internet.


The file is stored in the following location:

  • %temp%\%variable%

The file is then executed.
