Win32/Filecoder.Crysis [Threat Name]

Win32/Filecoder.Crysis.P [Threat Variant Name]

Category trojan
Size 94720 B
Detection created Oct 19, 2017
Detection database version 16267
Aliases Trojan-Ransom.Win32.Crusis.to (Kaspersky)
  Trojan.Encoder.3953 (Dr.Web)
  Ransom:Win32/Wadhrama (Microsoft)
Short description

Win32/Filecoder.Crysis.P is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan copies itself into some of the following locations:

  • %windir%\system32\%originalmalwarefilename%
  • %userprofile%\appdata\roaming\microsoft\windows\start menu\programs\startup\%originalmalwarefilename%
  • %programdata%\microsoft\windows\start menu\programs\startup\%originalmalwarefilename%

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%originalmalwarefilename%" = "%windir%\system32\%originalmalwarefilename%"
    • "%originalmalwarefilename%" = "%appdata%\%originalmalwarefilename%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%originalmalwarefilename%" = "%windir%\system32\%originalmalwarefilename%"
    • "%originalmalwarefilename%" = "%appdata%\%originalmalwarefilename%"

This causes the trojan to be executed on every system start.

Payload information

Win32/Filecoder.Crysis.P is a trojan that encrypts files on fixed, removable and network drives.

The trojan searches for files with the following file extensions:

  • *.*

It avoids files which contain any of the following strings in their path:

  • c:\windows
  • .arrow

It avoids files with the following filenames:

  • %originalmalwarefilename%
  • boot.ini
  • bootfont.bin
  • FILES_ENCRYPTED.txt
  • info.hta
  • io.sys
  • ntdetect.com
  • ntldr

The trojan encrypts the file content.

An additional ".id-%variable%.[%emailaddress%].arrow" extension is appended.

A string with variable content is used instead of %variable%.

The RSA and AES encryption algorithms are used.

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


The following files are dropped:

  • %desktop%\FILES ENCRYPTED.txt
  • %commondesktop%\FILES ENCRYPTED.txt
  • %drive%\FILES ENCRYPTED.txt

It contains the following text:

all your data has been locked us You want to return? write email %emailaddress1% or %emailaddress2%

The following files are dropped:

  • %appdata%\info.hta
  • %commonstartup%\info.hta
  • %startup%\info.hta
  • %windir%\system32\info.hta

The trojan executes the following commands:

  • mshta.exe %commonstartup%\info.hta
  • mshta.exe %startup%\info.hta

Some examples follow.

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%appdata%\info.hta" = "mshta.exe\"%appdata%\info.hta\""
    • "%windir%\system32\info.hta" = "mshta.exe\"%windir%\system32\info.hta\""
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%appdata%\info.hta" = "mshta.exe\"%appdata%\info.hta\""
    • "%windir%\system32\info.hta" = "mshta.exe\"%windir%\system32\info.hta\""

Other information

The trojan executes the following commands:

  • mode con cp select=1251
  • vssadmin delete shadows /all /quiet
  • exit
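As an added defender-side example (not part of the original description), the following Python applies the indicators listed on this page: it parses the appended ".id-%variable%.[%emailaddress%].arrow" extension back into its parts and labels process command lines that match the vssadmin shadow-copy deletion or the mshta.exe launch of info.hta. All sample file names and command lines below are constructed, not taken from a real incident.

```python
import re

# Encrypted files carry the appended ".id-%variable%.[%emailaddress%].arrow" extension.
ARROW_RE = re.compile(r"\.id-(?P<victim_id>[A-Za-z0-9]+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.arrow$", re.IGNORECASE)
# Command lines listed on the page: shadow copy deletion and mshta.exe launching info.hta.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all\b", re.IGNORECASE)
MSHTA_HTA_RE = re.compile(r"\bmshta(\.exe)?\b.*\binfo\.hta\b", re.IGNORECASE)

def parse_encrypted_name(filename):
    """Return (original_name, victim_id, email) for a renamed file, or None if it does not match."""
    m = ARROW_RE.search(filename)
    if not m:
        return None
    return filename[:m.start()], m.group("victim_id"), m.group("email")

def classify_command(cmdline):
    """Label a process command line with the behaviour it matches, or None."""
    if SHADOW_DELETE_RE.search(cmdline):
        return "shadow-copy-deletion"
    if MSHTA_HTA_RE.search(cmdline):
        return "mshta-info.hta"
    return None

def triage(filenames, cmdlines):
    """Count how many observations match each indicator kind."""
    hits = {"encrypted-file": 0, "shadow-copy-deletion": 0, "mshta-info.hta": 0}
    for name in filenames:
        if parse_encrypted_name(name):
            hits["encrypted-file"] += 1
    for cmd in cmdlines:
        kind = classify_command(cmd)
        if kind:
            hits[kind] += 1
    return hits

# Constructed sample observations for the demonstration (not from a real incident).
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.id-1A2B3C4D.[contact@example.invalid].arrow",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Desktop\FILES ENCRYPTED.txt",
]
SAMPLE_CMDLINES = [
    "vssadmin delete shadows /all /quiet",
    r'mshta.exe "C:\Users\alice\AppData\Roaming\info.hta"',
    "mode con cp select=1251",
]

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_CMDLINES))
```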

The trojan terminates processes with any of the following strings in the name:

  • 1c8.exe
  • 1cv77.exe
  • mysqld.exe
  • mysqld-nt.exe
  • outlook.exe
  • postgres.exe
  • sqlservr.exe

The following services are disabled:

  • FirebirdGuardianDefaultInstance
  • FirebirdServerDefaultInstance
  • mssqlserver
  • sqlserveradhelper
  • sqlwriter
