Win32/Filecoder.Enigma [Threat Name]

Win32/Filecoder.Enigma.A [Threat Variant Name]

Category trojan
Size 562688 B
Detection created May 05, 2016
Detection database version 13441
Aliases Trojan-Ransom.Win32.Crypmod.xst (Kaspersky)
  Trojan.Encoder.4457 (Dr.Web)
  RDN/Ransom (McAfee)
Short description

Win32/Filecoder.Enigma.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to comply with stated conditions in exchange for a password or decryption instructions.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "MyProgram" = "%malwarefilepath%"

The trojan creates the following files:

  • %desktop%\enigma_encr.txt
  • %desktop%\enigma.hta
  • %desktop%\ENIGMA_%variable%.RSA
  • %desktop%\allfilefinds.dat

It creates other Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "MyProgramOk" = "%desktop%\enigma.hta"

A variable numerical value is used in place of %variable%.

Payload information

Win32/Filecoder.Enigma.A is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • .001
  • .002
  • .1cd
  • .2d
  • .3dc
  • .7z
  • .aes
  • .asm
  • .asp
  • .aspx
  • .avi
  • .bat
  • .bmp
  • .bz
  • .bz2
  • .bza
  • .bzip
  • .bzip2
  • .cad
  • .cd
  • .cdr
  • .cmd
  • .cpp
  • .crt
  • .csr
  • .csv
  • .czip
  • .dat
  • .dbf
  • .dif
  • .djv
  • .djvu
  • .doc
  • .docb
  • .docm
  • .docx
  • .dwg
  • .fla
  • .gif
  • .gz
  • .gz2
  • .gza
  • .gzi
  • .gzip
  • .hdoc
  • .html
  • .hwp
  • .java
  • .jpeg
  • .jpg
  • .key
  • .kwm
  • .lzma
  • .max
  • .mdb
  • .mkv
  • .mml
  • .mov
  • .mpeg
  • .mpg
  • .ms11(Security copy)
  • .MYD
  • .MYI
  • .odg
  • .odp
  • .ods
  • .odt
  • .otg
  • .otp
  • .ots
  • .ott
  • .pas
  • .pem
  • .php
  • .png
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .psd
  • .rar
  • .rtf
  • .slk
  • .sln
  • .sql
  • .sqlite
  • .sqlite3
  • .sqlitedb
  • .sqx
  • .sqz
  • .srep
  • .stc
  • .std
  • .sti
  • .stw
  • .swf
  • .sxc
  • .sxi
  • .sxm
  • .sxw
  • .tar
  • .taz
  • .tbk
  • .tbz
  • .tbz2
  • .tg
  • .tgz
  • .tif
  • .tiff
  • .tlz
  • .tlzma
  • .tsk
  • .tx_
  • .txt
  • .txz
  • .tz
  • .uc2
  • .uot
  • .vbs
  • .vdi
  • .wks
  • .wmv
  • .xlc
  • .xlm
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .xz
  • .zi
  • .zip
  • .zipx
  • .zix

It skips files whose path contains any of the following strings:

  • $Recycle.Bin
  • $WINDOWS.~BT
  • $WINDOWS.~WS
  • AppData
  • Application Data
  • Boot
  • enigma_encr.txt
  • Program Files
  • Program Files(x86)
  • Recycle
  • RECYCLER
  • System Volume Information
  • temp
  • thumbs.db
  • tmp
  • WINDOWS
  • Windows
  • Windows.old
  • winnt

The trojan encrypts the file content.


The AES encryption algorithm is used.


An additional .enigma extension is appended.


To restore files to their original state the user is requested to visit a specified internet address with instructions.


The trojan opens the following files:

  • %desktop%\enigma.hta

The trojan opens the file using the default associated application.


Some examples follow.

Information stealing

The trojan collects the following information:

  • user name
  • network adapter information
  • operating system version

The data is saved in the following file:

  • %desktop%\ENIGMA_%variable%.RSA

The trojan encrypts the file content.


The trojan saves the list of encrypted files into the following file:

  • %desktop%\allfilefinds.dat

The trojan encrypts the file content.


The RSA encryption algorithm is used.

Other information

The trojan executes the following command:

  • cmd.exe /C "vssadmin.exe delete shadows /all /quiet"
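The following detection logic is an added illustration written for this page; it is not Enigma's code and not a vendor rule. It covers two behaviours described here: the Run-key persistence values "MyProgram" and "MyProgramOk" from the Installation section, and the shadow-copy deletion through vssadmin.exe above. The event records in the block are constructed by hand and only loosely follow Sysmon EventID 1 (process creation) and EventID 13 (registry value set) field names; the rule that any Run value launching an .hta file is reported is an assumption made here, not something the page states.

```python
"""Triage of constructed endpoint telemetry for two Enigma behaviours:
Run-key persistence values "MyProgram" / "MyProgramOk" and shadow-copy
deletion via vssadmin.exe.  Added illustration, not Enigma's code and not
a vendor rule; the sample events below are constructed, not real logs."""
import re

# "vssadmin[.exe] ... delete ... shadows" after normalisation.  The /all and
# /quiet switches are reported but not required, so a variant that drops
# /quiet is still caught.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
ENIGMA_RUN_VALUES = {"myprogram", "myprogramok"}   # value names from this page


def normalize_cmdline(cmdline):
    """Lower-case, drop quotes and collapse whitespace so that
    'cmd.exe /C "vssadmin.exe ..."' and a bare vssadmin.exe call compare alike."""
    return " ".join(cmdline.replace('"', " ").split()).lower()


def is_shadow_deletion(cmdline):
    return SHADOW_DELETE.search(normalize_cmdline(cmdline)) is not None


def shadow_deletion_switches(cmdline):
    """Which of the /all and /quiet switches are present (for the finding text)."""
    tokens = normalize_cmdline(cmdline).split()
    return [sw for sw in ("/all", "/quiet") if sw in tokens]


def classify_run_value(event):
    """Return a reason string if a registry-set event looks like Enigma
    persistence, otherwise None."""
    if not event["key"].lower().endswith(RUN_KEY_SUFFIX):
        return None
    name = event["value"].lower()
    data = event["data"].strip().strip('"').lower()
    if name in ENIGMA_RUN_VALUES:
        return "Run value name %r matches Enigma persistence" % event["value"]
    # Assumption (not from the page): legitimate software rarely registers an
    # .hta for autostart, so an HTA in a Run value is reported under any name.
    if data.endswith(".hta"):
        return "Run value launches an HTA: %s" % event["data"]
    return None


def triage(events):
    """Return one (event index, reason) finding per suspicious event."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "process" and is_shadow_deletion(ev["cmdline"]):
            switches = " ".join(shadow_deletion_switches(ev["cmdline"])) or "<no switches>"
            findings.append((i, "shadow copy deletion (%s) by %s, parent %s"
                             % (switches, ev["image"], ev["parent"])))
        elif ev["type"] == "registry":
            reason = classify_run_value(ev)
            if reason:
                findings.append((i, reason))
    return findings


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\Downloads\invoice.exe",
     "cmdline": 'cmd.exe /C "vssadmin.exe delete shadows /all /quiet"'},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe  delete   shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe list shadows"},                       # benign
    {"type": "registry", "key": RUN_KEY, "value": "MyProgram",
     "data": r"C:\Users\alice\Downloads\invoice.exe"},
    {"type": "registry", "key": RUN_KEY, "value": "MyProgramOk",
     "data": r"C:\Users\alice\Desktop\enigma.hta"},
    {"type": "registry", "key": RUN_KEY, "value": "OneDrive",     # benign
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print("event %d: %s" % (idx, reason))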
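```

Matching on the command line rather than on the exact string `cmd.exe /C "vssadmin.exe delete shadows /all /quiet"` means the cmd.exe wrapper and the child vssadmin.exe process are both reported, and a sample that changes quoting or drops /quiet still matches; the parent process in the finding is what tells an analyst which binary to pull.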

The trojan searches for files with the following file extensions:

  • .$db
  • .001
  • .002
  • .113
  • .73b
  • .aba
  • .abf
  • .abk
  • .acp
  • .as4
  • .asd
  • .ashbak
  • .asvx
  • .ate
  • .ati
  • .bac
  • .bak
  • .bak~
  • .bak2
  • .bak3
  • .bakx
  • .bbb
  • .bbz
  • .bck
  • .bckp
  • .bcm
  • .bk1
  • .bkc
  • .bkf
  • .bkp
  • .bks
  • .blend1
  • .blend2
  • .bm3
  • .bpa
  • .bpb
  • .bpm
  • .bpn
  • .bps
  • .bup
  • .cbk
  • .cbu
  • .ck9
  • .crds
  • .da0
  • .dash
  • .dba
  • .dbk
  • .diy
  • .dna
  • .dov
  • .fbc
  • .fbf
  • .fbk
  • .fbu
  • .fbw
  • .fh
  • .fhf
  • .flka
  • .flkb
  • .fpsx
  • .ftmb
  • .ful
  • .fza
  • .gb1
  • .gb2
  • .gbp
  • .gho
  • .ghs
  • .icf
  • .ipd
  • .iv2i
  • .jbk
  • .jdc
  • .kb2
  • .lcb
  • .llx
  • .mbk
  • .mbw
  • .mddata
  • .mdinfo
  • .mem
  • .mig
  • .mpb
  • .mv_
  • .nb7
  • .nba
  • .nbak
  • .nbd
  • .nbf
  • .nbi
  • .nbk
  • .nbs
  • .nbu
  • .nco
  • .nfb
  • .nfc
  • .npf
  • .nps
  • .nrbak
  • .nrs
  • .nwbak
  • .obk
  • .oeb
  • .old
  • .onepkg
  • .ori
  • .orig
  • .paq
  • .pbb
  • .pbj
  • .qba.tlg
  • .qbb
  • .qbk
  • .qbm
  • .qbmb
  • .qbmd
  • .qbx
  • .qic
  • .qsf
  • .qv~
  • .rbc
  • .rbf
  • .rbk
  • .rbs
  • .rdb
  • .rgmb
  • .rmbak
  • .rrr
  • .sbb
  • .sbs
  • .sbu
  • .skb
  • .sn1
  • .sn2
  • .sna
  • .sns
  • .spf
  • .spg
  • .spi
  • .srr
  • .stg
  • .sv$
  • .sv2i
  • .tbk
  • .tdb
  • .tig
  • .tis
  • .tlg
  • .tmr
  • .trn
  • .ttbk
  • .uci
  • .v2i
  • .vbk
  • .vbm
  • .vrb
  • .wbb
  • .wbcat
  • .win
  • .wjf
  • .wpb
  • .wspak
  • .xlk
  • .yrcbck

The trojan then deletes the found files.
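The block below models the file-selection logic described on this page, both for the encryption targets (the extension list and the path exclusions in the Payload information section) and for the backup files deleted here: a file is acted on when its name ends with a listed extension and none of the exclusion strings occurs in its path. It is an added illustration written for this page, not Enigma's own code. The extension and exclusion sets are small subsets of the page's lists and the sample paths are constructed. Three assumptions are made and marked in the code: the exclusion test is a plain substring match over the whole path, it is case-sensitive (the page lists both "WINDOWS" and "Windows"), and extension matching is case-insensitive (the page lists ".MYD" alongside lowercase extensions).

```python
"""Model of Enigma's file selection as described on this page: extension in
the target list AND no exclusion string anywhere in the path.  The same
matcher, run with the backup-file extension list, models which files are
deleted.  Added illustration, not Enigma's code; sets are subsets of the
page's lists and the sample paths are constructed.

Assumptions (not stated on the page): (1) exclusion is a plain substring
test over the whole path; (2) that test is case-sensitive; (3) extension
matching is case-insensitive."""
import ntpath

ENCRYPT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt",
                      ".zip", ".sqlite", ".001"}
BACKUP_EXTENSIONS = {".bak", ".bak~", ".old", ".orig", ".vbk", ".sv$",
                     ".tlg", ".qba.tlg"}
PATH_EXCLUSIONS = ["$Recycle.Bin", "AppData", "Application Data",
                   "Program Files", "System Volume Information", "temp",
                   "tmp", "WINDOWS", "Windows", "enigma_encr.txt", "thumbs.db"]


def extension_of(path, extensions):
    """Return the listed extension the file name ends with, trying longer
    extensions first so '.qba.tlg' wins over '.tlg'; None if nothing matches."""
    name = ntpath.basename(path).lower()          # assumption (3)
    for ext in sorted(extensions, key=len, reverse=True):
        if len(name) > len(ext) and name.endswith(ext):
            return ext
    return None


def excluded_by(path):
    """Return the first exclusion string found in the path, or None."""
    for s in PATH_EXCLUSIONS:
        if s in path:                               # assumptions (1) and (2)
            return s
    return None


def select_targets(paths, extensions):
    """Return (path, matched extension) for every file the trojan would act on."""
    selected = []
    for p in paths:
        ext = extension_of(p, extensions)
        if ext is not None and excluded_by(p) is None:
            selected.append((p, ext))
    return selected


# Constructed sample paths, not taken from a real system.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx",          # encrypted
    r"C:\Users\alice\Documents\template.docx",        # skipped: "temp" in "template"
    r"C:\Users\alice\Desktop\enigma_encr.txt",        # skipped: the ransom note itself
    r"C:\Users\alice\AppData\Roaming\notes.txt",      # skipped: AppData
    r"D:\data\photos\IMG_0001.JPG",                   # encrypted (upper-case extension)
    r"E:\backups\db\site.sqlite",                     # encrypted
    r"E:\backups\accounting\company.qba.tlg",         # deleted as a backup file
    r"E:\backups\old\finance.xls.bak",                # deleted as a backup file
    r"C:\Users\alice\Documents\budget.xlsx",          # encrypted
    r"C:\Program Files\App\readme.txt",               # skipped: Program Files
]

if __name__ == "__main__":
    for p, ext in select_targets(SAMPLE_PATHS, ENCRYPT_EXTENSIONS):
        print("encrypt %-45s (%s)" % (p, ext))
    for p, ext in select_targets(SAMPLE_PATHS, BACKUP_EXTENSIONS):
        print("delete  %-45s (%s)" % (p, ext))
    for p in SAMPLE_PATHS:
        s = excluded_by(p)
        if s:
            print("skip    %-45s (path contains %r)" % (p, s))
```

Running the model on the sample paths shows why substring exclusions matter in practice: "temp" also matches a file named template.docx, so a victim may find some documents untouched for no obvious reason, while the ransom note is protected from encryption only by its own name appearing in the exclusion list. Under assumption (2), a path whose components are spelled in a casing the list does not contain would not be excluded; the page does not confirm or deny this, so treat that part of the model as a hypothesis to verify against the sample.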
