Win32/Filecoder.Erebus [Threat Name]

Win32/Filecoder.Erebus.A [Threat Variant Name]

Category: trojan
Size: 1249280 B
Detection created: Feb 08, 2017
Detection database version: 14901
Aliases: Ransom.CryptXXX (Symantec)
  Trojan-Ransom.Win32.Erebus.a (Kaspersky)
  Ransom:Win32/Erebus.A!rsm (Microsoft)
Short description

Win32/Filecoder.Erebus.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password or instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %malwarefolder%\%variable%.exe

A string with variable content is used instead of %variable%.


The trojan creates the following files:

  • C:\Users\%username%\Desktop\README.html
  • C:\Users\%username%\Documents\README.html
  • C:\Documents and Settings\%username%\Desktop\README.html
  • C:\Documents and Settings\%username%\Documents\README.html
  • %temp%\y

The following Registry entry is deleted:

  • [HKEY_CURRENT_USER\Software\Classes\mscfile]

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
    • "(Default)" = "%malwarefolder%\%variable%.exe"

Win32/Filecoder.Erebus.A installs the following software:

  • Tor

The trojan tries to download a file from the Internet.


The file is stored in the following location:

  • %temp%\tor.zip

The trojan extracts the archive content into the following folder:

  • %temp%\tor\Tor

Payload information

Win32/Filecoder.Erebus.A is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches local, removable and network drives for files with one of the following extensions:

  • .3fr
  • .accd
  • .ai
  • .arw
  • .bay
  • .cdr
  • .cer
  • .cr2
  • .crt
  • .crw
  • .dbf
  • .dcr
  • .der
  • .dng
  • .doc
  • .docm
  • .docx
  • .dwg
  • .dxf
  • .dxg
  • .eps
  • .erf
  • .jpe
  • .jpg
  • .kdc
  • .mdb
  • .mdf
  • .mef
  • .mp3
  • .mp4
  • .mrw
  • .nef
  • .nrw
  • .odb
  • .odm
  • .odp
  • .ods
  • .odt
  • .orf
  • .p12
  • .p7b
  • .p7c
  • .pdd
  • .pef
  • .pem
  • .pfx
  • .png
  • .ppt
  • .pptm
  • .pptx
  • .psd
  • .pst
  • .ptx
  • .r3d
  • .raf
  • .raw
  • .rtf
  • .rwl
  • .srf
  • .srw
  • .txt
  • .wb2
  • .wpd
  • .wps
  • .xlk
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx

It skips files whose path contains any of the following strings:

  • Windows

The trojan encrypts the file content.


The AES-256 encryption algorithm is used.


The extension of the encrypted files is changed to:

  • %variableextension%

A string with variable content is used instead of %variableextension%.


To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password or instructions.


The trojan removes all of the volume shadow copies in order to prevent restoring the original files.


The trojan creates the following files:

  • C:\Users\%username%\Desktop\README.html
  • C:\Users\%username%\Documents\README.html
  • C:\Documents and Settings\%username%\Desktop\README.html
  • C:\Documents and Settings\%username%\Documents\README.html

The file is then opened in a web browser.


It contains the following text:

The trojan displays the following dialog box:

Information stealing

The trojan collects the following information:

  • hardware information
  • computer IP address
  • country code

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 7 URLs. The SOCKS5, HTTP and Tor protocols are used in the communication.


The trojan opens the following SOCKS5 port:

  • 9050

The trojan executes the following files:

  • %system%\System32\eventvwr.exe
  • %temp%\tor\Tor\tor.exe

Win32/Filecoder.Erebus.A attempts to gain administrative privileges on the system.


The trojan is able to bypass User Account Control (UAC).
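
The per-user mscfile handler override set above, together with the launch of eventvwr.exe, is what a defender can look for in endpoint telemetry. The following detection logic is an added example (not ESET's code); it assumes constructed Sysmon-style registry (EventID 13) and process-creation (EventID 1) log lines, and flags any mscfile\shell\open\command value written under HKCU/HKU plus any eventvwr.exe started by a parent outside C:\Windows.

```python
import re

# Per-user override of the .msc file handler. The legitimate handler lives
# under HKLM (HKEY_CLASSES_ROOT) and points to mmc.exe, so a value under
# HKCU (shown by Sysmon as HKU\<SID>\...) is suspicious on its own.
HIJACK_KEY_RE = re.compile(
    r"^(?:HKU\\S-1-5-21-[\d-]+|HKCU)\\Software\\Classes\\mscfile"
    r"\\shell\\open\\command(?:\\\(Default\))?$",
    re.IGNORECASE,
)

# Constructed Sysmon-style lines for illustration (not real telemetry).
SAMPLE_LOG = r"""EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Classes\mscfile\shell\open\command\(Default) Details=%SystemRoot%\system32\mmc.exe "%1" %*
EventID=13 Image=C:\Users\alice\AppData\Local\Temp\q7x.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default) Details=C:\Users\alice\AppData\Local\Temp\q7x.exe
EventID=1 Image=C:\Windows\System32\eventvwr.exe ParentImage=C:\Users\alice\AppData\Local\Temp\q7x.exe
"""


def parse_event(line):
    """Split 'Key=value' fields; values may contain spaces, so stop at the next ' Key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def is_mscfile_hijack(target_object):
    """True if the registry path is a per-user mscfile open-command override."""
    return HIJACK_KEY_RE.match(target_object) is not None


def find_erebus_indicators(log_text):
    """Return (indicator, actor, detail) tuples for the two behaviours in the text."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "13" and is_mscfile_hijack(ev.get("TargetObject", "")):
            findings.append(("mscfile_handler_override", ev["Image"], ev.get("Details", "")))
        elif (ev.get("EventID") == "1"
              and ev.get("Image", "").lower().endswith("\\eventvwr.exe")
              and not ev.get("ParentImage", "").lower().startswith("c:\\windows\\")):
            findings.append(("eventvwr_unusual_parent", ev["ParentImage"], ev["Image"]))
    return findings


if __name__ == "__main__":
    for finding in find_erebus_indicators(SAMPLE_LOG):
        print(*finding)
```

Both indicators fire together in the sample because the same executable writes the handler value and then spawns eventvwr.exe; either one alone is worth triage, and the HKLM line written by svchost.exe is correctly ignored.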


The trojan can detect the presence of debuggers and other analysis tools.


The trojan terminates its execution if it detects that it is running in a specific virtual environment.
