Win32/Filecoder.HydraCrypt [Threat Name]

Win32/Filecoder.HydraCrypt.C [Threat Variant Name]

Category trojan
Size 30748 B
Detection created Mar 29, 2016
Detection database version 13251
Aliases Ransom:Win32/Tescrypt.T (Microsoft)
  Trojan.Cryptlock.AL!gm (Symantec)
Short description

Win32/Filecoder.HydraCrypt.C is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\AdobeFlashPlayer_%variable%.exe

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Adobe Reader Update" = "%malwarefilepath%"
    • "AdobeFlashPlayers" = "%appdata%\AdobeFlashPlayer_%variable%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "*Adobe Reader Update" = "%malwarefilepath%"
    • "*AdobeFlashPlayers" = "%appdata%\AdobeFlashPlayer_%variable%.exe"
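
The Run/RunOnce values above are a compact detection artefact. The following is an added example, not ESET's tooling: it scans text in `reg export` format for the listed value names or for data pointing at the dropped `AdobeFlashPlayer_<variable>.exe` copy. The export text is constructed and the user name, paths and variable suffix are placeholders.

```python
import re

# Value names the description lists under HKCU Run and RunOnce. The leading "*"
# on the RunOnce names makes Windows process those entries even in Safe Mode.
SUSPECT_VALUE_NAMES = {"Adobe Reader Update", "AdobeFlashPlayers",
                       "*Adobe Reader Update", "*AdobeFlashPlayers"}
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce")
# The dropped copy is %appdata%\AdobeFlashPlayer_%variable%.exe; the suffix is unknown,
# so match on the fixed prefix and extension only.
COPY_NAME_RE = re.compile(r"\\AdobeFlashPlayer_[^\\]+\.exe$", re.IGNORECASE)


def find_persistence(reg_export: str):
    """Return (key, value name, data) for every suspicious autorun entry."""
    hits, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new key section
            continue
        if current_key not in RUN_KEYS or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = name.strip().strip('"')
        data = data.strip().strip('"').replace("\\\\", "\\")  # undo .reg escaping
        if name in SUSPECT_VALUE_NAMES or COPY_NAME_RE.search(data):
            hits.append((current_key, name, data))
    return hits


# Constructed sample export (placeholder user, paths and variable suffix).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Adobe Reader Update"="C:\\Users\\alice\\Downloads\\invoice.exe"
"AdobeFlashPlayers"="C:\\Users\\alice\\AppData\\Roaming\\AdobeFlashPlayer_f3a9.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*AdobeFlashPlayers"="C:\\Users\\alice\\AppData\\Roaming\\AdobeFlashPlayer_f3a9.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_persistence(SAMPLE_EXPORT):
        print(f"{key}\n  {name!r} -> {data}")
```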

The trojan may delete the following files:

  • %malwarefilepath%

Payload information

Win32/Filecoder.HydraCrypt.C is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • .3g2
  • .3gp
  • .7z
  • .ab4
  • .ach
  • .adb
  • .ads
  • .ait
  • .al
  • .apj
  • .apk
  • .arch00
  • .asf
  • .asm
  • .asp
  • .asset
  • .asx
  • .back
  • .bank
  • .bar
  • .bc6
  • .bc7
  • .bgt
  • .big
  • .bik
  • .bkf
  • .bkp
  • .blob
  • .bpw
  • .bsa
  • .c
  • .cas
  • .cdf
  • .cdr
  • .cdx
  • .ce1
  • .ce2
  • .cer
  • .cfp
  • .cfr
  • .cgm
  • .class
  • .cls
  • .cmt
  • .cpi
  • .cpp
  • .craw
  • .crt
  • .crw
  • .cs
  • .csh
  • .csl
  • .csv
  • .d3dbsp
  • .dac
  • .das
  • .dazip
  • .db0
  • .dba
  • .dbr
  • .dcs
  • .ddd
  • .der
  • .des
  • .desc
  • .dgc
  • .dmp
  • .dng
  • .drf
  • .dtd
  • .dxg
  • .ebd
  • .eml
  • .epk
  • .esm
  • .exf
  • .ff
  • .ffd
  • .fff
  • .fh
  • .fhd
  • .fla
  • .flac
  • .flv
  • .fm
  • .forge
  • .fos
  • .fpk
  • .fsh
  • .gho
  • .gray
  • .grey
  • .grw
  • .gry
  • .h
  • .hkdb
  • .hkx
  • .hplg
  • .hpp
  • .hvpl
  • .ibd
  • .icxs
  • .iif
  • .indd
  • .itdb
  • .itl
  • .itm
  • .iwd
  • .java
  • .js
  • .key
  • .kf
  • .laccdb
  • .layout
  • .lbf
  • .litemod
  • .lrf
  • .lua
  • .lvl
  • .m
  • .m2
  • .m3u
  • .m4a
  • .m4v
  • .maf
  • .mam
  • .map
  • .mar
  • .maw
  • .mcmeta
  • .mdbackup
  • .mdc
  • .mddata
  • .mde
  • .menu
  • .mfw
  • .mlx
  • .mmw
  • .mov
  • .mp4
  • .mpg
  • .mpp
  • .mpqge
  • .mrw
  • .mso
  • .ncf
  • .ndd
  • .nef
  • .nk2
  • .nsd
  • .nsg
  • .nsh
  • .ntl
  • .nwb
  • .nx1
  • .nx2
  • .odc
  • .odf
  • .odg
  • .odp
  • .ods
  • .oil
  • .one
  • .oth
  • .otp
  • .ots
  • .p12
  • .p7b
  • .p7c
  • .pak
  • .pas
  • .pat
  • .pbo
  • .pcd
  • .pct
  • .pem
  • .pfx
  • .php
  • .pip
  • .pkpass
  • .pl
  • .plc
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .prf
  • .ps
  • .psafe3
  • .psk
  • .pspimage
  • .pub
  • .puz
  • .py
  • .qba
  • .qbw
  • .qdf
  • .r3d
  • .raf
  • .rar
  • .rat
  • .raw
  • .rb
  • .re4
  • .rgss3a
  • .rim
  • .rm
  • .rofl
  • .rwz
  • .sas7bdat
  • .say
  • .sb
  • .scan
  • .sd0
  • .sda
  • .sid
  • .sidd
  • .sidn
  • .sie
  • .sis
  • .slm
  • .snp
  • .snx
  • .srf
  • .srt
  • .srw
  • .st4
  • .st5
  • .st6
  • .st7
  • .st8
  • .stc
  • .std
  • .sti
  • .stx
  • .sum
  • .sxc
  • .sxi
  • .sxm
  • .syncdb
  • .t12
  • .t13
  • .tax
  • .tor
  • .unrec
  • .upk
  • .vcf
  • .vdf
  • .vfs0
  • .vob
  • .vpk
  • .vpp_pc
  • .vsd
  • .vsx
  • .vtf
  • .vtx
  • .w3x
  • .wallet
  • .wav
  • .wb2
  • .wll
  • .wma
  • .wmo
  • .wmv
  • .wotreplay
  • .wpd
  • .x11
  • .xla
  • .xlam
  • .xlb
  • .xlc
  • .xll
  • .xlm
  • .xlr
  • .xlsb
  • .xlsm
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .xpp
  • .xsn
  • .xxx
  • .yuv
  • .zip
  • .ztmp

It avoids files which contain any of the following strings in their path:

  • cache
  • default pictures
  • games
  • help_your_files.html
  • help_your_files.txt
  • iconcache.db
  • inetcache
  • nvidia
  • packages
  • program files
  • program files(x86)
  • sample music
  • sample picture
  • sample videos
  • temp
  • temporary internet files
  • thumbs.db
  • user account pictures
  • webcache
  • windows

It avoids files with the following filenames:

  • help_your_files.html
  • help_your_files.txt
  • iconcache.db
  • thumbs.db

The trojan encrypts the file content.


The AES encryption algorithm is used.


The name of the encrypted file is changed to:

  • %originalfilename%.id_%variable%_email_%emailaddress%.scl

A string with variable content is used instead of %variable%.


The following files are dropped in the same folder:

  • help_your_files.html
  • help_your_files.txt

The trojan executes the following files:

  • %mydocuments%\help_your_files.html
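
The renaming scheme and the two dropped note files give an incident responder enough to scope an infection from a file listing alone. The following is an added example, not ESET's or the malware's code: it parses the `%originalfilename%.id_%variable%_email_%emailaddress%.scl` pattern back into original name, victim id and contact address, records where ransom notes were dropped, and tallies which original extensions were hit. The sample paths, id and address are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# <original>.id_<variable>_email_<address>.scl as described; the id is taken
# non-greedily up to "_email_" because its exact format is not documented.
ENCRYPTED_RE = re.compile(
    r"^(?P<orig>.+)\.id_(?P<vid>.+?)_email_(?P<email>[^\\/]+)\.scl$", re.IGNORECASE)
RANSOM_NOTES = {"help_your_files.html", "help_your_files.txt"}


def triage(paths):
    """Classify file paths from an affected host.

    Returns the encrypted files (path, original name, victim id, contact
    address), the folders that received ransom notes, and a Counter of the
    original extensions that were encrypted.
    """
    encrypted, note_dirs, hit_ext = [], set(), Counter()
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in RANSOM_NOTES:
            note_dirs.add(str(wp.parent))
            continue
        m = ENCRYPTED_RE.match(wp.name)
        if m:
            orig = m.group("orig")
            encrypted.append({"path": p, "original": orig,
                              "victim_id": m.group("vid"), "email": m.group("email")})
            hit_ext[PureWindowsPath(orig).suffix.lower()] += 1
    return {"encrypted": encrypted, "note_dirs": sorted(note_dirs), "hit_ext": hit_ext}


# Constructed listing; the id and address are placeholders, not real indicators.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsb.id_A1B2C3_email_pay@example.com.scl",
    r"C:\Users\alice\Documents\help_your_files.html",
    r"C:\Users\alice\Documents\help_your_files.txt",
    r"C:\Users\alice\Pictures\IMG_0001.nef.id_A1B2C3_email_pay@example.com.scl",
    r"C:\Users\alice\Pictures\readme.txt",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    print(len(result["encrypted"]), "encrypted;", result["hit_ext"])
    print("notes in:", result["note_dirs"])
```

A single victim id and address across every encrypted file on a host is what the scheme predicts; several different ones point to more than one run or more than one sample.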

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


The password is stored on the attacker's server.


The trojan contains a URL address. The HTTP protocol is used in the communication.

Other information

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Adobe Reader Licension]
