JS/Filecoder.RAA [Threat Name]
JS/Filecoder.RAA.A [Threat Variant Name]
Category | trojan |
Size | 572952 B |
Aliases | Trojan-Ransom.JS.RaaCrypt.b (Kaspersky), Ransom:JS/CryptoRaa.A (Microsoft) |
Short description
JS/Filecoder.RAA.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to send information and a certain amount of money via the Bitcoin payment service.
Installation
The trojan does not create any copies of itself.
The following file is dropped into the %mydocuments% folder:
- st.exe (138752 B, Win32/PSW.Fareit.A)
The file is then executed.
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "(Default)" = "%malwarefilepath% argument"
Payload information
The trojan may delete the following Registry entries (those of the Volume Shadow Copy Service, which hinders recovery of files from shadow copies):
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\*]
JS/Filecoder.RAA.A is a trojan that encrypts files on fixed, removable and network drives.
The trojan searches for files which contain any of the following strings in their file name:
- .doc
- .xls
- .rtf
- .dbf
- .jpg
- .dwg
- .cdr
- .psd
- .cd
- .mdb
- .png
- .lcd
- .zip
- .rar
- csv
It avoids those with any of the following strings in their names:
- .locked
- ~
- $
It avoids files which contain any of the following strings in their path:
- WINDOWS
- RECYCLER
- Program Files
- Program Files (x86)
- Windows
- Recycle.Bin
- RECYCLE.BIN
- Recycler
- TEMP
- APPDATA
- AppData
- Temp
- ProgramData
- Microsoft
The trojan encrypts the file content.
The AES encryption algorithm is used.
The extension of the encrypted files is changed to:
- .locked
To decrypt the files, the user is asked to send information and a certain amount of money via the Bitcoin payment service.
The trojan drops the file !!!README!!!%variable%.rtf into the root folder of all available drives.
A string with variable content is used instead of %variable%.
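As an added example (not code from the ESET entry), a small Python hunting helper that applies the file-selection rules and the on-disk artefacts described above to a host file listing. It assumes the path exclusions apply to the directory part of a path and that matching is case-sensitive as the strings are listed; all sample paths are constructed.

```python
# Added example (not from the ESET entry): hunting helpers that mirror the
# file-selection rules and on-disk artefacts described above. All paths are
# constructed sample data. Assumption: path exclusions apply to the directory
# part of a path and all matching is case-sensitive, as the strings are listed.
import re

# Strings searched for in file names ("csv" has no dot, so "export.csv.bak"
# also matches; ".xls" also matches ".xlsx") and the exclusions applied.
TARGET_STRINGS = (".doc", ".xls", ".rtf", ".dbf", ".jpg", ".dwg", ".cdr",
                  ".psd", ".cd", ".mdb", ".png", ".lcd", ".zip", ".rar", "csv")
NAME_EXCLUDES = (".locked", "~", "$")
PATH_EXCLUDES = ("WINDOWS", "RECYCLER", "Program Files", "Program Files (x86)",
                 "Windows", "Recycle.Bin", "RECYCLE.BIN", "Recycler", "TEMP",
                 "APPDATA", "AppData", "Temp", "ProgramData", "Microsoft")
# Ransom note name: !!!README!!! followed by a variable string, .rtf extension.
NOTE_RE = re.compile(r"^!!!README!!!.*\.rtf$")

def split_path(path):
    # Return (directory, file name) for a Windows-style path.
    head, _, name = path.replace("/", "\\").rpartition("\\")
    return head, name

def in_scope(path):
    # True if the documented selection rules would pick this file.
    head, name = split_path(path)
    if any(s in name for s in NAME_EXCLUDES):
        return False
    if any(s in head for s in PATH_EXCLUDES):
        return False
    return any(s in name for s in TARGET_STRINGS)

def find_artifacts(paths):
    # Classify a host file listing into the two on-disk artefacts described
    # above: encrypted files (.locked) and dropped ransom notes.
    hits = {"encrypted": [], "ransom_note": []}
    for p in paths:
        _, name = split_path(p)
        if name.endswith(".locked"):
            hits["encrypted"].append(p)
        elif NOTE_RE.match(name):
            hits["ransom_note"].append(p)
    return hits

# Constructed sample listing, as it might come from a file inventory tool.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\AppData\Roaming\cache.jpg",
    r"C:\Users\alice\Documents\report.docx.locked",
    r"C:\!!!README!!!a1b2c3.rtf",
    r"D:\data\export.csv",
]
exposed = [p for p in SAMPLE if in_scope(p)]  # files the rules would select
```

Run `find_artifacts(SAMPLE)` to list already-encrypted files and ransom notes, and `exposed` to see which files the documented rules would have selected.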
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\RAA\Raa-fnl]
- "(Default)" = "beenFinished"
Information stealing
The following information is collected:
- unique identifier of infected computer
The trojan attempts to send gathered information to a remote machine.
The trojan contains a URL address. The HTTP protocol is used in the communication.
Other information
The following file is dropped into the %mydocuments% folder:
- doc_attached_%variable% (12796 B)
A string with variable content is used instead of %variable%.
The trojan tries to open the file using the "wordpad.exe" application.
The trojan creates copies of the following files (source, destination):
- C:\!!!README!!!%variable%.rtf, %desktop%\!!!README!!!%variable%.rtf
A string with variable content is used instead of %variable%.
The trojan tries to open the file using the "wordpad.exe" application.