PowerShell/Filecoder [Threat Name]

PowerShell/Filecoder.A [Threat Variant Name]

Category trojan
Size 3084890 B
Aliases Trojan-Ransom.Win32.ElPolock.a (Kaspersky)
  VBS/PowerSSH.c.trojan (McAfee)
  Ransom:.PowerShell/Polock.A (Microsoft)
Short description

PowerShell/Filecoder.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.

Installation

When executed, the trojan creates the following files:

  • C:\1\t.dll
  • C:\1\reflect.dll
  • C:\1\locked.bmp
  • %desktop%\seckeys.DONOTDELETE
  • %desktop%\customer.Id
  • %desktop%\qwer.html
  • %desktop%\qwer2.html
  • %desktop%\encrypted.htm
  • %desktop%\decrypted.htm

The trojan does not create any copies of itself.

Payload information

PowerShell/Filecoder.A is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • .ai
  • .crt
  • .csv
  • .db
  • .doc
  • .docm
  • .docx
  • .dotx
  • .gif
  • .jpeg
  • .jpg
  • .lnk
  • .mp3
  • .msi
  • .ods
  • .one
  • .ost
  • .p12
  • .pdf
  • .pem
  • .pps
  • .ppsx
  • .ppt
  • .pptx
  • .psd
  • .pst
  • .pub
  • .rar
  • .raw
  • .rtf
  • .tif
  • .txt
  • .vsdx
  • .wma
  • .xls
  • .xlsm
  • .xlsx
  • .xml
  • .zip

The trojan encrypts the file content.


The RSA and AES encryption algorithms are used.


The extension of the encrypted files is changed to:

  • .ha3

To decrypt the files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.


The trojan displays a dialog box (image not reproduced here).

The displayed image is set as the wallpaper.

Information stealing

The trojan collects the following information:

  • computer name

The trojan attempts to send gathered information to a remote machine.


The trojan contains a URL address. The HTTP protocol is used in the communication.

Other information

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

The following file is dropped into the %currentfolder% folder:

  • penalty.pdf (99037 B)

The trojan opens the file using the default associated application.

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "Wallpaper" = "C:\1\locked.bmp"
    • "WallpaperStyle" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = 1

The trojan opens the following URLs in Microsoft Internet Explorer:

  • https://www.youtube.com/watch?v=8zCpQZPX1IA

The trojan executes the following commands:

  • vssadmin.exe Delete Shadows /All /Quiet
  • bcdedit /set "{default}" recoveryenabled No
  • bcdedit /set "{default}" bootstatuspolicy ignoreallfailures;
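Detection logic for the recovery-inhibiting chain listed above (shadow copy deletion, the two bcdedit boot settings, and the DisableSR registry value), as an added example that is not part of the original report. It runs over constructed Sysmon-style event records (Event ID 1 process creation, Event ID 13 registry value set) and flags a host only when several of these indicators co-occur, since any one of them alone is also seen in legitimate administration.

```python
import re
from collections import defaultdict

# Recovery-inhibiting actions the report lists, as patterns over a process command
# line (Sysmon Event ID 1) or a registry value write (Sysmon Event ID 13, DWORD value).
COMMAND_INDICATORS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "bcdedit_recovery_off": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}
REGISTRY_INDICATORS = {
    "system_restore_disabled": (re.compile(r"\\SystemRestore\\DisableSR$", re.I), 1),
}

def registry_value(details):
    """Normalize Sysmon's 'DWORD (0x00000001)' or a bare number to an int; None if neither."""
    text = str(details).strip()
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]+)\)", text)
    try:
        return int(m.group(1), 16) if m else int(text)
    except ValueError:
        return None

def match_event(event):
    """Return the indicator names that one normalized Sysmon-style event triggers."""
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        return [name for name, rx in COMMAND_INDICATORS.items() if rx.search(cmd)]
    if event.get("EventID") == 13:
        target, value = event.get("TargetObject", ""), registry_value(event.get("Details", ""))
        return [name for name, (rx, want) in REGISTRY_INDICATORS.items()
                if rx.search(target) and value == want]
    return []

def triage(events, threshold=2):
    """Collect distinct indicators per host; a lone bcdedit run is weak evidence, the chain is not."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["Computer"]].update(match_event(event))
    return {host: sorted(names) for host, names in per_host.items() if len(names) >= threshold}

# Constructed sample telemetry (not taken from the report): WS01 shows the chain, WS02 is benign.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1, "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Computer": "WS01", "EventID": 1, "CommandLine": 'bcdedit /set "{default}" recoveryenabled No'},
    {"Computer": "WS01", "EventID": 1, "CommandLine": 'bcdedit /set "{default}" bootstatuspolicy ignoreallfailures;'},
    {"Computer": "WS01", "EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR", "Details": "DWORD (0x00000001)"},
    {"Computer": "WS02", "EventID": 1, "CommandLine": "vssadmin.exe List Shadows"},
    {"Computer": "WS02", "EventID": 13, "TargetObject": r"HKCU\Control Panel\Desktop\WallpaperStyle", "Details": "0"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns only WS01 with all four indicators; WS02 has none, so it stays below the threshold.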
