Win32/Diskcoder [Threat Name] go to Threat
Win32/Diskcoder.C [Threat Variant Name]
| Category | trojan |
| Size | 362360 B |
| Aliases | Ransom:Win32/Petya (Microsoft) |
| Trojan-Ransom.Win32.ExPetr.a (Kaspersky) | |
| Ransom.Petya (Symantec) |
Short description
Win32/Diskcoder.C is a trojan that encrypts files on local drives. To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service. The trojan spreads itself by exploiting various vulnerabilities in the operating system of the targeted machines.
Installation
The trojan does not create any copies of itself.
The trojan creates the following files:
- C:\Windows\perfc
- C:\Windows\dllhost.dat
After the installation is complete, the trojan deletes the original executable file.
Win32/Diskcoder.C replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.
The trojan stores the first sector of the original MBR in sector 34 of the new MBR.
Spreading
Win32/Diskcoder.C is a trojan that spreads via shared folders.
The following names of the shared network folders are used:
- admin$
The trojan spreads by exploiting a vulnerability in the operating system of the targeted machine. It exploits the MS17-010 vulnerability.
Payload information
Win32/Diskcoder.C is a trojan that encrypts files on local drives.
The trojan searches for files with the following file extensions:
- .3ds
- .7z
- .accdb
- .ai
- .asp
- .aspx
- .avhd
- .back
- .bak
- .c
- .cfg
- .conf
- .cpp
- .cs
- .ctl
- .dbf
- .disk
- .djvu
- .doc
- .docx
- .dwg
- .eml
- .fdb
- .gz
- .h
- .hdd
- .kdbx
- .mdb
- .msg
- .nrg
- .ora
- .ost
- .ova
- .ovf
- .php
- .pmf
- .ppt
- .pptx
- .pst
- .pvi
- .py
- .pyc
- .rar
- .rtf
- .sln
- .sql
- .tar
- .vbox
- .vbs
- .vcb
- .vdi
- .vfd
- .vmc
- .vmdk
- .vmsd
- .vmx
- .vsdx
- .vsv
- .work
- .xls
- .xlsx
- .xvd
- .zip
It avoids files from the following directories:
- C:\Windows
The trojan encrypts the file content.
The RSA, AES encryption algorithm is used.
To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service.
The trojan creates the following file:
- %drive%\README.TXT
It contains the following text:
- Ooops, your important files are encrypted.
- If you see this text, then your files are no longer accessible, because
- they have been encrypted. Perhaps you are busy looking for a way to recover
- your files, but don't waste your time. Nobody can recover your files without
- our decryption service.
- We guarantee that you can recover all your files safely and easily.
- All you need to do is submit the payment and purchase the decryption key.
- Please follow the instructions:
- 1. Send $300 worth of Bitcoin to following address:
- 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
- 2. Send your Bitcoin wallet ID and personal installation key to e-mail wowsmith123456@posteo.net.
- Your personal installation key:
- AQIAAA5mAAAApAAAJ0quN3lfqin4N84edPIoM70cTN5bF7ck/a/KpXuiGavQlL0k
- fVtzLu/4yc2GdhMia2ZmwH2F3jDTFQtUqkGafuGNmDzOzEM2D/1ASSMkq3Lg99zv
- TF4iCK2qGEIa4l6/S9uKEFnxsSg1mQOnCLqw89vgpA0ITLbImqV/H1sHDno5ODy2
- fjDe3bMXVzfxqy42bD93uQVCRx7/YSUkQ3p5Zn1efVdpDwhcRfLBbj6EClzET23S
- /PKQWNQzqdfNcgpyzVSlBpqAq7Dt+0o06tzIhPWT4ErwMux2+qXT4KEgu4YEI65P
- x+woUQLvG7RX/CAmZHrZI/vNISRJIBjpL3OiwA==
The trojan may perform operating system restart.
Win32/Diskcoder.C is a trojan that encrypts specific parts of drives.
The trojan displays a fake error message:
Other information
The trojan may execute the following commands:
- C:\Windows\dllhost.dat\\%computer% -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\%malwarename%,#1
- wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %drive%:
- schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "shutdown.exe /r /f" /ST %time%
- at %time% shutdown.exe /r /f