Win32/Diskcoder.Petya [Threat Name] go to Threat
Win32/Diskcoder.Petya.D [Threat Variant Name]
| Category | trojan |
Short description
Win32/Diskcoder.Petya.D is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\{%randomuuid%}\%variable%.exe
A string with variable content is used instead of %randomuuid%, %variable% .
This copy of the trojan is then executed.
The trojan creates the following files:
- %temp%\%variable1%\%variable2%.dll
- %systemroot%\system32\%variable3%\%variable4%.exe
- %systemroot%\system32\%variable3%\%variable2%.dll
A string with variable content is used instead of %variable1-4% .
The trojan may create the text file:
- YOUR_FILES_ARE_ENCRYPTED.txt (778 B)
The file is copied in the following folders as well:
- %userprofile%
- %userprofile%\Desktop\
- %userprofile%\Downloads\
- %userprofile%\Documents\
- %public%
- %remotedrive%
- %removabledrive%
Win32/Diskcoder.Petya.D replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.
The trojan creates and runs a new thread with its own program code within the following processes:
- explorer.exe
Payload information
The trojan searches local, removable and network drives for files with one of the following extensions:
- 3dm
- 3ds
- 3fr
- 3g2
- 3ga
- 3gp
- a2c
- aa
- aa3
- aac
- accdb
- aepx
- ai
- aif
- amr
- ape
- apnx
- ari
- arw
- asf
- asp
- aspx
- asx
- avi
- azw
- azw1
- azw3
- azw4
- bak
- bat
- bay
- bin
- bmp
- camproj
- cat
- ccd
- cdi
- cdr
- cer
- cert
- cfg
- cgi
- class
- cmf
- cnf
- conf
- config
- cpp
- cr2
- crt
- crw
- crwl
- cs
- csv
- cue
- dash
- dat
- db
- dbf
- dcr
- dcu
- dds
- default
- der
- dfm
- directory
- disc
- dmg
- dng
- doc
- docm
- docx
- dtd
- dvd
- dwg
- dxf
- eip
- emf
- eml
- eps
- epub
- erf
- fff
- flv
- frm
- gfx
- gif
- gzip
- h
- htm
- html
- idl
- iiq
- indd
- inf
- iso
- jar
- java
- jfif
- jge
- jpe
- jpeg
- jpg
- js
- json
- jsp
- k25
- kdc
- key
- ldf
- lit
- localstorage
- m3u
- m4a
- m4v
- max
- mdb
- mdf
- mef
- mkv
- mobi
- mov
- movie
- mp1
- mp2
- mp3
- mp4
- mp4v
- mpa
- mpe
- mpeg
- mpg
- mpv2
- mrw
- msg
- mts
- mui
- myi
- nef
- nrg
- nri
- nrw
- number
- obj
- odb
- odc
- odf
- odm
- odp
- ods
- odt
- ogg
- orf
- ost
- p12
- p12
- p7b
- p7c
- pages
- pas
- pbk
- pdd
- pef
- pem
- pfx
- php
- png
- po
- pps
- ppt
- pptm
- pptx
- prf
- props
- ps
- psd
- pspimage
- pst
- ptx
- pub
- py
- qt
- r3d
- ra
- raf
- ram
- rar
- raw
- result
- rll
- rm
- rpf
- rtf
- rw2
- rwl
- sql
- sqlite
- sqllite
- sr2
- srf
- srt
- srw
- svg
- swf
- tga
- tiff
- toast
- ts
- txt
- vbs
- vcd
- vlc
- vmdk
- vmx
- vob
- wav
- wb2
- wdb
- wma
- wmv
- wpd
- wps
- x3f
- xlk
- xls
- xlsb
- xlsm
- xlsx
- xml
- xps
- xsl
- yml
- yuv
- zip
The trojan encrypts the file content.
The AES-256 encryption algorithm is used.
The extension of the encrypted files is changed to:
- %variableextension%
A string with variable content is used instead of %variableextension% .
To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Win32/Diskcoder.Petya.D is a trojan that encrypts specific parts of drives.
The Salsa20 encryption algorithm is used.
The trojan disguises itself as the "chkdsk.exe" application.
The trojan displays a fake error message:
Some examples follow.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (4) URLs. The HTTP protocol is used in the communication.
Trojan is able to bypass User Account Control (UAC).
The trojan may perform operating system restart.