Win32/Filecoder.AESNI [Threat Name] go to Threat

Win32/Filecoder.AESNI.B [Threat Variant Name]

Category	trojan
Size	1028096 B
Aliases	Trojan-Ransom.Win32.AecHu.b (Kaspersky)
	Ransom:Win32/Xdatrypt.A (Microsoft)
	Trojan.DownLoader24.60953 (Dr.Web)

Short description

Win32/Filecoder.AESNI.B is a trojan that encrypts files on fixed, removable and network drives. To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service.

Installation

The trojan does not create any copies of itself.

The trojan creates and runs a new thread with its own program code within the following processes:

%system%\svchost.exe

The trojan then removes itself from the computer.

Payload information

Win32/Filecoder.AESNI.B is a trojan that encrypts files on fixed, removable and network drives.

To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service.

The trojan searches local drives for all files except those with the following file extensions:

.cab
.decrypr_helper@freemail_hu
.lnk
.log
.msi
.mui
.sys
.wim

It avoids files from the following directories:

%desktop%
%windir%
CryptnetUrlCache
Temp
Windows

The trojan encrypts the file content.

The RSA, AES encryption algorithm is used.

The extension of the encrypted files is changed to:

%filepath%.decrypr_helper@freemail_hu

When searching the drives, the trojan creates the following file in every folder visited:

!!! READ THIS - IMPORTANT !!!.hta

Some examples follow.

Information stealing

The trojan collects the following information:

computer name
operating system version
user name
external IP address of the network device

The trojan attempts to send gathered information to a remote machine.

The trojan contains a URL address. It communicates via the TOR anonymity network.

Other information

The trojan creates the following files:

%temp%\%tempfile%.bat

The trojan executes the following commands:

%temp%\%tempfile%.bat
%system%\vssadmin.exe Delete Shadows /All

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "LegalNoticeCaption" = "Microsoft Windows Security Center"
- "LegalNoticeText" = "Dear Owner. Bad news: your server was hacked.
- For more information and recommendations, write to our experts by e-mail.
- When you start Windows, Windows Defender works to help protect
- your PC by scanning for malicious or unwanted software."
[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Terminal Server]
- "AllowTSConnections" = 1
[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
- "MaxConnectionTime" = 0
- "MaxDisconnectionTime" = 0
- "MaxIdleTime" = 0
- "SecurityLayer" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
- "fDenyTSConnections" = 0
- "fAllowUnsolicited" = 1
- "UserAuthentication" = 0
- "MaxDisconnectionTime" = 0
- "MaxIdleTime" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe]
- "Debugger" = "c"

The trojan may create the following files:

%commonappdata%\%variable%.key.decrypr_helper@freemail_hu

A string with variable content is used instead of %variable% .

The trojan may delete the following files:

%malwarefolder%\auth.txt
%malwarefolder%\info.txt
%malwarefolder%\ip.txt

The trojan may delete the following folders:

%systemdrive%\$RECYCLE.BIN

The following services are disabled:

Acronis VSS Provider
AcronisAgent
AcronisFS
AcronisPXE
AcrSch2Svc
ADHelper100
AdobeARMservice
Agent.exe
Altaro
Altaro.SubAgent.exe
Altaro.UI.Service.exe
AMS
Apache2.2
Apache2.4
ARSM
BackupExecAgentAccelerator
BackupExecAgentBrowser
BackupExecDeviceMediaService
BackupExecJobEngine
BackupExecManagementService
BackupExecRPCService
bedbg
Browser
cbVSCService11
CertPropSvc
CertSvc
CobianBackup11
ComarchAutomatSynchronizacji
ComarchML
ComarchUpdateAgentService
CrashPlanService
dashboardMD Sync
DataCollectorSvc
dbupdate
dbupdatem
DbxSvc
DLOAdminSvcu
DLOMaintenanceSvc
DomainManagerProviderSvc
EDBSRVR
eXchange POP3 6.0
FBSServer
FBSWorker
FirebirdGuardianDefaultInstance
FirebirdServerDefaultInstance
GenetecSecurityCenterMobileServer
GenetecServer
GenetecWatchdog
HyperV
KAORCMP999467066507407
LMIRfsDriver
LogisticsServicesHost800
MELCS
memcached Server
MEMTAS
MEPOCS
MEPOPS
MESMTPCS
MicroMD AutoDeploy
MicroMD Connection Service
MICROMD72ONCOEMR
MMS
MsDtsServer
MsDtsServer100
MSExchangeADTopology
MSExchangeAntispamUpdate
MSExchangeEdgeSync
MSExchangeFBA
MSExchangeFDS
MSExchangeImap4
MSExchangeIS
MSExchangeMailboxAssistants
MSExchangeMailSubmission
MSExchangeMonitoring
MSExchangePop3
MSExchangeRep
MSExchangeRepl
MSExchangeSA
MSExchangeSearch
MSExchangeServiceHost
MSExchangeTransport
MSExchangeTransportLogSearch
msftesql$SBSMONITORING
msftesql-Exchange
MSSQL$ACRONIS
MSSQL$BKUPEXEC
MSSQL$MICROSOFT##SSEE
MSSQL$MICROSOFT##WID
MSSQL$PROBA
MSSQL$SBSMONITORING
MSSQL$SHAREPOINT
MSSQL$SQL2005
MSSQL$SQLEXPRESS
MSSQL$VEEAMSQL2008R2
MSSQLFDLauncher
MSSQLFDLauncher$PROBA
MSSQLFDLauncher$SBSMONITORING
MSSQLFDLauncher$SHAREPOINT
MSSQLServer
MSSQLServerADHelper
MSSQLServerADHelper100
MSSQLServerADHelper100
MSSQLServerOLAPService
MSSQLServerOLAPService
MSSQLSERVR
MySQL
MySQL56
NAVSERVER
ONCOEMR2MICROMD7
PleskControlPanel
PleskSQLServer
plesksrv
PopPassD
postgresql-8.4.spiceworks.QuickBooksDB23
PRIMAVERAWindowsService
PrimaveraWS800
PrimaveraWS900
QBCFMonitorService
QBFCService
QBVSS
QuickBooksDB25
RBMS_OptimaBI
RBSS_OptimaBI
RemoteService.exe
RemoteSystemMonitorService
ReportServer
SBOClientAgent
ServerService
sesvc
ShadowProtectSvc
SPAdminV4
SPSearch4
SPTimerV3
SPTrace
SPTraceV4
SPWriter
SPWriterV4
SQLAgent$PROBA
SQLAgent$SBSMONITORING
SQLAgent$SHAREPOINT
SQLAgent$SQLEXPRESS
SQLAgent$VEEAMSQL2008R2
SQLBrowser
SQLSERVERAGENT
SQLWriter
stc_raw_agent
StorageNode
swprv
TeamViewer
TTESCheduleServer800
vds
Veeam Backup and Replication Service
Veeam Backup Catalog Data Service
VeeamCatalogSvc
VeeamCloudSvc
VeeamDeploymentService
VeeamMountSvc
VeeamNFSSvc
VeeamTransportSvc
vmicvss
vmms
VSNAPVSS
VSS
W32Time
W3SVC
WAN
WinVNC4
wsbexchange
WSearch
WseComputerBackupSvc
WseEmailSvc
WseHealthSvc
WseMediaSvc
WseMgmtSvc
WseNtfSvc
WseStorageSvc
WSS_ComputerBackupProviderSvc
WSS_ComputerBackupSvc
zBackupAssistService
ZWCService

The following programs are terminated:

acrobat.exe
acrord32.exe
acrotray.exe
agentmon.exe
apcsystray.exe
autodeployservice.exe
cbinterface.exe
cobian.exe
comarch opt!ma.exe
conime.exe
couchpotato.exe
crashplantray.exe
dbxsvc.exe
dns.exe
dropbox.exe
edgetransport.exe
excel.exe
fb_inet_server.exe
fbsserver.exe
fbsworker.exe
fdhost.exe
fdlauncher.exe
googlecrashhandler.exe
googlecrashhandler64.exe
googleupdate.exe
httpd.exe
iexplore.exe
ilsvc.exe
inetinfo.exe
ismserv.exe
javaw.exe
jucheck.exe
jusched.exe
lc2.exe
lua.exe
lync.exe
mad.exe
mainserv.exe
melsc.exe
memcached.exe
mepops.exe
mesmtpc.exe
microsoft.exchange.antispamupdatesvc.exe
microsoft.exchange.contentfilter.wrapper.exe
microsoft.exchange.search.exsearch.exe
microsoft.exchange.servicehost.exe
mmc.exe
mqsvc.exe
msaccess.exe
msdtssrvr.exe
msexchangefds.exe
msexchangemailboxassistants.exe
msexchangemailsubmission.exe
msexchangetransportlogsearch.exe
msftefd.exe
msftesql.exe
msmdsrv.exe
msoia.exe
mysqld.exe
mysqld-nt.exe
nssm.exe
nvidia web helper.exe
onenoteim.exe
onenotem.exe
outlook.exe
php.exe
php-cgi.exe
plex media server.exe
plexscripthost.exe
powershell.exe
pvlsvr.exe
python.exe
qbcfmonitorservice.exe
qbdbmgrn.exe
qbupdate.exe
qbw32.exe
rdrcef.exe
regedit.exe
reportingservicesservice.exe
sabnzbd.exe
sap business one.exe
servermanager.exe
sharedservicehost.exe
skype.exe
sqlagent.exe
sqlbrowser.exe
sqlservr.exe
sqlwriter.exe
srvany.exe
ssms.exe
steam.exe
steamwebhelper.exe
store.exe
subiekt.exe
synchronizationservice.exe
systemsettings.exe
tabtip.exe
tabtip32.exe
teamviewer_service.exe
terminal.exe
trayapplication.exe
vds.exe
vssvc.exe
w3wp.exe
winvnc4.exe
winword.exe
wordpad.exe
wscript.exe