Win32/Filecoder.Avaddon [Threat Name]

Win32/Filecoder.Avaddon.C [Threat Variant Name]

Category trojan
Size 736608 B
Aliases Trojan.Win32.DelShad.esz (Kaspersky)
  Ransom:Win32/Avaddon.C!MTB (Microsoft)
Short description

Win32/Filecoder.Avaddon.C is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan may create copies of itself in the folder:

  • %appdata%\Microsoft\Windows\%malwarefile%

The trojan schedules a task that causes the following file to be executed repeatedly:

  • %appdata%\Microsoft\Windows\%malwarefile%

Payload information

Win32/Filecoder.Avaddon.C is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • *.*

It avoids files from the following directories:

  • %public%\
  • %systemdrive%\program files (x86)\
  • %systemdrive%\program files\
  • %systemdrive%\windows\
  • %temp%\
  • %userprofile%\appdata\

It avoids files which contain any of the following strings in their path:

  • MSOCache
  • ProgramData
  • Tor Browser

It avoids files with the following extensions:

  • .bin
  • .dat
  • .dll
  • .drv
  • .exe
  • .ini
  • .lnk
  • .prf
  • .rdp
  • .swp
  • .sys
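The selection rules above decide which files on a victim host are touched, and that is what an incident responder needs to scope impact: binaries, the Windows and Program Files trees, and anything under AppData or ProgramData are left alone, while user documents on fixed, removable and network drives are hit. The Python below implements those rules as listed, as an added example that is not code from the page or from the malware; the expansions of %public%, %systemdrive%, %temp% and %userprofile%, the case-insensitive comparison and the sample file listing are assumptions made for the example.

```python
"""Impact-scoping filter built from the file-selection rules listed above.

Added example (not code from the page or from the malware). Given a file
listing, it separates the files those rules would select for encryption from
the files they skip. The %variable% expansions, case-insensitive matching and
the sample listing are assumptions for the example.
"""
import ntpath

# Assumed expansions of the environment variables in the exclusion list.
# On a real engagement take these from the victim account's environment.
ENV = {
    "%public%": r"C:\Users\Public",
    "%systemdrive%": "C:",
    "%temp%": r"C:\Users\alice\AppData\Local\Temp",
    "%userprofile%": r"C:\Users\alice",
}

# Rules exactly as listed on the page.
EXCLUDED_DIRS = [
    "%public%\\",
    "%systemdrive%\\program files (x86)\\",
    "%systemdrive%\\program files\\",
    "%systemdrive%\\windows\\",
    "%temp%\\",
    "%userprofile%\\appdata\\",
]
EXCLUDED_PATH_STRINGS = ["MSOCache", "ProgramData", "Tor Browser"]
EXCLUDED_EXTENSIONS = {".bin", ".dat", ".dll", ".drv", ".exe", ".ini",
                       ".lnk", ".prf", ".rdp", ".swp", ".sys"}


def expand(template, env):
    """Substitute the %variables% in a template path."""
    for var, val in env.items():
        template = template.replace(var, val)
    return template


def is_targeted(path, env=ENV):
    """True if the listed rules would select this file for encryption.

    Matching is case-insensitive (Windows paths); that is an assumption, the
    page does not state how the trojan compares strings.
    """
    p = path.lower()
    # Directory rule: the listed folders and everything beneath them.
    for d in EXCLUDED_DIRS:
        if p.startswith(expand(d, env).lower()):
            return False
    # Substring rule: applies anywhere in the full path.
    for s in EXCLUDED_PATH_STRINGS:
        if s.lower() in p:
            return False
    # Extension rule; ntpath splits Windows paths correctly on any OS.
    if ntpath.splitext(p)[1] in EXCLUDED_EXTENSIONS:
        return False
    # The search pattern is *.*, so everything else is in scope.
    return True


def scope(paths, env=ENV):
    """Split a listing into (would_be_encrypted, skipped)."""
    hit, skipped = [], []
    for path in paths:
        (hit if is_targeted(path, env) else skipped).append(path)
    return hit, skipped


# Constructed sample listing for the example, not from a real host.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Desktop\app.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\svc.exe",
    r"C:\Users\alice\AppData\Local\Temp\scratch.docx",
    r"C:\Users\Public\Documents\shared.pdf",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files\Vendor\config.xml",
    r"C:\Program Files (x86)\Vendor\readme.txt",
    r"C:\ProgramData\Vendor\settings.json",
    r"C:\MSOCache\All Users\setup.dat",
    r"C:\Users\alice\Downloads\Tor Browser\Browser\firefox.exe",
    r"C:\Users\alice\Documents\session.rdp",
    r"D:\Finance\ledger.mdf",
    r"\\fileserver\share\contracts\q3.docx",
]

if __name__ == "__main__":
    hit, skipped = scope(SAMPLE_LISTING)
    print("would be encrypted:")
    for p in hit:
        print("  " + p)
    print("skipped by the exclusion rules:")
    for p in skipped:
        print("  " + p)
```

Run against a directory listing exported from the affected host (or a backup catalogue) to get the set of files that need restoring; note that the extension rule means the trojan's own copy under %appdata%\Microsoft\Windows\ and other executables survive intact for forensic collection.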

The trojan encrypts the file content.


The AES and RSA encryption algorithms are used.


An additional .%variable01% extension is appended.


To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


The following file is created in each folder containing encrypted files:

  • %variable02%_readme_.txt

It contains the following text:

-------===    Your network has been infected!    ===-------

*****************    DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED    *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .%redacted%
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
|  1. Download Tor browser - %redacted%
|
|  2. Install Tor browser
|
|  3. Open link in Tor browser - %redacted%
|
|  4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
%redacted%
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

%redacted%

A string with variable content is used instead of %variable01-02%.

Other information

The trojan can terminate the following processes:

  • 360doctor.exe
  • 360se.exe
  • axlbridge.exe
  • Culture.exe
  • Defwatch.exe
  • fdhost.exe
  • fdlauncher.exe
  • GDscan.exe
  • httpd.exe
  • java.exe
  • MsDtSrvr.exe
  • QBCFMonitorService.exe
  • QBDBMgr.exe
  • QBIDPService.exe
  • qbupdate.exe
  • QBW32.exe
  • RAgui.exe
  • RTVscan.exe
  • sqlbrowser.exe
  • sqlmangr.exe
  • sqlservr.exe
  • supervise.exe
  • tomcat6.exe
  • wdswfsafe.exe
  • winword.exe
  • wxServer.exe
  • wxServerView.exe

The following services are disabled:

  • ccEvtMgr
  • ccSetMgr
  • Culserver
  • dbeng8
  • dbsrv12
  • DefWatch
  • Intuit.QuickBooks.FCS
  • msmdsrv
  • QBCFMonitorService
  • QBIDPService
  • RTVscan
  • SavRoam
  • sqladhlp
  • SQLADHLP
  • sqlagent
  • sqlbrowser
  • sqlservr
  • sqlwriter
  • tomcat6
  • VMAuthdService
  • VMnetDHCP
  • VMUSBArbService
  • vmware-converter
  • VMwareHostd
  • vmware-usbarbitator64

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLinkedConnections" = 1
    • "EnableLUA" = 0
    • "ConsentPromptBehaviorAdmin" = 0

The trojan may execute the following commands:

  • bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • bcdedit.exe /set {default} recoveryenabled No
  • vssadmin.exe Delete Shadows /All /Quiet
  • wbadmin DELETE SYSTEMSTATEBACKUP
  • wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  • wmic.exe SHADOWCOPY /nointeractive
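The registry values and commands above are the UAC-weakening and recovery-tampering steps of the infection: EnableLUA = 0 and ConsentPromptBehaviorAdmin = 0 switch off UAC prompting, EnableLinkedConnections = 1 makes the user's mapped network drives visible to the elevated token (so the trojan can reach them), vssadmin and wmic remove Volume Shadow Copies, wbadmin deletes system state backups, and the bcdedit changes disable Windows recovery and boot-failure handling. These command lines and registry writes are high-fidelity detection opportunities in process-creation telemetry (Sysmon Event ID 1, Security 4688) and registry-set telemetry (Sysmon Event ID 13). The Python below is an added example, not code from the page or from the malware: it runs a small rule set for both passages over constructed events. The event dictionary layout, the host names and the benign administrative commands used as negatives are assumptions made for the example.

```python
"""Detection rules for the registry changes and recovery-tampering commands
listed above, run over constructed process-creation and registry-set events.

Added example (not code from the page or from the malware). The event layout
(dicts with "type", "host", "command_line" or "key"/"value"/"data") is an
assumption standing in for Sysmon Event ID 1/13 or Security 4688 records; map
the field names to whatever your SIEM exports.
"""
import re

# Command-line rules following the shapes on the page, case-insensitive. The
# wmic rule flags any shadowcopy invocation: the page shows it without a verb.
COMMAND_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b", re.I)),
    ("wbadmin_delete_systemstatebackup",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+systemstatebackup\b", re.I)),
    ("bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Registry rules: (value name, data) under the Policies\System key.
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
REGISTRY_RULES = {
    ("enablelua", 0): "uac_disabled",
    ("consentpromptbehavioradmin", 0): "admin_elevation_without_prompt",
    ("enablelinkedconnections", 1): "mapped_drives_visible_to_elevated_token",
}


def _as_int(data):
    """Accept an int, a decimal string, or Sysmon's 'DWORD (0x00000000)' form."""
    if isinstance(data, int):
        return data
    m = re.search(r"0x([0-9a-fA-F]+)", str(data))
    return int(m.group(1), 16) if m else int(data)


def match_command(command_line):
    """Names of every command rule the command line triggers."""
    return [name for name, rx in COMMAND_RULES if rx.search(command_line)]


def match_registry(key, value, data):
    """Rule name for a registry write, or None if it is not one we care about."""
    if not key.lower().rstrip("\\").endswith(POLICY_KEY):
        return None
    return REGISTRY_RULES.get((value.lower(), _as_int(data)))


def triage(events):
    """Run all rules; return (findings, per_host_count). Findings are
    (host, rule, evidence) tuples; the per-host count ranks hosts, since a
    real infection fires several of these rules within seconds."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            for rule in match_command(ev["command_line"]):
                findings.append((ev["host"], rule, ev["command_line"]))
        elif ev["type"] == "registry_set":
            rule = match_registry(ev["key"], ev["value"], ev["data"])
            if rule:
                evidence = "%s\\%s = %s" % (ev["key"], ev["value"], ev["data"])
                findings.append((ev["host"], rule, evidence))
    per_host = {}
    for host, _, _ in findings:
        per_host[host] = per_host.get(host, 0) + 1
    return findings, per_host


POLICY_PATH = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed events for the example. WS01 replays the sequence from the page;
# SRV02 is benign administration that must not fire.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process_create",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS01", "type": "process_create",
     "command_line": "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"},
    {"host": "WS01", "type": "process_create",
     "command_line": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "WS01", "type": "process_create",
     "command_line": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "WS01", "type": "process_create",
     "command_line": "wmic.exe SHADOWCOPY /nointeractive"},
    {"host": "WS01", "type": "registry_set", "key": POLICY_PATH,
     "value": "EnableLUA", "data": 0},
    {"host": "WS01", "type": "registry_set", "key": POLICY_PATH,
     "value": "ConsentPromptBehaviorAdmin", "data": "DWORD (0x00000000)"},
    {"host": "WS01", "type": "registry_set", "key": POLICY_PATH,
     "value": "EnableLinkedConnections", "data": 1},
    {"host": "SRV02", "type": "process_create",
     "command_line": "vssadmin.exe List Shadows"},
    {"host": "SRV02", "type": "process_create",
     "command_line": "wbadmin get versions"},
    {"host": "SRV02", "type": "registry_set", "key": POLICY_PATH,
     "value": "EnableLUA", "data": 1},
]

if __name__ == "__main__":
    findings, per_host = triage(SAMPLE_EVENTS)
    for host, rule, evidence in findings:
        print(host, rule, evidence, sep="  |  ")
    print("findings per host:", per_host)
```

Backup software and administrators do run vssadmin and wbadmin, which is why the rules key on the destructive verbs rather than on the tool names; the registry rules key on the exact value and data, so an administrator restoring EnableLUA to 1 is not flagged. In production, alert on the combination (several rules from one host in a short window) rather than on any single match.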
