Win32/Filecoder.Avaddon [Threat Name]
Win32/Filecoder.Avaddon.C [Threat Variant Name]
Category: trojan
Size: 736608 B
Aliases: Trojan.Win32.DelShad.esz (Kaspersky), Ransom:Win32/Avaddon.C!MTB (Microsoft)
Short description
Win32/Filecoder.Avaddon.C is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Installation
The trojan may create copies of itself in the folder:
- %appdata%\Microsoft\Windows\%malwarefile%
The trojan schedules a task that causes the following file to be executed repeatedly:
- %appdata%\Microsoft\Windows\%malwarefile%
Payload information
Win32/Filecoder.Avaddon.C is a trojan that encrypts files on fixed, removable and network drives.
The trojan searches for files with the following file extensions:
- *.*
It avoids files from the following directories:
- %public%\
- %systemdrive%\program files (x86)\
- %systemdrive%\program files\
- %systemdrive%\windows\
- %temp%\
- %userprofile%\appdata\
It avoids files which contain any of the following strings in their path:
- MSOCache
- ProgramData
- Tor Browser
It avoids files with the following extensions:
- .bin
- .dat
- .dll
- .drv
- .exe
- .ini
- .lnk
- .prf
- .rdp
- .swp
- .sys
The trojan encrypts the file content.
The RSA and AES encryption algorithms are used.
An additional .%variable01% extension is appended.
To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
The following file is created in the same folders as the encrypted files:
- %variable02%_readme_.txt
It contains the following text:
A string with variable content is used instead of %variable01-02%.
Other information
The trojan can terminate the following processes:
- 360doctor.exe
- 360se.exe
- axlbridge.exe
- Culture.exe
- Defwatch.exe
- fdhost.exe
- fdlauncher.exe
- GDscan.exe
- httpd.exe
- java.exe
- MsDtSrvr.exe
- QBCFMonitorService.exe
- QBDBMgr.exe
- QBIDPService.exe
- qbupdate.exe
- QBW32.exe
- RAgui.exe
- RTVscan.exe
- sqlbrowser.exe
- sqlmangr.exe
- sqlservr.exe
- supervise.exe
- tomcat6.exe
- wdswfsafe.exe
- winword.exe
- wxServer.exe
- wxServerView.exe
The following services are disabled:
- ccEvtMgr
- ccSetMgr
- Culserver
- dbeng8
- dbsrv12
- DefWatch
- Intuit.QuickBooks.FCS
- msmdsrv
- QBCFMonitorService
- QBIDPService
- RTVscan
- SavRoam
- sqladhlp
- SQLADHLP
- sqlagent
- sqlbrowser
- sqlservr
- sqlwriter
- tomcat6
- VMAuthdService
- VMnetDHCP
- VMUSBArbService
- vmware-converter
- VMwareHostd
- vmware-usbarbitator64
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
- "EnableLinkedConnections" = 1
- "EnableLUA" = 0
- "ConsentPromptBehaviorAdmin" = 0
The trojan may execute the following commands:
- bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- bcdedit.exe /set {default} recoveryenabled No
- vssadmin.exe Delete Shadows /All /Quiet
- wbadmin DELETE SYSTEMSTATEBACKUP
- wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
- wmic.exe SHADOWCOPY /nointeractive
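Every command above removes a recovery path (shadow copies, system state backups, Windows recovery on boot failure) before files are encrypted, so they are the point where process-creation telemetry still gives a defender a warning. The script below, added here as an example and not part of this entry or of ESET's tooling, runs one detection rule per command family from the list over constructed process-creation log lines and then looks for hosts on which several distinct families fire in succession; the log format, host names and timestamps are all constructed for the example.

```python
"""Detect the backup- and recovery-tampering commands this entry lists in
process-creation logs. Added example for this threat entry; not ESET code."""
import re
from collections import defaultdict

# One rule per command family in the entry, matched case-insensitively against
# the whole command line so a full image path or extra switches do not matter.
RULES = {
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
        re.I),
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wbadmin_delete_systemstate": re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+systemstatebackup\b", re.I),
    "wmic_shadowcopy_noninteractive": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*/nointeractive\b", re.I),
}

# Constructed sample log: "<timestamp> <host> <parent image> CommandLine=<cmd>".
SAMPLE_LOG = r"""
2021-02-03T09:14:02Z WS-042 C:\Windows\System32\cmd.exe CommandLine=vssadmin.exe Delete Shadows /All /Quiet
2021-02-03T09:14:02Z WS-042 C:\Windows\System32\cmd.exe CommandLine=bcdedit.exe /set {default} recoveryenabled No
2021-02-03T09:14:03Z WS-042 C:\Windows\System32\cmd.exe CommandLine=wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
2021-02-03T09:14:03Z WS-042 C:\Windows\System32\cmd.exe CommandLine=wmic.exe SHADOWCOPY /nointeractive
2021-02-03T09:20:11Z WS-017 C:\Windows\System32\cmd.exe CommandLine=vssadmin.exe List Shadows
2021-02-03T09:21:45Z WS-017 C:\Windows\explorer.exe CommandLine=notepad.exe readme.txt
""".strip()


def classify(command_line):
    """Return the names of every rule the command line matches ([] if none)."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def parse_line(line):
    """Parse one sample-format line into a dict, or None if it is malformed."""
    head, sep, cmd = line.partition(" CommandLine=")
    parts = head.split(" ", 2)
    if not sep or len(parts) != 3:
        return None
    return {"ts": parts[0], "host": parts[1], "image": parts[2], "cmd": cmd}


def scan(lines):
    """Return (timestamp, host, rule, command line) for every matching line."""
    hits = []
    for raw in lines:
        event = parse_line(raw.rstrip("\n"))
        if event is None:
            continue
        for rule in classify(event["cmd"]):
            hits.append((event["ts"], event["host"], rule, event["cmd"]))
    return hits


def hosts_with_multiple_techniques(hits, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired. One such
    command can be an administrator; several different ones back to back is
    the pre-encryption pattern the entry describes."""
    per_host = defaultdict(set)
    for _, host, rule, _ in hits:
        per_host[host].add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for ts, host, rule, cmd in found:
        print(f"{ts} {host} {rule}: {cmd}")
    print("hosts with multiple techniques:", hosts_with_multiple_techniques(found))
```

`vssadmin List Shadows` on WS-017 deliberately does not match: the rules key on the destructive verbs, not on the tools themselves, so routine administration does not raise the host-level alert.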