Win32/Filecoder.Cerber [Threat Name]
Win32/Filecoder.Cerber.A [Threat Variant Name]
Category | trojan |
Size | 114688 B |
Aliases | Trojan.Win32.SelfDel.buhy (Kaspersky) |
        | Ransom:Win32/Cerber.A (Microsoft) |
        | Trojan.Cryptolocker.AH (Symantec) |
        | Trojan.Encoder.4171 (Dr.Web) |
Short description
Win32/Filecoder.Cerber.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to comply with the given conditions in exchange for a password or decryption instructions.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\%guid%\%pickedfilenamefromsystem32folder%
The trojan creates the following files:
- %startup%\%pickedfilenamefromsystem32folder%.lnk
The file is a shortcut to the malicious copy created above.
After the installation is complete, the trojan deletes the original executable file.
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%pickedfilenamefromsystem32folder%" = "%appdata%\%guid%\%pickedfilenamefromsystem32folder%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "%pickedfilenamefromsystem32folder%" = "%appdata%\%guid%\%pickedfilenamefromsystem32folder%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "Run" = "%appdata%\%guid%\%pickedfilenamefromsystem32folder%"
- [HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
- "AutoRun" = "%appdata%\%guid%\%pickedfilenamefromsystem32folder%"
- [HKEY_CURRENT_USER\Control Panel\Desktop]
- "SCRNSAVE.EXE" = "%appdata%\%guid%\%pickedfilenamefromsystem32folder%"
The trojan schedules a task that causes the following file to be executed repeatedly:
- %appdata%\%guid%\%pickedfilenamefromsystem32folder%
Payload information
Win32/Filecoder.Cerber.A is a trojan that encrypts files on fixed, removable and network drives.
To decrypt the files, the user is asked to comply with the given conditions in exchange for a password or decryption instructions.
The trojan searches for files with the following file extensions:
- .1cd
- .3dm
- .3ds
- .3fr
- .3g2
- .3gp
- .3pr
- .7z
- .7zip
- .aac
- .ab4
- .accdb
- .accde
- .accdr
- .accdt
- .ach
- .acr
- .act
- .adb
- .adp
- .ads
- .agdl
- .ai
- .aiff
- .ait
- .al
- .aoi
- .apj
- .arw
- .asf
- .asm
- .asp
- .aspx
- .asx
- .avi
- .awg
- .back
- .backup
- .backupdb
- .bak
- .bank
- .bay
- .bdb
- .bgt
- .bik
- .bin
- .bkp
- .blend
- .bmp
- .bpw
- .c
- .cdf
- .cdr
- .cdr3
- .cdr4
- .cdr5
- .cdr6
- .cdrw
- .cdx
- .ce1
- .ce2
- .cer
- .cfg
- .cgm
- .cib
- .class
- .cls
- .cmt
- .config
- .contact
- .cpi
- .cpp
- .cr2
- .craw
- .crt
- .crw
- .cs
- .csh
- .csl
- .css
- .csv
- .dac
- .dat
- .db
- .db_journal
- .db3
- .dbf
- .dbx
- .dc2
- .dcr
- .dcs
- .ddd
- .ddoc
- .ddrw
- .dds
- .der
- .des
- .design
- .dgc
- .dit
- .djvu
- .dng
- .doc
- .docm
- .docx
- .dot
- .dotm
- .dotx
- .drf
- .drw
- .dtd
- .dwg
- .dxb
- .dxf
- .dxg
- .edb
- .eml
- .eps
- .erbsql
- .erf
- .exf
- .fdb
- .ffd
- .fff
- .fh
- .fhd
- .fla
- .flac
- .flf
- .flv
- .flvv
- .fpx
- .fxg
- .gif
- .gray
- .grey
- .groups
- .gry
- .h
- .hbk
- .hdd
- .hpp
- .html
- .ibank
- .ibd
- .ibz
- .idx
- .iif
- .iiq
- .incpas
- .indd
- .java
- .jnt
- .jpe
- .jpeg
- .jpg
- .js
- .kc2
- .kdbx
- .kdc
- .key
- .kpdx
- .kwm
- .laccdb
- .ldf
- .lit
- .log
- .lua
- .m
- .m2ts
- .m3u
- .m4p
- .m4v
- .mapimail
- .max
- .mbx
- .md
- .mdb
- .mdc
- .mdf
- .mef
- .mfw
- .mid
- .mkv
- .mlb
- .mmw
- .mny
- .moneywell
- .mos
- .mov
- .mp3
- .mp4
- .mpeg
- .mpg
- .mrw
- .msg
- .myd
- .nd
- .ndd
- .ndf
- .nef
- .nk2
- .nop
- .nrw
- .ns2
- .ns3
- .ns4
- .nsd
- .nsf
- .nsg
- .nsh
- .nvram
- .nwb
- .nx2
- .nxl
- .nyf
- .oab
- .obj
- .odb
- .odc
- .odf
- .odg
- .odm
- .odp
- .ods
- .odt
- .ogg
- .oil
- .orf
- .ost
- .otg
- .oth
- .otp
- .ots
- .ott
- .p12
- .p7b
- .p7c
- .pab
- .pages
- .pas
- .pat
- .pcd
- .pct
- .pdb
- .pdd
- .pef
- .pem
- .pfx
- .php
- .pif
- .pl
- .plc
- .plus_muhd
- .png
- .pot
- .potm
- .potx
- .ppam
- .pps
- .ppsm
- .ppsx
- .ppt
- .pptm
- .pptx
- .prf
- .ps
- .psafe3
- .psd
- .pspimage
- .pst
- .ptx
- .pwm
- .py
- .qba
- .qbb
- .qbm
- .qbr
- .qbw
- .qbx
- .qby
- .qcow
- .qcow2
- .qed
- .r3d
- .raf
- .rar
- .rat
- .raw
- .rdb
- .rm
- .rtf
- .rvt
- .rw2
- .rwl
- .rwz
- .s3db
- .safe
- .sas7bdat
- .sav
- .save
- .say
- .sd0
- .sda
- .sdf
- .sldm
- .sldx
- .sql
- .sqlite
- .sqlite3
- .sqlitedb
- .sr2
- .srf
- .srt
- .srw
- .st4
- .st5
- .st6
- .st7
- .st8
- .stc
- .std
- .sti
- .stm
- .stw
- .stx
- .svg
- .swf
- .sxc
- .sxd
- .sxg
- .sxi
- .sxm
- .sxw
- .tex
- .tga
- .thm
- .tlg
- .txt
- .vbox
- .vdi
- .vhd
- .vhdx
- .vmdk
- .vmsd
- .vmx
- .vmxf
- .vob
- .wab
- .wad
- .wallet
- .wav
- .wb2
- .wma
- .wmv
- .wpd
- .wps
- .x11
- .x3f
- .xis
- .xla
- .xlam
- .xlk
- .xlm
- .xlr
- .xls
- .xlsb
- .xlsm
- .xlsx
- .xlt
- .xltm
- .xltx
- .xlw
- .xml
- .ycbcra
- .yuv
- .zip
It avoids files with the following filenames:
- bootsect.bak
- iconcache.db
- thumbs.db
- wallet.dat
It avoids files whose path contains any of the following strings:
- :\$recycle.bin\
- :\$windows.~bt\
- :\boot\
- :\drivers\
- :\program files\
- :\program files (x86)\
- :\programdata\
- :\users\all users\
- :\windows\
- \appdata\local\
- \appdata\locallow\
- \appdata\roaming\
- \public\music\sample music\
- \public\pictures\sample pictures\
- \public\videos\sample videos\
- \tor browser\
The trojan encrypts the file content.
The RSA and RC4 encryption algorithms are used.
The name of the encrypted file is changed to:
- %11randomchars%.cerber
The following files are dropped in the same folder:
- # DECRYPT MY FILES #.txt
- # DECRYPT MY FILES #.html
- # DECRYPT MY FILES #.vbs
The following files are dropped into the %desktop% folder:
- # DECRYPT MY FILES #.txt
- # DECRYPT MY FILES #.html
- # DECRYPT MY FILES #.vbs
The files are then executed.
The following text is displayed:
The trojan uses Microsoft Speech technology.
It may play the following text as a spoken voice:
- Attention! Attention! Attention!
- Your documents, photos, databases and other important files have been encrypted!
When file encryption is finished, the trojan removes itself from the computer.
Information stealing
The trojan collects the following information:
- operating system version
The trojan attempts to send gathered information to a remote machine.
The trojan contains a URL address. The HTTP protocol is used in the communication.
Other information
The trojan stores various data in the following Registry key:
- [HKEY_CURRENT_USER\Printers\Defaults\%guid%]
- "Component_00" = "%data1%"
- "Component_01" = "%data2%"
The trojan executes the following commands:
- vssadmin.exe Delete Shadows /All /Quiet
- bcdedit.exe /set {default} recoveryenabled no
- bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
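As an added defender-side example (not part of the original entry), the following Python turns the artifacts listed above into detection logic: it flags the three recovery-destroying commands, the ransom-note filenames and the %11randomchars%.cerber output names in process-creation and file-creation log lines. The Sysmon-like "key=value" log format and the sample lines are constructed for this example; the page documents no log format.

```python
import re

# Commands listed on the page that delete shadow copies and disable Windows recovery.
# Matching is case-insensitive with flexible whitespace so minor variants still hit.
COMMAND_PATTERNS = {
    "shadow_copies_deleted": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all\b", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bootstatus_ignored": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# Ransom-note names dropped beside encrypted files and on the desktop (lowercased for matching).
RANSOM_NOTES = {"# decrypt my files #.txt", "# decrypt my files #.html", "# decrypt my files #.vbs"}
# Encrypted files are renamed to 11 characters plus ".cerber"; the character set is not
# documented on the page, so any 11 characters are accepted here (assumption).
ENCRYPTED_NAME = re.compile(r"^.{11}\.cerber$", re.I)

# Constructed Sysmon-style lines: EventID=1 is process creation, EventID=11 is file creation.
SAMPLE_LOG = [
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine=bcdedit.exe /set {default} recoveryenabled no",
    "EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine=bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe list shadows",
    "EventID=11 TargetFilename=C:\\Users\\alice\\Documents\\# DECRYPT MY FILES #.txt",
    "EventID=11 TargetFilename=C:\\Users\\alice\\Documents\\a1b2c3d4e5f.cerber",
    "EventID=11 TargetFilename=C:\\Users\\alice\\Documents\\report.docx",
]


def classify_process_line(command_line):
    """Return the tags of page-listed commands present in one command line (empty if benign)."""
    return [tag for tag, pat in COMMAND_PATTERNS.items() if pat.search(command_line)]


def classify_file_name(name):
    """Return 'ransom_note', 'encrypted_file' or None for one created file name."""
    low = name.lower()
    if low in RANSOM_NOTES:
        return "ransom_note"
    if ENCRYPTED_NAME.match(low):
        return "encrypted_file"
    return None


def scan(lines):
    """Count findings per tag over log lines carrying CommandLine= or TargetFilename= fields."""
    findings = {}
    for line in lines:
        m = re.search(r"CommandLine=(.*)$", line)
        tags = classify_process_line(m.group(1)) if m else []
        m = re.search(r"TargetFilename=(.*)$", line)
        if m:
            tag = classify_file_name(m.group(1).rsplit("\\", 1)[-1])
            tags += [tag] if tag else []
        for tag in tags:
            findings[tag] = findings.get(tag, 0) + 1
    return findings


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Any single hit on a recovery-disabling command is worth an alert on its own; the file-name tags are useful for scoping which hosts and shares were reached once encryption has started.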
The trojan can detect the presence of virtual environments and sandboxes.