Win32/Filecoder [Threat Name]
Win32/Filecoder.DN [Threat Variant Name]
Category: trojan
Size: 12288 B
Aliases: Trojan-Ransom.MSIL.Cryptolock.a (Kaspersky)
Short description
Win32/Filecoder.DN is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password or instructions.
Installation
The trojan does not create any copies of itself.
The trojan is probably a part of other malware.
The trojan creates the following file:
- %desktop%\Ваш консультант.lnk
Payload information
The trojan encrypts files on local disks.
The trojan searches local drives for files with the following file extensions:
- .3gp
- .7z
- .7zip
- .aac
- .accdb
- .ape
- .avi
- .bmp
- .bz
- .cpp
- .cs
- .css
- .csv
- .djv
- .djvu
- .dng
- .doc
- .docm
- .docx
- .dot
- .dotx
- .flac
- .flv
- .gif
- .htm
- .html
- .jnt
- .jpeg
- .jpg
- .js
- .mov
- .mp3
- .mp4
- .mpeg
- .mpg
- .ogg
- .php
- .pl
- .png
- .pot
- .potm
- .potx
- .pps
- .ppsm
- .ppsx
- .ppt
- .pptx
- .psd
- .pub
- .qt
- .rar
- .raw
- .rtf
- .shtml
- .smk
- .tar
- .tga
- .tiff
- .txt
- .wav
- .wma
- .wmv
- .xls
- .xlsb
- .xlsm
- .xlsx
- .xlt
- .xlw
- .zip
Only the following folders are searched:
- %desktop%
- %mydocuments%
- %systemdrive%\Documents and Settings\All Users\Desktop\
- %systemdrive%\users\*\desktop\
- %systemdrive%\users\*\music\
- %systemdrive%\users\*\videos\
- %systemdrive%\users\*\pictures\
- %systemdrive%\users\*\documents\
- %systemdrive%\users\*\downloads\
- %nonsystemdrive%\*
Only folders whose path does not contain the following string are searched:
- %systemdrive%\users\default\
The trojan encrypts the file content.
The AES encryption algorithm is used.
The trojan changes the file extension to the following:
- .AES256
The trojan creates the following file:
- %currentfolder%\ВНИМАНИЕ_ОТКРОЙТЕ-МЕНЯ.txt
It contains the following text:
- Здравствуйте, все ваши файлы повреждены, свяжитесь с нами для их восстановления.
- Для этого откройте ярлык 'Ваш консультант', который находится на рабочем столе или кликните два раза левой кнопкой мыши на любой зашифрованный файл.
- Если по каким-то причинам вы не можете связаться с нами через 'Онлайн чат', свяжитесь с нами через оффлайн контакты.
- TOR: https://www.t%removed%t.org/ | Видео инструкция: http://y%removed%0
- url_1: http://c%removed%7/pay.html
- url_2: http://4%removed%7/pay.html
- HashKey: %removed%
- ID: %removed%
To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password or instructions.
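As an added defensive example (not ESET's description nor the malware's own code), the following Python turns the payload description above into a triage helper: it labels paths that carry this variant's artefacts (a targeted extension followed by .AES256, the ransom note, the desktop shortcut, the profile file) and models the folder scope the trojan searches. The sample paths are constructed, and treating C: as %systemdrive% is an assumption.

```python
"""Triage helper for Win32/Filecoder.DN artefacts (added example; not ESET's or the malware's code).
Windows-style paths, case-insensitive matching; C: is assumed to be %systemdrive%."""
import ntpath
import re
# Extensions the trojan targets, as listed on this page.
TARGET_EXTS = set("""
.3gp .7z .7zip .aac .accdb .ape .avi .bmp .bz .cpp .cs .css .csv .djv .djvu .dng .doc .docm
.docx .dot .dotx .flac .flv .gif .htm .html .jnt .jpeg .jpg .js .mov .mp3 .mp4 .mpeg .mpg .ogg
.php .pl .png .pot .potm .potx .pps .ppsm .ppsx .ppt .pptx .psd .pub .qt .rar .raw .rtf .shtml
.smk .tar .tga .tiff .txt .wav .wma .wmv .xls .xlsb .xlsm .xlsx .xlt .xlw .zip
""".split())
ENCRYPTED_SUFFIX = ".aes256"                # appended after the original extension
RANSOM_NOTE = "внимание_откройте-меня.txt"  # dropped in each folder that was encrypted
SHORTCUT = "ваш консультант.lnk"            # placed on the desktop
PROFILE_TAIL = "\\microsoft db\\profile"    # stores the collected IP and OS version (%appdata%)
# Searched folders; %nonsystemdrive%\* is modelled as any drive letter other than C:.
SCOPE_PATTERNS = [
    r"^c:\\documents and settings\\all users\\desktop\\",
    r"^c:\\users\\[^\\]+\\(desktop|music|videos|pictures|documents|downloads)\\",
    r"^[abd-z]:\\",
]
EXCLUDED = "c:\\users\\default\\"           # the one path fragment the trojan skips

def in_search_scope(path):
    """True if a file or folder path lies under a location the trojan searches."""
    p = path.lower()
    return EXCLUDED not in p and any(re.match(pat, p) for pat in SCOPE_PATTERNS)

def classify(path):
    """Return an artefact label for the path, or None if it shows no Filecoder.DN trace."""
    p = path.lower()
    name = ntpath.basename(p)
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name == SHORTCUT and "\\desktop\\" in p:
        return "shortcut"
    if p.endswith(PROFILE_TAIL):
        return "profile"
    # An encrypted file keeps its original extension directly before .AES256.
    if name.endswith(ENCRYPTED_SUFFIX) and ntpath.splitext(name[: -len(ENCRYPTED_SUFFIX)])[1] in TARGET_EXTS:
        return "encrypted_file"
    return None

# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    r"C:\Users\alice\Documents\report.docx.AES256",
    r"C:\Users\alice\Documents\ВНИМАНИЕ_ОТКРОЙТЕ-МЕНЯ.txt",
    r"C:\Users\alice\Desktop\Ваш консультант.lnk",
    r"C:\Users\alice\Downloads\tool.exe.AES256",  # .exe is not a targeted type
    r"C:\Users\Default\Desktop\skipped.doc",       # excluded folder, not encrypted
]
```

Running `classify` over a directory listing and `in_search_scope` over backup or share paths gives a quick view of which files were touched and which locations were ever at risk from this variant.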
Information stealing
The trojan collects the following information:
- computer IP address
- operating system version
The data is saved in the following file:
- %appdata%\Microsoft DB\Profile
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 3 URL addresses. The TOR and HTTP protocols are used for the communication.
The trojan requires the Microsoft .NET Framework to run.