Win32/Filecoder [Threat Name] go to Threat

Win32/Filecoder.DN [Threat Variant Name]

Category trojan
Size 12288 B
Detection created Oct 02, 2014
Detection database version 10499
Aliases Trojan-Ransom.MSIL.Cryptolock.a (Kaspersky)
Short description

Win32/Filecoder.DN is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan does not create any copies of itself.


The trojan is probably a part of other malware.


The trojan creates the following files:

  • %desktop%\­Ваш консультант.lnk
Payload information

The trojan encrypts files on local disks.


The trojan searches local drives for files with the following file extensions:

  • .3gp
  • .7z
  • .7zip
  • .aac
  • .accdb
  • .ape
  • .avi
  • .bmp
  • .bz
  • .cpp
  • .cs
  • .css
  • .csv
  • .djv
  • .djvu
  • .dng
  • .doc
  • .docm
  • .docx
  • .dot
  • .dotx
  • .flac
  • .flv
  • .gif
  • .htm
  • .html
  • .jnt
  • .jpeg
  • .jpg
  • .js
  • .mov
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .mpg
  • .ogg
  • .ogg
  • .pdf
  • .php
  • .pl
  • .png
  • .pot
  • .potm
  • .potx
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptx
  • .psd
  • .pub
  • .qt
  • .rar
  • .raw
  • .rtf
  • .shtml
  • .smk
  • .tar
  • .tga
  • .tiff
  • .txt
  • .wav
  • .wma
  • .wmv
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xlw
  • .zip

Only following folders are searched:

  • %desktop%
  • %mydocuments%
  • %systemdrive%\­Documents and Settings\­All Users\­Desktop\­
  • %systemdrive%\­users\­*\­desktop\­
  • %systemdrive%\­users\­*\­music\­
  • %systemdrive%\­users\­*\­videos\­
  • %systemdrive%\­users\­*\­pictures\­
  • %systemdrive%\­users\­*\­documents\­
  • %systemdrive%\­users\­*\­downloads\­
  • %nonsystemdrive%\­*

Only folders which do not contain one of the following string in their path are searched:

  • %systemdrive%\­users\­default\­

The trojan encrypts the file content.


The AES encryption algorithm is used.


The trojan changes the file extension to the following:

  • .AES256

The trojan creates the following file:

  • %currentfolder%\­ВНИМАНИЕ_ОТКРОЙТЕ-МЕНЯ.txt

It contains the following text:

  • Здравствуйте, все ваши файлы повреждены, свяжитесь с нами для их восстановления.
  • Для этого откройте ярлык 'Ваш консультант', который находится на рабочем столе или кликните два раза левой кнопкой мыши на любой зашифрованный файл.
  • Если по каким-то причинам вы не можете связаться с нами через 'Онлайн чат', свяжитесь с нами через оффлайн контакты.
  • TOR: https://www.t%removed%t.org/ | Видео инструкция: http://y%removed%0
  • url_1: http://c%removed%7/pay.html
  • url_2: http://4%removed%7/pay.html
  • HashKey: %removed%
  • ID: %removed%

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Information stealing

The trojan collects the following information:

  • computer IP address
  • operating system version

The data is saved in the following file:

  • %appdata%\­Microsoft DB\­Profile
Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (3) URL addresses. The TOR, HTTP protocol is used in the communication.


Trojan requires the Microsoft .NET Framework to run.

Please enable Javascript to ensure correct displaying of this content and refresh this page.