Win32/Filecoder [Threat Name]

Win32/Filecoder.FH [Threat Variant Name]

Category: trojan
Size: 84992 B
Detection created: Nov 03, 2015
Detection database version: 12508
Aliases:

  • Trojan-Ransom.Win32.Scatter.a (Kaspersky)
  • Trojan.Encoder.2843 (Dr.Web)
  • FileCryptor.EUF.trojan (AVG)
  • Win32:Stoberox-A (Avast)
Short description

Win32/Filecoder.FH is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is requested to comply with the given conditions in exchange for a password or instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %variable1%\%variable2%\%variable2%.%variable3%

The %variable1% is one of the following strings:

  • %appdata%
  • %personal%
  • %templates%

Instead of %variable2%, the value(s) are taken from the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

The %variable3% is one of the following strings:

  • .cmd
  • .exe
  • .pif
  • .scr

The trojan creates copies of the following files (source, destination):

  • %system%\*.dll, %variable1%\%variable2%\%variable2%\*.dll

The trojan creates the following file:

  • %variable1%\%variable2%\%variable2%.lnk

The file is a shortcut to a malicious file.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%variable4%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%variable4%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "%variable2%" = "%variable4%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "load" = "%variable4%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "load" = "%variable4%"

This causes the trojan to be executed on every system start.


The %variable4% is one of the following strings:

  • %variable1%\%variable2%\%variable2%.lnk
  • %variable1%\%variable2%\%variable2%.%variable3%

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • svchost.exe
  • tasklist.exe

After the installation is complete, the trojan deletes the original executable file.

Spreading

The trojan may create copies of itself on removable or remote drives.


The trojan copies itself to the following location:

  • %drive%\$RECYCLE.BIN\{%variable5%}\%variable6%.%variable7%

A string with variable content is used instead of %variable5-6%.


The %variable7% is one of the following strings:

  • .cmd
  • .exe
  • .pif
  • .scr

The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide the file in Windows Explorer.


The trojan searches for files and folders in the root folders of removable and remote drives.


When the trojan finds a file matching the search criteria, it creates a new file.


The name of the new file is based on the name of the folder found in the search. The extension of the file is ".lnk".


The file is a shortcut to a malicious file.

Payload information

Win32/Filecoder.FH is a trojan that encrypts files on fixed, removable and network drives.


To decrypt the files, the user is requested to comply with the given conditions in exchange for a password or instructions.


The trojan searches local and network drives for files with one of the following extensions:

  • .1cd
  • .cd
  • .cdr
  • .dbf
  • .doc
  • .dwg
  • .jpeg
  • .jpg
  • .mdb
  • .pdf
  • .psd
  • .rtf
  • .sqlite
  • .xls
  • .zip

Only folders whose path does not contain one of the following strings are searched:

  • abbyy
  • adobe
  • amd64
  • application
  • autograph
  • avatar
  • avatars
  • cache
  • clipart
  • com_
  • common
  • csize
  • framework64
  • games
  • guide
  • intel
  • internet
  • library
  • manual
  • maps
  • msoffice
  • profiles
  • program
  • recycle
  • resource
  • resources
  • roaming
  • sample
  • setup
  • support
  • template
  • temporary
  • texture
  • themes
  • thumbnails
  • uploads
  • windows

The trojan encrypts the file content.


The Blowfish and RSA encryption algorithms are used.


The extension of the encrypted files is changed to:

  • .vault

The trojan creates the following files:

  • %appdata%\userdata.ini
  • %appdata%\confirmation.key
  • %appdata%\vault.key
  • %templates%\vault.key
  • %desktop%\vault.key
  • %fixeddrive%\vault.key
  • %appdata%\vault.hta
  • %templates%\vault.hta
  • %fixeddrive%\vault.hta
  • %startup%\vault.hta
  • %desktop%\vault.hta

The trojan creates copies of the following files (source, destination):

  • %appdata%\confirmation.key, %templates%\confirmation.key

The trojan may delete the following files:

  • %appdata%\userdata.ini

The trojan executes the following command:

  • mshta.exe %desktop%\vault.hta

The trojan displays the following dialog box:

Information stealing

The trojan collects the following information:

  • computer name
  • user name
  • language settings

The data is saved in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}]
    • "%variable9%" = "%encrypteddata%"

A string with variable content is used instead of %variable8-9%.

Other information

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft]
    • "(Default)" = "%data%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}]
    • "%variable10%" = "%pubkey%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}\0]
    • "%encrypted_xls_doc_rtf_filepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}\1]
    • "%encrypted_pdf_filepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}\2]
    • "%encrypted_psd_dwg_cdr_filepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}\3]
    • "%encrypted_cd_mdb_1cd_dbf_sqlite_filepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}\4]
    • "%encrypted_jpg_jpeg_zip_filepath%"

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}]

The trojan executes the following commands:

  • vssadmin.exe delete shadows /all /quiet
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures

The trojan contains a URL address. The HTTP protocol is used in the communication.


The trojan can download and execute a file from the Internet.
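As an added defender-side example (not ESET's code or part of this entry), the following Python matches process-creation telemetry against the three commands listed above and triages a directory tree for the ".vault" extension and the dropped note and key files; the record shape ({"CommandLine": ...}) and all sample data are constructed assumptions.

```python
"""Triage helpers for the Win32/Filecoder.FH behaviours listed on this page (added example).
Record shape ({"CommandLine": ...}, e.g. Sysmon Event ID 1 as JSON) and sample data are assumed."""
import os
import re
import tempfile

INDICATORS = {  # command lines from the page; tolerant of a path prefix, ".exe" and spacing
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I),
    "bootstatus_policy_tamper": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "ransom_note_via_mshta": re.compile(r"mshta(\.exe)?\s.*\bvault\.hta\b", re.I),
}
# Files the page says are dropped next to the encrypted data.
RANSOM_ARTIFACTS = {"vault.hta", "vault.key", "confirmation.key", "userdata.ini"}


def flag_process_events(events):
    """Return [(indicator_name, command_line)] for every record matching an indicator."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        hits.extend((name, cmd) for name, pat in INDICATORS.items() if pat.search(cmd))
    return hits


def find_vault_artifacts(root):
    """Walk `root`; count ".vault" files and list dropped note/key files, case-insensitively."""
    encrypted, notes = 0, []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".vault"):  # extension appended to encrypted files
                encrypted += 1
            elif fn.lower() in RANSOM_ARTIFACTS:
                notes.append(os.path.join(dirpath, fn))
    return {"encrypted_files": encrypted, "ransom_artifacts": sorted(notes)}


SAMPLE_EVENTS = [  # constructed telemetry, not real logs; the last record is benign
    {"CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"CommandLine": r"mshta.exe C:\Users\alice\Desktop\vault.hta"},
    {"CommandLine": "vssadmin.exe list shadows"},
]


def build_sample_tree():
    """Create a constructed directory resembling a hit host; returns its path."""
    root = tempfile.mkdtemp(prefix="vault_triage_")
    os.mkdir(os.path.join(root, "docs"))
    for rel in ("docs/report.doc.vault", "docs/budget.xls.vault", "VAULT.HTA", "readme.txt"):
        open(os.path.join(root, rel), "w").close()
    return root


if __name__ == "__main__":
    print(flag_process_events(SAMPLE_EVENTS), find_vault_artifacts(build_sample_tree()))
```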
