Win32/Filecoder [Threat Name]
Win32/Filecoder.FH [Threat Variant Name]
Category | trojan
Size | 84992 B
Aliases | Trojan-Ransom.Win32.Scatter.a (Kaspersky)
        | Trojan.Encoder.2843 (Dr.Web)
        | FileCryptor.EUF.trojan (AVG)
        | Win32:Stoberox-A (Avast)
Short description
Win32/Filecoder.FH is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password or decryption instructions.
Installation
When executed, the trojan copies itself into the following location:
- %variable1%\%variable2%\%variable2%.%variable3%
The %variable1% is one of the following strings:
- %appdata%
- %personal%
- %templates%
The %variable2% is taken from the following Registry key:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
The %variable3% is one of the following strings:
- .cmd
- .exe
- .pif
- .scr
The trojan creates copies of the following files (source, destination):
- %system%\*.dll, %variable1%\%variable2%\%variable2%\*.dll
The trojan creates the following file:
- %variable1%\%variable2%\%variable2%.lnk
The file is a shortcut to a malicious file.
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable2%" = "%variable4%"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable2%" = "%variable4%"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%variable2%" = "%variable4%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "load" = "%variable4%"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "load" = "%variable4%"
This causes the trojan to be executed on every system start.
The %variable4% is one of the following strings:
- %variable1%\%variable2%\%variable2%.lnk
- %variable1%\%variable2%\%variable2%.%variable3%
The trojan injects its own program code into the following processes and runs it in a new thread there:
- explorer.exe
- svchost.exe
- tasklist.exe
After the installation is complete, the trojan deletes the original executable file.
Spreading
The trojan may create copies of itself on removable or remote drives.
The trojan copies itself to the following location:
- %drive%\$RECYCLE.BIN\{%variable5%}\%variable6%.%variable7%
The %variable5% and %variable6% are strings with variable content.
The %variable7% is one of the following strings:
- .cmd
- .exe
- .pif
- .scr
The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide the file in Windows Explorer.
The trojan searches for files and folders in the root folders of removable and remote drives.
When the trojan finds a folder matching the search criteria, it creates a new file next to it.
The name of the new file is the name of the folder found in the search, with the extension ".lnk" .
The file is a shortcut to the malicious file copied to the drive, so a user who opens what looks like their folder runs the trojan instead.
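The Installation and Spreading sections above describe two host-side indicators a responder can check for mechanically: an autorun value whose data has the layout <root>\<name>\<name>.<ext> with <name> copied from the Uninstall key, and root-level .lnk files on a removable drive that are named after a sibling folder and point into $RECYCLE.BIN\{...}\. The following Python is an added example (not code from the original page or from ESET) that applies both checks to constructed sample data; the registry values, product names and drive listing are made up, and on a live host you would feed in the output of winreg and a LNK parser instead. Case-insensitive comparison of names is an assumption.

```python
import re

# Constructed sample data standing in for what a responder would pull from a
# live host: product names under HKLM\...\Uninstall (the pool the trojan draws
# %variable2% from), autorun values from the Run / "load" locations listed
# above, and a listing of a removable drive's root with resolved LNK targets.
SAMPLE_UNINSTALL_NAMES = {"7-Zip", "Google Chrome", "Notepad++", "VLC media player"}

SAMPLE_RUN_VALUES = {
    # (key, value name): value data
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive"):
        r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "VLC"):
        r"C:\Program Files\VideoLAN\VLC\vlc.exe",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "7-Zip"):
        r"C:\Users\alice\AppData\Roaming\7-Zip\7-Zip.scr",
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows", "load"):
        r"C:\Users\alice\Documents\Notepad++\Notepad++.lnk",
}

SAMPLE_REMOVABLE_ROOT = [
    # (path, attribute letters, resolved LNK target or None); all constructed
    (r"E:\Photos", "D", None),
    (r"E:\Work", "D", None),
    (r"E:\Photos.lnk", "A", r"E:\$RECYCLE.BIN\{CONSTRUCTED}\setup.scr"),
    (r"E:\Work.lnk", "A", r"E:\$RECYCLE.BIN\{CONSTRUCTED}\setup.scr"),
    (r"E:\Readme.lnk", "A", r"C:\Windows\notepad.exe"),
    (r"E:\$RECYCLE.BIN\{CONSTRUCTED}\setup.scr", "SH", None),
]

# Layout from the Installation section: <root>\<name>\<name>.<ext>
_PERSIST_RE = re.compile(
    r"^(?P<root>.*)\\(?P<dir>[^\\]+)\\(?P<base>[^\\]+)\.(?P<ext>cmd|exe|pif|scr|lnk)$",
    re.IGNORECASE,
)
# Layout from the Spreading section: <drive>\$RECYCLE.BIN\{...}\<name>.<ext>
_LURE_TARGET_RE = re.compile(
    r"^[A-Z]:\\\$RECYCLE\.BIN\\\{[^\\}]+\}\\[^\\]+\.(?:cmd|exe|pif|scr)$", re.IGNORECASE
)


def suspicious_run_value(value_name, value_data, uninstall_names_lower):
    """Return the path when an autorun value has the dropper's layout, else None.

    Directory, file base name and (except for the "load" value) the value name
    are all the same string, and that string is a product name copied from the
    Uninstall key. Case-insensitive comparison is an assumption.
    """
    data = value_data.strip().strip('"')
    m = _PERSIST_RE.match(data)
    if not m:
        return None
    name = m.group("dir").lower()
    if m.group("base").lower() != name:
        return None
    if value_name.lower() not in (name, "load"):
        return None
    if name not in uninstall_names_lower:
        return None
    return data


def scan_run_values(run_values, uninstall_names):
    """Return [(key, value name, path)] for values matching the dropper layout."""
    names = {n.lower() for n in uninstall_names}
    hits = []
    for (key, value_name), data in run_values.items():
        path = suspicious_run_value(value_name, data, names)
        if path is not None:
            hits.append((key, value_name, path))
    return hits


def lure_shortcuts(entries):
    """Return [(lnk path, target)] for root-level .lnk files that are named
    after a sibling folder and whose target is a dropper copy in the recycle bin."""
    folders = {p.lower() for p, attrs, _ in entries if "D" in attrs}
    hits = []
    for path, attrs, target in entries:
        if target is None or not path.lower().endswith(".lnk"):
            continue
        if path[:-4].lower() in folders and _LURE_TARGET_RE.match(target):
            hits.append((path, target))
    return hits


def hidden_dropper_copies(entries):
    """Return System+Hidden files in the recycle bin layout with a dropper extension."""
    return [p for p, attrs, _ in entries
            if "S" in attrs and "H" in attrs and _LURE_TARGET_RE.match(p)]


if __name__ == "__main__":
    for hit in scan_run_values(SAMPLE_RUN_VALUES, SAMPLE_UNINSTALL_NAMES):
        print("autorun:", hit)
    for hit in lure_shortcuts(SAMPLE_REMOVABLE_ROOT):
        print("lure LNK:", hit)
    for p in hidden_dropper_copies(SAMPLE_REMOVABLE_ROOT):
        print("hidden copy:", p)
```

The VLC entry in the sample is deliberately a near miss: directory, file name and value name agree, but "VLC" is not itself a product name from the Uninstall key, so the check stays quiet. On the removable-drive side, the braced subfolder under $RECYCLE.BIN is the distinguishing feature: Windows' own per-user recycle folders are named after SIDs, not braced strings.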
Payload information
Win32/Filecoder.FH is a trojan that encrypts files on fixed, removable and network drives.
To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password or decryption instructions.
The trojan searches local and network drives for files with one of the following extensions:
- .1cd
- .cd
- .cdr
- .dbf
- .doc
- .dwg
- .jpeg
- .jpg
- .mdb
- .psd
- .rtf
- .sqlite
- .xls
- .zip
Only folders whose path does not contain one of the following strings are searched:
- abbyy
- adobe
- amd64
- application
- autograph
- avatar
- avatars
- cache
- clipart
- com_
- common
- csize
- framework64
- games
- guide
- intel
- internet
- library
- manual
- maps
- msoffice
- profiles
- program
- recycle
- resource
- resources
- roaming
- sample
- setup
- support
- template
- temporary
- texture
- themes
- thumbnails
- uploads
- windows
The trojan encrypts the file content.
The Blowfish and RSA encryption algorithms are used.
The extension of the encrypted files is changed to:
- .vault
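The targeting rules above (exact extension list, substring exclusions applied to the folder path, and the .vault rename) are enough to scope an incident from a plain file listing: which files are already encrypted, which would be hit next, and which the trojan would have skipped and why. The following Python is an added example, not code from the original page; the file listing is constructed, and case-insensitive matching and exact extension comparison (so that .docx is not .doc) are assumptions about the trojan's behaviour that the page does not state.

```python
import ntpath

# Extension list and folder-path exclusions exactly as given above.
TARGET_EXTS = {".1cd", ".cd", ".cdr", ".dbf", ".doc", ".dwg", ".jpeg", ".jpg",
               ".mdb", ".psd", ".rtf", ".sqlite", ".xls", ".zip"}
EXCLUDED_PATH_SUBSTRINGS = (
    "abbyy", "adobe", "amd64", "application", "autograph", "avatar", "avatars",
    "cache", "clipart", "com_", "common", "csize", "framework64", "games", "guide",
    "intel", "internet", "library", "manual", "maps", "msoffice", "profiles",
    "program", "recycle", "resource", "resources", "roaming", "sample", "setup",
    "support", "template", "temporary", "texture", "themes", "thumbnails",
    "uploads", "windows",
)
ENCRYPTED_EXT = ".vault"

# Constructed file listing, e.g. what a recursive directory walk of each
# fixed, removable and network drive would produce.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xls",
    r"C:\Users\alice\Documents\contract.docx",
    r"C:\Users\alice\Documents\program notes\plan.doc",
    r"C:\Users\alice\Documents\report.vault",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\AppData\Roaming\app\data.sqlite",
    r"C:\Users\alice\Desktop\templates\letter.rtf",
    r"C:\Windows\Temp\preview.jpg",
    r"D:\Projects\site\design.psd",
    r"\\fileserver\share\accounts.dbf",
]


def excluded_by(folder):
    """Return the first exclusion string found in the folder path, or None.

    The page says the strings are matched against the folder's path, so the
    file name itself is not tested. A plain substring test means a user folder
    such as "program notes" is skipped because it contains "program".
    Case-insensitive matching is an assumption.
    """
    folder = folder.lower()
    for s in EXCLUDED_PATH_SUBSTRINGS:
        if s in folder:
            return s
    return None


def classify(path):
    """Return "encrypted", "at_risk", ("skipped", reason) or None (not targeted)."""
    ext = ntpath.splitext(path)[1].lower()
    if ext == ENCRYPTED_EXT:
        return "encrypted"
    if ext not in TARGET_EXTS:          # exact match: .docx is not .doc
        return None
    reason = excluded_by(ntpath.dirname(path))
    if reason is not None:
        return ("skipped", reason)
    return "at_risk"


def triage(paths):
    """Split a listing into (at_risk, encrypted, {skipped path: reason})."""
    at_risk, encrypted, skipped = [], [], {}
    for p in paths:
        c = classify(p)
        if c == "at_risk":
            at_risk.append(p)
        elif c == "encrypted":
            encrypted.append(p)
        elif c is not None:
            skipped[p] = c[1]
    return at_risk, encrypted, skipped


if __name__ == "__main__":
    at_risk, encrypted, skipped = triage(SAMPLE_LISTING)
    print("already encrypted:", encrypted)
    print("would be encrypted next:", at_risk)
    for p, why in skipped.items():
        print("skipped because folder path contains %r: %s" % (why, p))
```

The UNC path in the sample is there because the page says network drives are searched; ntpath handles both drive letters and \\server\share paths on any OS, so the script can be run from a Linux analysis box over an exported listing.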
The trojan creates the following files:
- %appdata%\userdata.ini
- %appdata%\confirmation.key
- %appdata%\vault.key
- %templates%\vault.key
- %desktop%\vault.key
- %fixeddrive%\vault.key
- %appdata%\vault.hta
- %templates%\vault.hta
- %fixeddrive%\vault.hta
- %startup%\vault.hta
- %desktop%\vault.hta
The trojan creates copies of the following files (source, destination):
- %appdata%\confirmation.key, %templates%\confirmation.key
The trojan may delete the following files:
- %appdata%\userdata.ini
The trojan executes the following command:
- mshta.exe %desktop%\vault.hta
The trojan displays a dialog box (screenshot not reproduced on this page).
Information stealing
The trojan collects the following information:
- computer name
- user name
- language settings
The data is saved in the following Registry key:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}]
- "%variable9%" = "%encrypteddata%"
The %variable8% and %variable9% are strings with variable content.
Other information
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft]
- "(Default)" = "%data%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}]
- "%variable10%" = "%pubkey%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}\0]
- "%encrypted_xls_doc_rtf_filepath%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}\1]
- "%encrypted_pdf_filepath%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}\2]
- "%encrypted_psd_dwg_cdr_filepath%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}\3]
- "%encrypted_cd_mdb_1cd_dbf_sqlite_filepath%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}\4]
- "%encrypted_jpg_jpeg_zip_filepath%"
The trojan may delete the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut]
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{%variable8%}]
The trojan executes the following commands:
- vssadmin.exe delete shadows /all /quiet
- bcdedit /set {default} bootstatuspolicy ignoreallfailures
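The two commands above, together with the mshta.exe launch of vault.hta listed under Payload information, are the noisiest part of this trojan's behaviour and the easiest to detect from process-creation telemetry. The following Python is an added example (not code from the original page) that runs three command-line rules over constructed process-creation events in a simplified Sysmon-like shape and then correlates hits by parent process; the event records, PIDs and parent names are made up, with explorer.exe chosen as parent because the page says the trojan runs its code inside that process.

```python
import re

# Constructed process-creation events (simplified Sysmon event 1 shape).
SAMPLE_EVENTS = [
    {"pid": 4012, "parent": "explorer.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4020, "parent": "explorer.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4031, "parent": "explorer.exe",
     "cmdline": r"mshta.exe C:\Users\alice\Desktop\vault.hta"},
    {"pid": 5110, "parent": "BackupAgent.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"pid": 5122, "parent": "cmd.exe",
     "cmdline": "bcdedit /enum"},
    {"pid": 5130, "parent": "msiexec.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]

# Each rule tolerates an optional .exe suffix, extra arguments between the
# tokens, and any letter case; whitespace is normalised before matching.
RULES = (
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("boot_status_policy_tampering",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("ransom_note_via_mshta",
     re.compile(r"\bmshta(?:\.exe)?\b.*\\vault\.hta\b", re.I)),
)


def normalise(cmdline):
    """Collapse runs of whitespace so padded or tab-separated variants still match."""
    return " ".join(cmdline.split())


def match_rules(cmdline):
    """Return the names of all rules matching one command line."""
    c = normalise(cmdline)
    return [name for name, rx in RULES if rx.search(c)]


def detect(events):
    """Return [(rule, pid, parent, cmdline)] for every rule hit in the events."""
    hits = []
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            hits.append((rule, ev["pid"], ev["parent"], ev["cmdline"]))
    return hits


def correlate_by_parent(hits):
    """Group rule names by parent process and keep parents with more than one
    distinct rule: shadow deletion, boot policy tampering and the ransom note
    launched from the same parent is the pattern described on this page, while a
    lone vssadmin call may be backup tooling."""
    by_parent = {}
    for rule, _pid, parent, _cmd in hits:
        by_parent.setdefault(parent, set()).add(rule)
    return {p: sorted(r) for p, r in by_parent.items() if len(r) > 1}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print("%-30s pid=%d parent=%s  %s" % hit)
    print("correlated:", correlate_by_parent(SAMPLE_EVENTS and found))
```

"vssadmin delete shadows" on its own does occur in legitimate backup or disk clean-up jobs, so treat the shadow-copy rule as a strong but not conclusive signal; the bcdedit boot-status change has little legitimate use on a workstation and, together with mshta opening vault.hta from the Desktop, pins the activity to this family.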
The trojan contains a URL and communicates with it over HTTP.
The trojan can download and execute a file from the Internet.