Win32/Filecoder [Threat Name]
Win32/Filecoder.NCS [Threat Variant Name]
| Field | Value |
| --- | --- |
| Category | trojan |
| Size | 297984 B |
| Aliases | Trojan-Ransom.win32.Rakhni.hi (Kaspersky), Trojan.Cryptolocker.E (Symantec) |
Short description
Win32/Filecoder.NCS is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\NENEC\windows.exe
The trojan executes the following command:
- %appdata%\NENEC\windows.exe start
Payload information
Win32/Filecoder.NCS is a trojan that encrypts files on fixed, removable and network drives.
The trojan searches for files with the following file extensions:
- .1cd
- .3fr
- .7z
- .accdb
- .ai
- .arw
- .backup
- .bay
- .cdr
- .cer
- .cr2
- .crt
- .crw
- .dbf
- .dcr
- .dds
- .der
- .dng
- .doc
- .docm
- .docx
- .dt
- .dwg
- .dxf
- .dxg
- .eml
- .eps
- .erf
- .indd
- .jpeg
- .jpg
- .kdc
- .md
- .mdb
- .mdf
- .mef
- .mrw
- .nef
- .nrw
- .odb
- .odc
- .odp
- .ods
- .odt
- .orf
- .p12
- .p7b
- .p7c
- .pdd
- .pef
- .pem
- .pfx
- .ppt
- .pptm
- .pptx
- .psd
- .pst
- .ptx
- .r3d
- .raf
- .rar
- .raw
- .rtf
- .rw2
- .rwl
- .sr2
- .srf
- .srw
- .tar
- .wb2
- .wpd
- .wps
- .x3f
- .xlk
- .xls
- .xlsb
- .xlsm
- .xlsx
- .zip
Only folders whose path does not contain one of the following strings are searched:
- Windows
The trojan encrypts the file content.
The trojan uses one of the following hash function and cipher pairs:
- SHA512, 3DES
- SHA512, AES
- SHA512, Blowfish
- SHA512, CAST-128
- SHA512, CAST-256
- SHA512, DES
- SHA512, GOST
- SHA512, ICE
- SHA512, IDEA
- SHA512, MARS
- SHA512, MISTY1
- SHA512, RC2
- SHA512, RC4
- SHA512, RC5
- SHA512, RC6
- SHA512, Serpent
- SHA512, TEA
- SHA512, Twofish
An additional .%variable1%_%variable2% extension is appended to each encrypted file.
%variable1% and %variable2% stand for strings with variable content.
The password is stored on the attacker's server.
To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
The trojan saves the list of encrypted files into the following file:
- %appdata%\NENEC\files.list
Information stealing
The trojan collects the following information:
- volume serial number
The trojan attempts to send gathered information to a remote machine.
The trojan contains a URL. The HTTP protocol is used for the communication.
Other information
The following Registry entries are created:
- [HKEY_CURRENT_USER\Software\NENEC]
- "FilesPath" = "%appdata%\NENEC\files.list"
- "ID" = "%hexhddserial%"
- "install" = "true"
- "msg" = "%appdata%\NENEC\msg.html"
- "path" = "%appdata%\NENEC\windows.exe"
The trojan creates the following files:
- %appdata%\NENEC\msg.html
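The installation, payload and registry artifacts described above can be turned into host-side detection logic. The following is an added example (not ESET's code) that matches Sysmon-style telemetry events against those indicators; the event records are constructed, %appdata% is assumed to expand to AppData\Roaming, the checked file extensions are a subset of the list above, and the appended .%variable1%_%variable2% part is assumed to be alphanumeric.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the description: drop directory, launch command and
# registry key. Paths are matched case-insensitively on the expanded %appdata%
# (assumed to be <profile>\AppData\Roaming).
NENEC_DIR = re.compile(r"\\AppData\\Roaming\\NENEC\\", re.I)
LAUNCH_CMD = re.compile(r'\\NENEC\\windows\.exe"?\s+start\s*$', re.I)
REG_KEY = re.compile(r"^HK(?:EY_CURRENT_USER|CU)\\Software\\NENEC(?:\\|$)", re.I)
# Subset of the targeted extensions listed above; the appended
# .%variable1%_%variable2% part is assumed to be alphanumeric (assumption).
TARGET_EXT = r"(?:doc|docx|xls|xlsx|jpg|jpeg|zip|rar|pst|dbf|mdb|pem|pfx)"
ENC_EXT = re.compile(r"\." + TARGET_EXT + r"\.[A-Za-z0-9]+_[A-Za-z0-9]+$", re.I)

def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the indicators one telemetry event matches."""
    hits = []
    kind = event.get("type", "")
    if kind == "process_create" and LAUNCH_CMD.search(event.get("cmdline", "")):
        hits.append("nenec_launch_command")
    if kind in ("file_create", "file_rename"):
        path = event.get("path", "")
        if NENEC_DIR.search(path):
            hits.append("nenec_appdata_drop")
        if ENC_EXT.search(path):
            hits.append("encrypted_double_extension")
    if kind == "registry_set" and REG_KEY.search(event.get("key", "")):
        hits.append("nenec_registry_key")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched indicators) for every matching event."""
    out = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out.append((i, hits))
    return out

# Constructed sample telemetry (not real captures) in a Sysmon-like shape.
SAMPLE_EVENTS = [
    {"type": "process_create", "cmdline": r'"C:\Users\bob\AppData\Roaming\NENEC\windows.exe" start'},
    {"type": "file_create", "path": r"C:\Users\bob\AppData\Roaming\NENEC\files.list"},
    {"type": "registry_set", "key": r"HKEY_CURRENT_USER\Software\NENEC", "value": "install"},
    {"type": "file_rename", "path": r"D:\share\budget.xlsx.A1B2_C3D4"},
    {"type": "file_create", "path": r"C:\Users\bob\Documents\notes.docx"},
    {"type": "process_create", "cmdline": r'"C:\Windows\System32\svchost.exe" -k netsvcs'},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

The first four sample events match one indicator each; the benign document write and the svchost launch produce no hits.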