Win32/Filecoder [Threat Name] go to Threat

Win32/Filecoder.NCS [Threat Variant Name]

Category trojan
Size 297984 B
Aliases Trojan-Ransom.win32.Rakhni.hi (Kaspersky)
  Trojan.Cryptolocker.E (Symantec)
Short description

Win32/Filecoder.NCS is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­NENEC\­windows.exe

The trojan executes the following command:

  • %appdata%\­NENEC\­windows.exe start
Payload information

Win32/Filecoder.NCS is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • .1cd
  • .3fr
  • .7z
  • .accdb
  • .ai
  • .arw
  • .backup
  • .bay
  • .cdr
  • .cer
  • .cr2
  • .crt
  • .crw
  • .dbf
  • .dcr
  • .dds
  • .der
  • .dng
  • .doc
  • .docm
  • .docx
  • .dt
  • .dwg
  • .dxf
  • .dxg
  • .eml
  • .eps
  • .erf
  • .indd
  • .jpeg
  • .jpg
  • .kdc
  • .md
  • .mdb
  • .mdf
  • .mef
  • .mrw
  • .nef
  • .nrw
  • .odb
  • .odc
  • .odp
  • .ods
  • .odt
  • .orf
  • .p12
  • .p7b
  • .p7c
  • .pdd
  • .pdf
  • .pef
  • .pem
  • .pfx
  • .ppt
  • .pptm
  • .pptx
  • .psd
  • .pst
  • .ptx
  • .r3d
  • .raf
  • .rar
  • .raw
  • .rtf
  • .rw2
  • .rwl
  • .sr2
  • .srf
  • .srw
  • .tar
  • .wb2
  • .wpd
  • .wps
  • .x3f
  • .xlk
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .zip

Only folders which do not contain one of the following string in their path are searched:

  • Windows

The trojan encrypts the file content.


Trojan uses one of the following encryption algorithms:

  • SHA512, 3DES
  • SHA512, AES
  • SHA512, Blowfish
  • SHA512, CAST-128
  • SHA512, CAST-256
  • SHA512, DES
  • SHA512, GOST
  • SHA512, ICE
  • SHA512, IDEA
  • SHA512, MARS
  • SHA512, MISTY1
  • SHA512, RC2
  • SHA512, RC4
  • SHA512, RC5
  • SHA512, RC6
  • SHA512, Serpent
  • SHA512, TEA
  • SHA512, Twofish

An additional .%variable1%_%variable2% extension is appended.


A string with variable content is used instead of %variable1-2% .


The password is stored on the attacker's server.


To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


The trojan saves the list of encrypted files into the following file:

  • %appdata%\­NENEC\­files.list
Information stealing

The trojan collects the following information:

  • volume serial number

The trojan attempts to send gathered information to a remote machine.


The trojan contains a URL address. The HTTP protocol is used in the communication.

Other information

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­NENEC]
    • "FilesPath" = "%appdata%\­NENEC\­files.list"
    • "ID" = "%hexhddserial%"
    • "install" = "true"
    • "msg" = "%appdata%\­NENEC\­msg.html"
    • "path" = "%appdata%\­NENEC\­windows.exe"

The trojan creates the following files:

  • %appdata%\­NENEC\­msg.html

Please enable Javascript to ensure correct displaying of this content and refresh this page.