Win32/Filecoder.Ouroboros [Threat Name]

Win32/Filecoder.Ouroboros.A [Threat Variant Name]

Category trojan
Size 1120256 B
Detection created Jul 19, 2018
Detection database version 17743
Aliases Trojan-Ransom.Win32.Crypmod.aacg (Kaspersky)
  Trojan.Encoder.25149 (Dr.Web)
Short description

Win32/Filecoder.Ouroboros.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to contact the attackers by e-mail and pay a certain amount of money in Bitcoin.

Installation

When executed, the trojan copies itself into the following location:

  • %startup%\setup.exe

This way the trojan ensures that the file is executed on every system start.

Payload information

Win32/Filecoder.Ouroboros.A is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches local, removable and network drives for files with one of the following extensions:

  • .zip
  • .7z
  • .rar
  • .pdf
  • .doc
  • .docx
  • .xls
  • .xlsx
  • .pptx
  • .pub
  • .one
  • .vsdx
  • .accdb
  • .asd
  • .xlsb
  • .mdb
  • .snp
  • .wbk
  • .ppt
  • .psd
  • .ai
  • .odt
  • .ods
  • .odp
  • .odm
  • .odc
  • .odb
  • .docm
  • .wps
  • .xlsm
  • .xlk
  • .pptm
  • .pst
  • .dwg
  • .dxfdxg
  • .wpd
  • .rtf
  • .wb2
  • .mdf
  • .dbf
  • .pdd
  • .eps
  • .indd
  • .cdr
  • .dng
  • .3fr
  • .arw
  • .srf
  • .sr2
  • .bay
  • .crw
  • .cr2
  • .dcr
  • .kdc
  • .erf
  • .mef
  • .mrw
  • .nef
  • .nrw
  • .orf
  • .raf
  • .raw
  • .rwl
  • .rw2
  • .r3d
  • .ptx
  • .pef
  • .srw
  • .x3f
  • .der
  • .cer
  • .crt
  • .pem
  • .pfx
  • .p12
  • .p7b
  • .p7c
  • .abw
  • .til
  • .aif
  • .arc
  • .as
  • .asc
  • .asf
  • .ashdisc
  • .asm
  • .asp
  • .aspx
  • .asx
  • .aup
  • .avi
  • .bbb
  • .bdb
  • .bibtex
  • .bkf
  • .bmp
  • .bpn
  • .btd
  • .bz2
  • .c
  • .cdi
  • .himmel
  • .cert
  • .cfm
  • .cgicpio
  • .cpp
  • .csr
  • .cue
  • .dds
  • .dem
  • .dmg
  • .dsb
  • .eddx
  • .edoc
  • .eml
  • .emlx
  • .EPS
  • .epub
  • .fdf
  • .ffu
  • .flv
  • .gam
  • .gcode
  • .gho
  • .gpx
  • .gz
  • .h
  • .hbk
  • .hdd
  • .hds
  • .hpp
  • .ics
  • .idml
  • .iff
  • .img
  • .ipd
  • .iso
  • .isz
  • .iwaj2k
  • .jp2
  • .jpf
  • .jpm
  • .jpx
  • .jsp
  • .jspa
  • .jspx
  • .jst
  • .key
  • .keynote
  • .kml
  • .kmz
  • .lic
  • .lwp
  • .lzma
  • .M3U
  • .M4A
  • .m4v
  • .max
  • .mbox
  • .md2
  • .mdbackup
  • .mddata
  • .mdinfo
  • .mds
  • .mid
  • .mov
  • .mp3
  • .mp4
  • .mpa
  • .mpb
  • .mpeg
  • .mpgmpj
  • .mpp
  • .msg
  • .mso
  • .nba
  • .nbf
  • .nbi
  • .nbu
  • .nbz
  • .nco
  • .nes
  • .note
  • .nrg
  • .nri
  • .afsnit
  • .ogg
  • .ova
  • .ovf
  • .oxps
  • .p2i
  • .p65
  • .p7
  • .pages
  • .pct
  • .PEM
  • .phtm
  • .phtml
  • .php
  • .php3
  • .php4
  • .php5
  • .phps
  • .phpx
  • .phpxx
  • .pl
  • .plistpmd
  • .pmx
  • .ppdf
  • .pps
  • .ppsm
  • .ppsx
  • .ps
  • .PSD
  • .pspimage
  • .pvm
  • .qcn
  • .qcow
  • .qcow2
  • .qt
  • .ra
  • .rm
  • .rtf
  • .s
  • .sbf
  • .set
  • .skb
  • .slf
  • .sme
  • .smm
  • .spb
  • .sql
  • .srt
  • .ssc
  • .ssi
  • .stg
  • .stl
  • .svg
  • .swf
  • .sxw
  • .syncdb
  • .tager
  • .tc
  • .textga
  • .thm
  • .tif
  • .tiff
  • .toast
  • .torrent
  • .txt
  • .vbk
  • .vcard
  • .vcd
  • .vcf
  • .vdi
  • .vfs4
  • .vhd
  • .vhdx
  • .vmdk
  • .vob
  • .wbverify
  • .wav
  • .webm
  • .wmb
  • .wpb
  • .WPS
  • .xdw
  • .xlr
  • .XLSX
  • .xz
  • .yuv
  • .zipx
  • .jpg
  • .jpeg
  • .png
  • .bmp

It avoids files which contain any of the following strings in their path:

  • Windows
  • Program Files (x86)
  • Program Files
  • ProgramData
  • AppData
  • Application Data
  • Local Settings

The trojan searches for files stored in the following folders:

  • %programfiles%\Steam\steamapps\common\

The trojan searches for files with the following file extensions:

  • .exe

The trojan encrypts the file content.


The name of the encrypted file is changed to:

  • %originalfilename%.king_ouroboros.%originalfileextension%
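
The renaming pattern above makes affected files easy to spot during incident response. The following Python is an added example and is neither ESET's nor the malware's code: it walks a file listing, recovers each original name from the `.king_ouroboros.` marker, counts which extensions were hit, and also picks out the ransom note and the `Common Files\log.txt` encrypted-file list that this page names further down. The listing, the path layout and the function names are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Naming pattern documented on the page:
#   %originalfilename%.king_ouroboros.%originalfileextension%
MARKER = "king_ouroboros"
_ENCRYPTED_NAME = re.compile(
    r"^(?P<stem>.+)\." + re.escape(MARKER) + r"\.(?P<ext>[^.]+)$"
)

# Ransom note name and encrypted-file log path, both taken from the page.
RANSOM_NOTE = "README!!! ALL YOUR FILES HAVE BEEN SECURELY ENCRYPTED!!!.txt"
ENCRYPTED_FILE_LOG = r"\Common Files\log.txt"

# Constructed sample listing (not from a real infection) for the demo below.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.king_ouroboros.xlsx",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\holiday.king_ouroboros.jpg",
    r"C:\Users\alice\Desktop\README!!! ALL YOUR FILES HAVE BEEN SECURELY ENCRYPTED!!!.txt",
    r"C:\Program Files\Common Files\log.txt",
]


def _split(path: str) -> Tuple[str, str]:
    """Split a path into (folder with trailing separator, basename)."""
    idx = max(path.rfind("\\"), path.rfind("/"))
    return ("", path) if idx < 0 else (path[: idx + 1], path[idx + 1 :])


def parse_encrypted_name(path: str) -> Optional[Tuple[str, str]]:
    """Return (original_path, original_extension) when the basename carries
    the marker; None for any other file."""
    folder, base = _split(path)
    m = _ENCRYPTED_NAME.match(base)
    if not m:
        return None
    return folder + m.group("stem") + "." + m.group("ext"), m.group("ext")


def triage(listing: Iterable[str]) -> Dict[str, object]:
    """Summarise a listing: renamed files with their original names, ransom
    note locations, the trojan's own log file and a per-extension count."""
    encrypted: List[Tuple[str, str]] = []
    notes: List[str] = []
    logs: List[str] = []
    by_ext: Dict[str, int] = {}
    for path in listing:
        _, base = _split(path)
        parsed = parse_encrypted_name(path)
        if parsed:
            original, ext = parsed
            encrypted.append((path, original))
            by_ext[ext.lower()] = by_ext.get(ext.lower(), 0) + 1
        elif base == RANSOM_NOTE:
            notes.append(path)
        elif path.lower().endswith(ENCRYPTED_FILE_LOG.lower()):
            logs.append(path)
    return {"encrypted": encrypted, "ransom_notes": notes,
            "file_logs": logs, "by_extension": by_ext}


if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for path, original in summary["encrypted"]:
        print(f"{path}  <-  {original}")
    print("ransom notes:", summary["ransom_notes"])
    print("encrypted-file log:", summary["file_logs"])
    print("hit extensions:", summary["by_extension"])
```

Feed `triage()` the output of a recursive directory listing (or a file-system timeline) to get the count of affected files per share and the original names to restore from backup; the recovered name is a string computation only, the content stays encrypted.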

The AES encryption algorithm is used.


To decrypt the files, the user is asked to contact the attackers by e-mail and pay a certain amount of money in Bitcoin.


The trojan displays the following dialog box:

The trojan saves the list of encrypted files into the following file:

  • %programfiles%\Common Files\log.txt

Information stealing

Win32/Filecoder.Ouroboros.A is a trojan that steals sensitive information.


The following information is collected:

  • computer name
  • volume serial number

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of 2 URLs. The HTTP protocol is used in the communication.

Other information

The trojan removes all of the volume shadow copies in order to prevent restoring the original files.


The trojan may delete the following folders:

  • C:\$Recycle.Bin\%userSID%\

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    • "legalnoticecaption" = "Your files have been safely encrypted!!"
    • "legalnoticetext" = "The only way to decrypt your files is by using a decryption key. To get an encryption key send an email to %removed%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1

The trojan executes the following commands:

  • vssadmin.exe Delete Shadows /All /Quiet
  • bcdedit /set {default} recoveryenabled No
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • shutdown -r -f -t 8
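
The commands above and the policy registry values listed under the same heading are strong detection signals on their own; seen together on one host within a few minutes they leave little doubt. The Python below is an added example, not ESET's or the malware's code: it matches Sysmon-style process-creation and registry-set events against those indicators and raises an alert when two or more distinct indicators fire on one host inside a ten-minute window. The event line layout, host names and timestamps are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Indicators derived from the commands and policy registry values on this page.
INDICATORS = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit.*recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored", re.compile(r"bcdedit.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("forced_reboot", re.compile(r"shutdown\s+[-/]r\b.*[-/]f\b", re.I)),
    ("legal_notice_policy", re.compile(r"Policies\\System\\legalnotice(caption|text)$", re.I)),
    ("taskmgr_disabled", re.compile(r"Policies\\System\\DisableTaskMgr$", re.I)),
]

# Assumed event layout (constructed, not a real log format):
#   <iso timestamp> host=<name> type=<kind> CommandLine="..." | TargetObject="..."
_EVENT = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+type=(?P<type>\S+)\s+'
    r'(?:CommandLine|TargetObject)="(?P<value>.*)"$'
)

# Constructed sample events; WS01 shows the full sequence, WS02 a benign
# vssadmin call, WS03 a single indicator that should not alert on its own.
SAMPLE_EVENTS = [
    r'2024-01-15T10:02:11 host=WS01 type=ProcessCreate CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    r'2024-01-15T10:02:12 host=WS01 type=ProcessCreate CommandLine="bcdedit /set {default} recoveryenabled No"',
    r'2024-01-15T10:02:12 host=WS01 type=ProcessCreate CommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    r'2024-01-15T10:02:30 host=WS01 type=RegistryValueSet TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption"',
    r'2024-01-15T10:02:40 host=WS01 type=ProcessCreate CommandLine="shutdown -r -f -t 8"',
    r'2024-01-15T11:30:00 host=WS02 type=ProcessCreate CommandLine="vssadmin.exe List Shadows"',
    r'2024-01-16T09:00:00 host=WS03 type=ProcessCreate CommandLine="bcdedit /set {default} recoveryenabled No"',
]


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Parse one event line into its fields; None if it does not fit the layout."""
    m = _EVENT.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "type": m["type"], "value": m["value"]}


def match_indicators(value: str) -> List[str]:
    """Names of every indicator whose pattern matches a command line or registry path."""
    return [name for name, pattern in INDICATORS if pattern.search(value)]


def correlate(lines, window: timedelta = timedelta(minutes=10),
              min_distinct: int = 2) -> Dict[str, List[str]]:
    """Group indicator hits per host and flag hosts where at least
    `min_distinct` different indicators fire within `window`."""
    hits: Dict[str, List] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name in match_indicators(ev["value"]):
            hits[ev["host"]].append((ev["ts"], name))
    alerts: Dict[str, List[str]] = {}
    for host, events in hits.items():
        events.sort()
        for start, _ in events:
            names = {n for ts, n in events if start <= ts <= start + window}
            if len(names) >= min_distinct:
                alerts[host] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(names)}")
```

A lone `bcdedit` or `vssadmin` call has legitimate uses, which is why the correlation requires two distinct indicators; for the shadow-copy deletion alone, most teams still alert at lower severity because it is the step that destroys the cheapest recovery path.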

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLinkedConnections" = 1

The trojan creates the following file:

  • %desktop%\README!!! ALL YOUR FILES HAVE BEEN SECURELY ENCRYPTED!!!.txt

It contains the following text:

  • All your files have been encrypted!
  • The encryption key has been sent online and is not public.
  • You have 10 days time to contact us or you will lose your data.
  • The only way you can recover your files is to buy a decryption key.
  • The payment method is: Bitcoins.  The price is: %removed%
  • For instruction on recovery send an email to: %removed%
  • We will reply within 48 hours.
  • DO NOT USE ANY ANTIVIRUS PROGRAMS. YOU WILL NOT BE ABLE TO RECOVER YOUR FILES!
  • Include this ID in the email you send to us: %removed%

The following file is dropped:

  • %programfiles%\Common Files\wallpaper.jpg

This file/image is set as a wallpaper.

The trojan keeps various information in the following files:

  • %programfiles%\Common Files\%variable1%%variable1%
  • %programfiles%\Common Files\%variable2%

A string with variable content is used instead of %variable1-2%.
