Win32/Filecoder.Ouroboros [Threat Name]
Win32/Filecoder.Ouroboros.A [Threat Variant Name]
Category | trojan |
Size | 1120256 B |
Aliases | Trojan-Ransom.Win32.Crypmod.aacg (Kaspersky), Trojan.Encoder.25149 (Dr.Web) |
Short description
Win32/Filecoder.Ouroboros.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to send information and to pay a certain amount of money via the Bitcoin payment service.
Installation
When executed, the trojan copies itself into the following location:
- %startup%\setup.exe
This ensures that the trojan is executed on every system start.
Payload information
Win32/Filecoder.Ouroboros.A is a trojan that encrypts files on fixed, removable and network drives.
The trojan searches local, removable and network drives for files with one of the following extensions:
- .zip
- .7z
- .rar
- .doc
- .docx
- .xls
- .xlsx
- .pptx
- .pub
- .one
- .vsdx
- .accdb
- .asd
- .xlsb
- .mdb
- .snp
- .wbk
- .ppt
- .psd
- .ai
- .odt
- .ods
- .odp
- .odm
- .odc
- .odb
- .docm
- .wps
- .xlsm
- .xlk
- .pptm
- .pst
- .dwg
- .dxf
- .dxg
- .wpd
- .rtf
- .wb2
- .mdf
- .dbf
- .pdd
- .eps
- .indd
- .cdr
- .dng
- .3fr
- .arw
- .srf
- .sr2
- .bay
- .crw
- .cr2
- .dcr
- .kdc
- .erf
- .mef
- .mrw
- .nef
- .nrw
- .orf
- .raf
- .raw
- .rwl
- .rw2
- .r3d
- .ptx
- .pef
- .srw
- .x3f
- .der
- .cer
- .crt
- .pem
- .pfx
- .p12
- .p7b
- .p7c
- .abw
- .til
- .aif
- .arc
- .as
- .asc
- .asf
- .ashdisc
- .asm
- .asp
- .aspx
- .asx
- .aup
- .avi
- .bbb
- .bdb
- .bibtex
- .bkf
- .bmp
- .bpn
- .btd
- .bz2
- .c
- .cdi
- .himmel
- .cert
- .cfm
- .cgi
- .cpio
- .cpp
- .csr
- .cue
- .dds
- .dem
- .dmg
- .dsb
- .eddx
- .edoc
- .eml
- .emlx
- .EPS
- .epub
- .fdf
- .ffu
- .flv
- .gam
- .gcode
- .gho
- .gpx
- .gz
- .h
- .hbk
- .hdd
- .hds
- .hpp
- .ics
- .idml
- .iff
- .img
- .ipd
- .iso
- .isz
- .iwa
- .j2k
- .jp2
- .jpf
- .jpm
- .jpx
- .jsp
- .jspa
- .jspx
- .jst
- .key
- .keynote
- .kml
- .kmz
- .lic
- .lwp
- .lzma
- .M3U
- .M4A
- .m4v
- .max
- .mbox
- .md2
- .mdbackup
- .mddata
- .mdinfo
- .mds
- .mid
- .mov
- .mp3
- .mp4
- .mpa
- .mpb
- .mpeg
- .mpg
- .mpj
- .mpp
- .msg
- .mso
- .nba
- .nbf
- .nbi
- .nbu
- .nbz
- .nco
- .nes
- .note
- .nrg
- .nri
- .afsnit
- .ogg
- .ova
- .ovf
- .oxps
- .p2i
- .p65
- .p7
- .pages
- .pct
- .PEM
- .phtm
- .phtml
- .php
- .php3
- .php4
- .php5
- .phps
- .phpx
- .phpxx
- .pl
- .plist
- .pmd
- .pmx
- .ppdf
- .pps
- .ppsm
- .ppsx
- .ps
- .PSD
- .pspimage
- .pvm
- .qcn
- .qcow
- .qcow2
- .qt
- .ra
- .rm
- .rtf
- .s
- .sbf
- .set
- .skb
- .slf
- .sme
- .smm
- .spb
- .sql
- .srt
- .ssc
- .ssi
- .stg
- .stl
- .svg
- .swf
- .sxw
- .syncdb
- .tager
- .tc
- .tex
- .tga
- .thm
- .tif
- .tiff
- .toast
- .torrent
- .txt
- .vbk
- .vcard
- .vcd
- .vcf
- .vdi
- .vfs4
- .vhd
- .vhdx
- .vmdk
- .vob
- .wbverify
- .wav
- .webm
- .wmb
- .wpb
- .WPS
- .xdw
- .xlr
- .XLSX
- .xz
- .yuv
- .zipx
- .jpg
- .jpeg
- .png
- .bmp
It skips files whose path contains any of the following strings:
- Windows
- Program Files (x86)
- Program Files
- ProgramData
- AppData
- Application Data
- Local Settings
The trojan searches for files stored in the following folders:
- %programfiles%\Steam\steamapps\common\
The trojan searches for files with the following file extensions:
- .exe
The trojan encrypts the file content.
The name of the encrypted file is changed to:
- %originalfilename%.king_ouroboros.%originalfileextension%
The AES encryption algorithm is used.
To decrypt the files, the user is asked to send information and to pay a certain amount of money via the Bitcoin payment service.
The trojan displays the following dialog box:
The trojan saves the list of encrypted files into the following file:
- %programfiles%\Common Files\log.txt
Information stealing
Win32/Filecoder.Ouroboros.A is a trojan that steals sensitive information.
The following information is collected:
- computer name
- volume serial number
The trojan attempts to send gathered information to a remote machine.
The trojan contains a list of 2 URLs. The HTTP protocol is used in the communication.
Other information
The trojan removes all of the volume shadow copies in order to prevent restoring the original files.
The trojan may delete the following folders:
- C:\$Recycle.Bin\%userSID%\
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
- "legalnoticecaption" = "Your files have been safely encrypted!!"
- "legalnoticetext" = "The only way to decrypt your files is by using a decryption key. To get an encryption key send an email to %removed%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "DisableTaskMgr" = 1
The trojan executes the following commands:
- vssadmin.exe Delete Shadows /All /Quiet
- bcdedit /set {default} recoveryenabled No
- bcdedit /set {default} bootstatuspolicy ignoreallfailures
- shutdown -r -f -t 8
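As an added example (not part of the ESET description), the following Python triage helper recovers the original file name from the %originalfilename%.king_ouroboros.%originalfileextension% rename pattern described above and flags the recovery-disabling command lines listed above in process-creation log lines. The sample paths and the log-line format are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Encrypted-file naming used by Win32/Filecoder.Ouroboros.A (from the description above):
#   %originalfilename%.king_ouroboros.%originalfileextension%
ENCRYPTED_NAME = re.compile(r"^(?P<stem>.+)\.king_ouroboros\.(?P<ext>[^.]+)$")

# Recovery-disabling command lines the trojan executes (from the description above).
RECOVERY_TAMPERING = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I),
    re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
]


def original_name(path: str):
    """Return the pre-encryption file name of a renamed file, or None if the
    name does not carry the .king_ouroboros. marker."""
    m = ENCRYPTED_NAME.match(PureWindowsPath(path).name)
    if m is None:
        return None
    return f"{m.group('stem')}.{m.group('ext')}"


def find_encrypted(paths):
    """Map every path that carries the rename marker to the name it had
    before encryption (stem plus the original extension)."""
    return {p: original_name(p) for p in paths if original_name(p) is not None}


def flag_recovery_tampering(log_lines):
    """Return the process-creation log lines whose command line matches one of
    the trojan's shadow-copy / boot-recovery tampering commands."""
    return [line for line in log_lines if any(rx.search(line) for rx in RECOVERY_TAMPERING)]


if __name__ == "__main__":
    # Constructed sample data (hypothetical paths and log lines, not from the page).
    sample_paths = [
        r"C:\Users\alice\Documents\budget.king_ouroboros.xlsx",
        r"D:\photos\IMG_0001.king_ouroboros.cr2",
        r"C:\Users\alice\Documents\notes.txt",
    ]
    sample_log = [
        "pid=4120 image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe Delete Shadows /All /Quiet",
        "pid=4122 image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /set {default} recoveryenabled No",
        "pid=4130 image=C:\\Windows\\explorer.exe cmd=explorer.exe",
    ]
    for enc, orig in find_encrypted(sample_paths).items():
        print(f"encrypted: {enc} (was {orig})")
    for line in flag_recovery_tampering(sample_log):
        print(f"recovery tampering: {line}")
```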
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
- "EnableLinkedConnections" = 1
The trojan creates the following file:
- %desktop%\README!!! ALL YOUR FILES HAVE BEEN SECURELY ENCRYPTED!!!.txt
It contains the following text:
- All your files have been encrypted!
- The encryption key has been sent online and is not public.
- You have 10 days time to contact us or you will lose your data.
- The only way you can recover your files is to buy a decryption key.
- The payment method is: Bitcoins. The price is: %removed%
- For instruction on recovery send an email to: %removed%
- We will reply within 48 hours.
- DO NOT USE ANY ANTIVIRUS PROGRAMS. YOU WILL NOT BE ABLE TO RECOVER YOUR FILES!
- Include this ID in the email you send to us: %removed%
The following file is dropped:
- %programfiles%\Common Files\wallpaper.jpg
This image is set as the desktop wallpaper.
The trojan stores various information in the following files:
- %programfiles%\Common Files\%variable1%%variable1%
- %programfiles%\Common Files\%variable2%
A string with variable content is used instead of %variable1-2%.