Win32/Filecoder.Phobos [Threat Name]

Win32/Filecoder.Phobos.C [Threat Variant Name]

Category trojan
Size 58368 B
Aliases Ransom:Win32/Phobos.V!MTB (Microsoft)
  Ransom.Crysis (Symantec)
  Trojan.Encoder.31034 (Dr.Web)
Short description

Win32/Filecoder.Phobos.C is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed the trojan copies itself in the following locations:

  • %localappdata%\%originalmalwarefilename%
  • %startup%\%originalmalwarefilename%
  • %commonaltstartup%\%originalmalwarefilename%

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%originalmalwarefilename%" = "%localappdata%\%originalmalwarefilename%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%originalmalwarefilename%" = "%localappdata%\%originalmalwarefilename%"

This causes the trojan to be executed on every system start.
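A defender-side check for the persistence shape just described: a Run value whose name is the executable's own file name and whose data points at that executable directly under %localappdata%. This is an added example, not code from the write-up or from ESET. It takes Run-key entries as plain (key, name, data) tuples read out of band, expands %localappdata% from a supplied mapping rather than the live environment, and copes with quoted command lines and unquoted paths containing spaces. All names, paths and environment values in the sample are constructed placeholders, not indicators.

```python
import ntpath
import re


def expand_windows_vars(path, env):
    """Expand %VAR% references from a supplied mapping (keys lower-case), so the
    check behaves the same on any host instead of depending on os.environ."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def executable_from_command(command):
    """Pull the image path out of a Run value: a quoted path is taken as-is,
    otherwise tokens are joined up to the first one ending in .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return command


def flag_run_entries(entries, env):
    """entries: iterable of (key, value_name, value_data) read from the
    CurrentVersion\\Run keys. Returns the entries matching the shape in the
    write-up: value name equals the executable's basename and the executable
    sits directly under %localappdata%."""
    local_dir = ntpath.normcase(expand_windows_vars("%localappdata%", env))
    flagged = []
    for key, name, data in entries:
        exe = ntpath.normcase(expand_windows_vars(executable_from_command(data), env))
        directory, base = ntpath.split(exe)
        if directory == local_dir and ntpath.normcase(name) == base:
            flagged.append((key, name, data))
    return flagged


# Constructed sample (placeholder names and paths, not indicators from the write-up).
SAMPLE_ENV = {
    "localappdata": r"C:\Users\alice\AppData\Local",
    "programfiles": r"C:\Program Files",
}
SAMPLE_ENTRIES = [
    # The two shapes the write-up describes (HKLM and HKCU), with the value name
    # equal to the file name and the file directly under %localappdata%.
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "sample.exe", r"%localappdata%\sample.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "sample.exe", r"C:\Users\alice\AppData\Local\sample.exe"),
    # Ordinary entries that must not fire: quoted path in a subdirectory, and a
    # program under %programfiles%.
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "SyncClient",
     r'"C:\Users\alice\AppData\Local\SyncVendor\sync.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"%programfiles%\Vendor App\updater.exe"),
]

if __name__ == "__main__":
    for key, name, data in flag_run_entries(SAMPLE_ENTRIES, SAMPLE_ENV):
        print(f"suspicious Run entry: {key} -> {name} = {data}")
```

The check is deliberately narrow (directory equality, not prefix match) so that legitimate per-user software installed in its own subfolder of %localappdata% does not fire; a broader hunt would relax that to a prefix test and review the hits by hand.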

Payload information

Win32/Filecoder.Phobos.C is a trojan that encrypts files on fixed, removable and network drives.

The trojan searches for files with the following file extensions:

  • *.*

It avoids files from the following directories:

  • %programdata%\microsoft\windows\caches
  • %windir%

It avoids files with the following filenames:

  • boot.ini
  • bootfont.bin
  • ikjgf.txt
  • info.hta
  • info.txt
  • io.sys
  • ntdetect.com
  • ntldr

It avoids files with the following extensions:

  • .actin
  • .Acton
  • .actor
  • .Acuff
  • .Acuna
  • .acute
  • .adage
  • .Adair
  • .Adame
  • .banhu
  • .banjo
  • .Banks
  • .Banta
  • .Barak
  • .bbc
  • .blend
  • .bqux
  • .Caleb
  • .Cales
  • .Caley
  • .calix
  • .Calle
  • .Calum
  • .Calvo
  • .CAPITAL
  • .com
  • .DDoS
  • .deuce
  • .Dever
  • .devil
  • .Devoe
  • .Devon
  • .Devos
  • .dewar
  • .eight
  • .eject
  • .eking
  • .Elbie
  • .elbow
  • .elder
  • .help
  • .KARLOS
  • .karma
  • .mamba
  • .phobos
  • .phoenix
  • .PLUT
  • .WALLET

The trojan encrypts the file content.

An additional ".id[%variable1%-%variable2%].[%emailaddress%].dewar" extension is appended.

A string with variable content is used instead of %variable1% and %variable2%.

The RSA and AES encryption algorithms are used.

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
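When triaging an affected share, the appended extension is the quickest way to tell which files this variant touched and to recover the victim id and contact address from the file names themselves. The following parser is an added example, not code from the write-up or from ESET. It treats the two id fields and the address as opaque strings, because the write-up only says they have variable content, and it requires the trailing ".dewar" so that files carrying other extensions on the skip list (".phobos", ".help", and so on) are reported as untouched rather than guessed at. The file names, ids and address in the sample listing are constructed placeholders.

```python
import re
from collections import Counter

# Marker appended by this variant, per the write-up:
#   .id[<variable1>-<variable2>].[<e-mail address>].dewar
PHOBOS_SUFFIX = re.compile(
    r"\.id\[(?P<id1>[^\]-]+)-(?P<id2>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.dewar$",
    re.IGNORECASE,
)


def parse_phobos_name(filename):
    """Return the original name and the marker fields for a file renamed by
    this variant, or None when the name does not carry the full marker."""
    m = PHOBOS_SUFFIX.search(filename)
    if not m:
        return None
    return {
        "original": filename[: m.start()],
        "id1": m.group("id1"),
        "id2": m.group("id2"),
        "email": m.group("email"),
    }


def triage_listing(filenames):
    """Summarise a directory listing: which names carry the marker (with the
    original names restored), which are untouched, and which victim ids and
    contact addresses appear. Several ids in one listing usually means more
    than one infected host wrote to the share."""
    encrypted, untouched = [], []
    ids, emails = Counter(), Counter()
    for name in filenames:
        parsed = parse_phobos_name(name)
        if parsed is None:
            untouched.append(name)
            continue
        encrypted.append(parsed["original"])
        ids[(parsed["id1"], parsed["id2"])] += 1
        emails[parsed["email"]] += 1
    return {
        "encrypted": encrypted,
        "untouched": untouched,
        "ids": dict(ids),
        "emails": dict(emails),
    }


# Constructed sample listing; ids and address are placeholders, not indicators.
SAMPLE_LISTING = [
    "budget.xlsx.id[AAAA1111-2222].[contact@example.invalid].dewar",
    "notes.txt.id[AAAA1111-2222].[contact@example.invalid].dewar",
    "info.txt",          # ransom note dropped by the trojan, on its own skip list
    "boot.ini",          # on the file-name skip list
    "photo.jpg.phobos",  # extension from the skip list, not this variant's marker
]

if __name__ == "__main__":
    summary = triage_listing(SAMPLE_LISTING)
    print(f"{len(summary['encrypted'])} encrypted, {len(summary['untouched'])} untouched")
    print("ids:", summary["ids"])
    print("contact addresses:", summary["emails"])
```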


The following files are dropped:

  • %drive%\info.txt
  • %desktop%\info.txt
  • %commondesktopdirectory%\info.txt

It contains the following text:

!!!All of your files are encrypted!!! To decrypt them send e-mail to this address: %emailaddress1% and this: %emailaddress2% For ease of communication you can install the telegram messenger. Messenger site https://telegram.org/ To find us, enter the alias %telegramid% in the messenger search box. jabber: %jabberemailaddress%

The following files are dropped:

  • %drive%\info.hta
  • %desktop%\info.hta
  • %commondesktopdirectory%\info.hta

The trojan executes the following commands:

  • %drive%\info.hta
  • %desktop%\info.hta
  • %commondesktopdirectory%\info.hta


Other information

The trojan executes the following commands:

  • vssadmin delete shadows /all /quiet
  • wmic shadowcopy delete
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • bcdedit /set {default} recoveryenabled no
  • wbadmin delete catalog -quiet
  • netsh advfirewall set currentprofile state off
  • netsh firewall set opmode mode=disable
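The commands above are the trojan removing recovery options (shadow copies, the backup catalog, automatic repair) and the host firewall; each of them is also a legitimate administrative tool, so detection has to key on the destructive sub-command rather than the tool name, and gains confidence when one parent process launches several of them in a row. The following detection logic is an added example, not code from the write-up or from ESET. It assumes a process-creation log with `ppid=` and `cmd="..."` fields (a constructed format), classifies each command line against the shapes listed above, and then groups hits by parent process; the sample log lines, hosts and pids are constructed.

```python
import re

# One rule per defensive capability being removed; each anchors on the tool
# name and the destructive sub-command so read-only uses (vssadmin list
# shadows, netsh ... show ...) do not fire.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("boot_recovery_tampering",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("boot_recovery_tampering",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("firewall_disable",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\badvfirewall\s+set\b.*\bstate\s+off\b", re.I)),
    ("firewall_disable",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\bfirewall\s+set\s+opmode\b.*\bmode=disable\b", re.I)),
]

# Constructed log format: key=value fields, command line in double quotes.
LOG_LINE = re.compile(r'ppid=(?P<ppid>\d+)\s.*?cmd="(?P<cmd>[^"]*)"')


def classify_command(command_line):
    """Return the category of the first matching rule, or None."""
    for name, pattern in RULES:
        if pattern.search(command_line):
            return name
    return None


def scan_log(lines):
    """Parse each log line and keep those whose command line matches a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        category = classify_command(m.group("cmd"))
        if category:
            hits.append({"ppid": m.group("ppid"), "category": category, "cmd": m.group("cmd")})
    return hits


def correlate_by_parent(hits, min_categories=2):
    """Parents that launched commands from at least min_categories distinct
    categories: one process tearing down several recovery mechanisms is the
    pattern the write-up describes, and is far rarer than a lone admin command."""
    by_parent = {}
    for h in hits:
        by_parent.setdefault(h["ppid"], set()).add(h["category"])
    return {p: sorted(c) for p, c in by_parent.items() if len(c) >= min_categories}


# Constructed sample log (hosts, pids and paths are placeholders).
SAMPLE_LOG = [
    r'ts=1 host=WS01 pid=4120 ppid=3988 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"',
    r'ts=2 host=WS01 pid=4131 ppid=3988 image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"',
    r'ts=3 host=WS01 pid=4140 ppid=3988 image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled no"',
    r'ts=4 host=WS01 pid=4150 ppid=3988 image=C:\Windows\System32\netsh.exe cmd="netsh advfirewall set currentprofile state off"',
    r'ts=5 host=WS01 pid=5200 ppid=1200 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"',
    r'ts=6 host=WS01 pid=5210 ppid=1200 image=C:\Windows\System32\netsh.exe cmd="netsh advfirewall show allprofiles"',
    r'ts=7 host=WS01 pid=5300 ppid=2400 image=C:\Windows\System32\wbadmin.exe cmd="wbadmin delete catalog -quiet"',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"[{h['category']}] ppid={h['ppid']} {h['cmd']}")
    print("high-confidence parents:", correlate_by_parent(found))
```

In the sample, parent 3988 launches three distinct categories and is reported; parent 2400 has a single backup-catalog deletion, which still deserves a look but is left at rule level; the two read-only queries under 1200 do not match at all.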

The trojan terminates processes with any of the following strings in the name:

  • agntsvc.exe
  • dbeng50.exe
  • dbsnmp.exe
  • encsvc.exe
  • excel.exe
  • firefoxconfig.exe
  • infopath.exe
  • isqlplussvc.exe
  • msaccess.exe
  • msftesql.exe
  • mspub.exe
  • mydesktopqos.exe
  • mydesktopservice.exe
  • mysqld.exe
  • mysqld-nt.exe
  • mysqld-opt.exe
  • ocautoupds.exe
  • ocomm.exe
  • ocssd.exe
  • onenote.exe
  • oracle.exe
  • outlook.exe
  • powerpnt.exe
  • sqbcoreservice.exe
  • sqlagent.exe
  • sqlbrowser.exe
  • sqlserver.exe
  • sqlwriter.exe
  • steam.exe
  • synctime.exe
  • tbirdconfig.exe
  • thebat.exe
  • thebat64.exe
  • thunderbird.exe
  • visio.exe
  • winword.exe
  • wordpad.exe
  • xfssvccon.exe

The trojan's configuration may be loaded from a separate file, which may affect the behavior of the trojan.
