Win32/ZinoCrypt [Threat Name] go to Threat

Win32/ZinoCrypt.A [Threat Variant Name]

Category	trojan
Size	268288 B
Aliases	Trojan.Win32.Deshacop.fbj (Kaspersky)
	Ransom:Win32/Ranscrape (Microsoft)

Short description

Win32/ZinoCrypt.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan creates the following folder:

%appdata%\Oracle\

The trojan may create the following files:

%appdata%\Password.txt
%appdata%\SETTINGS00007.BIN
%appdata%\SETTINGS00008.BIN
%appdata%\SETTINGS00009.jpg
%existingfolder%\ZINO_NOTE.TXT
%existingfolder%\Attention.vbs

The trojan may create copies of itself using the following filenames:

%windir%\dllhost.exe
%appdata%\Oracle\AdapterTroubleshooter.exe

This copy of the trojan is then executed.

The trojan may set the following Registry entries:

[HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
- "(Default)" = "%malwarefilepath%"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "Microsoft Distributed Transaction Coordinator Service" = "Rundll32.exe shell32.dll, ShellExec_RunDLL %windir%\dllhost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Microsoft Distributed Transaction Coordinator Service" = "Rundll32.exe shell32.dll, ShellExec_RunDLL %windir%\dllhost.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "*UserInit" = "%windir%\dllhost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "*UserInit" = "%windir%\dllhost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%existingfile%]
- "Debugger" = "%windir%\dllhost.exe"
[HKEY_CURRENT_USER\Control Panel\Desktop]
- "Wallpaper" = "%appdata%\SETTINGS00009.jpg"
- "WallpaperStyle" = "2"
- "TitleWallpaper" = "0"

The trojan may delete the following folders:

%appdata%\Oracle\

The trojan may delete the following files:

%appdata%\SETTINGS00008.BIN
%windir%\dllhost.exe

The trojan may delete the following Registry entries:

[HKEY_CURRENT_USER\Software\Classes\mscfile]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "Microsoft Distributed Transaction Coordinator Service"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Microsoft Distributed Transaction Coordinator Service"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "*UserInit"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "*UserInit"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%existingfile%]
- "Debugger"

Payload information

Win32/ZinoCrypt.A is a trojan that encrypts files on fixed, removable and network drives.

The trojan searches local, removable and network drives for files with one of the following extensions:

.0
.1CD
.1PA
.1ST
.2BP
.36
.3DM
.3DS
.3FR
.3G2
.3GP
.411
.4DB
.4DL
.4MP
.73I
.7Z
.8XI
.9PNG
.A3D
.AB4
.ABM
.ABS
.ABW
.ACCDB
.ACCDC
.ACCDE
.ACCDR
.ACCDT
.ACCDW
.ACCFT
.ACT
.ADB
.ADN
.ADP
.ADS
.AES
.AES
.AF2
.AF3
.AFS
.AFT
.AFX
.AGIF
.AGP
.AHD
.ACH
.AI
.AI
.AIC
.AIF
.AIM
.AIT
.AL
.ALBM
.ALF
.ANI
.ANS
.APD
.APJ
.APK
.APM
.APNG
.APS
.APT
.APX
.ARC
.ARC
.ARCH00
.ART
.ARTWORK
.ARW
.ASC
.ASC
.ASCII
.ASE
.ASF
.ASF
.ASK
.ASM
.ASM
.ASP
.ASP
.ASSET
.ASW
.ASX
.ASY
.ATY
.AVATAR
.AVI
.AWDB
.AWP
.AWT
.AWW
.AZZ
.BACK
.BACKUP
.BAK
.BAK
.BANK
.BAR
.BAT
.BAT
.BAT
.BAY
.BBS
.BC6
.BC7
.BD
.BDB
.BDP
.BDR
.BEAN
.BETTER_CALL_SAUL
.BGT
.BIB
.BIG
.BIK
.BKF
.BKP
.BLEND
.BLKRT
.BLOB
.BM2
.BMP
.BMP
.BMX
.BMZ
.BNA
.BND
.BOC
.BOK
.BPW
.BRD
.BRD
.BREAKINGBAD
.BRK
.BRN
.BRT
.BSA
.BSS
.BTD
.BTI
.BTR
.BYU
.BZ2
.BZABW
.C
.C
.C4
.C4D
.CAL
.CALS
.CAN
.CAS
.CD5
.CDB
.CDC
.CDF
.CDG
.CDMM
.CDMT
.CDMTZ
.CDMZ
.CDR
.CDR3
.CDR4
.CDR6
.CDRW
.CDT
.CDX
.CE1
.CE2
.CER
.CF
.CFG
.CFP
.CFR
.CFU
.CGM
.CGM
.CIMG
.CIN
.CIT
.CKP
.CLASS
.CLASS
.CLKW
.CLS
.CMA
.CMD
.CMD
.CMT
.CMX
.CNM
.CNT
.CNV
.COLZ
.CPC
.CPD
.CPG
.CPI
.CPP
.CPP
.CPP
.CPS
.CPT
.CPX
.CR2
.CRAW
.CRD
.CRT
.CRT
.CRW
.CRWL
.CS
.CSH
.CSL
.CSR
.CSR
.CSS
.CSV
.CSV
.CSY
.CT
.CV5
.CVG
.CVI
.CVS
.CVX
.CWT
.CXF
.CYI
.D3DBSP
.DAC
.DACONNECTIONS
.DACPAC
.DAD
.DADIAGRAMS
.DAF
.DAS
.DASCHEMA
.DAT
.DAZIP
.DB
.DB0
.DB2
.DB3
.DBA
.DBC
.DBF
.DBF
.DBK
.DBR
.DBS
.DB-SHM
.DBT
.DBV
.DB-WAL
.DBX
.DC2
.DCA
.DCB
.DCR
.DCS
.DCT
.DCX
.DDD
.DDL
.DDOC
.DDS
.DED
.DER
.DES
.DESC
.DESIGN
.DF1
.DGC
.DGN
.DGS
.DGT
.DHS
.DCH
.DCH
.DIB
.DIF
.DIF
.DIP
.DIP
.DIZ
.DJV
.DJV
.DJVU
.DJVU
.DM3
.DMI
.DMO
.DMP
.DNC
.DNE
.DNG
.DOC
.DOC
.DOCB
.DOCB
.DOCM
.DOCM
.DOCX
.DOCX
.DOCXML
.DOCZ
.DOT
.DOT
.DOTM
.DOTM
.DOTX
.DOTX
.DP1
.DPP
.DPX
.DQY
.DRF
.DRW
.DRZ
.DSK
.DSN
.DSV
.DT
.DT2
.DTA
.DTD
.DTSX
.DTW
.DVI
.DVL
.DWG
.DX
.DXB
.DXF
.DXG
.DXL
.EBD
.ECML
.ECO
.ECW
.ECX
.EDB
.EFD
.EGC
.EIO
.EIP
.EIT
.EMAIL
.EMD
.EMF
.EML
.EMLX
.EP
.EPF
.EPK
.EPP
.EPS
.EPSF
.EQL
.ERF
.ERR
.ESM
.ETF
.ETX
.EUC
.EXF
.EXR
.FADEIN
.FAL
.FAQ
.FAX
.FB2
.FB3
.FBL
.FBX
.FCD
.FCF
.FDB
.FDF
.FDR
.FDS
.FDT
.FDX
.FDXT
.FES
.FF
.FFD
.FFF
.FFT
.FH
.FH10
.FH11
.FH3
.FH4
.FH5
.FH6
.FH7
.FH8
.FHD
.FIC
.FID
.FIF
.FIG
.FIL
.FIM
.FLA
.FLA
.FLAC
.FLC
.FLI
.FLR
.FLV
.FLV
.FM
.FM5
.FMP
.FMP12
.FMPSL
.FMV
.FODT
.FOL
.FORGE
.FOS
.FOUNTAIN
.FP3
.FP4
.FP5
.FP7
.FPK
.FPOS
.FPT
.FPX
.FRM
.FRM
.FRT
.FSH
.FT10
.FT11
.FT7
.FT8
.FT9
.FTN
.FWDN
.FX0
.FX1
.FXC
.FXG
.FXR
.FZB
.FZV
.G3
.GCDP
.GDB
.GDOC
.GDRAW
.GEM
.GEO
.GFB
.GFIE
.GGR
.GHO
.GIF
.GIF
.GIH
.GIM
.GIO
.GLOX
.GMBCK
.GMSPR
.GPD
.GPG
.GPG
.GPN
.GRAY
.GREY
.GRO
.GROB
.GRS
.GRW
.GRY
.GSD
.GTHR
.GTP
.GV
.GWI
.GZ
.H
.H
.HBK
.HDB
.HDP
.HDR
.HEISENBERG
.HHT
.HIS
.HKDB
.HKX
.HPG
.HPGL
.HPI
.HPL
.HPLG
.HPP
.HS
.HTC
.HTML
.HVPL
.HWP
.HWP
.HWP
.HZ
.CHART
.CHORD
.I3D
.IB
.IBD
.IBD
.ICN
.ICPR
.ICXS
.IDC
.IDEA
.IDX
.IGT
.IGX
.IHX
.IIF
.IIL
.IIQ
.IMD
.INDD
.INFO
.INI
.INK
.INT
.IPF
.IPX
.ITC2
.ITDB
.ITL
.ITM
.ITW
.IWD
.IWI
.J
.J2C
.J2K
.JAR
.JARVIS
.JAS
.JAVA
.JAVA
.JB2
.JBIG
.JBIG2
.JBMP
.JBR
.JFIF
.JIA
.JIS
.JNG
.JOE
.JP1
.JP2
.JPE
.JPEG
.JPEG
.JPG
.JPG
.JPG2
.JPS
.JPX
.JRTF
.JS
.JTF
.JTX
.JWL
.JXR
.K2P
.KDB
.KDBX
.KDC
.KDI
.KDK
.KES
.KEY
.KEY
.KF
.KIC
.KLG
.KNT
.KON
.KPG
.KWD
.LACCDB
.LATEX
.LAY
.LAY
.LAY6
.LAY6
.LAYOUT
.LBF
.LBM
.LBT
.LDF
.LGB
.LGC
.LIS
.LIT
.LITEMOD
.LJP
.LMK
.LNT
.LOG
.LP2
.LRC
.LRF
.LST
.LTR
.LTX
.LUA
.LUE
.LUF
.LVL
.LWO
.LWP
.LWS
.LXFML
.LYT
.LYX
.M
.M2
.M3D
.M3U
.M4A
.M4V
.MA
.MAC
.MAF
.MAM
.MAN
.MAP
.MAQ
.MAR
.MAT
.MAW
.MAX
.MAX
.MB
.MBM
.MBOX
.MCL
.MCMETA
.MD5TXT
.MDB
.MDB
.MDBACKUP
.MDBHTML
.MDC
.MDDATA
.MDE
.MDF
.MDF
.MDN
.MDT
.ME
.MEF
.MELL
.MENU
.MFT
.MFW
.MGCB
.MGMF
.MGMT
.MGMX
.MGTX
.MID
.MIN
.MKV
.MKV
.MLX
.MMAT
.MML
.MML
.MMW
.MNG
.MNR
.MNT
.MOBI
.MOS
.MOV
.MOV
.MOVIE
.MP3
.MP4
.MPEG
.MPF
.MPG
.MPG
.MPO
.MPP
.MPQGE
.MRG
.MRW
.MRWREF
.MRXS
.MS11
.MSG
.MSLL
.MSO
.MT9
.MTE
.MUD
.MWB
.MWP
.MX0
.MXL
.MYD
.MYD
.MYI
.MYI
.MYL
.NCF
.NCR
.NCT
.ND
.NDD
.NDF
.NEF
.NEF
.NFO
.NJX
.NK2
.NLM
.NOTES
.NOW
.NRW
.NS2
.NS3
.NS4
.NSD
.NSF
.NSG
.NSH
.NTL
.NV2
.NWB
.NWCTXT
.NX1
.NX2
.NYF
.NZB
.OBJ
.OC3
.OC4
.OC5
.OCE
.OCI
.OCR
.ODB
.ODB
.ODC
.ODF
.ODG
.ODG
.ODM
.ODO
.ODP
.ODP
.ODS
.ODS
.ODT
.ODT
.OFL
.OFT
.OIL
.OMF
.ONE
.OPENBSD
.OPLC
.OQY
.ORA
.ORF
.ORT
.ORX
.OTA
.OTG
.OTG
.OTH
.OTI
.OTP
.OTP
.OTS
.OTS
.OTT
.OTT
.OVP
.OVR
.OWC
.OWG
.OYX
.OZB
.OZJ
.OZT
.P12
.P7B
.P7C
.P7S
.P96
.P97
.PAGES
.PAK
.PAL
.PAN
.PANO
.PAP
.PAQ
.PAQ
.PAS
.PAS
.PAT
.PBM
.PBO
.PC1
.PC2
.PC3
.PCD
.PCS
.PCT
.PCX
.PDB
.PDD
.PDF
.PDF
.PDM
.PDN
.PE4
.PEF
.PEM
.PEM
.PFD
.PFF
.PFI
.PFS
.PFV
.PFX
.PGF
.PGM
.PHM
.PHP
.PHP
.PI1
.PI2
.PI3
.PIC
.PICT
.PIP
.PIX
.PJPEG
.PJPG
.PJT
.PKPASS
.PL
.PLANTUML
.PLC
.PLT
.PM
.PMG
.PNG
.PNG
.PNI
.PNM
.PNTG
.PNZ
.POBJ
.POP
.POT
.POT
.POTM
.POTM
.POTX
.POTX
.PP4
.PP5
.PPAM
.PPAM
.PPM
.PPS
.PPS
.PPSM
.PPSM
.PPSX
.PPSX
.PPT
.PPT
.PPTM
.PPTM
.PPTX
.PPTX
.PRF
.PRT
.PRW
.PS
.PSAFE3
.PSD
.PSD
.PSDX
.PSE
.PSID
.PSK
.PSP
.PSPBRUSH
.PSPIMAGE
.PST
.PSW
.PTG
.PTH
.PTX
.PU
.PUB
.PUZ
.PVJ
.PVM
.PVR
.PWA
.PWI
.PWR
.PX
.PXR
.PY
.PZ3
.PZA
.PZP
.PZS
.QBA
.QBBACKUP
.QBI
.QBO
.QBP
.QBR
.QBSDK
.QBT
.QBW
.QBWIN
.QBY
.QCOW2
.QDF
.QDL
.QMG
.QPD
.QPX
.QRY
.QSM
.QSS
.QST
.QVD
.QWC
.R3D
.RAD
.RAF
.RAR
.RAR
.RAS
.RAT
.RAW
.RAW
.RB
.RCTD
.RCU
.RDB
.RDL
.RE4
.README
.RFT
.RGB
.RGF
.RGSS3A
.RIB
.RIC
.RIFF
.RIM
.RIS
.RIX
.RLE
.RLI
.RM
.RNG
.ROFL
.RPD
.RPF
.RPT
.RRI
.RS
.RSB
.RSD
.RSR
.RST
.RT
.RTD
.RTF
.RTF
.RTP
.RTX
.RUN
.RW2
.RWL
.RWZ
.RZK
.RZN
.S2MV
.S3M
.SAF
.SAFETEXT
.SAI
.SAM
.SAS7BDAT
.SAVE
.SAY
.SB
.SBF
.SCAD
.SCAN
.SCC
.SCI
.SCM
.SCRIV
.SCRIVX
.SCT
.SCV
.SCW
.SD0
.SDA
.SDB
.SDF
.SDM
.SDOC
.SDW
.SEP
.SET
.SFC
.SFERA
.SFW
.SGM
.SCH
.SCH
.SID
.SIDD
.SIDN
.SIE
.SIG
.SIS
.SK1
.SK2
.SKCARD
.SKM
.SLA
.SLAGZ
.SLD
.SLDASM
.SLDDRT
.SLDM
.SLDPRT
.SLDX
.SLK
.SLK
.SLM
.SLS
.SMF
.SMIL
.SMS
.SNAGITSTAMPS
.SNAGSTYLES
.SNP
.SNX
.SOB
.SPA
.SPE
.SPH
.SPJ
.SPP
.SPQ
.SPR
.SQB
.SQL
.SQL
.SQLITE
.SQLITE3
.SQLITE3
.SQLITEDB
.SQLITEDB
.SR2
.SRF
.SRT
.SRW
.SSA
.SSFN
.SSK
.ST
.ST4
.ST5
.ST6
.ST7
.ST8
.STC
.STC
.STD
.STD
.STE
.STI
.STI
.STM
.STN
.STP
.STR
.STRINGS
.STW
.STW
.STX
.STY
.SUB
.SUM
.SUMO
.SVA
.SVF
.SVG
.SVG
.SVGZ
.SWF
.SWF
.SXC
.SXC
.SXD
.SXD
.SXG
.SXI
.SXI
.SXM
.SXM
.SXW
.SXW
.SYNCDB
.SYNCMANAGERLOGGER
.T12
.T13
.T2B
.TAB
.TAR
.TAR
.TAR.BZ2
.TAX
.TB0
.TBK
.TBN
.TCX
.TDF
.TDT
.TE
.TEACHER
.TEMP1234
.TEX
.TEXT
.TFC
.TG4
.TGA
.TGZ
.TGZ
.THM
.THP
.THUMB
.TIF
.TIF
.TIFF
.TIFF
.TJP
.TLB
.TLC
.TM
.TM2
.TMD
.TMP
.TMV
.TMX
.TN
.TNE
.TOR
.TPC
.TPI
.TRELBY
.TRM
.TVJ
.TXT
.TXT
.TXT
.U3D
.U3I
.UDB
.UFO
.UFR
.UGA
.UNAUTH
.UNITY
.UNREC
.UNX
.UOF
.UOP
.UOP
.UOT
.UOT
.UOT
.UPD
.UPK
.USERTILE-MS
.USR
.UTF8
.UTXT
.V12
.V30
.VAULT
.VBR
.VBS
.VBS
.VCF
.VCT
.VDA
.VDB
.VDF
.VDI
.VEC
.VFF
.VFS0
.VMDK
.VML
.VMX
.VNT
.VOB
.VOB
.VPD
.VPE
.VPK
.VPP_PC
.VRML
.VRP
.VSD
.VSDM
.VSDX
.VSM
.VST
.VSTM
.VSTX
.VSX
.VTF
.VTX
.VUE
.VW
.W3X
.WALLET
.WALLET
.WAV
.WAV
.WB1
.WB2
.WBC
.WBD
.WBK
.WBM
.WBMP
.WBZ
.WCF
.WDB
.WDP
.WEBDOC
.WEBP
.WGZ
.WIRE
.WKS
.WKS
.WLL
.WMA
.WMA
.WMDB
.WMF
.WMO
.WMV
.WMV
.WN
.WOTREPLAY
.WP
.WP4
.WP5
.WP6
.WP7
.WPA
.WPB
.WPD
.WPE
.WPG
.WPL
.WPS
.WPT
.WPW
.WRI
.WSC
.WSD
.WSH
.WTX
.WVL
.X
.X11
.X3D
.X3F
.XAR
.XBDOC
.XBPLATE
.XDB
.XDL
.XF
.XHTM
.XLA
.XLAM
.XLB
.XLC
.XLC
.XLD
.XLF
.XLGC
.XLL
.XLM
.XLM
.XLR
.XLS
.XLS
.XLSB
.XLSB
.XLSM
.XLSM
.XLSX
.XLSX
.XLT
.XLT
.XLTM
.XLTM
.XLTX
.XLTX
.XLW
.XLW
.XMIND
.XML
.XML
.XMLX
.XMMAP
.XPM
.XPP
.XPS
.XSN
.XWP
.XXX
.XY3
.XYP
.XYW
.Y
.YAL
.YBK
.YML
.YSP
.YTBL
.YUV
.Z3D
.ZABW
.ZDB
.ZDC
.ZIF
.ZIP
.ZIP
.ZTMP
.ZW
WALLET.DAT

It avoids files which contain any of the following strings in their path:

ATTENTION.VBS
ZINO
WINDOWS
BOOT
TMP
WINNT
APPLICATION DATA
APPDATA
PROGRAM FILES (X86)
PROGRAM FILES
TEMP
THUMBS.DB
$RECYCLE.BIN
SYSTEM
VOLUME INFORMATION

The trojan encrypts the file content.

The name of the encrypted file is changed to:

%originalfilename%-ENCRYPTED-FILE.ZINO

When searching the drives, the trojan creates the following file in every folder visited:

ZINO_NOTE.TXT
Attention.vbs

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

The trojan removes all of the volume shadow copies in order to prevent restoring the original files.

Other information

The trojan can create and run a new thread with its own program code within the following processes:

%windir%\System32\CHARMAP.EXE
%windir%\System32\NOTEPAD.EXE
%windir%\System32\REKEYWIZ.EXE
%windir%\System32\CMD.EXE

The trojan may execute the following files:

%windir%\System32\eventvwr.exe

The trojan executes the following command:

cmd.exe RUNAS /C START %malwarefilepath%

The trojan can download a file from the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used in the communication.

The file is stored in the following location:

%appdata%\SETTINGS00009.jpg

This file/image is set as a wallpaper.

The trojan can detect presence of debuggers and other analytical tools.

Trojan is able to bypass User Account Control (UAC).