Win64/Filecoder [Threat Name]
Win64/Filecoder.R [Threat Variant Name]
Category | trojan |
Size | 217088 B |
Aliases | Trojan.Encoder.25069 (Dr.Web), Trojan:Win32/Occamy.B (Microsoft) |
Short description
Win64/Filecoder.R is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to comply with the given conditions in exchange for a password or instructions.
Installation
The trojan does not create any copies of itself.
Payload information
Win64/Filecoder.R is a trojan that encrypts files on fixed, removable and network drives.
The trojan searches for files on the following drives:
- A:\-Z:\
It avoids files whose path contains any of the following strings:
- Windows
- windows
- Program files
- Program files (x86)
- system volume information
- $recycle.bin
The trojan searches for files stored in the following folders:
- C:\Program Files (x86)\Microsoft SQL Server\
- C:\Program Files\Microsoft SQL Server\
The trojan encrypts the file content.
The AES-256 and RSA encryption algorithms are used.
The extension of the encrypted files is changed to:
- %originalfilename%.[evil@cock.lu].EVIL
When searching the drives, the trojan creates the following file in every folder visited:
- !_HOW_RECOVERY_FILES_!.txt
It contains the following text:
- >>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<
- HELLO, DEAR FRIEND!
- 1. [ ALL YOUR FILES HAVE BEEN ENCRYPTED! ]
- Your files are NOT damaged! Your files are modified only. This modification is reversible.
- The only 1 way to decrypt your files is to receive the decryption program.
- 2. [ HOW TO RECOVERY FILES? ]
- To receive the decryption program write on our e-mail: evil@cock.lu or evil@firemail.cc
- And in subject write your ID: %removed%
- We send you full instruction how to decrypt all your files.
- 3. [ FREE DECRYPTION! ]
- Free decryption as guarantee.
- We guarantee the receipt of the decryption program after payment.
- To believe, you can give us up to 3 files that we decrypt for free.
- Files should not be important to you! (databases, backups, large excel sheets, etc.)
- >>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<
To decrypt the files, the user is asked to comply with the given conditions in exchange for a password or instructions.
When file encryption is finished, the trojan removes itself from the computer.
Other information
The trojan terminates processes whose name contains any of the following strings:
- agntsvc.exe
- dbeng50.exe
- dbsnmp.exe
- encsvc.exe
- excel.exe
- fdhost.exe
- fdlauncher.exe
- firefoxconfig.exe
- infopath.exe
- msaccess.exe
- MsDtsSrvr.exe
- msftesql.exe
- msmdsrv.exe
- mspub.exe
- mydesctopservice.exe
- mysqld.exe
- mysqld-nt.exe
- mysqld-opt.exe
- ntdbsmgr.exe
- ocautoupds.exe
- ocomm.exe
- ocssd.exe
- onenote.exe
- oracle.exe
- outlook.exe
- pg_ctl.exe
- postgres.exe
- powerpnt.exe
- ReportingServecesService.exe
- ReportingServicesService.exe
- sqbcoreservice.exe
- sqlagent.exe
- SQLAGENT.EXE
- sqlbrowser.exe
- sqlceip.exe
- sqlserv.exe
- sqlservr.exe
- sqlwriter.exe
- Ssms.exe
- steam.exe
- synctime.exe
- tbirdconfig.exe
- thebat.exe
- thebat64.exe
- thunderbird.exe
- UniFi.exe
- visio.exe
- winword.exe
- wordpad.exe
The trojan executes the following commands:
- vssadmin delete shadows /all /quiet
- sc delete "vmickvpexchange"
- sc delete "vmicguestinterface"
- sc delete "vmicshutdown"
- sc delete "vmicheartbeat"
- sc delete "vmicrdv"
- sc delete "storflt"
- sc delete "vmictimesync"
- sc delete "vmicvss"
- sc delete "MSSQLFDLauncher"
- sc delete "MSSQLSERVER"
- sc delete "SQLSERVERAGENT"
- sc delete "SQLBrowser"
- sc delete "SQLTELEMETRY"
- sc delete "MsDtsServer130"
- sc delete "SSISTELEMETRY130"
- sc delete "SQLWriter"
- sc delete "MSSQL$VEEAMSQL2012"
- sc delete "SQLAgent$VEEAMSQL2012"
- sc delete "MSSQL"
- sc delete "SQLAgent"
- sc delete "MSSQLServerADHelper100"
- sc delete "MSSQLServerOLAPService"
- sc delete "MsDtsServer100"
- sc delete "ReportServer"
- sc delete "SQLTELEMETRY$HL"
- sc delete "TMBMServer"
- sc delete "MSSQL$PROGID"
- sc delete "MSSQL$WOLTERSKLUWER"
- sc delete "SQLAgent$PROGID"
- sc delete "SQLAgent$WOLTERSKLUWER"
- sc delete "MSSQLFDLauncher$OPTIMA"
- sc delete "MSSQL$OPTIMA"
- sc delete "SQLAgent$OPTIMA"
- sc delete "ReportServer$OPTIMA"
- sc delete "msftesql$SQLEXPRESS"
- sc delete "postgresql-x64-9.4"
- sc delete "WRSVC"
- sc delete "KLIF"
- sc delete "klpd"
- sc delete "klflt"
- sc delete "klbackupdisk"
- sc delete "klbackupflt"
- sc delete "klkbdflt"
- sc delete "klmouflt"
- sc delete "klhk"
- sc delete "KSDE1.0.0"
- sc delete "kltap"
- sc delete "TmFilter"
- sc delete "TMLWCSService"
- sc delete "tmusa"
- sc delete "TmPreFilter"
- sc delete "TMSmartRelayService"
- sc delete "VSApiNt"
- sc delete "TmCCSF"
- sc delete "tmlisten"
- sc delete "TmProxy"
- sc delete "ntrtscan"
- sc delete "ofcservice"
- sc delete "UniFi"
- cmd.exe /c del %malwarefilepath% >> NUL
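As an added defender's example, not part of the ESET description, the following Python script tags process-creation command lines against the behaviours listed above (shadow-copy deletion, sc delete of database and protection services, and self-deletion via cmd.exe) and recognises the ransom note name and encrypted-file suffix in file events. The sample command lines, the function names and the grouping of service prefixes into "database" and "protection" are my own assumptions.

```python
import re

# Constructed sample process-creation command lines (not real telemetry), modelled on the
# commands listed above; the "sc query" line is benign and must not be flagged.
SAMPLE_CMDLINES = [
    "vssadmin delete shadows /all /quiet",
    'sc delete "MSSQLSERVER"',
    'sc delete "klbackupflt"',
    'sc delete "TmFilter"',
    'sc query "Spooler"',
    r"cmd.exe /c del C:\Users\Public\update.exe >> NUL",
]

# Lower-cased service-name prefixes from the sc delete list above (an assumed grouping): database
# services whose file locks block encryption, versus Hyper-V VSS, Kaspersky and Trend Micro components.
DB_PREFIXES = ("mssql", "sqlagent", "sqlserveragent", "sqlbrowser", "sqlwriter", "sqltelemetry",
               "msdtsserver", "ssistelemetry", "reportserver", "msftesql", "postgresql")
PROTECTION_PREFIXES = ("vmic", "storflt", "kl", "ksde", "tm", "vsapint", "ntrtscan", "ofcservice", "wrsvc")

SC_DELETE = re.compile(r'^\s*sc(?:\.exe)?\s+delete\s+"?([^"\s]+)"?', re.IGNORECASE)
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all", re.IGNORECASE)
SELF_DELETE = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+del\s+\S+\s*>>\s*NUL\b", re.IGNORECASE)
NOTE_NAME = "!_HOW_RECOVERY_FILES_!.txt"
ENC_SUFFIX = ".[evil@cock.lu].evil"

def classify(cmdline):
    """Map one command line to a behaviour tag, or None if it matches nothing listed above."""
    if VSS_DELETE.search(cmdline):
        return "shadow_copy_deletion"
    m = SC_DELETE.match(cmdline)
    if m:
        name = m.group(1).lower()
        if name.startswith(DB_PREFIXES):
            return "db_service_removal"
        return "protection_service_removal" if name.startswith(PROTECTION_PREFIXES) else "service_removal"
    if SELF_DELETE.search(cmdline):
        return "self_deletion"
    return None

def is_filecoder_artifact(path):
    """True for a file-create event carrying the ransom note name or the encrypted-file suffix."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name == NOTE_NAME or name.lower().endswith(ENC_SUFFIX)

def assess(cmdlines):
    """Count behaviour tags for one host; shadow-copy deletion plus any service removal is the pre-encryption pattern."""
    counts = {}
    for tag in filter(None, map(classify, cmdlines)):
        counts[tag] = counts.get(tag, 0) + 1
    return counts, "shadow_copy_deletion" in counts and any(t.endswith("service_removal") for t in counts)
```

Run against real telemetry, feed `classify` the command-line field of process-creation events (for example Sysmon event ID 1) and `is_filecoder_artifact` the target of file-create events, grouped per host.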