Win64/Filecoder [Threat Name] go to Threat

Win64/Filecoder.R [Threat Variant Name]

Category trojan
Size 217088 B
Detection created Jul 07, 2018
Detection database version 17676
Aliases Trojan.Encoder.25069 (Dr.Web)
  Trojan:Win32/Occamy.B (Microsoft)
Short description

Win64/Filecoder.R is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan does not create any copies of itself.

Payload information

Win64/Filecoder.R is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files on the following drives:

  • A:\­-Z:\­

It avoids files which contain any of the following strings in their path:

  • Windows
  • windows
  • Program files
  • Program files (x86)
  • system volume information
  • $recycle.bin

The trojan searches for files stored in the following folders:

  • C:\­Program Files (x86)\­Microsoft SQL Server\­
  • C:\­Program Files\­Microsoft SQL Server\­

The trojan encrypts the file content.


The AES-256, RSA encryption algorithm is used.


The extension of the encrypted files is changed to:

  • %originalfilename%.[evil@cock.lu].EVIL

When searching the drives, the trojan creates the following file in every folder visited:

  • !_HOW_RECOVERY_FILES_!.txt

It contains the following text:

  • >>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<
  • HELLO, DEAR FRIEND!
  • 1.  [ ALL YOUR FILES HAVE BEEN ENCRYPTED! ]
  • Your files are NOT damaged! Your files are modified only. This modification is reversible.
  • The only 1 way to decrypt your files is to receive the decryption program.
  • 2.  [ HOW TO RECOVERY FILES? ]
  • To receive the decryption program write on our e-mail: evil@cock.lu or evil@firemail.cc
  • And in subject write your ID:  %removed%
  • We send you full instruction how to decrypt all your files.
  • 3.  [ FREE DECRYPTION! ]
  • Free decryption as guarantee.
  • We guarantee the receipt of the decryption program after payment.
  • To believe, you can give us up to 3 files that we decrypt for free.
  • Files should not be important to you! (databases, backups, large excel sheets, etc.)
  • >>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


When files encryption is finished, the trojan removes itself from the computer.

Other information

The trojan terminates processes with any of the following strings in the name:

  • agntsvc.exe
  • dbeng50.exe
  • dbsnmp.exe
  • encsvc.exe
  • excel.exe
  • fdhost.exe
  • fdlauncher.exe
  • firefoxconfig.exe
  • infopath.exe
  • msaccess.exe
  • MsDtsSrvr.exe
  • msftesql.exe
  • msmdsrv.exe
  • mspub.exe
  • mydesctopservice.exe
  • mysqld.exe
  • mysqld-nt.exe
  • mysqld-opt.exe
  • ntdbsmgr.exe
  • ocautoupds.exe
  • ocomm.exe
  • ocssd.exe
  • onenote.exe
  • oracle.exe
  • outlook.exe
  • pg_ctl.exe
  • postgres.exe
  • powerpnt.exe
  • ReportingServecesService.exe
  • ReportingServicesService.exe
  • sqbcoreservice.exe
  • sqlagent.exe
  • SQLAGENT.EXE
  • sqlbrowser.exe
  • sqlceip.exe
  • sqlserv.exe
  • sqlservr.exe
  • sqlwriter.exe
  • Ssms.exe
  • steam.exe
  • synctime.exe
  • tbirdconfig.exe
  • thebat.exe
  • thebat64.exe
  • thunderbird.exe
  • UniFi.exe
  • visio.exe
  • winword.exe
  • wordpad.exe

The trojan executes the following commands:

  • vssadmin delete shadows /all /quiet
  • sc delete "vmickvpexchange"
  • sc delete "vmicguestinterface"
  • sc delete "vmicshutdown"
  • sc delete "vmicheartbeat"
  • sc delete "vmicrdv"
  • sc delete "storflt"
  • sc delete "vmictimesync"
  • sc delete "vmicvss"
  • sc delete "MSSQLFDLauncher"
  • sc delete "MSSQLSERVER"
  • sc delete "SQLSERVERAGENT"
  • sc delete "SQLBrowser"
  • sc delete "SQLTELEMETRY"
  • sc delete "MsDtsServer130"
  • sc delete "SSISTELEMETRY130"
  • sc delete "SQLWriter"
  • sc delete "MSSQL$VEEAMSQL2012"
  • sc delete "SQLAgent$VEEAMSQL2012"
  • sc delete "MSSQL"
  • sc delete "SQLAgent"
  • sc delete "MSSQLServerADHelper100"
  • sc delete "MSSQLServerOLAPService"
  • sc delete "MsDtsServer100"
  • sc delete "ReportServer"
  • sc delete "SQLTELEMETRY$HL"
  • sc delete "TMBMServer"
  • sc delete "MSSQL$PROGID"
  • sc delete "MSSQL$WOLTERSKLUWER"
  • sc delete "SQLAgent$PROGID"
  • sc delete "SQLAgent$WOLTERSKLUWER"
  • sc delete "MSSQLFDLauncher$OPTIMA"
  • sc delete "MSSQL$OPTIMA"
  • sc delete "SQLAgent$OPTIMA"
  • sc delete "ReportServer$OPTIMA"
  • sc delete "msftesql$SQLEXPRESS"
  • sc delete "postgresql-x64-9.4"
  • sc delete "WRSVC"
  • sc delete "KLIF"
  • sc delete "klpd"
  • sc delete "klflt"
  • sc delete "klbackupdisk"
  • sc delete "klbackupflt"
  • sc delete "klkbdflt"
  • sc delete "klmouflt"
  • sc delete "klhk"
  • sc delete "KSDE1.0.0"
  • sc delete "kltap"
  • sc delete "TmFilter"
  • sc delete "TMLWCSService"
  • sc delete "tmusa"
  • sc delete "TmPreFilter"
  • sc delete "TMSmartRelayService"
  • sc delete "VSApiNt"
  • sc delete "TmCCSF"
  • sc delete "tmlisten"
  • sc delete "TmProxy"
  • sc delete "ntrtscan"
  • sc delete "ofcservice"
  • sc delete "UniFi"
  • cmd.exe /c del %malwarefilepath% >> NUL

Please enable Javascript to ensure correct displaying of this content and refresh this page.