Win32/Filecoder.AESNI [Threat Name]

Win32/Filecoder.AESNI.A [Threat Variant Name]

Category trojan
Size 830464 B
Detection created Dec 08, 2016
Detection database version 14574
Aliases Variant.Ransom.Xdata.3 (BitDefender)
Short description

Win32/Filecoder.AESNI.A is a trojan that encrypts files on fixed, removable and network drives. To get the files decrypted, the user is told to contact the attackers by e-mail, quoting a victim ID, and to pay a ransom in Bitcoin.

Installation

The trojan does not create any copies of itself.


The trojan creates and runs a new thread with its own program code within the following processes:

  • %system%\­svchost.exe

The trojan then removes itself from the computer.

Payload information

Win32/Filecoder.AESNI.A is a trojan that encrypts files on fixed, removable and network drives.


To get the files decrypted, the user is told to contact the attackers by e-mail, quoting a victim ID, and to pay a ransom in Bitcoin.


The trojan searches local drives for all files except those with the following file extensions:

  • .dll
  • .exe
  • .lnk
  • .lock
  • .msi
  • .mui
  • .sys

It avoids files from the following directories:

  • %desktop%
  • %windir%

The trojan encrypts the file content.


The AES and RSA encryption algorithms are used.


The extension of the encrypted files is changed to:

  • %filepath%.lock

When searching the drives, the trojan creates the following file in every folder visited:

  • !Read__Me.tXt

It contains the following text:

  • IMPORTANT: When writing us on e-mail, you must specify the following ID:
  • ---
  • ID WIN-AAAAAAAAAAA#F9ED3B097872CA69D3D0E3F53CAAA364
  • ---
  • Decoding Files 1 Bitcoin (~700$), tomorrow 2 Bitcoin (~1400$)
  • translation at the expense of Bitcoin
  • 1ERvN8gQEw6rFEYDbdxyJzXcd5FSAnukJL
  • Buy Bitcoin here https://localbitcoins.com or
  • https://www.buybitcoinworldwide.com/find-exchange/ or
  • https://www.coinbase.com or
  • https://www.xmlgold.eu or
  • any other exchanger
  • or
  • write to Google how to buy Bitcoin in your country?
  • after payment you will receive a program that automatically decrypts all your files
  • mail support rescuers@india.com
  • NO money =NO decryption
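As an added example (not ESET's code and not code from the trojan), the following Python reproduces the file-selection rules listed above and sweeps a directory tree for the artefacts the trojan leaves behind: files renamed to .lock and the !Read__Me.tXt notes, from which it extracts the victim ID, the Bitcoin address and the contact mailbox. The tree it runs on is constructed in a temporary directory; the excluded directories are passed in by the caller, because %desktop% and %windir% resolve differently on every host; the note-parsing regexes assume the note layout quoted above.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the trojan skips, as listed above. ".lock" being on the list is
# what stops it from re-encrypting its own output on a second pass.
SKIPPED_EXTENSIONS = {".dll", ".exe", ".lnk", ".lock", ".msi", ".mui", ".sys"}
NOTE_NAME = "!Read__Me.tXt"
ENCRYPTED_SUFFIX = ".lock"

# Note-field regexes. Assumption: the note layout matches the text quoted above.
ID_RE = re.compile(r"^ID\s+(\S+)", re.MULTILINE)
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy Base58 address
MAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def would_encrypt(path, excluded_dirs):
    """Apply the published selection rules (extension list, excluded folders) to one path."""
    if path.suffix.lower() in SKIPPED_EXTENSIONS:
        return False
    return not any(path.is_relative_to(d) for d in excluded_dirs)


def parse_note(text):
    """Extract victim ID, Bitcoin address and contact mailbox from a ransom note."""
    m_id, m_btc, m_mail = ID_RE.search(text), BTC_RE.search(text), MAIL_RE.search(text)
    return {
        "victim_id": m_id.group(1) if m_id else None,
        "btc_address": m_btc.group(0) if m_btc else None,
        "contact": m_mail.group(0) if m_mail else None,
    }


def sweep(root, excluded_dirs=()):
    """Walk root; report files the rules would hit, .lock files and parsed notes per folder."""
    report = {"targets": [], "locked": [], "notes": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == NOTE_NAME:
                report["notes"][str(p.parent)] = parse_note(p.read_text(errors="replace"))
            elif p.suffix.lower() == ENCRYPTED_SUFFIX:
                report["locked"].append(str(p))
            elif would_encrypt(p, excluded_dirs):
                report["targets"].append(str(p))
    return report


# Constructed sample note; the field values are the ones quoted in the description above.
SAMPLE_NOTE = """IMPORTANT: When writing us on e-mail, you must specify the following ID:
---
ID WIN-AAAAAAAAAAA#F9ED3B097872CA69D3D0E3F53CAAA364
---
Decoding Files 1 Bitcoin (~700$), tomorrow 2 Bitcoin (~1400$)
1ERvN8gQEw6rFEYDbdxyJzXcd5FSAnukJL
mail support rescuers@india.com
"""


def build_sample_tree():
    """Constructed directory tree (not real victim data) so the example runs offline."""
    root = Path(tempfile.mkdtemp())
    (root / "Desktop").mkdir()
    (root / "docs").mkdir()
    (root / "docs" / "report.docx").write_bytes(b"constructed content")
    (root / "docs" / "setup.exe").write_bytes(b"MZ")          # skipped by extension
    (root / "docs" / "photo.jpg.lock").write_bytes(b"\x00")   # already encrypted
    (root / "docs" / NOTE_NAME).write_text(SAMPLE_NOTE)
    (root / "Desktop" / "todo.txt").write_bytes(b"x")         # skipped: lives under %desktop%
    return root


def demo():
    root = build_sample_tree()
    return sweep(root, excluded_dirs=[root / "Desktop"])


if __name__ == "__main__":
    print(demo())
```

On a live host, point sweep() at a drive root and pass the real Desktop and Windows folders; the "targets" list is the blast radius the published rules imply, the "locked" list and the parsed notes are the evidence to collect before any cleanup.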

Information stealing

The trojan collects the following information:

  • computer name
  • operating system version
  • user name

The trojan attempts to send gathered information to a remote machine.


The trojan contains a URL. It communicates via the Tor anonymity network.

Other information

The trojan creates the following files:

  • %temp%\­%tempfile%.bat

The trojan executes the following commands:

  • %temp%\­%tempfile%.bat
  • %system%\­vssadmin.exe Delete Shadows /All

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "LegalNoticeCaption" = "Microsoft Windows Security Center"
    • "LegalNoticeText" = "Dear Owner. Bad news: your server was hacked.
    • For more information and recommendations, write to our experts by e-mail.
    • When you start Windows, Windows Defender works to help protect
    • your PC by scanning for malicious or unwanted software."

The trojan may delete the following folders:

  • %systemdrive%\­$RECYCLE.BIN
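Added example, not ESET's or the malware's own code: detection logic for the host-level behaviours described on this page, run over constructed Sysmon-style events. It covers the shadow-copy wipe via vssadmin.exe, the Winlogon LegalNoticeCaption/LegalNoticeText values (which Windows displays on the logon screen before sign-in), the batch file run from %temp%, and the remote thread into svchost.exe from the Installation section. The events are made up for the example (EventID 1 process creation, 13 registry value set, 8 CreateRemoteThread); the Computer, CommandLine, TargetObject and TargetImage field names follow Sysmon's schema, and the host names and file names are assumptions.

```python
import json
import re

# Behaviour patterns taken from the description above.
VSSADMIN_DELETE_RE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
WINLOGON_LEGAL_RE = re.compile(r"\\Winlogon\\LegalNotice(Caption|Text)$", re.IGNORECASE)
TEMP_BAT_RE = re.compile(r"\\Temp\\[^\\\s\"]+\.bat\b", re.IGNORECASE)
INJECTION_TARGETS = {"svchost.exe"}


def _image_name(path):
    """Last component of a Windows path, lower-cased (os.path would not split '\\' on Linux)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the behaviour tags one event matches (empty list for benign events)."""
    hits = []
    eid = event.get("EventID")
    cmd = event.get("CommandLine", "")
    if eid == 1 and VSSADMIN_DELETE_RE.search(cmd):
        hits.append("shadow_copy_deletion")
    if eid == 1 and TEMP_BAT_RE.search(cmd):
        hits.append("batch_from_temp")          # noisy alone; only counts in correlation
    if eid == 13 and WINLOGON_LEGAL_RE.search(event.get("TargetObject", "")):
        hits.append("winlogon_legal_notice_set")
    if eid == 8 and _image_name(event.get("TargetImage", "")) in INJECTION_TARGETS:
        hits.append("remote_thread_into_svchost")  # tune: allow-list known EDR/AV sources
    return hits


def score_hosts(ndjson):
    """Per host, the sorted set of distinct behaviours seen in a newline-delimited JSON feed."""
    per_host = {}
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for tag in classify(ev):
            per_host.setdefault(ev["Computer"], set()).add(tag)
    return {host: sorted(tags) for host, tags in per_host.items()}


def flagged(ndjson, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours; one indicator alone does not alert."""
    return {h: t for h, t in score_hosts(ndjson).items() if len(t) >= threshold}


# Constructed Sysmon-style events (not real telemetry); WS01 is the infected host.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe List Shadows"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "C:\\Windows\\system32\\vssadmin.exe Delete Shadows /All"}
{"EventID": 13, "Computer": "WS01", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\LegalNoticeCaption", "Details": "Microsoft Windows Security Center"}
{"EventID": 13, "Computer": "WS02", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "Details": "explorer.exe"}
{"EventID": 8, "Computer": "WS01", "SourceImage": "C:\\Users\\bob\\Downloads\\invoice.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 8, "Computer": "WS02", "SourceImage": "C:\\Program Files\\EDR\\agent.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\cleanup.bat"}
"""

if __name__ == "__main__":
    print(score_hosts(SAMPLE_EVENTS))
    print(flagged(SAMPLE_EVENTS))
```

The correlation step is the point: a lone batch file under %temp% (WS02) is everyday admin noise, while shadow-copy deletion plus a logon-banner rewrite plus a thread injected into svchost.exe on one host (WS01) is the sequence this page describes and is worth an alert even before any .lock file is seen.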
