Win32/Filecoder.AESNI [Threat Name]

Win32/Filecoder.AESNI.B [Threat Variant Name]

Category: trojan
Size: 1028096 B
Detection created: May 22, 2017
Detection database version: 15458
Aliases: Trojan-Ransom.Win32.AecHu.b (Kaspersky), Ransom:Win32/Xdatrypt.A (Microsoft), Trojan.DownLoader24.60953 (Dr.Web)
Short description

Win32/Filecoder.AESNI.B is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.

Installation

The trojan does not create any copies of itself.


The trojan creates and runs a new thread with its own program code within the following processes:

  • %system%\svchost.exe

The trojan then removes itself from the computer.

Payload information


The trojan searches local drives for all files except those with the following file extensions:

  • .cab
  • .decrypr_helper@freemail_hu
  • .lnk
  • .log
  • .msi
  • .mui
  • .sys
  • .wim

It avoids files from the following directories:

  • %desktop%
  • %windir%
  • CryptnetUrlCache
  • Temp
  • Windows

The trojan encrypts the file content.


The RSA and AES encryption algorithms are used.


The extension of the encrypted files is changed to:

  • %filepath%.decrypr_helper@freemail_hu

When searching the drives, the trojan creates the following file in every folder visited:

  • !!! READ THIS - IMPORTANT !!!.hta

Information stealing

The trojan collects the following information:

  • computer name
  • operating system version
  • user name
  • external IP address of the network device

The trojan attempts to send gathered information to a remote machine.


The trojan contains a URL. It communicates via the TOR anonymity network.


Other information

The trojan creates the following files:

  • %temp%\%tempfile%.bat

The trojan executes the following commands:

  • %temp%\%tempfile%.bat
  • %system%\vssadmin.exe Delete Shadows /All

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "LegalNoticeCaption" = "Microsoft Windows Security Center"
    • "LegalNoticeText" = "Dear Owner. Bad news: your server was hacked. For more information and recommendations, write to our experts by e-mail. When you start Windows, Windows Defender works to help protect your PC by scanning for malicious or unwanted software."
  • [HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Terminal Server]
    • "AllowTSConnections" = 1
  • [HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
    • "MaxConnectionTime" = 0
    • "MaxDisconnectionTime" = 0
    • "MaxIdleTime" = 0
    • "SecurityLayer" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
    • "fDenyTSConnections" = 0
    • "fAllowUnsolicited" = 1
    • "UserAuthentication" = 0
    • "MaxDisconnectionTime" = 0
    • "MaxIdleTime" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe]
    • "Debugger" = "c"
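The registry changes above enable and loosen Remote Desktop, plant a ransom text in the logon notice and hijack the Magnify.exe accessibility tool through an Image File Execution Options Debugger value. The following read-only audit script is an added example, not part of the ESET entry; it checks a host for exactly those values and reports each one found. Run it elevated on the machine under investigation; the function name is an assumption of this example.

```powershell
# Added example (not ESET's code): report registry values matching those listed for Filecoder.AESNI.B.
$Checks = @(
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
     Expected = @{ LegalNoticeCaption = 'Microsoft Windows Security Center' } },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
     Expected = @{ AllowTSConnections = 1 } },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
     Expected = @{ MaxConnectionTime = 0; MaxDisconnectionTime = 0; MaxIdleTime = 0; SecurityLayer = 1 } },
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
     Expected = @{ fDenyTSConnections = 0; fAllowUnsolicited = 1; UserAuthentication = 0
                   MaxDisconnectionTime = 0; MaxIdleTime = 0 } }
)

function Get-FilecoderAesniRegistryFindings {
    $findings = @()
    foreach ($check in $Checks) {
        $item = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
        if (-not $item) { continue }          # key absent: nothing to report for it
        foreach ($name in $check.Expected.Keys) {
            $actual = $item.$name
            # Compare as strings so REG_DWORD and REG_SZ values are handled the same way.
            if ($null -ne $actual -and "$actual" -eq "$($check.Expected[$name])") {
                $findings += [pscustomobject]@{ Key = $check.Path; Name = $name; Value = $actual }
            }
        }
    }
    # Any Debugger value under the IFEO key for Magnify.exe is suspicious whatever its content:
    # it redirects a tool reachable from the logon screen to another program.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe'
    $dbg = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += [pscustomobject]@{ Key = $ifeo; Name = 'Debugger'; Value = $dbg } }
    # The LegalNoticeText written by the trojan starts with "Dear Owner"; match on that prefix.
    $winlogon = $Checks[0].Path
    $notice = (Get-ItemProperty -Path $winlogon -Name LegalNoticeText -ErrorAction SilentlyContinue).LegalNoticeText
    if ($notice -like 'Dear Owner*') {
        $findings += [pscustomobject]@{ Key = $winlogon; Name = 'LegalNoticeText'; Value = $notice }
    }
    return $findings
}

$result = @(Get-FilecoderAesniRegistryFindings)
if ($result.Count -eq 0) { 'No Filecoder.AESNI.B registry indicators found.' }
else { $result | Format-Table -AutoSize }
```

A single RDP value such as fDenyTSConnections = 0 is also set by legitimate administration, so treat the Winlogon notice, the IFEO Debugger value and the full set of Terminal Server changes together as the indicator, not any one value alone.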

The trojan may create the following files:

  • %commonappdata%\%variable%.key.decrypr_helper@freemail_hu

A string with variable content is used instead of %variable%.


The trojan may delete the following files:

  • %malwarefolder%\auth.txt
  • %malwarefolder%\info.txt
  • %malwarefolder%\ip.txt

The trojan may delete the following folders:

  • %systemdrive%\$RECYCLE.BIN

The following services are disabled:

  • Acronis VSS Provider
  • AcronisAgent
  • AcronisFS
  • AcronisPXE
  • AcrSch2Svc
  • ADHelper100
  • AdobeARMservice
  • Agent.exe
  • Altaro
  • Altaro.SubAgent.exe
  • Altaro.UI.Service.exe
  • AMS
  • Apache2.2
  • Apache2.4
  • ARSM
  • BackupExecAgentAccelerator
  • BackupExecAgentBrowser
  • BackupExecDeviceMediaService
  • BackupExecJobEngine
  • BackupExecManagementService
  • BackupExecRPCService
  • bedbg
  • Browser
  • cbVSCService11
  • CertPropSvc
  • CertSvc
  • CobianBackup11
  • ComarchAutomatSynchronizacji
  • ComarchML
  • ComarchUpdateAgentService
  • CrashPlanService
  • dashboardMD Sync
  • DataCollectorSvc
  • dbupdate
  • dbupdatem
  • DbxSvc
  • DLOAdminSvcu
  • DLOMaintenanceSvc
  • DomainManagerProviderSvc
  • EDBSRVR
  • eXchange POP3 6.0
  • FBSServer
  • FBSWorker
  • FirebirdGuardianDefaultInstance
  • FirebirdServerDefaultInstance
  • GenetecSecurityCenterMobileServer
  • GenetecServer
  • GenetecWatchdog
  • HyperV
  • KAORCMP999467066507407
  • LMIRfsDriver
  • LogisticsServicesHost800
  • MELCS
  • memcached Server
  • MEMTAS
  • MEPOCS
  • MEPOPS
  • MESMTPCS
  • MicroMD AutoDeploy
  • MicroMD Connection Service
  • MICROMD72ONCOEMR
  • MMS
  • MsDtsServer
  • MsDtsServer100
  • MSExchangeADTopology
  • MSExchangeAntispamUpdate
  • MSExchangeEdgeSync
  • MSExchangeFBA
  • MSExchangeFDS
  • MSExchangeImap4
  • MSExchangeIS
  • MSExchangeMailboxAssistants
  • MSExchangeMailSubmission
  • MSExchangeMonitoring
  • MSExchangePop3
  • MSExchangeRep
  • MSExchangeRepl
  • MSExchangeSA
  • MSExchangeSearch
  • MSExchangeServiceHost
  • MSExchangeTransport
  • MSExchangeTransportLogSearch
  • msftesql$SBSMONITORING
  • msftesql-Exchange
  • MSSQL$ACRONIS
  • MSSQL$BKUPEXEC
  • MSSQL$MICROSOFT##SSEE
  • MSSQL$MICROSOFT##WID
  • MSSQL$PROBA
  • MSSQL$SBSMONITORING
  • MSSQL$SHAREPOINT
  • MSSQL$SQL2005
  • MSSQL$SQLEXPRESS
  • MSSQL$VEEAMSQL2008R2
  • MSSQLFDLauncher
  • MSSQLFDLauncher$PROBA
  • MSSQLFDLauncher$SBSMONITORING
  • MSSQLFDLauncher$SHAREPOINT
  • MSSQLServer
  • MSSQLServerADHelper
  • MSSQLServerADHelper100
  • MSSQLServerOLAPService
  • MSSQLSERVR
  • MySQL
  • MySQL56
  • NAVSERVER
  • ONCOEMR2MICROMD7
  • PleskControlPanel
  • PleskSQLServer
  • plesksrv
  • PopPassD
  • postgresql-8.4.spiceworks.QuickBooksDB23
  • PRIMAVERAWindowsService
  • PrimaveraWS800
  • PrimaveraWS900
  • QBCFMonitorService
  • QBFCService
  • QBVSS
  • QuickBooksDB25
  • RBMS_OptimaBI
  • RBSS_OptimaBI
  • RemoteService.exe
  • RemoteSystemMonitorService
  • ReportServer
  • SBOClientAgent
  • ServerService
  • sesvc
  • ShadowProtectSvc
  • SPAdminV4
  • SPSearch4
  • SPTimerV3
  • SPTrace
  • SPTraceV4
  • SPWriter
  • SPWriterV4
  • SQLAgent$PROBA
  • SQLAgent$SBSMONITORING
  • SQLAgent$SHAREPOINT
  • SQLAgent$SQLEXPRESS
  • SQLAgent$VEEAMSQL2008R2
  • SQLBrowser
  • SQLSERVERAGENT
  • SQLWriter
  • stc_raw_agent
  • StorageNode
  • swprv
  • TeamViewer
  • TTESCheduleServer800
  • vds
  • Veeam Backup and Replication Service
  • Veeam Backup Catalog Data Service
  • VeeamCatalogSvc
  • VeeamCloudSvc
  • VeeamDeploymentService
  • VeeamMountSvc
  • VeeamNFSSvc
  • VeeamTransportSvc
  • vmicvss
  • vmms
  • VSNAPVSS
  • VSS
  • W32Time
  • W3SVC
  • WAN
  • WinVNC4
  • wsbexchange
  • WSearch
  • WseComputerBackupSvc
  • WseEmailSvc
  • WseHealthSvc
  • WseMediaSvc
  • WseMgmtSvc
  • WseNtfSvc
  • WseStorageSvc
  • WSS_ComputerBackupProviderSvc
  • WSS_ComputerBackupSvc
  • zBackupAssistService
  • ZWCService

The following programs are terminated:

  • acrobat.exe
  • acrord32.exe
  • acrotray.exe
  • agentmon.exe
  • apcsystray.exe
  • autodeployservice.exe
  • cbinterface.exe
  • cobian.exe
  • comarch opt!ma.exe
  • conime.exe
  • couchpotato.exe
  • crashplantray.exe
  • dbxsvc.exe
  • dns.exe
  • dropbox.exe
  • edgetransport.exe
  • excel.exe
  • fb_inet_server.exe
  • fbsserver.exe
  • fbsworker.exe
  • fdhost.exe
  • fdlauncher.exe
  • googlecrashhandler.exe
  • googlecrashhandler64.exe
  • googleupdate.exe
  • httpd.exe
  • iexplore.exe
  • ilsvc.exe
  • inetinfo.exe
  • ismserv.exe
  • javaw.exe
  • jucheck.exe
  • jusched.exe
  • lc2.exe
  • lua.exe
  • lync.exe
  • mad.exe
  • mainserv.exe
  • melsc.exe
  • memcached.exe
  • mepops.exe
  • mesmtpc.exe
  • microsoft.exchange.antispamupdatesvc.exe
  • microsoft.exchange.contentfilter.wrapper.exe
  • microsoft.exchange.search.exsearch.exe
  • microsoft.exchange.servicehost.exe
  • mmc.exe
  • mqsvc.exe
  • msaccess.exe
  • msdtssrvr.exe
  • msexchangefds.exe
  • msexchangemailboxassistants.exe
  • msexchangemailsubmission.exe
  • msexchangetransportlogsearch.exe
  • msftefd.exe
  • msftesql.exe
  • msmdsrv.exe
  • msoia.exe
  • mysqld.exe
  • mysqld-nt.exe
  • nssm.exe
  • nvidia web helper.exe
  • onenoteim.exe
  • onenotem.exe
  • outlook.exe
  • php.exe
  • php-cgi.exe
  • plex media server.exe
  • plexscripthost.exe
  • powershell.exe
  • pvlsvr.exe
  • python.exe
  • qbcfmonitorservice.exe
  • qbdbmgrn.exe
  • qbupdate.exe
  • qbw32.exe
  • rdrcef.exe
  • regedit.exe
  • reportingservicesservice.exe
  • sabnzbd.exe
  • sap business one.exe
  • servermanager.exe
  • sharedservicehost.exe
  • skype.exe
  • sqlagent.exe
  • sqlbrowser.exe
  • sqlservr.exe
  • sqlwriter.exe
  • srvany.exe
  • ssms.exe
  • steam.exe
  • steamwebhelper.exe
  • store.exe
  • subiekt.exe
  • synchronizationservice.exe
  • systemsettings.exe
  • tabtip.exe
  • tabtip32.exe
  • teamviewer_service.exe
  • terminal.exe
  • trayapplication.exe
  • vds.exe
  • vssvc.exe
  • w3wp.exe
  • winvnc4.exe
  • winword.exe
  • wordpad.exe
  • wscript.exe
