Win32/Filecoder.BTCWare [Threat Name] go to Threat

Win32/Filecoder.BTCWare.A [Threat Variant Name]

Category trojan
Size 489472 B
Detection created Apr 12, 2017
Detection database version 15245
Short description

Win32/Filecoder.BTCWare.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­mtrea.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "crptxxx" = "%appdata%\­mtrea.exe"
Payload information

Win32/Filecoder.BTCWare.A is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • .1c
  • .3fr
  • .3fr
  • .accdb
  • .accdb
  • .ai
  • .ai
  • .arw
  • .arw
  • .bay
  • .bay
  • .cdr
  • .cer
  • .cr2
  • .crt
  • .crw
  • .dbf
  • .dcr
  • .der
  • .dng
  • .doc
  • .docm
  • .docx
  • .dwg
  • .dxf
  • .dxg
  • .eps
  • .erf
  • .indd
  • .jpe
  • .jpg
  • .kdc
  • .mdb
  • .mdf
  • .mef
  • .mk
  • .mp3
  • .mp4
  • .mrw
  • .nef
  • .nrw
  • .odb
  • .odc
  • .odm
  • .odp
  • .ods
  • .odt
  • .orf
  • .p12
  • .p7b
  • .p7c
  • .pdd
  • .pdf
  • .pdf
  • .pef
  • .pem
  • .pfx
  • .ppt
  • .pptm
  • .pptx
  • .psd
  • .pst
  • .ptx
  • .r3d
  • .rar
  • .raw
  • .rtf
  • .rw2
  • .rwl
  • .sr2
  • .srf
  • .srw
  • .tif
  • .wb2
  • .wma
  • .wpd
  • .wps
  • .x3f
  • .xlk
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx

The trojan encrypts the file content.


The AES-256 encryption algorithm is used.


The name of the encrypted file is changed to:

  • %originalfilepath%.crptxxx

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


It communicates via the Tor anonymity network. The trojan contains a list of (2) URLs.


The trojan creates the following file:

  • %startup%\­decrypt.txt

This way the trojan ensures that the file is executed on every system start.


It contains the following text:

  • Warning!
  • All your files are encrypted with AES algorithm
  • For decrypt use this instructions:
  • Download tor browser
  • Run tor and go to: http://%removed%.onion/
  • Or you can use tor2web services
  • http://%removed%.onion.to/
  • in log panel enter your id (%variable%)
  • follow next instructions
  • if server is down, try connect later
  • locker version 1.0.0

A string with variable content is used instead of %variable% .

Other information

The trojan performs no action if it detects a running process containing one of the following strings in its name:

  • VBoxService.exe

The following file is deleted:

  • %appdata%\­mtrea.exe:Zone.Identifier

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­mscloq]
  • [HKEY_CURRENT_USER\­Software\­Classes\­mscfile\­shell\­open\­command]
    • "(Default)" = "vssadmin delete shadows /all"

The trojan executes the following command:

  • eventvwr

The following Registry entry is deleted:

  • [HKEY_CURRENT_USER\­Software\­Classes\­mscfile\­shell\­open\­command]

The trojan terminates processes with any of the following strings in the name:

  • eventvwr
  • eventvwr.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.