Win32/Filecoder.Crypt888 [Threat Name]

Win32/Filecoder.Crypt888.B [Threat Variant Name]

Category trojan
Size 1719380 B
Detection created Dec 03, 2016
Detection database version 14547
Aliases Ransom:Win32/Pocrimcrypt.A (Microsoft)
Short description

Win32/Filecoder.Crypt888.B is a trojan that encrypts files on local drives. To restore files to their original state, the user is requested to send an e-mail to a specified address in exchange for a password/instructions.

Installation

The trojan does not create any copies of itself.


The trojan drops one of the following files in the %temp% folder:

  • 32.cab (48879 B, Win32/Spy.Banker.ADES)
  • 64.cab (51101 B, Win64/Spy.Banker.AK)

The trojan may execute the following commands:

  • cmd.exe /c wusa %temp%\32.cab /quiet /extract:%windir%\system32\migwiz\& exit
  • cmd.exe /c wusa %temp%\64.cab /quiet /extract:%windir%\system32\migwiz\& exit

Payload information

Win32/Filecoder.Crypt888.B is a trojan that encrypts files on local drives.


It skips files in the following directories:

  • C:\

The trojan searches for files stored in the following folders:

  • %desktop%
  • %userprofile%\AppData\Roaming
  • %userprofile%\AppData\Local
  • %drive%
  • %userprofile%\Music
  • %userprofile%\Pictures
  • %userprofile%\Videos
  • %userprofile%\Documents
  • C:\Users\Public\Documents
  • C:\Users\Public\Pictures
  • C:\Users\Public\Videos

The trojan encrypts the file content.


The DES encryption algorithm is used.


The name of the encrypted file is changed to:

  • Lock.%originalfilename%

To restore files to their original state, the user is requested to send an e-mail to a specified address in exchange for a password/instructions.


The following file is dropped:

  • %temp%\wl.jpg (976068 B)

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "Wallpaper" = "%temp%\wl.jpg"

Other information

The trojan creates the following file:

  • %temp%\888.vbs

The file is then executed.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLUA" = 0

The trojan may create the following files:

  • %temp%\8x8x8
