Win32/Filecoder.Spora [Threat Name]

Win32/Filecoder.Spora.A [Threat Variant Name]

Category trojan
Size 96256 B
Detection created Jan 11, 2017
Signature database version 14751
Aliases Trojan-Ransom.Win32.Spora.aey (Kaspersky)
  Trojan.PWS.Sphinx.2 (Dr.Web)
  Ransom:Win32/Spora!rfn (Microsoft)
Short description

Win32/Filecoder.Spora.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan does not create any copies of itself.

Spreading

The trojan copies itself into the root folders of fixed and/or removable drives using a random filename.


The trojan tries to copy itself into shared folders of machines on a local network.


The following files are dropped in the same folder:

  • %foldername%.lnk

The name of the shortcut is typically taken from an existing file or folder in the same location.


These are shortcuts that point to the trojan's own copy, so a user who opens what looks like a familiar folder or document runs the trojan instead.
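The spreading artifact described above (a random-named copy in a drive root plus .lnk decoys named after existing items) can be hunted for with a simple name-collision check. The following is an added example, not code from ESET or from the malware; it builds a constructed drive layout in a temporary directory instead of scanning a real device, and the file and folder names in it are made up. It does not check the hidden attribute of the mirrored items, since that is platform specific and the page does not describe it.

```python
"""Hunt for Spora-style decoy shortcuts in a drive root (added example)."""
import tempfile
from pathlib import Path


def decoy_shortcuts(root):
    """Return .lnk files in ``root`` whose name mirrors a sibling folder or file.

    A shortcut named %foldername%.lnk next to the folder it impersonates is
    the pattern described for this trojan; ordinary user shortcuts rarely
    collide with a sibling's name this way.
    """
    root = Path(root)
    entries = list(root.iterdir())
    siblings = set()
    for p in entries:
        if p.suffix.lower() != ".lnk":
            siblings.add(p.name.lower())   # "report.docx"
            siblings.add(p.stem.lower())   # "report"
    found = []
    for p in entries:
        if p.suffix.lower() == ".lnk":
            # Path.stem strips only the final suffix:
            # "Photos.lnk" -> "Photos", "report.docx.lnk" -> "report.docx"
            if p.stem.lower() in siblings:
                found.append(p.name)
    return sorted(found)


def root_executables(root):
    """Executables sitting directly in the drive root; a random-looking name
    next to decoy shortcuts is the candidate dropper to pull for analysis."""
    root = Path(root)
    return sorted(p.name for p in root.iterdir() if p.suffix.lower() == ".exe")


def build_sample_drive():
    """Constructed layout of an infected removable drive (sample data only)."""
    d = Path(tempfile.mkdtemp(prefix="spora_drive_"))
    (d / "Photos").mkdir()
    (d / "report.docx").write_bytes(b"PK\x03\x04")  # placeholder document
    (d / "Photos.lnk").write_bytes(b"")              # decoy mirroring the folder
    (d / "report.docx.lnk").write_bytes(b"")         # decoy mirroring the file
    (d / "notes.lnk").write_bytes(b"")               # ordinary shortcut, no sibling
    (d / "k8s2xq.exe").write_bytes(b"MZ")            # random-named dropper copy
    return d


if __name__ == "__main__":
    drive = build_sample_drive()
    print("decoy shortcuts:", decoy_shortcuts(drive))
    print("root executables:", root_executables(drive))
```

Pointing `decoy_shortcuts` at a real mounted drive (for example `decoy_shortcuts("E:\\")`) gives the list of shortcuts worth inspecting; the shortcut target can then be compared against the executables `root_executables` reports.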

Payload information

Win32/Filecoder.Spora.A is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches local drives for files with the following file extensions:

  • .dot
  • .doc
  • .docx
  • .docm
  • .xls
  • .xlsx
  • .xlsm
  • .xlsb
  • .xltx
  • .xltm
  • .odt
  • .rtf
  • .pdf
  • .bpdx
  • .pptx
  • .pptm
  • .potx
  • .potm
  • .ppsx
  • .ppsm
  • .psd
  • .dwg
  • .cdr
  • .cd
  • .1cd
  • .dbf
  • .sqlite
  • .dt
  • .cf
  • .cfu
  • .epf
  • .log
  • .lgf
  • .lgp
  • .elf
  • .cdn
  • .efd
  • .geo
  • .gsf
  • .jpg
  • .jpeg
  • .tiff
  • .bmp
  • .zip
  • .rar
  • .7z
  • .backup
  • .docxml
  • .xlam
  • .tib
  • .bak
  • .bak1
  • .bak2
  • .bak3
  • .bak4
  • .002
  • .003
  • .004
  • .005
  • .006
  • .007
  • .008
  • .009
  • .010
  • .wbk
  • .ful
  • .wbcat
  • .backupdb
  • .pdb
  • .mdb
  • .accdb
  • .ace
  • .arj
  • .tar
  • .cab
  • .cfg
  • .dxf
  • .dwf
  • .vbox
  • .vdi
  • .vhd
  • .vhdx
  • .vmdk
  • .vmsd
  • .vmx
  • .vmxf
  • .vob
  • .pfx
  • .cer
  • .key
  • .lic
  • .sql
  • .sql1
  • .sql2
  • .db3
  • .dbs
  • .frm
  • .ldf
  • .sdb
  • .tmd
  • .sdf
  • .iso
  • .mdf
  • .mds
  • .bin
  • .nrg
  • .cue
  • .wmv
  • .mp4
  • .avi
  • .msg
  • .email

It skips files whose path contains any of the following strings:

  • windows
  • program files
  • program files (x86)
  • games

The trojan encrypts the file content.


A combination of the RSA and AES encryption algorithms is used.


The trojan creates the following files:

  • %appdata%\­%variable%.html
  • %startup%\­%variable%.html
  • %drive%\­%variable%.html

A string with variable content is used instead of %variable%.


To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


Examples of the ransom note are shown on the original page as images (not reproduced here).

Other information

The trojan keeps various information in the following files:

  • %appdata%\­%variable1%
  • %appdata%\­%variable2%

A string with variable content is used instead of %variable1-2%.


The following Registry entry is deleted:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Classes\­lnkfile\­IsShortcut]

Deleting this value removes the arrow overlay Windows draws on shortcut icons, so the dropped .lnk files are indistinguishable at a glance from the folders and files they are named after.

The trojan may execute the following commands:

  • wmic.exe process call create "cmd.exe /c vssadmin.exe delete shadows /quiet /all"
  • cmd.exe /c %malwarefilepath% /u

The first command deletes all Volume Shadow Copies, removing the snapshots that could otherwise be used to restore encrypted files. Launching it through wmic.exe means the cmd.exe child is created by the WMI provider host (WmiPrvSE.exe) rather than by the trojan itself, which breaks the parent/child process link that detections commonly rely on.

The trojan attempts to delete the following file:

  • %malwarefilepath%:Zone.Identifier

Zone.Identifier is the alternate data stream that carries the Mark of the Web; removing it from its own file clears the "downloaded from the Internet" marking and the warnings that depend on it.
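The behaviours listed in this section (shadow-copy deletion via wmic.exe, removal of the IsShortcut value, and .lnk files written to a drive root) are observable in endpoint telemetry. The block below is an added example, not ESET's code: it runs three detection rules over Sysmon-style event records constructed inline. The field names follow Sysmon's ProcessCreate (Event ID 1), RegistryEvent (Event ID 12) and FileCreate (Event ID 11) schemas, but the records, paths and image names are made up.

```python
"""Detection rules for the Spora behaviours above, run over constructed
Sysmon-style events (added example, not code from the original page)."""
import re

# Constructed sample telemetry. Two benign records are included to show the
# rules do not fire on ordinary shortcut creation or read-only vssadmin use.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"E:\f3k9x2.exe",
     "CommandLine": 'wmic.exe process call create "cmd.exe /c vssadmin.exe delete shadows /quiet /all"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",   # parent is WMI, not the malware
     "CommandLine": "cmd.exe /c vssadmin.exe delete shadows /quiet /all"},
    {"EventID": 12, "EventType": "DeleteValue", "Image": r"E:\f3k9x2.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\lnkfile\IsShortcut"},
    {"EventID": 11, "Image": r"E:\f3k9x2.exe",
     "TargetFilename": r"E:\Photos.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",               # benign
     "TargetFilename": r"C:\Users\alice\Desktop\Notepad.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",       # benign
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},
]

SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
IS_SHORTCUT = re.compile(r"\\Classes\\lnkfile\\IsShortcut$", re.I)
ROOT_LNK = re.compile(r"^[A-Za-z]:\\[^\\]+\.lnk$", re.I)   # X:\name.lnk, nothing deeper


def match_event(ev):
    """Return the names of the rules an event triggers (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:
        if SHADOW_DELETE.search(ev.get("CommandLine", "")):
            hits.append("shadow_copy_deletion")
            # Flag the WMI indirection separately: the real dropper only appears
            # as the parent of wmic.exe, never of the cmd.exe that does the work.
            via_wmi = ("wmic" in ev.get("Image", "").lower()
                       or "wmiprvse" in ev.get("ParentImage", "").lower())
            if via_wmi:
                hits.append("shadow_copy_deletion_via_wmi")
    elif eid == 12:
        if (ev.get("EventType") == "DeleteValue"
                and IS_SHORTCUT.search(ev.get("TargetObject", ""))):
            hits.append("lnk_arrow_overlay_removed")
    elif eid == 11:
        if ROOT_LNK.match(ev.get("TargetFilename", "")):
            hits.append("lnk_dropped_in_drive_root")
    return hits


def scan(events):
    """All (rule, event) pairs over a batch of events."""
    return [(rule, ev) for ev in events for rule in match_event(ev)]


def dropper_candidates(events):
    """Images that touched the registry value or wrote a root .lnk, plus the
    parent of any wmic.exe that deleted shadows: the binaries to pull first."""
    out = set()
    for rule, ev in scan(events):
        if rule in ("lnk_arrow_overlay_removed", "lnk_dropped_in_drive_root"):
            out.add(ev["Image"])
        elif rule == "shadow_copy_deletion_via_wmi" and "wmic" in ev["Image"].lower():
            out.add(ev["ParentImage"])
    return sorted(out)


if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(rule, "<-", ev.get("CommandLine") or ev.get("TargetObject") or ev.get("TargetFilename"))
    print("dropper candidates:", dropper_candidates(SAMPLE_EVENTS))
```

The shadow-copy rule matches on the command line rather than on process ancestry precisely because the wmic.exe hop reparents the cmd.exe child under WmiPrvSE.exe; `dropper_candidates` recovers the originating binary from the parent of wmic.exe instead.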
