Python/Filecoder [Threat Name]
Python/Filecoder.A [Threat Variant Name]
Category: trojan
Short description
Python/Filecoder.A is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to send information or a certain amount of money via the Bitcoin payment service. The file is run-time compressed using RAR SFX.
Installation
The trojan extracts the archive content into the following folder:
- %currentfolder%
The trojan creates the following files:
- %currentfolder%\atk.pyd (208384 B)
- %currentfolder%\back.png (3417 B)
- %currentfolder%\bz2.pyd (68608 B)
- %currentfolder%\cairo._cairo.pyd (69632 B)
- %currentfolder%\Crypto.Cipher._AES.pyd (29184 B)
- %currentfolder%\favicon.png (3675 B)
- %currentfolder%\final-step.png (21592 B)
- %currentfolder%\freetype6.dll (538324 B)
- %currentfolder%\gdiplus.dll (1351168 B)
- %currentfolder%\gio._gio.pyd (263168 B)
- %currentfolder%\glib._glib.pyd (58368 B)
- %currentfolder%\gobject._gobject.pyd (113152 B)
- %currentfolder%\gtk._gtk.pyd (1882624 B)
- %currentfolder%\intl.dll (152489 B)
- %currentfolder%\libatk-1.0-0.dll (163476 B)
- %currentfolder%\libcairo-2.dll (1294335 B)
- %currentfolder%\libexpat-1.dll (143096 B)
- %currentfolder%\libfontconfig-1.dll (279059 B)
- %currentfolder%\libgdk-win32-2.0-0.dll (932373 B)
- %currentfolder%\libgdk_pixbuf-2.0-0.dll (285194 B)
- %currentfolder%\libgio-2.0-0.dll (1222182 B)
- %currentfolder%\libglib-2.0-0.dll (1242929 B)
- %currentfolder%\libgmodule-2.0-0.dll (36986 B)
- %currentfolder%\libgobject-2.0-0.dll (341594 B)
- %currentfolder%\libgthread-2.0-0.dll (44287 B)
- %currentfolder%\libgtk-win32-2.0-0.dll (4939820 B)
- %currentfolder%\libpango-1.0-0.dll (333729 B)
- %currentfolder%\libpangocairo-1.0-0.dll (104729 B)
- %currentfolder%\libpangoft2-1.0-0.dll (815421 B)
- %currentfolder%\libpangowin32-1.0-0.dll (108945 B)
- %currentfolder%\libpng14-14.dll (230529 B)
- %currentfolder%\library.zip (818391 B)
- %currentfolder%\msvcr90.dll (653120 B)
- %currentfolder%\nextGD.png (3365 B)
- %currentfolder%\pango.pyd (111616 B)
- %currentfolder%\pangocairo.pyd (17920 B)
- %currentfolder%\pay.png (3233 B)
- %currentfolder%\python27.dll (2454016 B)
- %currentfolder%\pythoncom27.dll (396800 B)
- %currentfolder%\pywintypes27.dll (110080 B)
- %currentfolder%\rugui.glade (31363 B)
- %currentfolder%\select.pyd (10240 B)
- %currentfolder%\step-1.png (28293 B)
- %currentfolder%\step-3.png (25308 B)
- %currentfolder%\step-4.png (22171 B)
- %currentfolder%\step2-2.png (27033 B)
- %currentfolder%\unicodedata.pyd (686080 B)
- %currentfolder%\wall.bmp (68056 B)
- %currentfolder%\win32api.pyd (100352 B)
- %currentfolder%\win32com.shell.shell.pyd (381952 B)
- %currentfolder%\win32file.pyd (119808 B)
- %currentfolder%\win32gui.pyd (167936 B)
- %currentfolder%\win32wnet.pyd (25088 B)
- %currentfolder%\windbyit.exe (734208 B)
- %currentfolder%\zlib1.dll (100352 B)
- %currentfolder%\_ctypes.pyd (87552 B)
- %currentfolder%\_hashlib.pyd (715264 B)
- %currentfolder%\_socket.pyd (46080 B)
- %currentfolder%\_ssl.pyd (1160704 B)
- %currentfolder%\CryptoLocker\favicon.ico (2550 B)
- %currentfolder%\CryptoLocker\index.html (12192 B)
- %currentfolder%\CryptoLocker\assets\css\style.css (8472 B)
- %currentfolder%\CryptoLocker\assets\css\img\info.png (686 B)
- %currentfolder%\CryptoLocker\assets\css\img\warning.png (607 B)
- %currentfolder%\CryptoLocker\assets\images\1.jpg (376395 B)
- %currentfolder%\CryptoLocker\assets\images\2.jpg (447613 B)
- %currentfolder%\CryptoLocker\assets\images\3.jpg (375404 B)
- %currentfolder%\CryptoLocker\assets\images\4.jpg (77567 B)
- %currentfolder%\CryptoLocker\assets\images\5.jpg (45489 B)
- %currentfolder%\CryptoLocker\assets\images\6.jpg (432011 B)
- %currentfolder%\CryptoLocker\assets\images\btc.png (4348 B)
- %currentfolder%\CryptoLocker\assets\js\jquery.easing.js (8097 B)
- %currentfolder%\CryptoLocker\assets\js\jquery.js (247823 B)
- %currentfolder%\CryptoLocker\assets\js\jquery.scrollTo.js (2252 B)
- %currentfolder%\CryptoLocker\assets\js\script.js (3741 B)
- %currentfolder%\CryptoLocker\assets\js\google-code-prettify\prettify.css (815 B)
- %currentfolder%\CryptoLocker\assets\js\google-code-prettify\prettify.js (13632 B)
- %appdata%\Seatle202141\l00000iiiiillll.blc
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "seattle" = "%currentfolder%\windbyit.exe"
The trojan displays the following dialog boxes:
Payload information
The trojan encrypts files on local disks.
The trojan searches local drives for all files except those with the following file extensions:
- .pyd
- .blc
- .lnk
- .avi
- .dat
- .reg
- .ico
- .flv
- .m4v
- .mov
- .mp4
- .mpg
- .rm
- .swf
- .vob
- .wmv
- .3gp
- .xvid
- .divx
- .bsf
- .mpeg
- .mkv
- .sys
- .edb
- .dmp
- .dll
- .exe
- .msi
- .ini
- .cab
- .cpl
- .tmp
- .torrent
- .bat
- .com
- .drv
- .fnt
- .fon
The trojan encrypts the file content.
The AES encryption algorithm is used.
To decrypt the files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.
The trojan saves the list of encrypted files into the following file:
- %appdata%\Seatle202141\fileorglist%drive%.blc
Information stealing
The trojan collects the following information:
- computer name
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 2 URLs. The HTTP protocol is used.
The trojan moves the following files (source, destination):
- %currentfolder%\wall.bmp, %appdata%\wall.bmp (68056 B)
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Control Panel\Desktop]
- "Wallpaper" = "%appdata%\wall.bmp"
- "WallpaperStyle" = 0
- "TileWallpaper" = 0
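As an added triage example (not part of the ESET description and not the trojan's own code), the following PowerShell script checks the current user profile for the artifacts listed above: the "seattle" Run value, the %appdata%\Seatle202141 staging folder with its .blc files, and the wallpaper Registry change. The variable names are my own; it only reads and reports, it removes nothing.

```powershell
# Added triage check for Python/Filecoder.A artifacts (example code, not ESET's).
# Run in the context of the affected user; read-only, reports findings as strings.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$deskKey = 'HKCU:\Control Panel\Desktop'
$stage   = Join-Path $env:APPDATA 'Seatle202141'
$findings = @()

# 1. Persistence: Run value "seattle" pointing at windbyit.exe
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['seattle']) {
    $target = $run.seattle
    $findings += "Run value 'seattle' present: $target"
    if ($target -match 'windbyit\.exe$' -and (Test-Path -LiteralPath $target)) {
        $findings += "Dropper still on disk: $target"
    }
}

# 2. Staging folder holding the encrypted-file lists (fileorglist<drive>.blc)
#    and the l00000iiiiillll.blc marker; keep these for scoping before any cleanup.
if (Test-Path -LiteralPath $stage) {
    $findings += "Staging folder present: $stage"
    Get-ChildItem -LiteralPath $stage -Filter '*.blc' -File |
        ForEach-Object { $findings += ("  .blc file: {0} ({1} B)" -f $_.Name, $_.Length) }
}

# 3. Wallpaper swap: Wallpaper set to %appdata%\wall.bmp with style/tile 0
$desk = Get-ItemProperty -Path $deskKey -ErrorAction SilentlyContinue
if ($desk -and $desk.Wallpaper -like '*\wall.bmp') {
    $findings += "Wallpaper points at $($desk.Wallpaper) (WallpaperStyle=$($desk.WallpaperStyle), TileWallpaper=$($desk.TileWallpaper))"
}

if ($findings.Count -eq 0) { 'No Python/Filecoder.A artifacts found for this user profile.' }
else { $findings }
```

The fileorglist%drive%.blc lists are the trojan's own record of which files it encrypted, so copy them out before remediation: they give the affected-file inventory for restoring from backup.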