Win32/Filecoder.AESNI [Threat Name]
Win32/Filecoder.AESNI.A [Threat Variant Name]
Category | trojan
Size | 830464 B
Aliases | Variant.Ransom.Xdata.3 (BitDefender)
Short description
Win32/Filecoder.AESNI.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to send information and a certain amount of money via the Bitcoin payment service.
Installation
The trojan does not create any copies of itself.
The trojan creates and runs a new thread with its own program code within the following processes:
- %system%\svchost.exe
The trojan then removes itself from the computer.
Payload information
Win32/Filecoder.AESNI.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to send information and a certain amount of money via the Bitcoin payment service.
The trojan searches local drives for all files except those with the following file extensions:
- .dll
- .exe
- .lnk
- .lock
- .msi
- .mui
- .sys
It avoids files from the following directories:
- %desktop%
- %windir%
The trojan encrypts the file content.
The AES and RSA encryption algorithms are used.
The extension of the encrypted files is changed to:
- %filepath%.lock
When searching the drives, the trojan creates the following file in every folder visited:
- !Read__Me.tXt
It contains the following text:
- IMPORTANT: When writing us on e-mail, you must specify the following ID:
- ---
- ID WIN-AAAAAAAAAAA#F9ED3B097872CA69D3D0E3F53CAAA364
- ---
- Decoding Files 1 Bitcoin (~700$), tomorrow 2 Bitcoin (~1400$)
- translation at the expense of Bitcoin
- 1ERvN8gQEw6rFEYDbdxyJzXcd5FSAnukJL
- Buy Bitcoin here https://localbitcoins.com or
- https://www.buybitcoinworldwide.com/find-exchange/ or
- https://www.coinbase.com or
- https://www.xmlgold.eu or
- any other exchanger
- or
- write to Google how to buy Bitcoin in your country?
- after payment you will receive a program that automatically decrypts all your files
- mail support rescuers@india.com
- NO money =NO decryption
Information stealing
The trojan collects the following information:
- computer name
- operating system version
- user name
The trojan attempts to send gathered information to a remote machine.
The trojan contains a URL. It communicates via the Tor anonymity network.
Other information
The trojan creates the following files:
- %temp%\%tempfile%.bat
The trojan executes the following commands:
- %temp%\%tempfile%.bat
- %system%\vssadmin.exe Delete Shadows /All
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  "LegalNoticeCaption" = "Microsoft Windows Security Center"
  "LegalNoticeText" = "Dear Owner. Bad news: your server was hacked.
  For more information and recommendations, write to our experts by e-mail.
  When you start Windows, Windows Defender works to help protect
  your PC by scanning for malicious or unwanted software."
The trojan may delete the following folders:
- %systemdrive%\$RECYCLE.BIN
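As an added defender-side example (not ESET's code and not the malware's), the following Python triage routine maps the host behaviours listed on this page (the vssadmin shadow-copy deletion, the Winlogon LegalNotice values, the !Read__Me.tXt note dropped in every folder and the .lock extension) onto simplified Sysmon-style event records; the record layout and the sample events are constructed here and their field names are assumptions.

```python
import re
from typing import Optional

# Indicators taken from this page; the event layout (type/cmdline/key/value/path)
# is an assumed, simplified Sysmon-like record, not a real log format.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
RANSOM_NOTE = "!read__me.txt"
LOCK_EXT = ".lock"

def classify(event: dict) -> Optional[str]:
    """Return an indicator tag for one event, or None if it matches nothing."""
    kind = event.get("type")
    if kind == "process" and SHADOW_DELETE.search(event.get("cmdline", "")):
        return "shadow-copy-deletion"
    if kind == "registry":
        if (event.get("key", "").lower() == WINLOGON_KEY.lower()
                and event.get("value") in ("LegalNoticeCaption", "LegalNoticeText")):
            return "winlogon-legal-notice"
    if kind == "file":
        path = event.get("path", "").lower()
        if path.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            return "ransom-note-drop"
        if path.endswith(LOCK_EXT):
            return "lock-extension"
    return None

def triage(events: list) -> dict:
    """Group matching events by tag. Shadow deletion or a Winlogon notice alone
    can be legitimate admin activity, so the verdict also needs a file indicator."""
    hits = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.setdefault(tag, []).append(ev)
    host_level = {"shadow-copy-deletion", "winlogon-legal-notice"} & set(hits)
    file_level = {"ransom-note-drop", "lock-extension"} & set(hits)
    return {"hits": hits, "suspicious": bool(host_level and file_level)}

# Constructed sample events mirroring the behaviours described on this page.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All"},
    {"type": "registry", "key": WINLOGON_KEY, "value": "LegalNoticeCaption"},
    {"type": "file", "path": r"C:\Users\alice\Documents\!Read__Me.tXt"},
    {"type": "file", "path": r"C:\Users\alice\Documents\budget.xlsx.lock"},
    {"type": "process", "cmdline": "notepad.exe notes.txt"},  # benign, yields no tag
]
```

Feeding `triage` the first two sample events only returns a non-suspicious verdict, which is the point of requiring a file-level indicator before alerting.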