Win32/Filecoder.Crysis [Threat Name]
Win32/Filecoder.Crysis.P [Threat Variant Name]
Category | trojan |
Size | 94720 B |
Aliases | Trojan-Ransom.Win32.Crusis.to (Kaspersky), Trojan.Encoder.3953 (Dr.Web), Ransom:Win32/Wadhrama (Microsoft) |
Short description
Win32/Filecoder.Crysis.P is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Installation
When executed, the trojan copies itself to some of the following locations:
- %windir%\system32\%originalmalwarefilename%
- %userprofile%\appdata\roaming\microsoft\windows\start menu\programs\startup\%originalmalwarefilename%
- %programdata%\microsoft\windows\start menu\programs\startup\%originalmalwarefilename%
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "%originalmalwarefilename%" = "%windir%\system32\%originalmalwarefilename%"
- "%originalmalwarefilename%" = "%appdata%\%originalmalwarefilename%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%originalmalwarefilename%" = "%windir%\system32\%originalmalwarefilename%"
- "%originalmalwarefilename%" = "%appdata%\%originalmalwarefilename%"
This causes the trojan to be executed on every system start.
Payload information
Win32/Filecoder.Crysis.P is a trojan that encrypts files on fixed, removable and network drives.
The trojan searches for files with the following file extensions:
- *.*
It avoids files which contain any of the following strings in their path:
- c:\windows
- .arrow
It avoids files with the following filenames:
- %originalmalwarefilename%
- boot.ini
- bootfont.bin
- FILES_ENCRYPTED.txt
- info.hta
- io.sys
- ntdetect.com
- ntldr
The trojan encrypts the file content.
An additional ".id-%variable%.[%emailaddress%].arrow" extension is appended.
A string with variable content is used instead of %variable%.
The RSA and AES encryption algorithms are used.
To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
The following files are dropped:
- %desktop%\FILES ENCRYPTED.txt
- %commondesktop%\FILES ENCRYPTED.txt
- %drive%\FILES ENCRYPTED.txt
It contains the following text:
The following files are dropped:
- %appdata%\info.hta
- %commonstartup%\info.hta
- %startup%\info.hta
- %windir%\system32\info.hta
The trojan executes the following commands:
- mshta.exe %commonstartup%\info.hta
- mshta.exe %startup%\info.hta
Some examples follow.
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "%appdata%\info.hta" = "mshta.exe\"%appdata%\info.hta\""
- "%windir%\system32\info.hta" = "mshta.exe\"%windir%\system32\info.hta\""
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%appdata%\info.hta" = "mshta.exe\"%appdata%\info.hta\""
- "%windir%\system32\info.hta" = "mshta.exe\"%windir%\system32\info.hta\""
Other information
The trojan executes the following commands:
- mode con cp select=1251
- vssadmin delete shadows /all /quiet
- exit
The trojan terminates processes with any of the following strings in the name:
- 1c8.exe
- 1cv77.exe
- mysqld.exe
- mysqld-nt.exe
- outlook.exe
- postgres.exe
- sqlservr.exe
The following services are disabled:
- FirebirdGuardianDefaultInstance
- FirebirdServerDefaultInstance
- mssqlserver
- sqlserveradhelper
- sqlwriter
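As an added detection example (not part of the original ESET entry), the script below flags the host-side indicators this entry lists: the appended ".id-%variable%.[%emailaddress%].arrow" extension, the ransom-note file names, and the vssadmin / mode con / mshta.exe info.hta command lines. The (kind, value) event shape and all sample paths and command lines are constructed for illustration, not taken from a real log.

```python
import re

# Extension the entry describes: ".id-%variable%.[%emailaddress%].arrow"
# appended to the original name; the id and e-mail parts vary per victim.
ARROW_EXT_RE = re.compile(r"\.id-[^.\\/\[\]]+\.\[[^\]\\/]+\]\.arrow$", re.IGNORECASE)

# Command lines listed under "Other information", as tolerant regexes so a
# quoted full path to vssadmin.exe still matches.
LISTED_COMMANDS = (
    ("shadow copy deletion", re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows\b', re.I)),
    ("code page switch to 1251", re.compile(r"mode\s+con\s+cp\s+select=1251", re.I)),
)
# Ransom-note names listed in the entry (both spellings appear on the page).
NOTE_NAMES = ("files encrypted.txt", "files_encrypted.txt", "info.hta")


def is_crysis_encrypted_name(path):
    """True if the file name carries the .id-<id>.[<email>].arrow extension."""
    return ARROW_EXT_RE.search(path) is not None


def cmdline_findings(cmdline):
    """Reasons a process command line matches behaviour described in the entry."""
    reasons = [label for label, rx in LISTED_COMMANDS if rx.search(cmdline)]
    low = cmdline.strip().rstrip('"').lower()
    # "mshta.exe <path>\info.hta" opens the HTA ransom note (also set under Run).
    if "mshta.exe" in low and low.endswith("info.hta"):
        reasons.append("mshta.exe launching info.hta")
    return reasons


def scan_events(events):
    """events: iterable of (kind, value), kind "file" or "process" (constructed
    shape for this example). Returns [(value, reason), ...] for every match."""
    hits = []
    for kind, value in events:
        if kind == "file":
            name = value.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if is_crysis_encrypted_name(value):
                hits.append((value, "Crysis .arrow extension"))
            elif name in NOTE_NAMES:
                hits.append((value, "ransom note file name"))
        elif kind == "process":
            hits.extend((value, reason) for reason in cmdline_findings(value))
    return hits


# Constructed sample events (hypothetical host, placeholder e-mail address).
SAMPLE_EVENTS = [
    ("file", r"C:\Users\alice\Documents\budget.xlsx.id-1E2D3C4B.[contact@example.invalid].arrow"),
    ("file", r"C:\Users\alice\Desktop\FILES ENCRYPTED.txt"),
    ("file", r"C:\Users\alice\Documents\budget.xlsx"),
    ("process", r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'),
    ("process", r'mshta.exe "C:\Users\alice\AppData\Roaming\info.hta"'),
    ("process", r"notepad.exe C:\notes.txt"),
]
```

Running `scan_events(SAMPLE_EVENTS)` reports four hits (the encrypted file, the note, the vssadmin line and the mshta line) and ignores the two benign events; the regexes are deliberately tolerant of quoting and case because Run-key values and process logs differ in both.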