Win32/Filecoder.DarkSide [Threat Name]
Win32/Filecoder.DarkSide.B [Threat Variant Name]
Category | trojan
Size | 55296 B
Aliases | Trojan-Ransom.Win32.Encoder.lzn (Kaspersky)
 | Ransom:Win32/DarkSide.DA (Microsoft)
 | Win32:DarkSide-C.[Ransom] (Avast)
 | Trojan.Encoder.33763 (Dr.Web)
Short description
Win32/Filecoder.DarkSide.B is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is requested to comply with the given conditions in exchange for a password/instructions.
Installation
The trojan does not create any copies of itself.
The trojan registers itself as a system service using the following name:
- %variable%
A string with variable content is used instead of %variable%.
Payload information
Win32/Filecoder.DarkSide.B is a trojan that encrypts files on fixed, removable and network drives.
The trojan launches the following processes:
- %malwarefilepath% -work worker%num% job%num%-%PID%
The trojan searches for files with the following file extensions:
- *.*
It avoids files from the following directories:
- $recycle.bin
- $windows.~bt
- $windows.~ws
- all users
- appdata
- application data
- boot
- config.msi
- default
- intel
- mozilla
- msocache
- perflogs
- program files
- program files (x86)
- programdata
- public
- system volume information
- tor browser
- windows
- windows.old
- x64dbg
It avoids files with the following filenames:
- autorun.inf
- boot.ini
- bootfont.bin
- bootsect.bak
- desktop.ini
- iconcache.db
- ntldr
- ntuser.dat
- ntuser.dat.log
- ntuser.ini
- thumbs.db
It avoids files with the following extensions:
- .386
- .adv
- .ani
- .bat
- .bin
- .cab
- .cmd
- .com
- .cpl
- .cur
- .deskthemepack
- .diagcfg
- .diagpkg
- .dll
- .drv
- .exe
- .hlp
- .hta
- .icl
- .icns
- .ico
- .ics
- .idx
- .key
- .ldf
- .lnk
- .lock
- .mod
- .mpa
- .msc
- .msi
- .msp
- .msstyles
- .msu
- .nls
- .nomedia
- .ocx
- .pdb
- .prf
- .ps1
- .rom
- .rtp
- .scr
- .shs
- .spl
- .sys
- .theme
- .thremepack
- .wpx
The trojan encrypts the file content.
The Salsa20 encryption algorithm is used.
An additional .%variable% extension is appended.
The following file is dropped in the same folder:
- README.%variable%.TXT
It contains the following text:
A string with variable content is used instead of %variable%.
To decrypt the files, the user is requested to comply with the given conditions in exchange for a password/instructions.
Information stealing
Win32/Filecoder.DarkSide.B is a trojan that steals sensitive information.
The trojan collects the following information:
- user name
- computer name
- operating system version
- language settings
- disks
The trojan attempts to send gathered information to a remote machine.
The trojan contains a list of 2 URLs. The HTTP protocol is used.
Other information
The trojan may terminate specific running processes.
The following services are disabled:
- backup
- GxBlr
- GxCIMgr
- GxCVD
- GxFWD
- GxVss
- memtas
- mepocs
- sophos
- sql
- svc$
- veeam
- vss
The trojan searches for files with the following names:
- *recycle*
The trojan then deletes the found files.
The trojan may set the following Registry entries:
- [HKEY_CLASSES_ROOT\.%variable%]
- "" = "%variable%"
- [HKEY_CLASSES_ROOT\%variable%\DefaultIcon]
- "" = "%commonappdata%\%variable%.ico"
The following files may be dropped:
- %commonappdata%\%variable%.ico
The trojan may set the following Registry entries:
- [HKEY_USERS\%SID%\Control Panel\Desktop]
- "WallPaper" = "%commonappdata%\%variable%.bmp"
- "WallpaperStyle" = "10"
The following files may be dropped:
- %commonappdata%\%variable%.bmp
This image is set as the desktop wallpaper.
A string with variable content is used instead of %variable%.
The trojan may remove itself from the infected computer.
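The behaviours listed above (the worker command line under "Payload information", the disabled services, and the WallPaper Registry entry) turned into detection logic, added here as an example and not part of the original entry; the event field names and the sample records are constructed assumptions, and %commonappdata% is assumed to resolve to C:\ProgramData.

```python
import re
from collections import Counter

# Constructed telemetry records (not from the entry). Field names are assumptions
# loosely modelled on EDR/Sysmon output; %commonappdata% is taken as C:\ProgramData.
SAMPLE_EVENTS = [
    {"type": "process",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\upd.exe -work worker0 job0-4812"},
    {"type": "process", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "service_stop", "name": "GxVss", "actor": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"type": "service_stop", "name": "veeam", "actor": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"type": "service_stop", "name": "vss", "actor": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"type": "service_stop", "name": "Spooler", "actor": r"C:\Windows\System32\services.exe"},
    {"type": "registry_set", "key": r"HKEY_USERS\S-1-5-21-1\Control Panel\Desktop",
     "value": "WallPaper", "data": r"C:\ProgramData\a9f3c2.bmp"},
]

# Command-line shape from the entry: "<path> -work worker<num> job<num>-<PID>".
WORKER_CMDLINE = re.compile(r"\s-work\s+worker\d+\s+job\d+-\d+\s*$", re.IGNORECASE)
# Services the entry says the trojan disables, compared on the lowercased name.
STOPPED_SERVICES = {"backup", "gxblr", "gxcimgr", "gxcvd", "gxfwd", "gxvss",
                    "memtas", "mepocs", "sophos", "sql", "svc$", "veeam", "vss"}
# [HKEY_USERS\%SID%\Control Panel\Desktop] "WallPaper" = "%commonappdata%\<name>.bmp"
DESKTOP_KEY = re.compile(r"^HKEY_USERS\\S-1-5-[\d-]+\\Control Panel\\Desktop$", re.IGNORECASE)
COMMONAPPDATA_BMP = re.compile(r"^[A-Z]:\\ProgramData\\[^\\]+\.bmp$", re.IGNORECASE)


def classify(event):
    """Label one event with the listed behaviour it matches, or return None."""
    kind = event["type"]
    if kind == "process" and WORKER_CMDLINE.search(event["cmdline"]):
        return "worker_process_launch"
    if kind == "service_stop" and event["name"].lower() in STOPPED_SERVICES:
        return "listed_service_stopped"
    if (kind == "registry_set" and event["value"].lower() == "wallpaper"
            and DESKTOP_KEY.match(event["key"]) and COMMONAPPDATA_BMP.match(event["data"])):
        return "wallpaper_set_from_commonappdata"
    return None


def scan(events):
    """Return (index, label) for every event matching a listed behaviour."""
    return [(i, lbl) for i, e in enumerate(events) if (lbl := classify(e))]


def service_stop_bursts(events, threshold=3):
    """Actors that stopped at least `threshold` listed services. One stop of 'sql'
    or 'vss' is ordinary maintenance noise; a run of them from one image is not."""
    hits = Counter(e["actor"] for e in events if classify(e) == "listed_service_stopped")
    return {actor: n for actor, n in hits.items() if n >= threshold}
```

The per-event labels are meant to be correlated, not alerted on individually: a worker-style command line plus a service-stop burst from the same image is the signal worth paging on.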