Win32/Filecoder [Threat Name]

Win32/Filecoder.ODM [Threat Variant Name]

Category trojan
Size 68608 B
Aliases Ransom:Win32/FileCoder.SG!MTB (Microsoft)
Short description

Win32/Filecoder.ODM is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan is usually delivered as part of other malware detected as PowerShell/Kryptik.AX.


The trojan does not create any copies of itself.

Payload information

Win32/Filecoder.ODM is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • .3ds
  • .3fr
  • .7z
  • .accdb
  • .accdt
  • .aep
  • .ai
  • .apk
  • .arw
  • .asp
  • .asset
  • .avi
  • .backup
  • .bak
  • .bar
  • .bay
  • .bc6
  • .bc7
  • .big
  • .bik
  • .bin
  • .bkf
  • .bkp
  • .blob
  • .bpw
  • .bsa
  • .c
  • .cab
  • .cas
  • .cdf
  • .cdr
  • .cer
  • .cfr
  • .con
  • .cpp
  • .cr2
  • .crt
  • .crw
  • .cs
  • .css
  • .csv
  • .d3dbsp
  • .das
  • .dat
  • .db
  • .db0
  • .dba
  • .dbf
  • .dcr
  • .der
  • .desc
  • .dmp
  • .dng
  • .doc
  • .docm
  • .docx
  • .dot
  • .dotm
  • .dotx
  • .dwfx
  • .dwg
  • .dxf
  • .dxg
  • .eml
  • .epk
  • .eps
  • .erf
  • .esm
  • .fdb
  • .flv
  • .forge
  • .fos
  • .fpk
  • .fsh
  • .gdb
  • .gho
  • .gif
  • .h
  • .hkdb
  • .hkx
  • .hplg
  • .htm
  • .html
  • .hvpl
  • .hxs
  • .chm
  • .ibank
  • .icxs
  • .idx
  • .iso
  • .itdb
  • .itl
  • .itm
  • .iwd
  • .iwi
  • .java
  • .jpe
  • .jpeg
  • .jpg
  • .js
  • .kdb
  • .kdbx
  • .kdc
  • .key
  • .kf
  • .layout
  • .lbf
  • .ldf
  • .litemod
  • .lrf
  • .ltx
  • .lvl
  • .m2
  • .m3u
  • .m4a
  • .map
  • .max
  • .mcmeta
  • .mdb
  • .mdbackup
  • .mddata
  • .mdf
  • .mef
  • .menu
  • .mlx
  • .mov
  • .mp3
  • .mp4
  • .mpqge
  • .mrwref
  • .ncf
  • .nrw
  • .nsf
  • .ntl
  • .odb
  • .odc
  • .odm
  • .odp
  • .ods
  • .odt
  • .orf
  • .oth
  • .p12
  • .p7b
  • .p7c
  • .pak
  • .pdb
  • .pdd
  • .pdf
  • .pef
  • .pem
  • .pfx
  • .php
  • .pkpass
  • .pl
  • .png
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .prf
  • .prproj
  • .ps
  • .psd
  • .psk
  • .pst
  • .ptx
  • .pub
  • .py
  • .qba
  • .qbb
  • .qbw
  • .qbx
  • .qdf
  • .qic
  • .sav
  • .sb
  • .sdf
  • .shtm
  • .shtml
  • .sid
  • .sidd
  • .sidn
  • .sie
  • .sis
  • .sldm
  • .sldx
  • .slm
  • .sln
  • .snx
  • .sql
  • .sr2
  • .srf
  • .srw
  • .stc
  • .sum
  • .svg
  • .sxc
  • .t12
  • .t13
  • .tar
  • .tax
  • .tbl
  • .tib
  • .txt
  • .upk
  • .vcf
  • .vdf
  • .vfs0
  • .vpk
  • .vpp_pc
  • .vtf
  • .w3x
  • .wallet
  • .wav
  • .wdb
  • .wma
  • .wmo
  • .wmv
  • .wpd
  • .wps
  • .x3f
  • .xf
  • .xla
  • .xlam
  • .xlk
  • .xll
  • .xlm
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .xml
  • .z
  • .zip
  • .ztmp

It avoids files from the following directories:

  • Program Files
  • Program Files (x86)
  • System Volume Information
  • Windows

It avoids files with the following filenames:

  • YOUR_FILES_ARE_ENCRYPTED.HTML

The trojan encrypts the file content.


Elliptic-curve (EC) cryptography and the ChaCha20 stream cipher are used.


The encrypted file is renamed by appending a string to the original file path:

  • %originalfilepath%%ec_file_pub_key_hex%

A string with variable content is used instead of %ec_file_pub_key_hex%; as the placeholder name indicates, it is the hex-encoded EC public key belonging to that file. The original extension stays in the name, so encrypted files can be recognized by the hex string that follows it.
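The page names only the primitives (EC and ChaCha20) and the rename rule. The following is an added illustrative model of how such a hybrid scheme fits together; it is not the sample's own code and the page does not confirm any of its details. Assumptions: X25519 as the curve, SHA-256 as the key/nonce derivation, a fresh EC key pair per file whose 32-byte public key (64 hex characters) is the string appended to the path, and an operator key pair of which only the public half is embedded in the malware. What it demonstrates is why the hex tail of an encrypted file name does not help recovery: it is the per-file public key, its private half is discarded after encryption, and only the operator's private key can reproduce the ChaCha20 key.

```python
import hashlib
import os
import struct

# ---- X25519 (RFC 7748 Montgomery ladder) in pure Python so the example runs offline ----
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64                      # clamp the private scalar
    n = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        if swap ^ bit:                               # conditional swap step of the ladder
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * ((da - cb) ** 2) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# ---- ChaCha20 (IETF variant: 32-bit counter, 96-bit nonce) ----
MASK = 0xFFFFFFFF

def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _chacha_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,
             *struct.unpack("<8I", key), counter, *struct.unpack("<3I", nonce)]
    w = list(state)
    for _ in range(10):                              # 20 rounds = 10 column/diagonal double rounds
        _quarter(w, 0, 4, 8, 12); _quarter(w, 1, 5, 9, 13)
        _quarter(w, 2, 6, 10, 14); _quarter(w, 3, 7, 11, 15)
        _quarter(w, 0, 5, 10, 15); _quarter(w, 1, 6, 11, 12)
        _quarter(w, 2, 7, 8, 13); _quarter(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])

def chacha20(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha_block(key, 1 + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)

# ---- Hybrid scheme (assumed construction, see lead-in) ----
def operator_keypair():
    """Key pair that stays with the operator; only the public half ships in the malware."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def _derive(shared: bytes):
    # Assumed KDF: the page does not say how the sample turns the EC secret into key and nonce.
    return hashlib.sha256(b"key" + shared).digest(), hashlib.sha256(b"nonce" + shared).digest()[:12]

def encrypt_file(path: str, plaintext: bytes, operator_pub: bytes):
    eph_priv = os.urandom(32)                        # fresh scalar per file
    eph_pub = x25519(eph_priv, BASEPOINT)
    key, nonce = _derive(x25519(eph_priv, operator_pub))
    del eph_priv                                     # nothing on the victim side can rebuild the secret now
    return path + eph_pub.hex(), chacha20(key, nonce, plaintext)

def decrypt_file(encrypted_path: str, ciphertext: bytes, operator_priv: bytes):
    eph_pub = bytes.fromhex(encrypted_path[-64:])    # the variable string appended to the original path
    key, nonce = _derive(x25519(operator_priv, eph_pub))
    return encrypted_path[:-64], chacha20(key, nonce, ciphertext)

if __name__ == "__main__":
    priv, pub = operator_keypair()
    name, ct = encrypt_file(r"C:\Users\alice\Documents\report.docx", b"quarterly figures", pub)
    print(name)                                      # original path followed by 64 hex characters
    print(decrypt_file(name, ct, priv)[1])
```

Everything a responder can collect from a victim machine (ciphertext, the per-file public key in the name, the operator public key from the binary) is on the public side of the Diffie-Hellman exchange; without the operator private key the ChaCha20 key cannot be recomputed, which is why recovery in such cases depends on backups rather than on the file names.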


The following file is dropped in the same folder:

  • YOUR_FILES_ARE_ENCRYPTED.HTML
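The targeting rules above (extension list, skipped directories, note file name) and the rename rule are enough to scope an incident from a file listing. The following triage scanner is an added example, not code from the page or from the sample: it classifies paths into encrypted files (grouped by the key string appended to the name), dropped notes, untouched at-risk files and paths the trojan skips. Assumptions: the directory exclusions are matched on any path component (the page does not say whether only drive-root directories are skipped), the appended key is at least 16 hex characters long (MIN_SUFFIX_HEX, so a short hex-looking tail such as the "db" of a .pdb file is not mistaken for a key), and the sample listing is constructed.

```python
import os
import re
from collections import defaultdict

# Every extension from the list above, lower-cased and without the dot.
TARGET_EXTENSIONS = set("""
3ds 3fr 7z accdb accdt aep ai apk arw asp asset avi backup bak bar bay bc6 bc7
big bik bin bkf bkp blob bpw bsa c cab cas cdf cdr cer cfr con cpp cr2 crt crw
cs css csv d3dbsp das dat db db0 dba dbf dcr der desc dmp dng doc docm docx dot
dotm dotx dwfx dwg dxf dxg eml epk eps erf esm fdb flv forge fos fpk fsh gdb gho
gif h hkdb hkx hplg htm html hvpl hxs chm ibank icxs idx iso itdb itl itm iwd
iwi java jpe jpeg jpg js kdb kdbx kdc key kf layout lbf ldf litemod lrf ltx lvl
m2 m3u m4a map max mcmeta mdb mdbackup mddata mdf mef menu mlx mov mp3 mp4 mpqge
mrwref ncf nrw nsf ntl odb odc odm odp ods odt orf oth p12 p7b p7c pak pdb pdd
pdf pef pem pfx php pkpass pl png pot potm potx ppam pps ppsm ppsx ppt pptm pptx
prf prproj ps psd psk pst ptx pub py qba qbb qbw qbx qdf qic sav sb sdf shtm
shtml sid sidd sidn sie sis sldm sldx slm sln snx sql sr2 srf srw stc sum svg sxc
t12 t13 tar tax tbl tib txt upk vcf vdf vfs0 vpk vpp_pc vtf w3x wallet wav wdb
wma wmo wmv wpd wps x3f xf xla xlam xlk xll xlm xls xlsb xlsm xlsx xlt xltm xltx
xlw xml z zip ztmp
""".split())
EXCLUDED_DIRS = {"program files", "program files (x86)", "system volume information", "windows"}
RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.HTML"
MIN_SUFFIX_HEX = 16   # assumption: the appended key is at least this many hex characters
_HEX_TAIL = re.compile(r"[0-9a-fA-F]+$")

def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def split_encrypted_name(name: str):
    """If name is <original file name><hex key>, return (original, hex key), else None.
    The longest hex tail may swallow hex-looking characters of the real extension
    (the 'c' of '.doc', the '2' of '.cr2'), so walk forward from it until a targeted
    extension sits immediately in front of the suffix."""
    tail = _HEX_TAIL.search(name)
    if tail is None:
        return None
    for start in range(tail.start(), len(name) - MIN_SUFFIX_HEX + 1):
        if _extension(name[:start]) in TARGET_EXTENSIONS:
            return name[:start], name[start:]
    return None

def triage(paths):
    """Classify a listing of full paths (Windows or POSIX separators)."""
    report = {"encrypted": defaultdict(list), "notes": [], "at_risk": [], "skipped": []}
    for path in paths:
        parts = path.replace("\\", "/").split("/")
        name = parts[-1]
        if any(p.lower() in EXCLUDED_DIRS for p in parts[:-1]):
            report["skipped"].append(path)           # the trojan leaves these directories alone
        elif name.upper() == RANSOM_NOTE:
            report["notes"].append(path)
        elif (hit := split_encrypted_name(name)) is not None:
            original, key_hex = hit
            report["encrypted"][key_hex.lower()].append((path, original))
        elif _extension(name) in TARGET_EXTENSIONS:
            report["at_risk"].append(path)           # targeted extension, not (yet) encrypted
    return report

def scan_tree(root: str):
    """Walk a real directory tree and triage everything under it."""
    listing = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(listing)

# Constructed listing for a dry run; the key suffixes are made up, not from a real incident.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx" + "a3f1" * 16,
    r"C:\Users\alice\Documents\YOUR_FILES_ARE_ENCRYPTED.HTML",
    r"C:\Users\alice\Pictures\IMG_0001.cr2" + "0b" * 32,
    r"C:\Users\alice\Pictures\IMG_0002.cr2",
    r"C:\Windows\System32\config\SAM.bak",
    r"D:\share\notes.txt",
    r"D:\share\readme.md",
]

if __name__ == "__main__":
    r = triage(SAMPLE_LISTING)
    print(f"{sum(map(len, r['encrypted'].values()))} encrypted, {len(r['notes'])} notes, "
          f"{len(r['at_risk'])} at risk, {len(r['skipped'])} skipped")
```

Grouping by the appended key string is deliberate: if the same string appears on more than one file the scheme is not per-file after all, which changes what a decryptor would need; distinct strings on every file are consistent with the placeholder name on the page.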

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


It contains the following text:

Information stealing

Win32/Filecoder.ODM is a trojan that steals sensitive information.


The trojan collects the following information:

  • user name
  • computer name

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of (2) URLs. The HTTP protocol is used.

Other information

The trojan removes all of the volume shadow copies in order to prevent restoring the original files.
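The page does not say which command the sample uses to delete the shadow copies. The detection below is an added example, not from the page: it matches the commonly used ways of doing it (vssadmin, wmic, WMI/CIM removal from PowerShell, wbadmin catalog deletion) in process-creation events, flags creation of YOUR_FILES_ARE_ENCRYPTED.HTML in file-creation events, and reports hosts where both occur. The pipe-delimited log format, the hosts, the paths and the dropper name "update.exe" are all constructed for the example; the event kinds mirror process-creation and file-creation telemetry but the field layout is this example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Commonly used ways to delete shadow copies. Assumption: the page does not say which one
# this sample uses, so all of them are matched.
SHADOW_DELETE_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "wbadmin delete catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "PowerShell Win32_ShadowCopy removal": re.compile(
        r"(?=.*Win32_ShadowCopy)(?=.*(?:Remove-WmiObject|Remove-CimInstance|\.Delete\(\)))", re.I | re.S),
}
RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.HTML"

@dataclass
class Event:
    ts: str
    host: str
    kind: str        # "ProcessCreate" or "FileCreate"
    parent: str      # parent image (ProcessCreate) or "-"
    image: str       # image that ran the command / created the file
    detail: str      # command line (ProcessCreate) or target path (FileCreate)

def parse_line(line: str) -> Optional[Event]:
    """Constructed pipe-delimited format: ts|host|kind|parent|image|detail."""
    parts = line.rstrip("\n").split("|", 5)
    return Event(*parts) if len(parts) == 6 else None

def shadow_deletion_label(cmdline: str) -> Optional[str]:
    for label, pattern in SHADOW_DELETE_PATTERNS.items():
        if pattern.search(cmdline):
            return label
    return None

def detect(lines: Iterable[str]):
    """Return (alerts, confirmed_hosts). An alert is (host, description, context).
    A host is confirmed when shadow copies were deleted and the ransom note appeared."""
    alerts, note_hosts, vss_hosts = [], set(), set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "ProcessCreate":
            label = shadow_deletion_label(ev.detail)
            if label:
                alerts.append((ev.host, "shadow-copy deletion: " + label, f"parent={ev.parent}"))
                vss_hosts.add(ev.host)
        elif ev.kind == "FileCreate" and ev.detail.replace("/", "\\").rsplit("\\", 1)[-1].upper() == RANSOM_NOTE:
            alerts.append((ev.host, "ransom note dropped", ev.detail))
            note_hosts.add(ev.host)
    return alerts, sorted(note_hosts & vss_hosts)

# Constructed events; nothing here is from a real incident.
SAMPLE_LOG = [
    r"2024-05-01T10:00:01Z|WS01|ProcessCreate|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\alice\AppData\Local\Temp\update.exe|update.exe",
    r"2024-05-01T10:00:05Z|WS01|ProcessCreate|C:\Users\alice\AppData\Local\Temp\update.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"2024-05-01T10:00:09Z|WS01|FileCreate|-|C:\Users\alice\AppData\Local\Temp\update.exe|C:\Users\alice\Documents\YOUR_FILES_ARE_ENCRYPTED.HTML",
    r"2024-05-01T11:30:00Z|SRV02|ProcessCreate|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c wmic shadowcopy delete",
    r"2024-05-01T11:31:00Z|SRV02|ProcessCreate|C:\Windows\explorer.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows",
]

if __name__ == "__main__":
    found, confirmed = detect(SAMPLE_LOG)
    for host, what, ctx in found:
        print(f"{host}: {what} ({ctx})")
    print("confirmed ransomware impact on:", confirmed)
```

The parent image is carried in the alert context because a shadow-copy deletion launched from a PowerShell-spawned binary in a user temp directory (as in the first host above) reads very differently from one launched by an administrator from a shell; the second host has the deletion but no note, so it is reported for review rather than confirmed.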
