Win32/Filecoder.WastedLocker [Threat Name]
Win32/Filecoder.WastedLocker.A [Threat Variant Name]
Category | trojan
Size | 57344 B
Aliases | Trojan-Ransom.Win32.Wasted.n (Kaspersky), Ransom-Wasted.trojan (McAfee), Ransom:Win32/WastedLocker.WT!MTB (Microsoft)
Short description
Win32/Filecoder.WastedLocker.A is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to comply with the given conditions in exchange for a password or instructions.
Installation
The trojan creates copies of the following files (source, destination):
- %windir%\system32\%random%.exe|.dll, %appdata%\%variable1%
The trojan can create copies of itself as an ADS (Alternate Data Stream) of the following files:
- %appdata%\%variable1%:bin
This copy of the trojan is then executed.
After the installation is complete, the trojan deletes the original executable file.
The value of %variable1% is taken from the following Registry entry:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
The trojan is able to bypass User Account Control (UAC).
The trojan may create the following folders:
- %temp%\%variable2%
- %temp%\%variable2%\system32
The trojan may create copies of the following files (source, destination):
- %windir%\system32\winmm.dll, %temp%\%variable2%\system32\winmm.dll
- %windir%\system32\winsat.exe, %temp%\%variable2%\system32\winsat.exe
The trojan executes the following command:
- %windir%\system32\winsat.exe
The trojan may delete the following files:
- %temp%\%variable2%\system32\winmm.dll
- %temp%\%variable2%\system32\winsat.exe
The trojan may delete the following folders:
- %temp%\%variable2%\system32
- %temp%\%variable2%
A string with variable content is used instead of %variable2%.
The trojan may register itself as a system service with a variable name.
The trojan may create copies of itself in the folder:
- %windir%\system32
Payload information
Win32/Filecoder.WastedLocker.A is a trojan that encrypts files on local drives.
The trojan searches for files with the following file extensions:
- *.*
It avoids files from the following directories:
- c:\program files (x86)\
- c:\program files\
- c:\programdata\
- c:\recovery\
- c:\users\%username%\appdata\local\temp
- c:\users\%username%\appdata\roaming\
- c:\windows\
It avoids files which contain any of the following strings in their path:
- \$recycle.bin\
- \appdata\
- \bin\
- \boot\
- \caches\
- \dev\
- \etc\
- \initdr\
- \lib\
- \programdata\
- \run\
- \sbin\
- \sys\
- \system volume information\
- \users\all users\
- \var\
- \vmlinuz\
- \webcache\
- \windowsapps\
It avoids files with the following filenames:
- grldr
- ntldr
- bootmgr
It avoids files with the following extensions:
- *.386
- *.adv
- *.ani
- *.bak
- *.bat
- *.bin
- *.cab
- *.cmd
- *.com
- *.cpl
- *.cr
- *.cur
- *.dat
- *.diagcab
- *.diagcfg
- *.dll
- *.drv
- *.%targeted_organization_name%wasted
- *.%targeted_organization_name%wasted_info
- *.exe
- *.hlp
- *.hta
- *.icl
- *.icns
- *.ics
- *.idx
- *.ini
- *.key
- *.lnk
- *.mod
- *.msc
- *.msi
- *.msp
- *.msstyles
- *.msu
- *.nls
- *.nomedia
- *.ocx
- *.ps1
- *.rom
- *.rtp
- *.scr
- *.sdi
- *.shs
- *.sys
- *.theme
- *.themepack
- *.wim
- *.wpx
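The selection rules above (whole directories, path substrings, fixed filenames and file extensions) are easiest to reason about as code. The following classifier is an added example for impact assessment, not ESET's code or anything from the trojan itself: given a file listing from an affected host, it reports which files the description says would be skipped, which are already encrypted or are ransom notes, and which were in scope. The organization suffix ORG and the sample paths are constructed placeholders, and %username% is assumed to stand for any single path component.

```python
import re
from collections import Counter
from typing import Dict, List

# Hypothetical placeholder for %targeted_organization_name%; the real value is victim-specific.
ORG = "exampleorg"

# Directories skipped entirely (matched as case-insensitive path prefixes).
# Assumption: %username% matches exactly one path component.
EXCLUDED_DIRS = [
    "c:\\program files (x86)\\", "c:\\program files\\", "c:\\programdata\\", "c:\\recovery\\",
    "c:\\users\\%username%\\appdata\\local\\temp", "c:\\users\\%username%\\appdata\\roaming\\",
    "c:\\windows\\",
]
# Substrings anywhere in the path that cause a file to be skipped.
EXCLUDED_PATH_PARTS = [
    "\\$recycle.bin\\", "\\appdata\\", "\\bin\\", "\\boot\\", "\\caches\\", "\\dev\\", "\\etc\\",
    "\\initdr\\", "\\lib\\", "\\programdata\\", "\\run\\", "\\sbin\\", "\\sys\\",
    "\\system volume information\\", "\\users\\all users\\", "\\var\\", "\\vmlinuz\\",
    "\\webcache\\", "\\windowsapps\\",
]
EXCLUDED_FILENAMES = {"grldr", "ntldr", "bootmgr"}
EXCLUDED_EXTENSIONS = set("""386 adv ani bak bat bin cab cmd com cpl cr cur dat diagcab diagcfg dll
drv exe hlp hta icl icns ics idx ini key lnk mod msc msi msp msstyles msu nls nomedia ocx ps1 rom
rtp scr sdi shs sys theme themepack wim wpx""".split())
ENCRYPTED_EXT = f".{ORG}wasted"        # appended to every encrypted file
NOTE_EXT = f".{ORG}wasted_info"        # ransom note written next to each encrypted file


def _dir_regex(pattern: str) -> re.Pattern:
    # Escape the literal pieces and let %username% match one path component.
    parts = [re.escape(p) for p in pattern.split("%username%")]
    return re.compile("^" + r"[^\\]+".join(parts))


_DIR_PATTERNS = [_dir_regex(d) for d in EXCLUDED_DIRS]


def classify(path: str) -> str:
    """Return why a file would be skipped, or 'in_scope' if the description says it would be encrypted."""
    p = path.replace("/", "\\").lower()
    name = p.rsplit("\\", 1)[-1]
    if name.endswith(NOTE_EXT):
        return "ransom_note"
    if name.endswith(ENCRYPTED_EXT):
        return "already_encrypted"
    if any(rx.match(p) for rx in _DIR_PATTERNS):
        return "excluded_dir"
    if any(part in p for part in EXCLUDED_PATH_PARTS):
        return "excluded_path_substring"
    if name in EXCLUDED_FILENAMES:
        return "excluded_filename"
    if "." in name and name.rsplit(".", 1)[-1] in EXCLUDED_EXTENSIONS:
        return "excluded_extension"
    return "in_scope"


def summarize(paths: List[str]) -> Dict[str, int]:
    """Count files per category, e.g. to size recovery work from a directory listing."""
    return dict(Counter(classify(p) for p in paths))


# Constructed sample listing, not data from a real host.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Windows\System32\kernel32.dll",
    r"D:\shares\finance\budget.xlsx",
    r"D:\shares\finance\budget.xlsx.exampleorgwasted",
    r"D:\shares\finance\budget.xlsx.exampleorgwasted_info",
    r"D:\backups\db.bak",
    r"C:\bootmgr",
    r"D:\data\$RECYCLE.BIN\old.txt",
    r"C:\Users\alice\AppData\Roaming\app\settings.json",
    r"E:\tools\run.ps1",
    "/mnt/share/etc/passwd",   # mapped share with a Unix-style path; the \etc\ rule still applies
]

if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        print(f"{classify(sample):24} {sample}")
    print(summarize(SAMPLE_PATHS))
```

The encrypted-file and ransom-note checks run first because those two extensions also appear in the exclusion list; reporting them separately tells a responder how far encryption got rather than lumping them in with skipped system files.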
The trojan encrypts the file content.
The AES and RSA encryption algorithms are used.
An additional ".%targeted_organization_name%wasted" extension is appended.
To decrypt the files, the user is asked to comply with the given conditions in exchange for a password or instructions.
The following file is created alongside each encrypted file:
- %encrypted_file_name%.%targeted_organization_name%wasted_info
It contains the following text:
Other information
The trojan may delete the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
- "ProxyBypass"
- "IntranetName"
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
- "UNCAsIntranet" = 0
- "AutoDetect" = 1
The trojan may execute the following commands:
- vssadmin.exe Delete Shadows /All /Quiet
- takeown.exe /F %malwarepath%
- icacls.exe %malwarepath% /reset
The trojan may create the following files:
- %temp%\%variable%.dmp
- %temp%\lck.log
A string with variable content is used instead of %variable%.
When file encryption is finished, the trojan removes itself from the computer.
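The behaviours listed in this description map directly onto host telemetry: the shadow copy deletion, the takeown/icacls pair on the malware path, the ZoneMap Registry changes, the ADS copy under %appdata% and lck.log in %temp%. The detection logic below is an added example, not ESET's code or any EDR product's rules; the event schema and the sample events are constructed and simplified rather than real Sysmon or EDR records. The takeown and icacls commands are correlated on their target path so that a single routine administrative use of either tool does not fire on its own.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

ZONEMAP = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

# Constructed sample telemetry in a made-up, simplified schema (not real Sysmon/EDR output).
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "cmdline": r"takeown.exe /F C:\Users\alice\AppData\Roaming\qwe\x.exe"},
    {"type": "process", "cmdline": r"icacls.exe C:\Users\alice\AppData\Roaming\qwe\x.exe /reset"},
    {"type": "process", "cmdline": "vssadmin.exe list shadows"},  # benign admin use, must not fire
    {"type": "registry_set", "key": ZONEMAP, "value": "UNCAsIntranet", "data": "0"},
    {"type": "registry_set", "key": ZONEMAP, "value": "AutoDetect", "data": "1"},
    {"type": "registry_delete", "key": ZONEMAP, "value": "ProxyBypass"},
    {"type": "file_stream", "path": r"C:\Users\alice\AppData\Roaming\qwe:bin"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\lck.log"},
]

# Command-line patterns from the description.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
TAKEOWN = re.compile(r"\btakeown(\.exe)?\s+/F\s+(?P<path>\S+)", re.IGNORECASE)
ICACLS_RESET = re.compile(r"\bicacls(\.exe)?\s+(?P<path>\S+)\s+/reset\b", re.IGNORECASE)

# ZoneMap values the description says are set (name -> data) or deleted.
ZONEMAP_SUFFIX = "\\internet settings\\zonemap"
ZONEMAP_SET = {"uncasintranet": "0", "autodetect": "1"}
ZONEMAP_DELETE = {"proxybypass", "intranetname"}


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for behaviours matching the description."""
    findings: List[Tuple[str, str]] = []
    takeown_paths: Dict[str, str] = {}
    icacls_paths: Dict[str, str] = {}
    zonemap_seen = set()
    for ev in events:
        kind = ev.get("type", "")
        if kind == "process":
            cmd = ev.get("cmdline", "")
            if SHADOW_DELETE.search(cmd):
                findings.append(("shadow_copy_deletion", cmd))
            m = TAKEOWN.search(cmd)
            if m:
                takeown_paths[m.group("path").lower()] = cmd
            m = ICACLS_RESET.search(cmd)
            if m:
                icacls_paths[m.group("path").lower()] = cmd
        elif kind in ("registry_set", "registry_delete"):
            if ev.get("key", "").lower().endswith(ZONEMAP_SUFFIX):
                name = ev.get("value", "").lower()
                if kind == "registry_set" and ZONEMAP_SET.get(name) == ev.get("data"):
                    zonemap_seen.add(f"set {name}={ev['data']}")
                elif kind == "registry_delete" and name in ZONEMAP_DELETE:
                    zonemap_seen.add(f"delete {name}")
        elif kind == "file_stream":
            p = ev.get("path", "").lower()
            # Alternate data stream named ":bin" on a file under %appdata%
            if p.endswith(":bin") and "\\appdata\\roaming\\" in p:
                findings.append(("ads_copy_in_appdata", ev["path"]))
        elif kind == "file_create":
            p = ev.get("path", "").lower()
            if p.endswith("\\temp\\lck.log"):
                findings.append(("lck_log_in_temp", ev["path"]))
    # Correlate the two permission-reset commands on the same target path.
    for path in sorted(takeown_paths.keys() & icacls_paths.keys()):
        findings.append(("takeown_then_icacls_reset", path))
    # Two or more of the four ZoneMap changes together are treated as one finding.
    if len(zonemap_seen) >= 2:
        findings.append(("zonemap_settings_changed", "; ".join(sorted(zonemap_seen))))
    return findings


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

Shadow copy deletion is the highest-value signal here: it is rare in normal operation and precedes encryption, so it is the rule to page on, while the ZoneMap and lck.log observations mainly serve to confirm this family during triage.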