Win32/Filecoder.WastedLocker [Threat Name]

Win32/Filecoder.WastedLocker.A [Threat Variant Name]

Category: trojan
Size: 57344 B
Aliases: Trojan-Ransom.Win32.Wasted.n (Kaspersky)
         Ransom-Wasted.trojan (McAfee)
         Ransom:Win32/WastedLocker.WT!MTB (Microsoft)
Short description

Win32/Filecoder.WastedLocker.A is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to comply with the given conditions in exchange for a password or instructions.

Installation

The trojan creates copies of the following files (source, destination):

  • %windir%\system32\%random%.exe|.dll, %appdata%\%variable1%

The trojan can create copies of itself as an ADS (Alternate Data Stream) of the following files:

  • %appdata%\%variable1%:bin

This copy of the trojan is then executed.


After the installation is complete, the trojan deletes the original executable file.


The value of %variable1% is taken from the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]

The trojan is able to bypass User Account Control (UAC).


The trojan may create the following folders:

  • %temp%\%variable2%
  • %temp%\%variable2%\system32

The trojan may create copies of the following files (source, destination):

  • %windir%\system32\winmm.dll, %temp%\%variable2%\system32\winmm.dll
  • %windir%\system32\winsat.exe, %temp%\%variable2%\system32\winsat.exe

The trojan executes the following command:

  • %windir%\system32\winsat.exe

The trojan may delete the following files:

  • %temp%\%variable2%\system32\winmm.dll
  • %temp%\%variable2%\system32\winsat.exe

The trojan may delete the following folders:

  • %temp%\%variable2%\system32
  • %temp%\%variable2%

A string with variable content is used instead of %variable2%.


The trojan may register itself as a system service with a variable name.


The trojan may create copies of itself in the folder:

  • %windir%\system32

Payload information

Win32/Filecoder.WastedLocker.A is a trojan that encrypts files on local drives.


The trojan searches for files with the following file extensions:

  • *.*

It avoids files from the following directories:

  • c:\program files (x86)\
  • c:\program files\
  • c:\programdata\
  • c:\recovery\
  • c:\users\%username%\appdata\local\temp
  • c:\users\%username%\appdata\roaming\
  • c:\windows\

It avoids files which contain any of the following strings in their path:

  • \$recycle.bin\
  • \appdata\
  • \bin\
  • \boot\
  • \caches\
  • \dev\
  • \etc\
  • \initdr\
  • \lib\
  • \programdata\
  • \run\
  • \sbin\
  • \sys\
  • \system volume information\
  • \users\all users\
  • \var\
  • \vmlinuz\
  • \webcache\
  • \windowsapps\

It avoids files with the following filenames:

  • grldr
  • ntldr
  • bootmgr

It avoids files with the following extensions:

  • *.386
  • *.adv
  • *.ani
  • *.bak
  • *.bat
  • *.bin
  • *.cab
  • *.cmd
  • *.com
  • *.cpl
  • *.cr
  • *.cur
  • *.dat
  • *.diagcab
  • *.diagcfg
  • *.dll
  • *.drv
  • *.%targeted_organization_name%wasted
  • *.%targeted_organization_name%wasted_info
  • *.exe
  • *.hlp
  • *.hta
  • *.icl
  • *.icns
  • *.ics
  • *.idx
  • *.ini
  • *.key
  • *.lnk
  • *.mod
  • *.msc
  • *.msi
  • *.msp
  • *.msstyles
  • *.msu
  • *.nls
  • *.nomedia
  • *.ocx
  • *.ps1
  • *.rom
  • *.rtp
  • *.scr
  • *.sdi
  • *.shs
  • *.sys
  • *.theme
  • *.themepack
  • *.wim
  • *.wpx

The trojan encrypts the file content.


The RSA and AES encryption algorithms are used.


An additional ".%targeted_organization_name%wasted" extension is appended.


To decrypt the files, the user is asked to comply with the given conditions in exchange for a password or instructions.


The following file is created in the same folder as each encrypted file:

  • %encrypted_file_name%.%targeted_organization_name%wasted_info

It contains the following text:

%targeted_organization_fullname%
YOUR NETWORK IS ENCRYPTED NOW
USE %redacted%@PROTONMAIL.COM | %redacted%@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA
DO NOT GIVE THIS EMAIL TO 3RD PARTIES
DO NOT RENAME OR MOVE THE FILE
THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]
%redacted%
[end_key]
KEEP IT
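
The naming scheme above (an extra ".%targeted_organization_name%wasted" suffix on each encrypted file, and a matching "_info" note beside it) is what an incident responder has to work from when scoping an outbreak. The following Python triage helper is an added example, not code from the original page or from ESET: it takes a directory listing, pairs encrypted files with their notes, recovers the organisation token from the suffix, reports encrypted files whose note is missing, and pulls the contact addresses and the [begin_key] ... [end_key] block out of a note so they can be preserved in the case record. The listing, the organisation token "acme", the e-mail addresses and the key blob are all constructed for the example.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed directory listing; "acme" stands in for %targeted_organization_name%
# and every path here is invented for this example.
SAMPLE_LISTING = [
    r"D:\shares\finance\q3.xlsx.acmewasted",
    r"D:\shares\finance\q3.xlsx.acmewasted_info",
    r"D:\shares\finance\budget.docx.acmewasted",
    r"D:\shares\finance\budget.docx.acmewasted_info",
    r"D:\shares\finance\readme.txt",
    r"D:\shares\hr\policy.pdf.acmewasted",      # encrypted, but no note beside it
    r"C:\Windows\System32\kernel32.dll",
]

# Constructed note body following the layout quoted on the page; the contact
# addresses and the key are placeholders, not values from a real incident.
SAMPLE_NOTE = """ACME CORP
YOUR NETWORK IS ENCRYPTED NOW
USE contact1@example.com | contact2@example.com TO GET THE PRICE FOR YOUR DATA
DO NOT GIVE THIS EMAIL TO 3RD PARTIES
DO NOT RENAME OR MOVE THE FILE
THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]
CONSTRUCTED-KEY-BLOB
[end_key]
KEEP IT
"""

# "<original name>.<org>wasted" for encrypted data, "<original name>.<org>wasted_info" for the note.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.(?P<org>[a-z0-9]+)wasted$", re.I)
NOTE_RE = re.compile(r"^(?P<orig>.+)\.(?P<org>[a-z0-9]+)wasted_info$", re.I)
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}", re.I)
KEY_RE = re.compile(r"\[begin_key\]\s*(?P<key>.*?)\s*\[end_key\]", re.S)


def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Classify a listing of Windows paths by the WastedLocker naming scheme."""
    encrypted: Dict[str, str] = {}   # encrypted path -> reconstructed original path
    notes: Dict[str, str] = {}       # original path -> note path
    orgs = set()
    for p in paths:
        folder, name = ntpath.split(p)          # ntpath handles backslashes on any host
        m = NOTE_RE.match(name)
        if m:
            notes[ntpath.join(folder, m["orig"])] = p
            orgs.add(m["org"].lower())
            continue
        m = ENCRYPTED_RE.match(name)
        if m:
            encrypted[p] = ntpath.join(folder, m["orig"])
            orgs.add(m["org"].lower())
    # Encrypted files with no note alongside them: the note carries the key reference,
    # so these are worth flagging before anything is moved or cleaned up.
    missing_note = sorted(enc for enc, orig in encrypted.items() if orig not in notes)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes.values()),
        "orgs": sorted(orgs),
        "missing_note": missing_note,
    }


def parse_note(text: str) -> Dict[str, Optional[object]]:
    """Extract contact addresses and the key block from a note body."""
    m = KEY_RE.search(text)
    return {"contacts": EMAIL_RE.findall(text), "key": m["key"] if m else None}


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print("organisation token(s):", result["orgs"])
    print("encrypted files:", len(result["encrypted"]), "notes:", len(result["notes"]))
    print("encrypted without note:", result["missing_note"])
    print("note contents:", parse_note(SAMPLE_NOTE))
```

Run against a real listing (for example the output of a recursive directory walk on an affected share), the "missing_note" list is the one to look at first, since the page states the note is placed next to every encrypted file; a gap there usually means files were moved or the process was interrupted.
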

Other information

The trojan may delete the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
    • "ProxyBypass"
    • "IntranetName"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
    • "UNCAsIntranet" = 0
    • "AutoDetect" = 1

The trojan may execute the following commands:

  • vssadmin.exe Delete Shadows /All /Quiet
  • takeown.exe /F %malwarepath%
  • icacls.exe %malwarepath% /reset
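
Several behaviours described on this page show up well in process-creation telemetry: winsat.exe copied to a %temp% folder (with a winmm.dll placed beside it, the DLL side-loading pattern) and run from there, the copy executed from an alternate data stream, the shadow-copy deletion, and the takeown/icacls pair on the malware's own path. The following Python detection logic is an added example, not code from the original page or from ESET; it parses a simplified "Field=value" event layout modelled on Sysmon Event ID 1 and runs five rules over it. The sample events, the user name "alice", the %variable2% folder "kq8f" and the dropped binary name "nq4.exe" are constructed for the example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed process-creation events in a simplified "Field=value" layout modelled on
# Sysmon Event ID 1. Paths, the user, the temp folder and the binary name are invented.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\winsat.exe CommandLine=winsat.exe formal ParentImage=C:\\Windows\\System32\\svchost.exe",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\kq8f\\system32\\winsat.exe CommandLine=winsat.exe ParentImage=C:\\Windows\\System32\\nq4.exe",
    "Image=C:\\Users\\alice\\AppData\\Roaming\\kq8f:bin CommandLine=kq8f:bin ParentImage=C:\\Windows\\System32\\nq4.exe",
    "Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe Delete Shadows /All /Quiet ParentImage=C:\\Windows\\System32\\nq4.exe",
    "Image=C:\\Windows\\System32\\takeown.exe CommandLine=takeown.exe /F C:\\Windows\\System32\\nq4.exe ParentImage=C:\\Windows\\System32\\nq4.exe",
    "Image=C:\\Windows\\System32\\icacls.exe CommandLine=icacls.exe C:\\Windows\\System32\\nq4.exe /reset ParentImage=C:\\Windows\\System32\\nq4.exe",
    "Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe list shadows ParentImage=C:\\Windows\\System32\\cmd.exe",
]

EVENT_RE = re.compile(r"^Image=(?P<image>.*?) CommandLine=(?P<cmd>.*?) ParentImage=(?P<parent>.*)$")


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one event line into image, command line and parent; None if malformed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


SYSTEM32 = "c:\\windows\\system32\\"
# drive:\path\file:stream -> a second colon after the drive letter marks an ADS image
ADS_IMAGE_RE = re.compile(r"^[a-z]:\\[^:]*:[^\\]+$", re.I)
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
TAKEOWN_RE = re.compile(r"\btakeown(?:\.exe)?\s+/f\s+\S", re.I)
ICACLS_RESET_RE = re.compile(r"\bicacls(?:\.exe)?\s+\S.*\s+/reset\b", re.I)


def winsat_outside_system32(ev: Dict[str, str]) -> bool:
    """winsat.exe legitimately lives in System32; a copy running elsewhere is suspect."""
    image = ev["image"].lower()
    return image.endswith("\\winsat.exe") and not image.startswith(SYSTEM32)


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("winsat_outside_system32", winsat_outside_system32),
    ("ads_execution", lambda ev: bool(ADS_IMAGE_RE.match(ev["image"]))),
    ("shadow_copy_deletion", lambda ev: bool(SHADOW_DELETE_RE.search(ev["cmd"]))),
    ("takeown_on_file", lambda ev: bool(TAKEOWN_RE.search(ev["cmd"]))),
    ("icacls_reset", lambda ev: bool(ICACLS_RESET_RE.search(ev["cmd"]))),
]


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every parseable event; one finding per (event, rule) hit."""
    findings: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        if ev is None:
            continue
        for name, pred in RULES:
            if pred(ev):
                findings.append({"rule": name, "index": idx, "image": ev["image"],
                                 "cmd": ev["cmd"], "parent": ev["parent"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] event #{f['index']}: {f['cmd']} (parent {f['parent']})")
```

The first and last sample events are deliberately benign (winsat.exe from System32, "vssadmin list shadows") so that the rules can be checked for false positives as well as hits; in a real environment the takeown and icacls rules will also fire on administrative activity, so they are best used as context for the shadow-copy and side-loading hits rather than on their own.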

The trojan may create the following files:

  • %temp%\%variable%.dmp
  • %temp%\lck.log

A string with variable content is used instead of %variable%.


When file encryption is finished, the trojan removes itself from the computer.
