Python/Filecoder [Threat Name]

Python/Filecoder.BA [Threat Variant Name]

Category trojan
Size 8504719 B
Detection created Feb 01, 2018
Detection database version 16834
Short description

Python/Filecoder.BA is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan does not create any copies of itself.


The trojan creates the following folders:

  • %temp%\_MEI%variable%

A variable numerical value is used instead of %variable%.


The trojan creates the following files:

  • dmed.bat
  • C:\!HoW_To-UnloCK.tXT
  • %existingfolder%\!HoW_To-UnloCK.tXT
  • %desktop%\HoW_To-UnloCK.lnk
Payload information

Python/Filecoder.BA is a trojan that encrypts files on local drives.


The trojan searches for files with the following file extensions:

  • .*htm
  • .*html
  • .7z
  • .aac
  • .aes
  • .apk
  • .app
  • .asc
  • .asm
  • .asp
  • .aspx
  • .avi
  • .b64
  • .bak
  • .base64
  • .bmp
  • .bz2
  • .c
  • .cap
  • .class
  • .conf
  • .config
  • .cpp
  • .crt
  • .cs
  • .csv
  • .dbc
  • .dbf
  • .dds
  • .deb
  • .dmp
  • .doc
  • .docm
  • .docx
  • .dot
  • .dotm
  • .dotx
  • .dps
  • .dpt
  • .dwg
  • .e
  • .ec
  • .eif
  • .eml
  • .et
  • .ett
  • .flac
  • .fly
  • .frm
  • .gho
  • .gif
  • .gpg
  • .gz
  • .hta
  • .htm
  • .html
  • .hvm
  • .ibdata1
  • .id
  • .img
  • .iso
  • .jar
  • .java
  • .jpg
  • .jsp
  • .jspx
  • .key
  • .ldf
  • .lock
  • .log
  • .lua
  • .map
  • .mca
  • .Md
  • .mdb
  • .mdf
  • .mid
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .myd
  • .myi
  • .ns
  • .nsf
  • .odb
  • .odt
  • .opt
  • .ora
  • .out
  • .pdf
  • .php
  • .pka
  • .pl
  • .png
  • .pot
  • .pps
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .ps
  • .ps1
  • .psd
  • .pub
  • .rar
  • .raw
  • .rb
  • .rc
  • .rdp
  • .rmvb
  • .rpm
  • .rsa
  • .rtf
  • .saz
  • .sh
  • .sln
  • .sql
  • .sqlite3
  • .sqlitedb
  • .str
  • .svg
  • .Svg
  • .swf
  • .sxp
  • .tar
  • .tif
  • .txt
  • .vba
  • .vbs
  • .vdi
  • .vmdk
  • .vti
  • .war
  • .wav
  • .wma
  • .wmv
  • .wps
  • .wpt
  • .xlam
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xz
  • .zip
  • FileShare1.0.db
  • Msg3.0.db
  • Registry.db
  • wallet.dat

It avoids files which contain any of the following strings in their path:

  • C:\Documents and Settings
  • C:\Windows

The trojan encrypts the file content.


The AES-CBC encryption algorithm is used.


The name of the encrypted file is changed to:

  • %originalfilepath%.10Ez8

When searching the drives, the trojan creates the following file in every folder visited:

  • !HoW_To-UnloCK.tXT

To restore files to their original state the user is requested to send an e-mail to a specified address in exchange for a password/instructions.


Other information

The following programs are terminated:

  • java.exe
  • tomcat*
  • httpd.exe
  • apache*
  • nginx*

The following services are disabled:

  • MariaDB
  • mysql
  • mssqlserver
  • OracleServiceORCL
  • MongoDB
  • postgresql
  • nginx
  • apache2.4

The trojan executes the following commands:

  • wevtutil cl System
  • wevtutil cl Security
  • wevtutil cl Application

The following file is deleted:

  • dmed.bat

The trojan may delete the following folders:

  • %temp%\_MEI%variable%

When file encryption is finished, the trojan removes itself from the computer.
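The indicators above (the .10Ez8 suffix, the !HoW_To-UnloCK.tXT note dropped in every folder, and the three wevtutil cl commands) can be turned into a small host-triage check. The following is an added example, not ESET's code; the directory tree and command lines it inspects are constructed inline, and the function names are this example's own.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the description above.
ENCRYPTED_SUFFIX = ".10Ez8"          # appended to every encrypted file
RANSOM_NOTE = "!HoW_To-UnloCK.tXT"   # dropped in every folder the trojan visits
LOG_CLEAR_TARGETS = {"system", "security", "application"}  # wevtutil cl <log>


def scan_tree(root):
    """Walk root and return (encrypted_file_paths, folders_containing_the_note)."""
    encrypted, noted = [], []
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            noted.append(dirpath)
        encrypted.extend(os.path.join(dirpath, f)
                         for f in files if f.endswith(ENCRYPTED_SUFFIX))
    return encrypted, noted


def original_name(path):
    """Recover the pre-encryption path from %originalfilepath%.10Ez8.
    Only the name comes back; the content is still AES-CBC ciphertext."""
    return path[:-len(ENCRYPTED_SUFFIX)] if path.endswith(ENCRYPTED_SUFFIX) else path


def flags_log_clearing(cmdlines):
    """True when all three 'wevtutil cl <log>' commands listed above appear in the
    given process command lines (e.g. Sysmon event 1 CommandLine values)."""
    cleared = set()
    for line in cmdlines:
        parts = line.split()
        if len(parts) < 3:
            continue
        exe = parts[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in ("wevtutil", "wevtutil.exe") and parts[1].lower() == "cl":
            cleared.add(parts[2].lower())
    return LOG_CLEAR_TARGETS <= cleared


def build_sample_tree():
    """Constructed sample tree (not a real capture) laid out like an affected host."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / ("report.docx" + ENCRYPTED_SUFFIX)).write_bytes(b"\x00ciphertext")
    (root / "docs" / RANSOM_NOTE).write_text("send an e-mail to ...")
    (root / RANSOM_NOTE).write_text("send an e-mail to ...")
    (root / "clean.txt").write_text("untouched")
    return str(root)
```

Because the trojan clears the System, Security and Application logs after encrypting, flags_log_clearing only works on telemetry forwarded off the host before the clear (EDR or a log collector), not on the local event logs.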
