Win32/Filecoder.Rapid [Threat Name] go to Threat

Win32/Filecoder.Rapid.A [Threat Variant Name]

Category trojan
Size 920576 B
Detection created Jan 03, 2018
Detection database version 16678
Aliases Trojan.Win32.Agentb.iwqd (Kaspersky)
Short description

Win32/Filecoder.Rapid.A is a trojan that encrypts files on local drives. To restore files to their original state the user is requested to send an e-mail to a specified address in exchange for a password/instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­info.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Encrypter" = "%appdata%\­info.exe"

The following file is dropped:

  • %appdata%\­recovery.txt

The following Registry entry is set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "userinfo" = "%appdata%\­recovery.txt"
Payload information

Win32/Filecoder.Rapid.A is a trojan that encrypts files on local drives.


The trojan searches for files with the following file extensions:

  • *.*

It avoids files which contain any of the following strings in their path:

  • $*
  • intel
  • nvidia
  • ProgramData
  • temp
  • Windows

It avoids files with the following filenames:

  • How Recovery Files.txt
  • info.exe
  • recovery.txt

The trojan encrypts the file content.


The RSA, AES encryption algorithm is used.


The extension of the encrypted files is changed to:

  • %filepath%.rapid

The following file is dropped in the same folder:

  • How Recovery Files.txt

It contains the following text:

Hello! All your files have been encrypted by us If you want restore files write on e-mail - unlockforyou@cock.li or unlockforyou@india.com

To restore files to their original state the user is requested to send an e-mail to a specified address in exchange for a password/instructions.

Other information

The trojan executes the following commands:

  • cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
  • cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
  • cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­Software\­EncryptKeys]
    • "local_enc_private_key_len"
    • "local_enc_private_key"
    • "local_public_key_len"
    • "local_public_key"

The trojan executes the following command:

  • %appdata%\­recovery.txt

The trojan opens the file using the default associated application.


It contains the following text:

Hello! All your files have been encrypted by us If you want restore files write on e-mail - unlockforyou@cock.li or unlockforyou@india.com

Please enable Javascript to ensure correct displaying of this content and refresh this page.