Win32/Filecoder.ThunderCrypt [Threat Name]

Win32/Filecoder.ThunderCrypt.A [Threat Variant Name]

Category trojan
Size 195072 B
Detection created May 04, 2017
Detection database version 15361
Aliases Trojan-Dropper.Win32.Injector.qkhw (Kaspersky)
  Trojan.DownLoader24.57517 (Dr.Web)
Short description

Win32/Filecoder.ThunderCrypt.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to send information and a certain amount of money via the Bitcoin payment service. The file is run-time compressed using UPX.

Installation

The trojan does not create any copies of itself.


The trojan launches the following processes:

  • powershell.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • powershell.exe

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell]
    • "{C25D5EEA-6226-5D0F-7C6B85D6D2AE72D5}" = "%malwarebase64dllfilestring%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell]
    • "{C25D5EEA-6226-5D0F-7C6B85D6D2AE72D5}" = "%malwarebase64dllfilestring%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets]
    • "{A3035EF9-497F-5260-1752075B222C82AC}" = "%malwarepowershellscript%"

In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "{0DBDD863-3254-5EE8-C6B5C4D9237BBAC1}" = "%malwarejavascript%"
Payload information

Win32/Filecoder.ThunderCrypt.A is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files on the following drives:

  • A:\ - Z:\

Only folders which contain one of the following strings in their path are searched:

  • :\Boot\
  • :\ProgramData\
  • :\Program Files
  • :\System Volume Information\
  • :\Windows\
  • \AppData\
  • \Application Data\

The trojan searches for files with the following file extensions:

  • .1cd
  • .3dm
  • .3fr
  • .3gp
  • .7z
  • .7zip
  • .accdb
  • .aif
  • .aiff
  • .arw
  • .aspx
  • .avi
  • .bak
  • .bay
  • .bmp
  • .bz2
  • .c
  • .cd
  • .cdr
  • .cpp
  • .cr2
  • .crt
  • .crw
  • .cs
  • .cshtml
  • .css
  • .csv
  • .db2
  • .db3
  • .dbf
  • .dcr
  • .der
  • .dng
  • .doc
  • .docm
  • .docx
  • .dwg
  • .dxf
  • .eps
  • .erf
  • .f4v
  • .fdb
  • .fla
  • .flv
  • .gdb
  • .gif
  • .gz
  • .h
  • .hpp
  • .htm
  • .html
  • .ibd
  • .ibz
  • .idc
  • .indd
  • .ism
  • .java
  • .jpeg
  • .jpg
  • .js
  • .kdc
  • .m3u
  • .m4u
  • .max
  • .mdb
  • .mdf
  • .mef
  • .mkv
  • .mov
  • .mp3
  • .mpa
  • .mpeg
  • .mpg
  • .mrw
  • .nef
  • .nrw
  • .odb
  • .odc
  • .odf
  • .odg
  • .odm
  • .odp
  • .ods
  • .odt
  • .oga
  • .ogg
  • .ogv
  • .orf
  • .otg
  • .otp
  • .ots
  • .ott
  • .p12
  • .p7b
  • .p7c
  • .pdd
  • .pdf
  • .pef
  • .pem
  • .pfx
  • .php
  • .pl
  • .png
  • .ppt
  • .pptx
  • .psd
  • .ptx
  • .py
  • .r3d
  • .raf
  • .rar
  • .raw
  • .rb
  • .rtf
  • .rw2
  • .rwl
  • .s5d
  • .sdb
  • .sl2
  • .sl3
  • .sln
  • .sql
  • .sqlite
  • .sqlite3
  • .sr2
  • .srf
  • .srw
  • .svg
  • .tar
  • .tgz
  • .tib
  • .tif
  • .tiff
  • .txt
  • .uap
  • .vbs
  • .vcproj
  • .vcxproj
  • .vdi
  • .vhd
  • .vmdk
  • .wav
  • .wave
  • .wb2
  • .wma
  • .wpd
  • .wps
  • .x3f
  • .xlk
  • .xls
  • .xlsb
  • .xlsx
  • .zip

The trojan encrypts the file content.
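
The following added example (not ESET's or the sample's own code) turns the targeting rules above into a checkable predicate: drive letter A: to Z:, the folder-path rule, and the extension list, combined into a small inventory that counts at-risk files per extension. The folder rule is implemented exactly as the page words it (a file is in scope only if its folder path contains one of the listed fragments); if your own analysis of the sample shows those folders are exclusions instead, invert `in_scanned_folder`. All sample paths are constructed; the UNC example shows that a share without a drive letter falls outside the drive rule as stated, while a mapped network drive does not.

```python
"""Which files fall inside ThunderCrypt.A's stated targeting rules.
Added example, not code from the page or the sample; sample paths are constructed."""
import ntpath
from collections import Counter

# Folder path fragments the page says a searched path must contain.
# ":\\Program Files" has no trailing backslash, so it also covers "Program Files (x86)".
PATH_FRAGMENTS = (
    ":\\Boot\\", ":\\ProgramData\\", ":\\Program Files",
    ":\\System Volume Information\\", ":\\Windows\\",
    "\\AppData\\", "\\Application Data\\",
)

# The 153 extensions listed on the page, lower-cased with the leading dot.
TARGET_EXTENSIONS = frozenset("""
.1cd .3dm .3fr .3gp .7z .7zip .accdb .aif .aiff .arw
.aspx .avi .bak .bay .bmp .bz2 .c .cd .cdr .cpp
.cr2 .crt .crw .cs .cshtml .css .csv .db2 .db3 .dbf
.dcr .der .dng .doc .docm .docx .dwg .dxf .eps .erf
.f4v .fdb .fla .flv .gdb .gif .gz .h .hpp .htm
.html .ibd .ibz .idc .indd .ism .java .jpeg .jpg .js
.kdc .m3u .m4u .max .mdb .mdf .mef .mkv .mov .mp3
.mpa .mpeg .mpg .mrw .nef .nrw .odb .odc .odf .odg
.odm .odp .ods .odt .oga .ogg .ogv .orf .otg .otp
.ots .ott .p12 .p7b .p7c .pdd .pdf .pef .pem .pfx
.php .pl .png .ppt .pptx .psd .ptx .py .r3d .raf
.rar .raw .rb .rtf .rw2 .rwl .s5d .sdb .sl2 .sl3
.sln .sql .sqlite .sqlite3 .sr2 .srf .srw .svg .tar .tgz
.tib .tif .tiff .txt .uap .vbs .vcproj .vcxproj .vdi .vhd
.vmdk .wav .wave .wb2 .wma .wpd .wps .x3f .xlk .xls
.xlsb .xlsx .zip
""".split())


def on_scanned_drive(path):
    """Drive letter A: to Z:, case-insensitive. UNC paths (\\\\server\\share) carry
    no drive letter and so fall outside this rule as the page states it."""
    drive, _ = ntpath.splitdrive(path)
    return len(drive) == 2 and drive[1] == ":" and drive[0].upper() in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def in_scanned_folder(path):
    """Page wording: only folders whose path contains one of PATH_FRAGMENTS are searched.
    NTFS paths are case-insensitive, so compare upper-cased; a trailing backslash is
    appended so a file directly inside C:\\Windows still matches ':\\Windows\\'."""
    folder = ntpath.dirname(path).upper() + "\\"
    return any(frag.upper() in folder for frag in PATH_FRAGMENTS)


def has_target_extension(path):
    """Extension is the text after the last dot of the file name, case-insensitive:
    'archive.tar.gz' matches via '.gz'; 'README' (no dot) never matches."""
    return ntpath.splitext(path)[1].lower() in TARGET_EXTENSIONS


def is_targeted(path):
    """True when all three of the page's rules hold for this path."""
    return on_scanned_drive(path) and in_scanned_folder(path) and has_target_extension(path)


def inventory(paths):
    """Count targeted files per (lower-cased) extension, e.g. to size a restore job."""
    counts = Counter(ntpath.splitext(p)[1].lower() for p in paths if is_targeted(p))
    return dict(counts)


# Constructed sample paths (not from a real host).
SAMPLE_PATHS = [
    "C:\\Windows\\Temp\\report.DOCX",                      # in scope: drive, folder, extension
    "C:\\Users\\alice\\AppData\\Roaming\\notes.txt",        # in scope via \\AppData\\
    "D:\\Program Files (x86)\\App\\backup.tar.gz",          # in scope via last extension .gz
    "E:\\ProgramData\\db\\README",                          # no extension
    "C:\\Windows\\System32\\kernel32.dll",                  # .dll is not on the list
    "\\\\fileserver\\share\\Windows\\config.txt",           # UNC path: no drive letter
    "C:\\Users\\alice\\Documents\\thesis.pdf",              # folder rule as worded fails
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(("TARGET " if is_targeted(p) else "skip   ") + p)
    print(inventory(SAMPLE_PATHS))
```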


The RSA-2048 encryption algorithm is used. (RSA-2048 can encrypt only a few hundred bytes per operation; how the sample applies it to whole files, for example by wrapping a per-file symmetric key, is not described here.)


To decrypt files, the user is asked to send information/certain amount of money via the Bitcoin payment service.


The trojan displays dialog boxes (the screenshots are not reproduced in this text version).

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 13 URLs. The TCP, HTTP and HTTPS protocols are used.


The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Classes\TypeLib\{AC61AFD7-3E81-5D08-7FFBC526C2F1F603}]
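
The added example below (not ESET's or the sample's code) hunts for the installation behaviour described under Installation and for the TypeLib storage key above in Sysmon-style JSON events: it pairs a powershell.exe start (EventID 1) with a CreateRemoteThread from the same parent into that child (EventID 8), and classifies registry value writes (EventID 13) under the RunOnce, Shell, Applets and TypeLib keys. Exact names from this page score "high"; the names also share an unusual shape, 8-4-4-16 hex groups rather than a standard 8-4-4-4-12 GUID, so other names of that shape under the same keys score "medium", which generalizes beyond the one sample's identifiers. Field names follow Sysmon's event schema; the log, file names and ProcessGuid placeholders are constructed.

```python
"""Hunt Sysmon-style JSON events for ThunderCrypt.A installation artefacts.
Added example, not code from the page or the sample; SAMPLE_LOG is constructed."""
import json
import re

# Key paths from the page, hive stripped and upper-cased so the HKLM, HKCU and
# HKU\<SID> forms that Sysmon logs all match. Trailing backslash avoids matching
# longer sibling key names such as ShellServiceObjectDelayLoad.
IOC_SUBKEYS = (
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE\\",
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\SHELL\\",
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APPLETS\\",
    "\\SOFTWARE\\CLASSES\\TYPELIB\\",
)
# Exact value/key names listed on the page.
KNOWN_NAMES = {
    "{C25D5EEA-6226-5D0F-7C6B85D6D2AE72D5}",
    "{A3035EF9-497F-5260-1752075B222C82AC}",
    "{0DBDD863-3254-5EE8-C6B5C4D9237BBAC1}",
    "{AC61AFD7-3E81-5D08-7FFBC526C2F1F603}",
}
# Those names are laid out 8-4-4-16, not the standard GUID 8-4-4-4-12, so the
# shape alone is a usable medium-confidence indicator under the same keys.
PSEUDO_GUID = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{16}\}$")
POWERSHELL = "\\powershell.exe"


def registry_hit(event):
    """Classify a Sysmon EventID 13 (value set) record: None, or a dict with the
    matched key, the written name and a confidence level."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    upper = target.upper()
    for sub in IOC_SUBKEYS:
        idx = upper.find(sub)
        if idx < 0:
            continue
        # First component after the IOC key: the value name for RunOnce/Shell/
        # Applets, the per-sample subkey name for TypeLib.
        name = target[idx + len(sub):].split("\\", 1)[0]
        if name in KNOWN_NAMES:
            confidence = "high"
        elif PSEUDO_GUID.match(name.upper()):
            confidence = "medium"
        else:
            return None
        return {"key": sub.strip("\\"), "name": name, "confidence": confidence}
    return None


def injection_chains(events):
    """Pair EventID 1 (powershell.exe started by parent P) with EventID 8
    (P creates a remote thread in that same child): the page's launch-then-inject
    sequence. Returns (source image, child ProcessGuid) pairs."""
    parent_of = {}
    for e in events:
        if e.get("EventID") == 1 and e.get("Image", "").lower().endswith(POWERSHELL):
            parent_of[e.get("ProcessGuid")] = e.get("ParentProcessGuid")
    chains = []
    for e in events:
        if e.get("EventID") != 8:
            continue
        child = e.get("TargetProcessGuid")
        if child in parent_of and parent_of[child] == e.get("SourceProcessGuid"):
            chains.append((e.get("SourceImage"), child))
    return chains


def hunt(jsonl):
    """Run both checks over newline-delimited JSON events."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    hits = [h for h in (registry_hit(e) for e in events) if h]
    return {"registry": hits, "injection": injection_chains(events)}


# Constructed sample (not a real capture); {PS-1}, {DROPPER-1} etc. are placeholders.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ProcessGuid": "{PS-1}", "ParentProcessGuid": "{DROPPER-1}", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe"}
{"EventID": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe", "SourceProcessGuid": "{DROPPER-1}", "TargetImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetProcessGuid": "{PS-1}"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{0DBDD863-3254-5EE8-C6B5C4D9237BBAC1}", "Details": "..."}
{"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell\\{0123ABCD-1234-5678-0123456789ABCDEF}", "Details": "..."}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0", "Details": "..."}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ProcessGuid": "{PS-2}", "ParentProcessGuid": "{EXPLORER-1}", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_LOG), indent=2))
```

In the sample, the RunOnce write with the page's exact name scores high, the Shell write with an unlisted 8-4-4-16 name scores medium, the standard-format TypeLib GUID is ignored, and only the powershell.exe instance that its parent both spawned and injected into is reported; the explorer.exe-launched one is not.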

The trojan may display further dialog windows (the screenshots are not reproduced in this text version).