Trojan.Encoder.31784

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '1' = '"%TEMP%\9EA3.tmp.exe"'

Creates or modifies the following files

<SYSTEM32>\tasks\nvngxupdatecheckdaily_{081131b0-31b0-31b0-31b0-081131b031b0}

Creates the following files on removable media

<Drive name for removable media>:\correct.avi
<Drive name for removable media>:\default.bmp
<Drive name for removable media>:\coffee.bmp
<Drive name for removable media>:\dashborder_96.bmp
<Drive name for removable media>:\dashborder_144.bmp
<Drive name for removable media>:\contoso.cer

Malicious functions

To complicate detection of its presence in the operating system,

deletes volume shadow copies.

Terminates or attempts to terminate

the following system processes:

<SYSTEM32>\dwm.exe
<SYSTEM32>\taskhost.exe

the following user processes:

iexplore.exe

Modifies file system

Creates the following files

%TEMP%\ae7f.tmp
C:\far2\documentation\rus\readme-warning.txt
C:\far2\documentation\eng\readme-warning.txt
C:\far2\addons\readme-warning.txt
C:\far2\addons\xlat\readme-warning.txt
C:\far2\addons\xlat\russian\readme-warning.txt
C:\far2\addons\shell\readme-warning.txt
C:\far2\addons\setup\readme-warning.txt
C:\far2\addons\macros\readme-warning.txt
C:\far2\addons\colors\readme-warning.txt
C:\far2\addons\colors\default_highlighting\readme-warning.txt
C:\far2\addons\colors\custom_highlighting\readme-warning.txt
D:\readme-warning.txt
%TEMP%\readme-warning.txt
%TEMP%\webinstaller\qnzuposrqouvfisa\readme-warning.txt
%TEMP%\temp1_fp_13.0.0.182_archive.zip\fp_13.0.0.182_archive\13_0_r0_182\readme-warning.txt
%TEMP%\opera installer\readme-warning.txt
%TEMP%\adobe_admlogs\readme-warning.txt
%HOMEPATH%\desktop\readme-warning.txt
C:\readme-warning.txt
%TEMP%\9ea3.tmp.exe
%APPDATA%\eaievws
C:\far2\encyclopedia\tap\readme-warning.txt
C:\far2\encyclopedia\readme-warning.txt

Sets the 'hidden' attribute to the following files

%APPDATA%\eaievws

Moves the following files

from %TEMP%\adobearm.log to %TEMP%\adobearm.log.kjhslgjkjdfg
from %TEMP%\jusched.log to %TEMP%\jusched.log.kjhslgjkjdfg
from %TEMP%\microsoft .net framework 4.5 setup_20150506_155317844.html to %TEMP%\microsoft .net framework 4.5 setup_20150506_155317844.html.kjhslgjkjdfg
from %TEMP%\microsoft .net framework 4.5.2 setup_20151216_212237215-msi_netfx_full_gdr_x64.msi.txt to %TEMP%\microsoft .net framework 4.5.2 setup_20151216_212237215-msi_netfx_full_gdr_x64.msi.txt.kjhslgjkjdfg
from %TEMP%\microsoft .net framework 4.5.2 setup_20151216_212237215.html to %TEMP%\microsoft .net framework 4.5.2 setup_20151216_212237215.html.kjhslgjkjdfg
from %TEMP%\microsoft visual c++ 2010 x86 redistributable setup_20150506_155226438.html to %TEMP%\microsoft visual c++ 2010 x86 redistributable setup_20150506_155226438.html.kjhslgjkjdfg
from %TEMP%\msi1cfbe.log to %TEMP%\msi1cfbe.log.kjhslgjkjdfg
from %TEMP%\msic204f.log to %TEMP%\msic204f.log.kjhslgjkjdfg
from %TEMP%\msie45bf.log to %TEMP%\msie45bf.log.kjhslgjkjdfg
from %TEMP%\wallpaper.bmp to %TEMP%\wallpaper.bmp.kjhslgjkjdfg
from %TEMP%\msieb217.log to %TEMP%\msieb217.log.kjhslgjkjdfg
from %TEMP%\rgie195.tmp to %TEMP%\rgie195.tmp.kjhslgjkjdfg
from %TEMP%\rgie195.tmp-tmp to %TEMP%\rgie195.tmp-tmp.kjhslgjkjdfg
from %TEMP%\setupexe(20151124155624744).log to %TEMP%\setupexe(20151124155624744).log.kjhslgjkjdfg
from %TEMP%\setupexe(201603101200226dc).log to %TEMP%\setupexe(201603101200226dc).log.kjhslgjkjdfg
from %TEMP%\setupexe(20160310140634718).log to %TEMP%\setupexe(20160310140634718).log.kjhslgjkjdfg
from %TEMP%\user.bmp to %TEMP%\user.bmp.kjhslgjkjdfg
from %TEMP%\jawshtml.html to %TEMP%\jawshtml.html.kjhslgjkjdfg
from %TEMP%\msid38c.log to %TEMP%\msid38c.log.kjhslgjkjdfg
from %TEMP%\javadeployreg.log to %TEMP%\javadeployreg.log.kjhslgjkjdfg
from %TEMP%\dd_setuputility.txt to %TEMP%\dd_setuputility.txt.kjhslgjkjdfg
from %TEMP%\adobearm_notlocked.log to %TEMP%\adobearm_notlocked.log.kjhslgjkjdfg
from %TEMP%\adobesfx.log to %TEMP%\adobesfx.log.kjhslgjkjdfg
from %TEMP%\ae7f.tmp to %TEMP%\ae7f.tmp.kjhslgjkjdfg
from %TEMP%\aspnetsetup.log to %TEMP%\aspnetsetup.log.kjhslgjkjdfg
from %TEMP%\aspnetsetup_00000.log to %TEMP%\aspnetsetup_00000.log.kjhslgjkjdfg
from %TEMP%\aspnetsetup_00001.log to %TEMP%\aspnetsetup_00001.log.kjhslgjkjdfg
from %TEMP%\dd_ndp452-kb2901907-x86-x64-allos-enu_decompression_log.txt to %TEMP%\dd_ndp452-kb2901907-x86-x64-allos-enu_decompression_log.txt.kjhslgjkjdfg
from %TEMP%\dd_vcredist_amd64_20151216210341.log to %TEMP%\dd_vcredist_amd64_20151216210341.log.kjhslgjkjdfg
from %TEMP%\dotnetfx.log to %TEMP%\dotnetfx.log.kjhslgjkjdfg
from %TEMP%\dd_vcredist_amd64_20151216210341_000_vcruntimeminimum_x64.log to %TEMP%\dd_vcredist_amd64_20151216210341_000_vcruntimeminimum_x64.log.kjhslgjkjdfg
from %TEMP%\dd_vcredist_amd64_20151216210341_001_vcruntimeadditional_x64.log to %TEMP%\dd_vcredist_amd64_20151216210341_001_vcruntimeadditional_x64.log.kjhslgjkjdfg
from %TEMP%\dd_vcredist_x86_20151216210157.log to %TEMP%\dd_vcredist_x86_20151216210157.log.kjhslgjkjdfg
from %TEMP%\dd_vcredist_x86_20151216210157_000_vcruntimeminimum_x86.log to %TEMP%\dd_vcredist_x86_20151216210157_000_vcruntimeminimum_x86.log.kjhslgjkjdfg
from %TEMP%\dd_vcredist_x86_20151216210157_001_vcruntimeadditional_x86.log to %TEMP%\dd_vcredist_x86_20151216210157_001_vcruntimeadditional_x86.log.kjhslgjkjdfg
from %TEMP%\dd_wcf_ca_smci_20151217_052858_840.txt to %TEMP%\dd_wcf_ca_smci_20151217_052858_840.txt.kjhslgjkjdfg
from %TEMP%\dd_wcf_ca_smci_20151217_052908_497.txt to %TEMP%\dd_wcf_ca_smci_20151217_052908_497.txt.kjhslgjkjdfg
from %TEMP%\dotnetfxsdk.log to %TEMP%\dotnetfxsdk.log.kjhslgjkjdfg
from %TEMP%\wmsetup.log to %TEMP%\wmsetup.log.kjhslgjkjdfg

Deletes itself.

Creates ransom message files (Trojan.Encoder).

Network activity

TCP

HTTP GET requests

http://gs#####netiplist.net/lok.exe

HTTP POST requests

http://gs######etiplist.download/sub/index.php

UDP

DNS ASK gs######etiplist.download
DNS ASK gs#####netiplist.net

Miscellaneous

Creates and executes the following

'%TEMP%\9ea3.tmp.exe'
'%TEMP%\9ea3.tmp.exe' n2920
'<SYSTEM32>\cmd.exe' ' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe'
'<SYSTEM32>\sc.exe' delete "ReportServer$OPTIMA"
'<SYSTEM32>\sc.exe' delete "msftesql$SQLEXPRESS"
'<SYSTEM32>\sc.exe' delete "postgresql-x64-9.4"
'<SYSTEM32>\sc.exe' delete WRSVC
'<SYSTEM32>\sc.exe' delete ekrn
'<SYSTEM32>\sc.exe' delete klim6
'<SYSTEM32>\sc.exe' delete "AVP18.0.0"
'<SYSTEM32>\sc.exe' delete KLIF
'<SYSTEM32>\sc.exe' delete klpd
'<SYSTEM32>\sc.exe' delete klflt
'<SYSTEM32>\sc.exe' delete klbackupdisk
'<SYSTEM32>\sc.exe' delete klbackupflt
'<SYSTEM32>\sc.exe' delete klkbdflt
'<SYSTEM32>\sc.exe' delete klmouflt
'<SYSTEM32>\sc.exe' delete klhk
'<SYSTEM32>\sc.exe' delete "KSDE1.0.0"
'<SYSTEM32>\sc.exe' delete kltap
'<SYSTEM32>\sc.exe' delete TmFilter
'<SYSTEM32>\sc.exe' delete TMLWCSService
'<SYSTEM32>\sc.exe' delete tmusa
'<SYSTEM32>\sc.exe' delete TmPreFilter
'<SYSTEM32>\sc.exe' delete TMSmartRelayService
'<SYSTEM32>\sc.exe' delete TMiCRCScanService
'<SYSTEM32>\sc.exe' delete VSApiNt
'<SYSTEM32>\sc.exe' delete TmCCSF
'<SYSTEM32>\sc.exe' delete tmlisten
'<SYSTEM32>\sc.exe' delete TmProxy
'<SYSTEM32>\sc.exe' delete ntrtscan
'<SYSTEM32>\sc.exe' delete ofcservice
'<SYSTEM32>\sc.exe' delete "SQLAgent$OPTIMA"
'<SYSTEM32>\vssvc.exe'
'<SYSTEM32>\sc.exe' delete "MSSQL$OPTIMA"
'<SYSTEM32>\sc.exe' delete "SQLAgent$WOLTERSKLUWER"
'<SYSTEM32>\sc.exe' delete vmickvpexchange
'<SYSTEM32>\sc.exe' delete vmicguestinterface
'<SYSTEM32>\sc.exe' delete vmicshutdown
'<SYSTEM32>\sc.exe' delete vmicheartbeat
'<SYSTEM32>\sc.exe' delete vmicrdv
'<SYSTEM32>\sc.exe' delete storflt
'<SYSTEM32>\sc.exe' delete vmictimesync
'<SYSTEM32>\sc.exe' delete vmicvss
'<SYSTEM32>\sc.exe' delete MSSQLFDLauncher
'<SYSTEM32>\sc.exe' delete MSSQLSERVER
'<SYSTEM32>\sc.exe' delete SQLSERVERAGENT
'<SYSTEM32>\sc.exe' delete SQLBrowser
'<SYSTEM32>\sc.exe' delete SQLTELEMETRY
'<SYSTEM32>\sc.exe' delete MsDtsServer130
'<SYSTEM32>\sc.exe' delete SSISTELEMETRY130
'<SYSTEM32>\sc.exe' delete SQLWriter
'<SYSTEM32>\sc.exe' delete "MSSQL$VEEAMSQL2012"
'<SYSTEM32>\sc.exe' delete "SQLAgent$VEEAMSQL2012"
'<SYSTEM32>\sc.exe' delete MSSQL
'<SYSTEM32>\sc.exe' delete SQLAgent
'<SYSTEM32>\sc.exe' delete MSSQLServerADHelper100
'<SYSTEM32>\sc.exe' delete MSSQLServerOLAPService
'<SYSTEM32>\sc.exe' delete MsDtsServer100
'<SYSTEM32>\sc.exe' delete ReportServer
'<SYSTEM32>\sc.exe' delete "SQLTELEMETRY$HL"
'<SYSTEM32>\sc.exe' delete TMBMServer
'<SYSTEM32>\sc.exe' delete "MSSQL$PROGID"
'<SYSTEM32>\sc.exe' delete "MSSQL$WOLTERSKLUWER"
'<SYSTEM32>\sc.exe' delete "SQLAgent$PROGID"
'<SYSTEM32>\sc.exe' delete "MSSQLFDLauncher$OPTIMA"
'<SYSTEM32>\svchost.exe' -k swprv

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial