Trojan.Encoder.29755

Technical Information

To ensure autorun and distribution

Creates the following files on removable media

<Drive name for removable media>:\correct.avi
<Drive name for removable media>:\indogerman2010.pptx
<Drive name for removable media>:\middaugh_keynote.pptx
<Drive name for removable media>:\samieee_obiee_presentation.pptx
<Drive name for removable media>:\ovp25012015.doc
<Drive name for removable media>:\508softwareandos.doc
<Drive name for removable media>:\lisp_success.doc
<Drive name for removable media>:\hanni_umami_chapter.doc
<Drive name for removable media>:\contoso_1.cer
<Drive name for removable media>:\contosoroot_1.cer
<Drive name for removable media>:\testee.cer
<Drive name for removable media>:\contosoroot.cer
<Drive name for removable media>:\sdkfailsafeemulator.cer
<Drive name for removable media>:\default.bmp
<Drive name for removable media>:\dial.bmp
<Drive name for removable media>:\dialmap.bmp
<Drive name for removable media>:\dashborder_192.bmp
<Drive name for removable media>:\dashborder_144.bmp
<Drive name for removable media>:\dashborder_96.bmp
<Drive name for removable media>:\split.avi
<Drive name for removable media>:\join.avi
<Drive name for removable media>:\!!! all your files are encrypted !!!.txt
<Drive name for removable media>:\hypothyroidism_slides.pptx
<Drive name for removable media>:\asaprojectcompetition.pptx

Malicious functions

To complicate detection of its presence in the operating system,

deletes volume shadow copies.

Modifies file system

Creates the following files

%TEMP%\2e3555f7.buran
unc\zywynhvecjp\users\all users\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\abcpy.ini
C:\far2\encyclopedia\tap\!!! all your files are encrypted !!!.txt
unc\zywynhvecjp\users\all users\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\abcpy.ini.{2489ead2-c08d-6c03-b0cd-b6b1fd51d432}
unc\zywynhvecjp\users\all users\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\!!! all your files are encrypted !!!.txt
unc\zywynhvecjp\users\all users\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\acroread.msi
C:\far2\fexcept\!!! all your files are encrypted !!!.txt
unc\zywynhvecjp\users\all users\adobe\arm\s\!!! all your files are encrypted !!!.txt
C:\far2\encyclopedia\!!! all your files are encrypted !!!.txt
C:\far2\plugins\align\!!! all your files are encrypted !!!.txt
unc\zywynhvecjp\users\all users\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\data1.cab
C:\far2\plugins\autowrap\!!! all your files are encrypted !!!.txt
C:\far2\plugins\brackets\!!! all your files are encrypted !!!.txt
unc\zywynhvecjp\users\all users\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\data1.cab.{2489ead2-c08d-6c03-b0cd-b6b1fd51d432}
C:\far2\plugins\compare\!!! all your files are encrypted !!!.txt
C:\far2\plugins\drawline\!!! all your files are encrypted !!!.txt
C:\far2\plugins\arclite\!!! all your files are encrypted !!!.txt
unc\zywynhvecjp\users\all users\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\acroread.msi.{2489ead2-c08d-6c03-b0cd-b6b1fd51d432}
unc\zywynhvecjp\users\all users\adobe\arm\s\armmanifest.msi.{2489ead2-c08d-6c03-b0cd-b6b1fd51d432}
C:\far2\documentation\rus\!!! all your files are encrypted !!!.txt
unc\zywynhvecjp\users\all users\adobe\arm\s\armmanifest.msi
C:\far2\addons\!!! all your files are encrypted !!!.txt
C:\far2\addons\colors\!!! all your files are encrypted !!!.txt
C:\far2\addons\colors\custom_highlighting\!!! all your files are encrypted !!!.txt
C:\far2\addons\colors\default_highlighting\!!! all your files are encrypted !!!.txt
C:\far2\addons\macros\!!! all your files are encrypted !!!.txt
C:\far2\addons\setup\!!! all your files are encrypted !!!.txt
C:\far2\addons\shell\!!! all your files are encrypted !!!.txt
C:\far2\!!! all your files are encrypted !!!.txt
C:\far2\addons\xlat\!!! all your files are encrypted !!!.txt
C:\far2\addons\xlat\russian\!!! all your files are encrypted !!!.txt
unc\zywynhvecjp\users\all users\ntuser.pol.{2489ead2-c08d-6c03-b0cd-b6b1fd51d432}
unc\zywynhvecjp\users\all users\!!! all your files are encrypted !!!.txt
C:\far2\documentation\eng\!!! all your files are encrypted !!!.txt
unc\zywynhvecjp\users\all users\adobe\arm\reader_15.007.20033\readerdcmanifest.msi
unc\zywynhvecjp\users\all users\adobe\arm\reader_15.007.20033\readerdcmanifest.msi.{2489ead2-c08d-6c03-b0cd-b6b1fd51d432}
unc\zywynhvecjp\users\all users\adobe\arm\reader_15.007.20033\!!! all your files are encrypted !!!.txt
unc\zywynhvecjp\users\all users\ntuser.pol
C:\far2\plugins\editcase\!!! all your files are encrypted !!!.txt
C:\far2\plugins\emenu\!!! all your files are encrypted !!!.txt

Sets the 'hidden' attribute to the following files

unc\zywynhvecjp\users\all users\ntuser.pol.{2489ead2-c08d-6c03-b0cd-b6b1fd51d432}

Deletes the following files

%TEMP%\2e3555f7.buran

Moves the following files

from unc\zywynhvecjp\users\all users\ntuser.pol to unc\zywynhvecjp\users\all users\ntuser.pol.{2489ead2-c08d-6c03-b0cd-b6b1fd51d432}
from unc\zywynhvecjp\users\all users\adobe\arm\reader_15.007.20033\readerdcmanifest.msi to unc\zywynhvecjp\users\all users\adobe\arm\reader_15.007.20033\readerdcmanifest.msi.{2489ead2-c08d-6c03-b0cd-b6b1fd51d432}
from unc\zywynhvecjp\users\all users\adobe\arm\s\armmanifest.msi to unc\zywynhvecjp\users\all users\adobe\arm\s\armmanifest.msi.{2489ead2-c08d-6c03-b0cd-b6b1fd51d432}
from unc\zywynhvecjp\users\all users\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\abcpy.ini to unc\zywynhvecjp\users\all users\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\abcpy.ini.{2489ead2-c08d-6c03-b0cd-b6b1fd51d432}
from unc\zywynhvecjp\users\all users\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\acroread.msi to unc\zywynhvecjp\users\all users\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\acroread.msi.{2489ead2-c08d-6c03-b0cd-b6b1fd51d432}
from unc\zywynhvecjp\users\all users\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\data1.cab to unc\zywynhvecjp\users\all users\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\data1.cab.{2489ead2-c08d-6c03-b0cd-b6b1fd51d432}

Modifies user data files (Trojan.Encoder).

Changes user data files extensions (Trojan.Encoder).

Network activity

UDP

DNS ASK ge###tool.com
DNS ASK ip##gger.ru

Miscellaneous

Creates and executes the following

'%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log Security' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log Application' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C del "%userprofile%\documents\Default.rdp"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C attrib "%userprofile%\documents\Default.rdp" -s -h' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log System' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wmic shadowcopy delete' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete backup' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete systemstatebackup -keepversions:0' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete systemstatebackup' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete catalog -quiet' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} recoveryenabled no' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C vssadmin delete shadows /all /quiet' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C sc config eventlog start=disabled' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
'%WINDIR%\syswow64\wevtutil.exe' clear-log System
'%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log System
'%WINDIR%\syswow64\wevtutil.exe' clear-log Security
'%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log Security
'%WINDIR%\syswow64\wevtutil.exe' clear-log Application
'%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log Application
'%WINDIR%\syswow64\cmd.exe' /C del "%userprofile%\documents\Default.rdp"
'%WINDIR%\syswow64\attrib.exe' "%HOMEPATH%\documents\Default.rdp" -s -h
'%WINDIR%\syswow64\cmd.exe' /C attrib "%userprofile%\documents\Default.rdp" -s -h
'%WINDIR%\syswow64\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
'%WINDIR%\syswow64\cmd.exe' /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
'%WINDIR%\syswow64\reg.exe' delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
'%WINDIR%\syswow64\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
'%WINDIR%\syswow64\reg.exe' delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
'%WINDIR%\syswow64\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
'%WINDIR%\syswow64\cmd.exe' /C vssadmin delete shadows /all /quiet
'<SYSTEM32>\vssvc.exe'
'%WINDIR%\syswow64\cmd.exe' /C wmic shadowcopy delete
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete backup
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete systemstatebackup -keepversions:0
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete systemstatebackup
'%WINDIR%\syswow64\cmd.exe' /C wbadmin delete catalog -quiet
'%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} recoveryenabled no
'%WINDIR%\syswow64\cmd.exe' /C sc config eventlog start=disabled
'%WINDIR%\syswow64\sc.exe' config eventlog start=disabled

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial