Trojan.Encoder.35673

Technical Information

To ensure autorun and distribution

Creates the following files on removable media

<Drive name for removable media>:\join.avi
<Drive name for removable media>:\correct.avi
<Drive name for removable media>:\split.avi
<Drive name for removable media>:\pmd.cer
<Drive name for removable media>:\testcertificate.cer
<Drive name for removable media>:\contoso.cer

Malicious functions

To complicate detection of its presence in the operating system,

deletes volume shadow copies.

Modifies file system

Creates the following files

%TEMP%\how_to_decrypt.hta
D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\how_to_decrypt.hta
D:\$recycle.bin\how_to_decrypt.hta
D:\how_to_decrypt.hta
%TEMP%\f-1659697901.log

Modifies the following files

D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\desktop.ini
<Drive name for removable media>:\join.avi
<Drive name for removable media>:\correct.avi
<Drive name for removable media>:\split.avi
<Drive name for removable media>:\pmd.cer
<Drive name for removable media>:\testcertificate.cer
<Drive name for removable media>:\contoso.cer

Network activity

UDP

DNS ASK 2.##.#.10.in-addr.arpa
DNS ASK 39.##.#.10.in-addr.arpa
DNS ASK 9.##.#.10.in-addr.arpa
DNS ASK 73.##.#.10.in-addr.arpa
DNS ASK 47.##.#.10.in-addr.arpa
DNS ASK 11.##.#.10.in-addr.arpa
DNS ASK 41.##.#.10.in-addr.arpa
DNS ASK 37.##.#.10.in-addr.arpa
DNS ASK 40.##.#.10.in-addr.arpa
DNS ASK 15.##.#.10.in-addr.arpa
DNS ASK 75.##.#.10.in-addr.arpa
DNS ASK 44.##.#.10.in-addr.arpa
DNS ASK 51.##.#.10.in-addr.arpa
DNS ASK 59.##.#.10.in-addr.arpa
DNS ASK 19.##.#.10.in-addr.arpa
DNS ASK 57.##.#.10.in-addr.arpa
DNS ASK 17.##.#.10.in-addr.arpa
DNS ASK 77.##.#.10.in-addr.arpa
DNS ASK 79.##.#.10.in-addr.arpa
DNS ASK 7.##.#.10.in-addr.arpa
DNS ASK 81.##.#.10.in-addr.arpa
DNS ASK 46.##.#.10.in-addr.arpa
DNS ASK 8.##.#.10.in-addr.arpa
DNS ASK 48.##.#.10.in-addr.arpa
DNS ASK 83.##.#.10.in-addr.arpa
DNS ASK 90.##.#.10.in-addr.arpa
DNS ASK 56.##.#.10.in-addr.arpa
DNS ASK 5.##.#.10.in-addr.arpa
DNS ASK 24#.##.#.10.in-addr.arpa
DNS ASK 24.##.#.10.in-addr.arpa
DNS ASK 23#.##.#.10.in-addr.arpa
DNS ASK 22#.##.#.10.in-addr.arpa
DNS ASK 21#.##.#.10.in-addr.arpa
DNS ASK 20#.##.#.10.in-addr.arpa
DNS ASK 19#.##.#.10.in-addr.arpa
DNS ASK 18#.##.#.10.in-addr.arpa
DNS ASK 17#.##.#.10.in-addr.arpa
DNS ASK 16#.##.#.10.in-addr.arpa
DNS ASK 15#.##.#.10.in-addr.arpa
DNS ASK 14#.##.#.10.in-addr.arpa
DNS ASK 13#.##.#.10.in-addr.arpa
DNS ASK 12#.##.#.10.in-addr.arpa
DNS ASK 91.##.#.10.in-addr.arpa
DNS ASK 21.##.#.10.in-addr.arpa
DNS ASK 23.##.#.10.in-addr.arpa
DNS ASK 30.##.#.10.in-addr.arpa
DNS ASK 28.##.#.10.in-addr.arpa
DNS ASK 65.##.#.10.in-addr.arpa
DNS ASK 43.##.#.10.in-addr.arpa
DNS ASK 67.##.#.10.in-addr.arpa
DNS ASK 38.##.#.10.in-addr.arpa
DNS ASK 69.##.#.10.in-addr.arpa
DNS ASK 13.##.#.10.in-addr.arpa
DNS ASK 34.##.#.10.in-addr.arpa
DNS ASK 3.##.#.10.in-addr.arpa
DNS ASK 88.##.#.10.in-addr.arpa
DNS ASK 52.##.#.10.in-addr.arpa
DNS ASK 92.##.#.10.in-addr.arpa
DNS ASK 84.##.#.10.in-addr.arpa
DNS ASK 0.##.#.10.in-addr.arpa
DNS ASK 63.##.#.10.in-addr.arpa
DNS ASK 16.##.#.10.in-addr.arpa
DNS ASK 76.##.#.10.in-addr.arpa
DNS ASK 64.##.#.10.in-addr.arpa
DNS ASK 72.##.#.10.in-addr.arpa
DNS ASK 14.##.#.10.in-addr.arpa
DNS ASK 62.##.#.10.in-addr.arpa
DNS ASK 60.##.#.10.in-addr.arpa
DNS ASK 12.##.#.10.in-addr.arpa
DNS ASK 70.##.#.10.in-addr.arpa
DNS ASK 10.##.#.10.in-addr.arpa
DNS ASK 66.##.#.10.in-addr.arpa
DNS ASK 6.##.#.10.in-addr.arpa
DNS ASK 68.##.#.10.in-addr.arpa
DNS ASK 4.##.#.10.in-addr.arpa
DNS ASK 61.##.#.10.in-addr.arpa
DNS ASK 53.##.#.10.in-addr.arpa
DNS ASK 54.##.#.10.in-addr.arpa
DNS ASK 20.##.#.10.in-addr.arpa
DNS ASK 55.##.#.10.in-addr.arpa
DNS ASK 58.##.#.10.in-addr.arpa
DNS ASK 10#.##.#.10.in-addr.arpa
DNS ASK 11#.##.#.10.in-addr.arpa
DNS ASK 50.##.#.10.in-addr.arpa
DNS ASK 74.##.#.10.in-addr.arpa
DNS ASK 80.##.#.10.in-addr.arpa
DNS ASK 1.##.#.10.in-addr.arpa
DNS ASK 82.##.#.10.in-addr.arpa
DNS ASK 95.##.#.10.in-addr.arpa
DNS ASK 94.##.#.10.in-addr.arpa
DNS ASK 97.##.#.10.in-addr.arpa
DNS ASK 25.##.#.10.in-addr.arpa
DNS ASK 33.##.#.10.in-addr.arpa
DNS ASK 27.##.#.10.in-addr.arpa
DNS ASK 71.##.#.10.in-addr.arpa
DNS ASK 35.##.#.10.in-addr.arpa
DNS ASK 42.##.#.10.in-addr.arpa
DNS ASK 45.##.#.10.in-addr.arpa
DNS ASK 98.##.#.10.in-addr.arpa
DNS ASK 36.##.#.10.in-addr.arpa
DNS ASK 85.##.#.10.in-addr.arpa
DNS ASK 87.##.#.10.in-addr.arpa
DNS ASK 29.##.#.10.in-addr.arpa
DNS ASK 89.##.#.10.in-addr.arpa
DNS ASK 93.##.#.10.in-addr.arpa
DNS ASK 32.##.#.10.in-addr.arpa
DNS ASK 99.##.#.10.in-addr.arpa
DNS ASK 22.##.#.10.in-addr.arpa
DNS ASK 86.##.#.10.in-addr.arpa
DNS ASK 78.##.#.10.in-addr.arpa
DNS ASK 96.##.#.10.in-addr.arpa
DNS ASK 18.##.#.10.in-addr.arpa
DNS ASK 49.##.#.10.in-addr.arpa
DNS ASK 26.##.#.10.in-addr.arpa
DNS ASK 25#.##.#.10.in-addr.arpa

Miscellaneous

Creates and executes the following

'%WINDIR%\syswow64\cmd.exe' /c "vssadmin delete shadows /all /quiet"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "wbadmin DELETE BACKUP -keepVersions:0"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "wmic SHADOWCOPY DELETE"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "bcdedit /set {default} recoveryenabled No"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c "vssadmin delete shadows /all /quiet"
'%WINDIR%\syswow64\cmd.exe' /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
'%WINDIR%\syswow64\cmd.exe' /c "wbadmin DELETE BACKUP -keepVersions:0"
'%WINDIR%\syswow64\cmd.exe' /c "wmic SHADOWCOPY DELETE"
'%WINDIR%\syswow64\cmd.exe' /c "bcdedit /set {default} recoveryenabled No"
'%WINDIR%\syswow64\cmd.exe' /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial