Win32/Filecoder.Sigma [Threat Name]

Win32/Filecoder.Sigma.A [Threat Variant Name]

Category trojan
Size 3107328 B
Detection created Jan 25, 2018
Detection database version 16795
Short description

Win32/Filecoder.Sigma.A is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\Microsoft\%variable%\taskwgr.exe

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "chrome" = "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL %appdata%\Microsoft\%variable%\taskwgr.exe"

The value is named to look like a browser autostart, and the copy is launched indirectly: rundll32.exe calls the ShellExec_RunDLL export of shell32.dll, which opens the given path, so the dropped executable runs as a child of rundll32.exe rather than appearing as the autostart command itself.

The trojan contains a URL address. It tries to download a file from the address and stores it in the following location:

  • %appdata%\Microsoft\%variable%\System.zip

The trojan extracts the archive content into the following folder:

  • %appdata%\Microsoft\%variable%\Tor

The archive carries a Tor client. The trojan tries to move (rename) the file (source, destination):

  • %appdata%\Microsoft\%variable%\Tor\tor.exe, %appdata%\Microsoft\%variable%\Tor\svchost.exe

The renamed Tor executable is then run. A genuine svchost.exe resides only under the Windows system directories (System32, SysWOW64); a file of that name under %appdata% is a masquerade, not a system process.

The following file is deleted:

  • %appdata%\Microsoft\%variable%\System.zip
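The installation chain above leaves three distinctive traces in endpoint telemetry: a Run value that launches its target through rundll32.exe and ShellExec_RunDLL, a tor.exe renamed to svchost.exe, and an svchost.exe running from a user profile. The script below is an added example (mine, not ESET's code) that flags all three in a stream of event records. The records are constructed to resemble Sysmon-style events; the field names (event, target_object, details, image, source, target) and the file_rename record standing in for the move step are assumptions about the telemetry, not something this page documents, and the system-directory check assumes the system drive is C:.

```python
"""Flag the Filecoder.Sigma installation chain in endpoint telemetry.

Added example, not ESET's code. The records below are constructed to resemble
Sysmon-style events; the field names (event, target_object, details, image,
source, target) and the file_rename event for the tor.exe -> svchost.exe move
are assumptions about the telemetry, not something this page documents.
"""
import re

# A Run value that launches its payload through rundll32.exe and the
# ShellExec_RunDLL export of shell32.dll. The process image recorded for the
# autostart is rundll32.exe; the real target only shows up in the argument.
RUNDLL_SHELLEXEC = re.compile(
    r"rundll32(?:\.exe)?\s+shell32\.dll\s*,\s*ShellExec_RunDLL\s+(?P<target>\S+)",
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                     re.IGNORECASE)
# %appdata%\Microsoft\<random>\ expands to this on a default install.
APPDATA_MS = re.compile(r"\\AppData\\Roaming\\Microsoft\\[^\\]+\\", re.IGNORECASE)
# Where a genuine svchost.exe lives (assumes the system drive is C:).
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def check_event(ev: dict) -> list:
    """Return the indicators matched by one telemetry record (possibly none)."""
    hits = []
    kind = ev.get("event")
    if kind == "registry_set" and RUN_KEY.search(ev.get("target_object", "")):
        data = ev.get("details", "")
        m = RUNDLL_SHELLEXEC.search(data)
        if m:
            hits.append("Run value launches %s via rundll32 ShellExec_RunDLL"
                        % m.group("target"))
        elif APPDATA_MS.search(data):
            hits.append("Run value points into AppData\\Roaming\\Microsoft")
    image = ev.get("image", "").lower()
    if kind in ("process_create", "file_create") and image.endswith("\\svchost.exe"):
        if not image.startswith(LEGIT_SVCHOST_DIRS):
            hits.append("svchost.exe outside the system directories: " + ev["image"])
    if (kind == "file_rename"
            and ev.get("source", "").lower().endswith("\\tor.exe")
            and ev.get("target", "").lower().endswith("\\svchost.exe")):
        hits.append("tor.exe renamed to svchost.exe")
    return hits


def triage(events) -> list:
    """Run check_event over a stream; returns (record index, indicator) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


# Constructed sample telemetry: the first three records mirror the chain
# above, the last two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"event": "registry_set",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\chrome",
     "details": r"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "
                r"C:\Users\alice\AppData\Roaming\Microsoft\Qx7f\taskwgr.exe"},
    {"event": "file_rename",
     "source": r"C:\Users\alice\AppData\Roaming\Microsoft\Qx7f\Tor\tor.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Qx7f\Tor\svchost.exe"},
    {"event": "process_create",
     "image": r"C:\Users\alice\AppData\Roaming\Microsoft\Qx7f\Tor\svchost.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\Microsoft\Qx7f\taskwgr.exe"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"event": "registry_set",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for idx, hit in triage(SAMPLE_EVENTS):
        print(idx, hit)
```

The rundll32 rule is the most durable of the three: it does not depend on the random folder name or on the "chrome" value name, only on the ShellExec_RunDLL launch trick, which has no place in a legitimate autostart entry. The svchost.exe location rule is generic and worth keeping as a standing detection well beyond this family.
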

Payload information

Win32/Filecoder.Sigma.A is a trojan that encrypts files on local drives.


The trojan searches local drives for files with the following file extensions:

  • .001
  • .602
  • .3g2
  • .3gp
  • .3pr
  • .7z
  • .7zip
  • .aac
  • .ab4
  • .abd
  • .acc
  • .accdb
  • .accde
  • .accdr
  • .accdt
  • .ach
  • .acr
  • .act
  • .adb
  • .adp
  • .ads
  • .aes
  • .agdl
  • .ai
  • .aiff
  • .ait
  • .al
  • .aoi
  • .apj
  • .apk
  • .arc
  • .arw
  • .ascx
  • .asf
  • .asm
  • .asp
  • .aspx
  • .asset
  • .asx
  • .atb
  • .avi
  • .awg
  • .back
  • .backup
  • .backupdb
  • .bak
  • .bank
  • .bat
  • .bay
  • .bdb
  • .bgt
  • .bik
  • .bin
  • .bkp
  • .blend
  • .bmp
  • .bpw
  • .brd
  • .bsa
  • .bz2
  • .c
  • .cash
  • .cdb
  • .cdf
  • .cdr
  • .cdr3
  • .cdr4
  • .cdr5
  • .cdr6
  • .cdrw
  • .cdx
  • .ce1
  • .ce2
  • .cer
  • .cfg
  • .cfn
  • .cgm
  • .cib
  • .class
  • .cls
  • .cmd
  • .cmt
  • .config
  • .contact
  • .cpi
  • .cpp
  • .cr2
  • .craw
  • .crt
  • .crw
  • .cry
  • .cs
  • .csh
  • .csl
  • .csr
  • .css
  • .csv
  • .d3dbsp
  • .dac
  • .das
  • .dat
  • .db_journal
  • .db3
  • .dbdb
  • .dbf
  • .dbx
  • .dc2
  • .dch
  • .dcr
  • .dcs
  • .ddd
  • .ddoc
  • .ddrw
  • .dds
  • .def
  • .der
  • .des
  • .design
  • .dgc
  • .dgn
  • .dif
  • .dip
  • .dit
  • .djv
  • .djvu
  • .dng
  • .doc
  • .docb
  • .docm
  • .dotx
  • .drf
  • .drw
  • .dtd
  • .dwg
  • .dxb
  • .dxf
  • .dxg
  • .edb
  • .eml
  • .eps
  • .erbsql
  • .erf
  • .exf
  • .fdb
  • .ffd
  • .fff
  • .fh
  • .fhd
  • .fla
  • .flac
  • .flb
  • .flf
  • .flv
  • .flvv
  • .forge
  • .fpx
  • .frm
  • .fxg
  • .gbr
  • .gho
  • .gif
  • .gpg
  • .gray
  • .grey
  • .groups
  • .gry
  • .gz
  • .h
  • .hbk
  • .hdd
  • .hpp
  • .html
  • .hwp
  • .ibank
  • .ibd
  • .ibz
  • .idx
  • .iif
  • .iiq
  • .incpas
  • .indd
  • .info
  • .info_
  • .iwi
  • .jar
  • .java
  • .jnt
  • .jpe
  • .jpeg
  • .jpg
  • .js
  • .json
  • .k2p
  • .kc2
  • .kdbx
  • .kdc
  • .key
  • .kpdx
  • .kwm
  • .laccdb
  • .lay
  • .lay6
  • .lbf
  • .lck
  • .ldf
  • .lit
  • .litemod
  • .litesql
  • .lock
  • .ltx
  • .lua
  • .m
  • .m2ts
  • .m3u
  • .m4a
  • .m4p
  • .m4u
  • .m4v
  • .ma
  • .mab
  • .mapimail
  • .max
  • .mbx
  • .md
  • .mdb
  • .mdc
  • .mdf
  • .mef
  • .mfw
  • .mid
  • .mkv
  • .mlb
  • .mml
  • .mmw
  • .mny
  • .money
  • .moneywell
  • .mos
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .mpg
  • .mrw
  • .ms11
  • .msf
  • .msg
  • .mts
  • .myd
  • .myi
  • .nd
  • .ndd
  • .ndf
  • .nef
  • .nk2
  • .nop
  • .nrw
  • .ns2
  • .ns3
  • .ns4
  • .nsd
  • .nsf
  • .nsg
  • .nsh
  • .nvram
  • .nwb
  • .nx1
  • .nx2
  • .nyf
  • .oab
  • .obj
  • .odb
  • .odc
  • .odf
  • .odg
  • .odm
  • .odp
  • .ods
  • .odt
  • .ogg
  • .oil
  • .omg
  • .one
  • .onenotec2
  • .orf
  • .ost
  • .otg
  • .oth
  • .otp
  • .ots
  • .ott
  • .p12
  • .p7b
  • .p7c
  • .pab
  • .pages
  • .paq
  • .pas
  • .pat
  • .pbf
  • .pcd
  • .pct
  • .pdb
  • .pdd
  • .pdf
  • .pef
  • .pem
  • .pfx
  • .php
  • .pif
  • .pl
  • .plc
  • .plus_muhd
  • .pm
  • .pm!
  • .pmi
  • .pmj
  • .pml
  • .pmm
  • .pmo
  • .pmr
  • .pnc
  • .pnd
  • .png
  • .pnx
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .prf
  • .private
  • .ps
  • .psafe3
  • .psd
  • .pspimage
  • .pst
  • .ptx
  • .pub
  • .pwm
  • .py
  • .qba
  • .qbb
  • .qbm
  • .qbr
  • .qbw
  • .qbx
  • .qby
  • .qcow
  • .qcow2
  • .qed
  • .qtb
  • .r3d
  • .raf
  • .rar
  • .rat
  • .raw
  • .rb
  • .rdb
  • .re4
  • .rm
  • .rtf
  • .rvt
  • .rw2
  • .rwl
  • .rwz
  • .s3db
  • .safe
  • .sas7bdat
  • .sav
  • .save
  • .say
  • .sch
  • .sd0
  • .sda
  • .sdb
  • .sdf
  • .secret
  • .sh
  • .sldm
  • .sldx
  • .slk
  • .slm
  • .sql
  • .sqlite
  • .sqlite3
  • .sqlitedb
  • .sqlite-shm
  • .sqlite-wal
  • .sr2
  • .srb
  • .srf
  • .srs
  • .srt
  • .srw
  • .st4
  • .st5
  • .st6
  • .st7
  • .st8
  • .stc
  • .std
  • .sti
  • .stl
  • .stm
  • .stw
  • .stx
  • .svg
  • .swf
  • .sxc
  • .sxd
  • .sxg
  • .sxi
  • .sxm
  • .sxw
  • .tar
  • .tax
  • .tbb
  • .tbk
  • .tbn
  • .tex
  • .tga
  • .tgz
  • .thm
  • .tif
  • .tiff
  • .tlg
  • .tlx
  • .txt
  • .uop
  • .uot
  • .upk
  • .usr
  • .vb
  • .vbox
  • .vbs
  • .vdi
  • .vhd
  • .vhdx
  • .vmdk
  • .vmsd
  • .vmx
  • .vmxf
  • .vob
  • .vpd
  • .vsd
  • .wab
  • .wad
  • .wallet
  • .war
  • .wav
  • .wb2
  • .wk1
  • .wks
  • .wma
  • .wmf
  • .wmv
  • .wpd
  • .wps
  • .x11
  • .x3f
  • .xis
  • .xla
  • .xlam
  • .xlc
  • .xlk
  • .xlm
  • .xlr
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .xml
  • .xps
  • .xxx
  • .ycbcra
  • .yuv
  • .zip

It avoids files which contain any of the following strings in their path:

  • $
  • All Users
  • AppData
  • Program Files
  • Program Files (x86)
  • ProgramData
  • RECYCLER
  • system32
  • Windows

The trojan encrypts the file content.


The encryption combines RSA and AES; the ransom note refers to a 2048-bit RSA key pair whose private key the attackers claim to hold.


To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


When searching the drives, the trojan creates the following file in every folder visited:

  • ReadMe.txt

It contains the following text:

What has happened to my files ?
Why i am seeing this ?
All of your files have been encrypted with RSA 2048 Encryption. Which means, you wont be able to open them or view them properly.
It does NOT mean they are damaged.
Solution
Well its quite simple only we can decrypt your files because we hold your RSA 2048 private key. So you need to buy the special decryption software and your RSA private key from us if you ever want your files back.
Once payment is made, you will be given a decrypter along with your private key , once you run that , All of your files will be unlocked and back to normal.
So there are 2 ways to do this either you wait for a miracle and get your price doubled or follow instructions below carefully and get back your all important files.
Payment procedure
First try to open decrypter page in normal browser
http://%redacted%.onion.link
http://%redacted%.onion.plus
http://%redacted%.onion.rip
http://%redacted%.onion.casa
Wait a few seconds, and site will open then enter your GUID mentioned below and process.
6D5E895FD8387CD0D2314B456B1F8E7A
If you failed to open links in normal browsers Download a special browser called "TOR browser" and then open the given below link. Steps for the same are -
1. Go to https://www.torproject.org/download/download-easy.html.en to download the "TOR Browser".
2. Click the purple button which says "Download TOR Browser"
3. Run the downloaded file, and install it.
4. Once installation is completed, run the TOR browser by clicking the icon on Desktop.
5. Now click "Connect button", wait a few seconds, and the TOR browser will open.
6. Copy and paste the below link in the address bar of the TOR browser.
http://%redacted%.onion/
Now HIT "Enter"
7. Wait a few seconds, and site will open then enter your GUID mentioned below and process.
6D5E895FD8387CD0D2314B456B1F8E7A
If you have problems during installation or use of Tor Browser, please, visit Youtube and search for "Install Tor Browser Windows" and you will find a lot of videos.
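Two things from the payload description are directly useful when scoping an incident: the targeting rules (extension on the list, no excluded substring anywhere in the path, so a user folder called "Windows Archive" is spared just like %windir%) and the ReadMe.txt dropped in every folder visited, which carries the per-victim GUID the payment portal keys on. The script below is an added example (mine, not ESET's or the malware author's code) that walks a tree, finds the notes, extracts the GUID, and lists the files in those folders that the rules would have encrypted. Assumptions: only a short subset of the extension list is embedded, the exclusion match is case-sensitive as printed, and the note layout is modelled on the text quoted above. The page does not say whether encrypted files are renamed, so the listing is by targeting rule, not by on-disk evidence of encryption.

```python
"""Scope a Filecoder.Sigma incident on a file tree.

Added example, not ESET's or the malware author's code. It finds the dropped
ReadMe.txt notes, pulls the per-victim GUID out of them, and lists the files in
those folders that the targeting rules above would have encrypted (extension on
the list, no excluded substring in the path). Assumptions: only a short subset
of the extension list is embedded, the exclusion match is case-sensitive as
printed, and the note layout is modelled on the text quoted above.
"""
import os
import re
import tempfile

# Subset of the extension list on this page; extend with the full list.
TARGET_EXTENSIONS = {".doc", ".xlsx", ".pdf", ".jpg", ".txt", ".kdbx",
                     ".vmdk", ".sql", ".zip", ".pst"}
# Applied as a plain substring test on the path, so a user folder named
# "Windows Archive" is skipped just like %windir% itself.
EXCLUDED_SUBSTRINGS = ("$", "All Users", "AppData", "Program Files",
                       "Program Files (x86)", "ProgramData", "RECYCLER",
                       "system32", "Windows")
NOTE_NAME = "ReadMe.txt"
NOTE_MARKER = "encrypted with RSA 2048 Encryption"
GUID_RE = re.compile(r"enter your GUID mentioned below and process\.\s*([0-9A-F]{32})")


def is_targeted(path: str) -> bool:
    """Would the trojan encrypt this file, by the rules listed above?"""
    ext = os.path.splitext(path)[1].lower()
    if ext not in TARGET_EXTENSIONS:
        return False
    return not any(s in path for s in EXCLUDED_SUBSTRINGS)


def parse_note(text: str):
    """Return the victim GUID if the text is a Sigma note, else None."""
    if NOTE_MARKER not in text:
        return None
    m = GUID_RE.search(text)
    return m.group(1) if m else None


def scope_tree(root: str) -> dict:
    """Walk root; report note folders, GUIDs and likely-encrypted files.

    Paths are reported relative to root with '/' separators so the result is
    stable across platforms. The exclusion test also runs on the relative path:
    on a live machine pass the drive root, so the two coincide, and a scratch
    location such as a temp directory does not trip the AppData exclusion.
    """
    result = {"guids": set(), "note_dirs": [], "likely_encrypted": []}
    for dirpath, _, files in os.walk(root):
        if NOTE_NAME not in files:
            continue
        with open(os.path.join(dirpath, NOTE_NAME), encoding="utf-8",
                  errors="replace") as f:
            guid = parse_note(f.read())
        if guid is None:
            continue  # some other ReadMe.txt, not the ransom note
        result["guids"].add(guid)
        result["note_dirs"].append(
            os.path.relpath(dirpath, root).replace(os.sep, "/"))
        for name in files:
            if name == NOTE_NAME:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if is_targeted(rel):
                result["likely_encrypted"].append(rel)
    return result


def build_demo_tree() -> str:
    """Constructed fixture: one folder with a dropped note, one excluded folder."""
    root = tempfile.mkdtemp(prefix="sigma_demo_")
    docs = os.path.join(root, "Documents")
    tips = os.path.join(root, "Windows Tips")
    os.makedirs(docs)
    os.makedirs(tips)
    for name in ("report.doc", "notes.txt", "photo.jpg", "setup.exe"):
        open(os.path.join(docs, name), "wb").close()
    open(os.path.join(tips, "plan.doc"), "wb").close()
    note = ("All of your files have been encrypted with RSA 2048 Encryption.\n"
            "Wait a few seconds, and site will open then enter your GUID "
            "mentioned below and process.\n"
            "6D5E895FD8387CD0D2314B456B1F8E7A\n")
    with open(os.path.join(docs, NOTE_NAME), "w", encoding="utf-8") as f:
        f.write(note)
    return root


if __name__ == "__main__":
    print(scope_tree(build_demo_tree()))
```

Keep the extracted GUID with the case record: it is the identifier the attackers use to tie a victim to a key, and it is the one piece of the note that differs between infections. The substring exclusion also explains why the sample spares nothing on the basis of ownership or sensitivity, only on path text; a KeePass database under Documents is targeted, the same file under AppData is not.
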

The following file is dropped:

  • %appdata%\Microsoft\%variable%\test.bmp

The trojan creates a copy of the file (source, destination):

  • %appdata%\Microsoft\%variable%\test.bmp, %appdata%\Microsoft\%variable%\test1.bmp

The copy is set as the desktop wallpaper.


The following Registry entry is set:

  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "Wallpaper" = "%appdata%\Microsoft\%variable%\test1.bmp"

The following file is dropped:

  • %desktop%\ReadMe.html

The trojan opens the file using the default associated application.

The trojan then deletes its own dropped copy:

  • %appdata%\Microsoft\%variable%\taskwgr.exe

A string with variable content is used instead of %variable%.

Information stealing

Win32/Filecoder.Sigma.A is a trojan that also collects information about the infected machine.


The trojan collects the following information:

  • computer name
  • country
  • operating system version
  • user name

The trojan attempts to send the gathered information to a remote machine.


The trojan contains a URL address. The communication is carried over the Tor network, using the Tor client dropped during installation (see above).

Other information

The trojan may delete files stored in the following folders:

  • %temp%

The trojan terminates its execution if it detects that it's running in a specific virtual environment.
