Win32/Filecoder.ArmaLocky [Threat Name]

Win32/Filecoder.ArmaLocky.A [Threat Variant Name]

Category trojan
Size 252416 B
Detection created Sep 11, 2017
Detection database version 16064
Aliases Trojan-Ransom.Win32.Agent.jac (Kaspersky)
  Trojan:Win32/Skeeyah.A!bit (Microsoft)
Short description

Win32/Filecoder.ArmaLocky.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan does not create any copies of itself.


The trojan creates the following files:

  • %malwarefolder%\install.log
  • %systemdriveroot%\_Locky_HELP_.html
  • %existingfolder%\_ReadMe_.txt

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    • "locky" = "iexplore.exe %systemdriveroot%\_Locky_HELP_.html"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "locky" = "iexplore.exe %systemdriveroot%\_Locky_HELP_.html"
  • [HKEY_CLASSES_ROOT\.armadilo1]
    • (Default) = "lock"
  • [HKEY_CLASSES_ROOT\.armadilo1\shell\Open with Internet Explorer\command]
    • (Default) = "iexplore.exe %systemdriveroot%\_Locky_HELP_.html"

The following file is deleted:

  • %malwarefolder%\%variable%.ini

A string with variable content is used instead of %variable%.

Payload information

Win32/Filecoder.ArmaLocky.A is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches local, removable and network drives for files with one of the following extensions:

  • $er
  • ^^^
  • 3dm
  • 3ds
  • 3g2
  • 3gp
  • 4dd
  • 4dl
  • 7z
  • a5w
  • abs
  • accdb
  • action
  • adb
  • adf
  • aex
  • ai
  • aif
  • alf
  • an
  • ap
  • appcache
  • arc
  • arm
  • aro
  • arz
  • asa
  • asax
  • ascx
  • asf
  • ashx
  • ask
  • asmx
  • asp
  • aspx
  • asr
  • asx
  • atom
  • att
  • au
  • avi
  • axd
  • bad
  • bak
  • bml
  • bmp
  • bok
  • br
  • browser
  • btapp
  • btr
  • bwp
  • bz2
  • c
  • cat
  • cbr
  • ccbjs
  • cdb
  • cdf
  • cer
  • cfm
  • cfml
  • cgi
  • class
  • cma
  • cms
  • cnf
  • codasite
  • compressed
  • con
  • conf
  • cpd
  • cphd
  • cpp
  • crl
  • crt
  • crypt12
  • crypt5
  • crypt6
  • crypt7
  • crypt8
  • crypt9
  • cs
  • cshtml
  • csp
  • csr
  • css
  • csv
  • ctl
  • cvs
  • dad
  • dat
  • db
  • db2
  • db3
  • dbc
  • dbf
  • dbm
  • dbs
  • dbt
  • dbv
  • dbx
  • dcb
  • dcr
  • dct
  • dcx
  • ddl
  • dds
  • deb
  • der
  • dhtml
  • dlis
  • dll
  • dml
  • do
  • doc
  • docb
  • docm
  • docmhtml
  • docx
  • dochtml
  • dothtml
  • dotx
  • dp1
  • dqy
  • dsc
  • dsk
  • dsn
  • dtd
  • dtsx
  • dwt
  • dxl
  • ece
  • eco
  • edb
  • epim
  • eps
  • exe
  • fcd
  • fcgi
  • fic
  • fla
  • flv
  • fm5
  • fmb
  • fmp
  • fmp12
  • fmt
  • fmx
  • fol
  • fp3
  • fp4
  • fp5
  • fp7
  • fpt
  • freeway
  • frm
  • fwp
  • gdb
  • ged
  • gif
  • gne
  • go
  • gpg
  • grdb
  • gz
  • h
  • hdb
  • hdm
  • hdml
  • his
  • hss
  • hta
  • htaccess
  • htc
  • htm
  • html
  • htx
  • hxs
  • hype
  • ib
  • ibc
  • ibd
  • ibz
  • iff
  • ihx
  • ism
  • iso
  • itw
  • jar
  • java
  • jet
  • jhtml
  • jnlp
  • jpg
  • js
  • jsf
  • json
  • jsp
  • jspa
  • jspx
  • jss
  • jst
  • jtx
  • jvs
  • jws
  • kdb
  • kexi
  • key
  • kit
  • lasso
  • lbc
  • ldf
  • less
  • lgc
  • lst
  • lua
  • lwx
  • m
  • m3u
  • m4a
  • m4v
  • maff
  • map
  • mapx
  • marshal
  • master
  • max
  • mdb
  • mdf
  • mdn
  • mdt
  • mfd
  • mht
  • mhtml
  • mid
  • mov
  • moz
  • mp3
  • mp4
  • mpa
  • mpd
  • mpg
  • mrg
  • msg
  • mspx
  • mud
  • muse
  • mvc
  • mvr
  • mwb
  • myd
  • myi
  • mysql
  • ndf
  • nnt
  • nod
  • ns2
  • ns3
  • ns4
  • nsf
  • nv
  • nv2
  • nwdb
  • nxg
  • nyf
  • nzb
  • odb
  • odt
  • ognc
  • olp
  • opml
  • opt
  • oqy
  • ora
  • orx
  • oth
  • owc
  • pages
  • pck
  • pdf
  • pdm
  • pem
  • phl
  • php
  • php2
  • php3
  • php4
  • php5
  • phtm
  • phtml
  • pkb
  • pkg
  • pks
  • pl
  • plb
  • pls
  • png
  • pnz
  • pps
  • ppsm
  • ppsx
  • ppt
  • ppthtml
  • pptm
  • pptmhtml
  • pptx
  • prf
  • ps
  • psd
  • psp
  • py
  • qbquery
  • qbx
  • qf
  • qrm
  • qry
  • qvd
  • ra
  • rar
  • rb
  • rbf
  • rctd
  • rdf
  • rdo
  • rep
  • rex
  • rflw
  • rhtml
  • rjs
  • rm
  • rod
  • rodx
  • rpd
  • rpm
  • rsd
  • rss
  • rt
  • rtf
  • rul
  • rw3
  • rwp
  • rwsw
  • rwtheme
  • sal
  • sas7bdat
  • sass
  • sbf
  • scss
  • scx
  • sdb
  • seam
  • sh
  • sht
  • shtm
  • shtml
  • sis
  • site
  • sitemap
  • sites
  • sites2
  • sitx
  • sln
  • spc
  • spq
  • sql
  • sqlite
  • sqlite3
  • sqlitedb
  • sqr
  • srf
  • srt
  • ssp
  • stc
  • stm
  • stml
  • stp
  • suck
  • svc
  • svg
  • svr
  • swf
  • swift
  • tar
  • te
  • tex
  • tga
  • tgz
  • thm
  • tif
  • tiff
  • tmd
  • tps
  • trc
  • trm
  • txt
  • ucf
  • udb
  • udl
  • usr
  • v12
  • vb
  • vbhtml
  • vbs
  • vcd
  • vcf
  • vdi
  • vdw
  • vhd
  • vis
  • vlp
  • vmdk
  • vob
  • vpd
  • vrml
  • vsdisco
  • wav
  • wbs
  • wbxml
  • wdgt
  • web
  • widget
  • wma
  • wml
  • wmv
  • wn
  • woa
  • wpd
  • wps
  • wpx
  • wsdl
  • wsf
  • wss
  • xbel
  • xbl
  • xdb
  • xen
  • xfdl
  • xht
  • xhtm
  • xhtml
  • xlc
  • xld
  • xlm
  • xlr
  • xls
  • xlsb
  • xlsm
  • xlsx
  • xlt
  • xltm
  • xltx
  • xml
  • xmlff
  • xpd
  • xss
  • xul
  • yaws
  • yuv
  • zfo
  • zhtml
  • zip
  • zipx
  • zul

On drive %systemdrive% the trojan encrypts files in the following folders only:

  • %systemdrive%\Documents and Settings\%username%\Documents\
  • %systemdrive%\Documents and Settings\%username%\Downloads\
  • %systemdrive%\Documents and Settings\%username%\Desktop\
  • %systemdrive%\Documents and Settings\%username%\Appdata\Roaming\

It avoids files from the following directories:

  • %allusersprofile%
  • %documentsandsettings%
  • %malwarefolder%
  • %programfiles%
  • %programfilesw6432%
  • %systemdriveroot%\Boot
  • %systemdriveroot%\Config.Msi
  • %systemdriveroot%\MSOCache
  • %windir%

The trojan encrypts the file content.


The AES-256 and RSA-4096 encryption algorithms are used.


The extension of the encrypted files is changed to:

  • %originalextension%.armadilo1

When searching the drives, the trojan creates the following file in every folder visited:

  • _ReadMe_.txt
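A defender-side check for the persistence keys, the encrypted-file extension and the ransom-note names listed in this description, written as an added example (not ESET's code): it runs those indicators over a few constructed registry-write and file-create events and returns the matches. The key, value and file names are the ones given above; the event dictionary format and the sample paths are assumptions.

```python
import re
from typing import Iterable, Optional

ENCRYPTED_EXT = ".armadilo1"
RANSOM_NOTES = {"_readme_.txt", "_locky_help_.html"}
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\wow6432node\microsoft\windows\currentversion\run",
}
SYSTEM_RESTORE_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\systemrestore"
HELP_PAGE = re.compile(r"iexplore\.exe\s+\S*_locky_help_\.html", re.I)

def check_registry(key: str, name: str, value) -> Optional[str]:
    """Flag the Run-key persistence, DisableSR=1 and the .armadilo1 association from the report."""
    k = key.lower().strip("\\")
    if k == SYSTEM_RESTORE_KEY and name.lower() == "disablesr" and str(value) == "1":
        return "system restore disabled via DisableSR=1"
    if k in RUN_KEYS and name.lower() == "locky" and HELP_PAGE.search(str(value)):
        return "Run-key persistence opening _Locky_HELP_.html"
    if k.startswith(r"hkey_classes_root\.armadilo1"):
        return "file association registered for .armadilo1"
    return None

def check_file(path: str) -> Optional[str]:
    """Flag ransom notes and files renamed to %originalextension%.armadilo1."""
    base = path.lower().rsplit("\\", 1)[-1]
    if base in RANSOM_NOTES:
        return f"ransom note dropped: {base}"
    if base.endswith(ENCRYPTED_EXT) and base.count(".") >= 2:
        return f"encrypted file (original extension kept): {base}"
    return None

def scan(events: Iterable[dict]) -> list:
    # Run both checks over registry-write and file-create events, keeping finding order.
    findings = []
    for ev in events:
        if ev["type"] == "registry":
            hit = check_registry(ev["key"], ev["name"], ev["value"])
        else:
            hit = check_file(ev["path"])
        if hit:
            findings.append(hit)
    return findings

# Constructed sample telemetry from a hypothetical host (event format and paths are assumptions).
SAMPLE_EVENTS = [
    {"type": "registry", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore", "name": "DisableSR", "value": 1},
    {"type": "registry", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "name": "locky", "value": r"iexplore.exe C:\_Locky_HELP_.html"},
    {"type": "file", "path": r"C:\Documents and Settings\u\Desktop\budget.xlsx.armadilo1"},
    {"type": "file", "path": r"C:\Documents and Settings\u\Desktop\_ReadMe_.txt"},
]
```

Calling `scan(SAMPLE_EVENTS)` returns one finding per indicator hit; a benign Run value or a plain `.txt` file yields nothing.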

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


The trojan creates the following file:

  • %systemdriveroot%\_Locky_HELP_.html

The file is then opened in a web browser.


Some examples follow.

Other information

The trojan removes all of the volume shadow copies in order to prevent restoring the original files.


The following services are disabled:

  • agorum
  • apache
  • axigen
  • citadel
  • communigate
  • dba
  • eudora
  • exim
  • icewarp
  • iisadmin
  • imap
  • mail
  • mdaemon
  • msdtc
  • msdtsoracle
  • nginx
  • nntpsvc
  • pop3
  • resvc
  • smtp
  • spark
  • sql
  • srservice
  • swprv
  • tomcat
  • vss
  • w3svc
  • wingate
  • xchange

The trojan terminates processes with any of the following strings in the name:

  • agorum
  • apache
  • axigen
  • citadel
  • communigate
  • dba
  • eudora
  • exim
  • icewarp
  • iisadmin
  • imap
  • mail
  • mdaemon
  • msdtc
  • msdtsoracle
  • nginx
  • nntpsvc
  • pop3
  • resvc
  • smtp
  • spark
  • sql
  • tomcat
  • w3svc
  • wingate
  • xchange

The trojan executes the following files:

  • %malwarefolder%\wp.exe %malwarefolder%\%malwarefilename%
