Trojan.Encoder.38660

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'BabyLockerKZ' = '"<Full path to file>"'

Creates the following files on removable media

<Drive name for removable media>:\how_to_back_files.html
<Drive name for removable media>:\testee.cer
<Drive name for removable media>:\testcertificate.cer
<Drive name for removable media>:\sdkfailsafeemulator.cer
<Drive name for removable media>:\iisstart.htm
<Drive name for removable media>:\ituneshelpunavailable.htm
<Drive name for removable media>:\64bit_notes.htm
<Drive name for removable media>:\iisstart.html
<Drive name for removable media>:\ituneshelpunavailable.html

Malicious functions

To complicate detection of its presence in the operating system,

deletes volume shadow copies.

Executes the following

'<SYSTEM32>\taskkill.exe' -f -im sqlbrowser.exe
'<SYSTEM32>\net.exe' stop SQLBrowser
'<SYSTEM32>\net.exe' stop SQLAgent$MSFW
'<SYSTEM32>\net.exe' stop SQLAgent$ISARS
'<SYSTEM32>\net.exe' stop MSSQL$MSFW
'<SYSTEM32>\net.exe' stop MSSQL$ISARS
'<SYSTEM32>\net.exe' stop MSSQLServerADHelper100
'<SYSTEM32>\taskkill.exe' -f -impostgres.exe
'<SYSTEM32>\taskkill.exe' -f -im pg_ctl.exe
'<SYSTEM32>\taskkill.exe' -f -im msftesql.exe
'<SYSTEM32>\taskkill.exe' -f -im ReportingServicesService.exe
'<SYSTEM32>\taskkill.exe' -f -im fdhost.exe
'<SYSTEM32>\taskkill.exe' -f -im SQLAGENT.EXE
'<SYSTEM32>\taskkill.exe' -f -im Ssms.exe
'<SYSTEM32>\taskkill.exe' -f -im fdlauncher.exe
'<SYSTEM32>\taskkill.exe' -f -im sqlceip.exe
'<SYSTEM32>\taskkill.exe' -f -im MsDtsSrvr.exe
'<SYSTEM32>\taskkill.exe' -f -im msmdsrv.exe
'<SYSTEM32>\taskkill.exe' -f -im sqlserv.exe
'<SYSTEM32>\taskkill.exe' -f -im sql writer.exe
'<SYSTEM32>\net.exe' stop REportServer$ISARS
'<SYSTEM32>\net.exe' stop SQLWriter

Injects code into

the following system processes:

<SYSTEM32>\wbadmin.exe

Modifies file system

Creates the following files

C:\users\public\desktop\how_to_back_files.html
C:\how_to_back_files.html
a:\how_to_back_files.html
D:\how_to_back_files.html

Modifies the following files

C:\kms\kms_vl_all_aio.cmd
C:\kms\kms_vl_all_aio_debug.log
<Drive name for removable media>:\sdkfailsafeemulator.cer
<Drive name for removable media>:\correct.avi
<Drive name for removable media>:\testee.cer
<Drive name for removable media>:\testcertificate.cer
<Drive name for removable media>:\weeklysheet1215.doc
<Drive name for removable media>:\508softwareandos.doc
<Drive name for removable media>:\cveuropeo.doc
<Drive name for removable media>:\file_p_00000000_1371597592.docx
<Drive name for removable media>:\holycrosschurchinstructions.docx
<Drive name for removable media>:\sdszfo.docx

Modifies user data files (Trojan.Encoder).

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLWriter' (with hidden window)

Restarts the analyzed sample

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
'<SYSTEM32>\net1.exe' stop SQLWriter
'<SYSTEM32>\cmd.exe' /c net stop SQLWriter
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
'<SYSTEM32>\net1.exe' stop REportServer$ISARS
'<SYSTEM32>\cmd.exe' /c net stop REportServer$ISARS
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
'<SYSTEM32>\net1.exe' stop SQLBrowser
'<SYSTEM32>\cmd.exe' /c net stop SQLBrowser
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
'<SYSTEM32>\net1.exe' stop SQLAgent$MSFW
'<SYSTEM32>\cmd.exe' /c net stop SQLAgent$MSFW
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
'<SYSTEM32>\net1.exe' stop SQLAgent$ISARS
'<SYSTEM32>\cmd.exe' /c net stop SQLAgent$ISARS
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
'<SYSTEM32>\wbadmin.exe' DELETE SYSTEMSTABACKUP -deleteOldest
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
'<SYSTEM32>\bcdedit.exe' /set {default} recoverynabled No
'<SYSTEM32>\wbem\wmic.exe' SHADOWCOPY /nointeractive
'<SYSTEM32>\wbadmin.exe' DELETE SYSTEMSTATEBACKUP
'<SYSTEM32>\bcdedit.exe' /set {default} bootstatuspolicy ignoreallfailures
'<SYSTEM32>\wbadmin.exe' delete backup -keepVersion:0 -quiet
'<SYSTEM32>\cmd.exe' /c bcdedit.exe /set {default} recoverynabled No
'<SYSTEM32>\cmd.exe' /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
'<SYSTEM32>\cmd.exe' /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
'<SYSTEM32>\cmd.exe' /c wbadmin DELETE SYSTEMSTATEBACKUP
'<SYSTEM32>\cmd.exe' /c wbadmin delete backup -keepVersion:0 -quiet
'<SYSTEM32>\cmd.exe' /c wmic.exe SHADOWCOPY /nointeractive
'<SYSTEM32>\cmd.exe' /c vssadmin.exe Delete Shadows /All /Quiet
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
'<SYSTEM32>\net1.exe' stop MSSQL$MSFW
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
'<SYSTEM32>\cmd.exe' /c net stop MSSQL$MSFW
'<SYSTEM32>\cmd.exe' /c taskkill -f -im Ssms.exe
'<SYSTEM32>\cmd.exe' /c taskkill -f -im fdlauncher.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
'<SYSTEM32>\cmd.exe' /c taskkill -f -im sqlceip.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
'<SYSTEM32>\cmd.exe' /c taskkill -f -im MsDtsSrvr.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
'<SYSTEM32>\cmd.exe' /c taskkill -f -im msmdsrv.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
'<SYSTEM32>\cmd.exe' /c taskkill -f -im sqlserv.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
'<SYSTEM32>\cmd.exe' /c taskkill -f -im sql writer.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
'<SYSTEM32>\cmd.exe' /c taskkill -f -im sqlbrowser.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
'<SYSTEM32>\cmd.exe' /c rem Kill "SQL"
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
'<SYSTEM32>\net1.exe' stop MSSQL$ISARS
'<SYSTEM32>\cmd.exe' /c taskkill -f -im SQLAGENT.EXE
'<SYSTEM32>\cmd.exe' /c net stop MSSQL$ISARS
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
'<SYSTEM32>\net1.exe' stop MSSQLServerADHelper100
'<SYSTEM32>\cmd.exe' /c net stop MSSQLServerADHelper100
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
'<SYSTEM32>\cmd.exe' /c taskkill -f -impostgres.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
'<SYSTEM32>\cmd.exe' /c taskkill -f -im pg_ctl.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
'<SYSTEM32>\cmd.exe' /c taskkill -f -im msftesql.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
'<SYSTEM32>\cmd.exe' /c taskkill -f -im ReportingServicesService.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
'<SYSTEM32>\cmd.exe' /c taskkill -f -im fdhost.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
'%WINDIR%\syswow64\cmd.exe' /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
'<SYSTEM32>\cmd.exe' /c pause

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial