Win32/Diskcoder [Threat Name]

Win32/Diskcoder.C [Threat Variant Name]

Category trojan
Size 362360 B
Detection created Jun 27, 2017
Detection database version 15653
Aliases Ransom:Win32/Petya (Microsoft)
  Trojan-Ransom.Win32.ExPetr.a (Kaspersky)
  Ransom.Petya (Symantec)
Short description

Win32/Diskcoder.C is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to send information or a certain amount of money via the Bitcoin payment service. The trojan spreads by exploiting various vulnerabilities in the operating system of the targeted machines.

Installation

The trojan does not create any copies of itself.


The trojan creates the following files:

  • C:\Windows\perfc
  • C:\Windows\dllhost.dat

After the installation is complete, the trojan deletes the original executable file.


Win32/Diskcoder.C replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.


The trojan stores the first sector of the original MBR in sector 34 of the new MBR.

Spreading

Win32/Diskcoder.C is a trojan that spreads via shared folders.


The following names of the shared network folders are used:

  • admin$

The trojan spreads by exploiting a vulnerability in the operating system of the targeted machine. It exploits the MS17-010 vulnerability.

Payload information

Win32/Diskcoder.C is a trojan that encrypts files on local drives.


The trojan searches for files with the following file extensions:

  • .3ds
  • .7z
  • .accdb
  • .ai
  • .asp
  • .aspx
  • .avhd
  • .back
  • .bak
  • .c
  • .cfg
  • .conf
  • .cpp
  • .cs
  • .ctl
  • .dbf
  • .disk
  • .djvu
  • .doc
  • .docx
  • .dwg
  • .eml
  • .fdb
  • .gz
  • .h
  • .hdd
  • .kdbx
  • .mail
  • .mdb
  • .msg
  • .nrg
  • .ora
  • .ost
  • .ova
  • .ovf
  • .pdf
  • .php
  • .pmf
  • .ppt
  • .pptx
  • .pst
  • .pvi
  • .py
  • .pyc
  • .rar
  • .rtf
  • .sln
  • .sql
  • .tar
  • .vbox
  • .vbs
  • .vcb
  • .vdi
  • .vfd
  • .vmc
  • .vmdk
  • .vmsd
  • .vmx
  • .vsdx
  • .vsv
  • .work
  • .xls
  • .xlsx
  • .xvd
  • .zip

It avoids files from the following directories:

  • C:\Windows

The trojan encrypts the file content.


The RSA and AES encryption algorithms are used.


To decrypt the files, the user is asked to send information or a certain amount of money via the Bitcoin payment service.


The trojan creates the following file:

  • %drive%\README.TXT

It contains the following text:

  • Ooops, your important files are encrypted.
  • If you see this text, then your files are no longer accessible, because
  • they have been encrypted. Perhaps you are busy looking for a way to recover
  • your files, but don't waste your time. Nobody can recover your files without
  • our decryption service.
  • We guarantee that you can recover all your files safely and easily.
  • All you need to do is submit the payment and purchase the decryption key.
  • Please follow the instructions:
  • 1. Send $300 worth of Bitcoin to following address:
  • 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
  • 2. Send your Bitcoin wallet ID and personal installation key to e-mail wowsmith123456@posteo.net.
  • Your personal installation key:

The trojan may restart the operating system.


Win32/Diskcoder.C is a trojan that encrypts specific parts of drives.


The trojan displays a fake error message:

Other information

The trojan may execute the following commands:

  • C:\Windows\dllhost.dat \\%computer% -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\%malwarename%,#1
  • wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %drive%:
  • schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "shutdown.exe /r /f" /ST %time%
  • at %time% shutdown.exe /r /f
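
Detection logic for the command list above, as an added example that is not ESET's code: it matches process-creation command lines against the listed behaviours (event log clearing, USN journal deletion, a forced-reboot task, remote rundll32 launch by ordinal) and escalates hosts that show several of them. The rule names, host names, times and the two-behaviour threshold are assumptions, and the sample events are constructed.

```python
import re

# Rule names are labels chosen for this example; the patterns follow the commands listed above.
RULES = {
    "eventlog_clear": re.compile(
        r"\bwevtutil(\.exe)?\s+cl\s+(setup|system|security|application)\b", re.I),
    "usn_journal_delete": re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I),
    "reboot_via_schtasks": re.compile(
        r"\bschtasks(\.exe)?\b.*/create\b.*shutdown(\.exe)?\s+/r\s+/f", re.I),
    "reboot_via_at": re.compile(
        r"\bat(\.exe)?\s+\d{1,2}:\d{2}\s+shutdown(\.exe)?\s+/r\s+/f", re.I),
    # \\host -accepteula -s -d ...rundll32.exe <file>,#1 (remote launch of export ordinal 1)
    "remote_rundll32_ordinal": re.compile(
        r"\\\\\S+\s+-accepteula\s+-s\s+-d\s+\S*rundll32\.exe\s+\S+,#1", re.I),
}

def classify(cmdline):
    """Return the sorted names of every rule that matches one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def triage(events, threshold=2):
    """Collect distinct behaviours per host; report hosts at or above the threshold."""
    per_host = {}
    for host, cmdline in events:
        per_host.setdefault(host, set()).update(classify(cmdline))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}

# Constructed process-creation events (host, command line); hosts and times are made up.
SAMPLE_EVENTS = [
    ("WS-014", r'cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security'
               r' & wevtutil cl Application & fsutil usn deletejournal /D C:'),
    ("WS-014", r'schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "shutdown.exe /r /f" /ST 14:42'),
    ("WS-014", r'C:\Windows\dllhost.dat \\WS-022 -accepteula -s -d'
               r' C:\Windows\System32\rundll32.exe C:\Windows\perfc,#1'),
    ("SRV-03", r'wevtutil el'),
    ("SRV-03", r'schtasks /Create /SC daily /TN "Backup" /TR "C:\Tools\backup.cmd" /ST 02:00'),
    ("WS-031", r'at 09:15 shutdown.exe /r /f'),
]

if __name__ == "__main__":
    for host, behaviours in triage(SAMPLE_EVENTS).items():
        print(host, behaviours)
```

A single matching behaviour, such as the lone `at` reboot on WS-031, stays below the default threshold; lowering `threshold` to 1 surfaces it for review.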
