Trojan.Encoder.38803

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'SysBootManager' = 'C:\WinRar64\WinRar.exe'

Creates or modifies the following files

<SYSTEM32>\tasks\boot managment engine

Infects the following executable files

%TEMP%\opera installer\opera_36.0.2130.46_setup.exe
%APPDATA%\mozilla\firefox\profiles\la5zhz1m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
%APPDATA%\telegram desktop\telegram.exe
%APPDATA%\telegram desktop\updater.exe
%APPDATA%\telegram desktop\unins000.exe
%HOMEPATH%\desktop\notepad.exe
%HOMEPATH%\desktop\utorrent.exe
%HOMEPATH%\desktop\wrar520.exe

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Command Prompt (CMD)
Windows Task Manager (Taskmgr)

blocks the following features:

User Account Control (UAC)

Executes the following

'<SYSTEM32>\taskkill.exe' /IM explorer.exe /F

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe

Reads files which store third party applications passwords

%LOCALAPPDATA%\google\chrome\user data\default\cookies
%HOMEPATH%\desktop\toolbar.bmp
%HOMEPATH%\desktop\thlps_keeper_mayer_1965.docx
%HOMEPATH%\desktop\testee.cer
%HOMEPATH%\desktop\lisp_success.doc
%HOMEPATH%\desktop\iisstart.html
%HOMEPATH%\desktop\dialmap.bmp
%HOMEPATH%\desktop\dial.bmp
%HOMEPATH%\desktop\delete.avi
%HOMEPATH%\desktop\dashborder_192.bmp
%HOMEPATH%\desktop\dashborder_144.bmp
%HOMEPATH%\desktop\correct.avi
%HOMEPATH%\desktop\contosoroot.cer
%HOMEPATH%\desktop\trivial-merge.html
%HOMEPATH%\desktop\applicantform_en.doc
%HOMEPATH%\desktop\alert.htm
%HOMEPATH%\desktop\adhd_and_obesity.docx
%HOMEPATH%\desktop\adadsi.html
%HOMEPATH%\desktop\about.htm
%HOMEPATH%\desktop\sdksampleprivdeveloper.cer
%HOMEPATH%\desktop\64bit_notes.htm
%HOMEPATH%\desktop\508softwareandos.doc
%APPDATA%\thunderbird\profiles.ini
%APPDATA%\opera software\opera stable\login data
%APPDATA%\mozilla\firefox\profiles.ini
%LOCALAPPDATA%\google\chrome\user data\default\web data
%LOCALAPPDATA%\google\chrome\user data\default\login data
%HOMEPATH%\desktop\api-hashmap.html
%HOMEPATH%\desktop\weeklysheet1215.doc

Modifies file system

Creates the following files

C:\winrar64\winrar.exe
nul
<SYSTEM32>\files.key
%LOCALAPPDATA%\microsoft\windows\upps\upps.bin
%LOCALAPPDATA%\mozilla\firefox\profiles\la5zhz1m.default-release\cache2\entries\f7dd2615771c55ad7643de68b9c00e50610300a1
%LOCALAPPDATA%\packages\microsoft.oneconnect_8wekyb3d8bbwe\localstate\diagoutputdir\oneconnect.discoverynotificationtask03_11_04_34_02_3680.txt

Modifies the following files

C:\users\default\appdata\local\microsoft\windows\shell\defaultlayouts.xml
C:\users\default\appdata\roaming\microsoft\windows\sendto\desktop (create shortcut).desklink
C:\users\default\appdata\roaming\microsoft\windows\sendto\compressed (zipped) folder.zfsendtotarget
C:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\window switcher.lnk
C:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\shows desktop.lnk
C:\users\default\appdata\local\microsoft\windows sidebar\settings.ini
C:\users\default\appdata\local\microsoft\windows\winx\group3\10 - appsandfeatures.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group3\09 - mobility center.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group3\08 - powerandsleep.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group3\07 - event viewer.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group3\06 - systemabout.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group3\05 - device manager.lnk
C:\users\default\appdata\roaming\microsoft\windows\sendto\fax recipient.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group3\04-1 - networkstatus.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group3\03 - computer management.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group3\02a - windows powershell.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group3\02 - command prompt.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group3\01a - windows powershell.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group3\01 - command prompt.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group2\5 - task manager.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group2\4 - control panel.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group2\3 - windows explorer.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group2\2 - search.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group2\1 - run.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group1\1 - desktop.lnk
C:\users\default\appdata\local\microsoft\windows\winx\group3\04 - disk management.lnk
C:\users\default\appdata\roaming\microsoft\windows\sendto\mail recipient.mapimail

Modifies multiple files.

Substitutes the following files

%LOCALAPPDATA%\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl
%APPDATA%\mozilla\firefox\profiles\la5zhz1m.default-release\prefs.js

Modifies user data files (Trojan.Encoder).

Network activity

Connects to

'ra#.####ubusercontent.com':443
'di##ord.com':443

TCP

Other

'ra#.####ubusercontent.com':443
'di##ord.com':443

UDP

DNS ASK ra#.####ubusercontent.com
DNS ASK di##ord.com

Miscellaneous

Searches for the following windows

ClassName: 'OleMainThreadWndClass' WindowName: ''
ClassName: '' WindowName: ''

Creates and executes the following

'C:\winrar64\winrar.exe'
'<SYSTEM32>\taskkill.exe' /IM explorer.exe /F' (with hidden window)
'<SYSTEM32>\cmd.exe' /C "powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0"' (with hidden window)
'<SYSTEM32>\cmd.exe' /C "powercfg -setdcvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0"' (with hidden window)

Executes the following

'<SYSTEM32>\schtasks.exe' /create /tn "Boot Managment Engine" /tr C:\WinRar64\WinRar.exe /sc ONLOGON /ru user /it /rl highest
'<SYSTEM32>\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
'<SYSTEM32>\shutdown.exe' /r /t 0
'<SYSTEM32>\cmd.exe' /C "powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0"
'<SYSTEM32>\cmd.exe' /C "powercfg -setdcvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0"

Attempts to shut down the Windows operating system.

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial