
Ransom:Win32/Pagongcrypt


First posted on 28 June 2016.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Pagongcrypt.

Explanation:

Installation

This ransomware drops itself as %appdata%\Microsoft\TrueCrypter\TrueCrypter.exe.

It modifies the following registry keys:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: TrueCrypter
With data: \Microsoft\TrueCrypter\TrueCrypter.exe

Payload

Connects to a remote host

Before the ransomware encrypts any files, it contacts its C&C server to obtain further instructions and the parameters it needs to proceed with the encryption. In the wild, we have observed the threat connecting to the following servers, including a Tor hidden service:

  • hxxps://ask.fm/innocentask001
  • hxxp://forumforastral.com/innocentuser001
  • hxxp://m2coftkce5g4gyza.onion.gq


Malware can connect to a remote host to do any of the following:
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate


Encrypts your files

This threat searches for files in your %appdata%\ folder (for example, c:\documents and settings\john doe) and encrypts those with the following file extensions:

.7z .csproj .htm .mp4 .potm .reg .ts .7zip .csr .html .mrw .potx .resx .tsv .arw .css .hxx .msg .pp .rpm .tsx .as .csv .ico .mx .ppam .rss .txt .asm .cxx .inc .nef .pps .rtf .vb .asp .db .index .ods .ppsm .rw2 .vbs .aspx .dcr .ini .odt .ppsx .scpt .vcxproj .au3 .dds .jad .org .ppt .sh .veg .avi .deb .java .pages .pptm .shtml .wmw .bash .dib .jfif .pas .pptx .sitx .wpd .bat .dng .jpe .pcd .prproj .sldm .wps .bmp .doc .jpeg .pdf .ps .sldx .xcodeproj .bookmarks .docm .jpg .pdn .ps1 .sln .xht .bsh .docx .js .php .psd .splus .xhtm .cbr .dot .jsm .php3 .psm1 .sql .xhtml .cc .dotm .json .php4 .ptx .sqlite .xlam .cer .dotx .jsp .php5 .pwi .sqlite3 .xls .cfm .dtd .jss .phps .py .src .xlsb .class .eps .jsx .phpt .pyc .swift .xlsm .cmd .fla .kix .phtml .pyw .sxc .xlsx .config .fpx .lex .pkg .raf .tar .xltm .cpp .gif .litcofee .pl .rar .tar.gz .xltx .cr2 .gz .lpr .pm .raw .tga .xml .crw .gzip .lua .pmx .rb .thmx .zip .cs .hpp .mov .png .rbw .tif .zipx .csh .hta .mp3 .pot .rc .tiff

After the ransomware encrypts a file, it writes the encrypted data to a new file whose name is the original name with a .enc suffix appended. For example:
  • desktop.ini is renamed to desktop.ini.enc
  • test.pps is renamed to test.pps.enc
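The two host-based indicators above, the Run-key persistence entry and the `<name>.<ext>.enc` rename pattern, are easy to turn into a triage check. The script below is an added example (not Microsoft's or malwarePDF's code) and works on a constructed file listing and a constructed Run-key export; the extension set is a subset of the list above, and the sample paths under `C:\Users\jdoe` are invented for the demo.

```python
import ntpath

# Indicators taken from the write-up above.
TARGET_EXTS = {".7z", ".docx", ".ini", ".jpg", ".pdf", ".pps", ".sql", ".tar.gz"}
ENC_SUFFIX = ".enc"
RUN_VALUE_NAME = "TrueCrypter"
DROP_PATH_TAIL = r"\microsoft\truecrypter\truecrypter.exe"

# Constructed sample inputs for the demo (not taken from a real infection).
SAMPLE_PATHS = [
    r"C:\Users\jdoe\AppData\Roaming\desktop.ini.enc",
    r"C:\Users\jdoe\AppData\Roaming\slides\test.pps.enc",
    r"C:\Users\jdoe\AppData\Roaming\backup.tar.gz.enc",
    r"C:\Users\jdoe\AppData\Roaming\notes.txt",   # untouched file
]
SAMPLE_RUN_KEY = {
    "OneDrive": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "TrueCrypter": r"C:\Users\jdoe\AppData\Roaming\Microsoft\TrueCrypter\TrueCrypter.exe",
}


def original_name(path):
    """Return the pre-encryption file name if path looks like <name>.<ext>.enc, else None."""
    name = ntpath.basename(path)
    if not name.lower().endswith(ENC_SUFFIX):
        return None
    stem = name[: -len(ENC_SUFFIX)]
    # Longest extension first so "backup.tar.gz.enc" maps to ".tar.gz", not ".gz".
    for ext in sorted(TARGET_EXTS, key=len, reverse=True):
        if stem.lower().endswith(ext):
            return stem
    return None


def find_encrypted(paths):
    """Pair each *.enc path with the original name it was renamed from."""
    return [(p, original_name(p)) for p in paths if original_name(p) is not None]


def find_persistence(run_values):
    """Flag Run-key entries matching the value name or drop path from the write-up."""
    return {n: d for n, d in run_values.items()
            if n == RUN_VALUE_NAME or d.lower().endswith(DROP_PATH_TAIL)}


if __name__ == "__main__":
    for enc, orig in find_encrypted(SAMPLE_PATHS):
        print(f"encrypted file: {enc} (was {orig})")
    for name, data in find_persistence(SAMPLE_RUN_KEY).items():
        print(f"persistence entry: {name} = {data}")
```

A file ending in .enc whose stem carries none of the targeted extensions is deliberately not reported, so the check stays specific to this family's rename behaviour rather than to any .enc file.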


It also displays a ransom note with instructions on how to pay in exchange for file decryption. Payments can be made in bitcoins or Amazon gift cards.

Analysis by Rodel Finones

Last update 28 June 2016
