Win32/Shieldcrypt
First posted on 12 September 2017.
Source: Microsoft
Aliases:
There are no other names known for Win32/Shieldcrypt.
Explanation:
Installation
This ransomware may install a copy of itself under names such as:
- %ProgramData%\MicroSoftWare\SmartScreen\SmartScreen.exe
- %ProgramData%\MicroSoftTMP\system32\conhost.exe
Both paths borrow the names of legitimate Windows components (SmartScreen, conhost.exe) but sit under %ProgramData% rather than %SystemRoot%\System32, which is a useful distinguishing feature when hunting.
It may report to and post information to:
- hxxp://45[.]76[.]81[.]110/test_site_scripts/moduls/connects/mailsupload[.]php
- hxxp://107[.]191[.]62[.]136/js/prettyPhoto/images/prettyPhoto/default/infromation[.]php
This ransomware deletes Volume Shadow Copies and stops the Volume Shadow Copy service, removing the local restore points a victim could otherwise recover files from, by running the following commands:
vssadmin.exe Delete Shadows /All /Quiet
net stop vss
It also disables Windows startup repair and the automatic recovery screen on boot failure by running the following commands:
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
It sets the following registry entries so that it runs each time Windows starts (several of the values are written with empty data):
In subkey: HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows SmartScreen"
With data: "C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe"
In subkey: HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows SmartScreen Updater"
With data: ""
In subkey: HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run
Sets value: "Indesing Microsoft"
With data: "C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe"
In subkey: HKCU\SoftWare\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "*Indesing Microsoft"
With data: "C:\ProgramData\MicroSoftTMP\system32\conhost.exe"
In subkey: HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run
Sets value: "Indesing Microsoft Updater"
With data: ""
In subkey: HKCU\SoftWare\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "*Indesing Microsoft Updater"
With data: ""
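The dropped paths, C2 addresses, recovery-inhibition commands and Run-key value names above are all observable in endpoint telemetry. The following is an added example, not code from the Microsoft write-up, that matches those indicators against Sysmon-style events. The one-event-per-line "Key=value" log format, the RecordId field and the SAMPLE_EVENTS are constructed for this example; adapt parse_event() to whatever your SIEM exports.

```python
"""Match the Win32/Shieldcrypt indicators from the write-up against constructed
Sysmon-style telemetry (EventID 1 process create, 3 network connect, 11 file
create, 13 registry value set). The line format is an assumption for this example.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the write-up above (all comparisons are case-insensitive).
DROP_PATHS = {
    r"\programdata\microsoftware\smartscreen\smartscreen.exe",
    r"\programdata\microsofttmp\system32\conhost.exe",
}
C2_IPS = {"45.76.81.110", "107.191.62.136"}
RUN_VALUE_NAMES = {
    "windows smartscreen", "windows smartscreen updater",
    "indesing microsoft", "*indesing microsoft",
    "indesing microsoft updater", "*indesing microsoft updater",
}
# The recovery-inhibition commands, as regexes over a whitespace-normalised command line.
RECOVERY_INHIBITION = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_service_stop", re.compile(r"\bnet1?(\.exe)?\s+stop\s+vss\b", re.I)),
    ("bcdedit_recovery_disabled", re.compile(r"bcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_boot_failures", re.compile(r"bcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]
# Sysmon EventID 13 TargetObject ends with ...\Run\<value name> or ...\RunOnce\<value name>.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\([^\\]+)$", re.I)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed log line into a field dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator labels that fire on one parsed event."""
    hits: List[str] = []
    event_id = event.get("EventID")
    if event_id == "1":  # process creation
        image = event.get("Image", "").lower()
        cmdline = " ".join(event.get("CommandLine", "").split())
        if any(image.endswith(path) for path in DROP_PATHS):
            hits.append("dropped_copy_executed")
        hits.extend(label for label, rx in RECOVERY_INHIBITION if rx.search(cmdline))
    elif event_id == "3":  # network connection
        if event.get("DestinationIp") in C2_IPS:
            hits.append("c2_ip")
    elif event_id == "11":  # file create
        target = event.get("TargetFilename", "").lower()
        if any(target.endswith(path) for path in DROP_PATHS):
            hits.append("dropped_copy_written")
    elif event_id == "13":  # registry value set
        match = RUN_KEY_RE.search(event.get("TargetObject", ""))
        if match and match.group(1).lower() in RUN_VALUE_NAMES:
            hits.append("run_key_persistence")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (RecordId, labels) for every line that matched at least one indicator."""
    results: List[Tuple[str, List[str]]] = []
    for line in lines:
        event = parse_event(line)
        hits = match_event(event)
        if hits:
            results.append((event.get("RecordId", "?"), hits))
    return results


# Constructed sample telemetry: seven Shieldcrypt-like events and one benign one (RecordId 6).
SAMPLE_EVENTS = [
    r'RecordId=1 EventID=1 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin.exe  Delete Shadows /All /Quiet"',
    r'RecordId=2 EventID=1 Image="C:\Windows\System32\net.exe" CommandLine="net stop vss"',
    r'RecordId=3 EventID=1 Image="C:\Windows\System32\bcdedit.exe" CommandLine="bcdedit /set {default} recoveryenabled No"',
    r'RecordId=4 EventID=1 Image="C:\Windows\System32\bcdedit.exe" CommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    r'RecordId=5 EventID=1 Image="C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe" CommandLine="C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe"',
    r'RecordId=6 EventID=1 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe notes.txt"',
    r'RecordId=7 EventID=3 Image="C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe" DestinationIp=45.76.81.110 DestinationPort=80',
    r'RecordId=8 EventID=13 TargetObject="HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Indesing Microsoft" Details="C:\ProgramData\MicroSoftTMP\system32\conhost.exe"',
]

if __name__ == "__main__":
    for record_id, hits in scan(SAMPLE_EVENTS):
        print(record_id, ", ".join(hits))
```

The vssadmin and bcdedit commands also appear in legitimate administration and backup-agent activity, so treat them as high-signal rather than conclusive and pair them with the parent process (a parent running out of %ProgramData% is far more suspicious than an administrator's console). EventID 13 records are only produced if the Sysmon configuration includes the Run and RunOnce keys in its RegistryEvent rules; the values written with empty data still appear there by name.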
Payload
Encrypts files
This threat searches for and encrypts files with the following file name extensions:
.1cd
.3dm
.3ds
.3fr
.3g2
.3gp
.3pr
.7z
.7zip
.aac
.ab4
.abd
.acc
.accdb
.accde
.accdr
.accdt
.ach
.acr
.act
.adb
.adp
.ads
.agdl
.ai
.aiff
.ait
.al
.aoi
.apj
.apk
.arw
.ascx
.asf
.asm
.asp
.aspx
.asset
.asx
.atb
.avi
.awg
.back
.backup
.backupdb
.bak
.bank
.bay
.bdb
.bgt
.bik
.bin
.bkp
.blend
.bmp
.bpw
.bsa
.c
.cash
.cdb
.cdf
.cdr
.cdr3
.cdr4
.cdr5
.cdr6
.cdrw
.cdx
.ce1
.ce2
.cer
.cfg
.cfn
.cgm
.cib
.class
.cls
.cmt
.config
.contact
.cpi
.cpp
.cr2
.craw
.crt
.crw
.cry
.cs
.csh
.csl
.css
.csv
.d3dbsp
.dac
.das
.dat
.db
.db3
.db_journal
.dbf
.dbx
.dc2
.dcr
.dcs
.ddd
.ddoc
.ddrw
.dds
.def
.der
.des
.design
.dgc
.dgn
.dit
.djvu
.dng
.doc
.docm
.docx
.dot
.dotm
.dotx
.drf
.drw
.dtd
.dwg
.dxb
.dxf
.dxg
.edb
.eml
.eps
.erbsql
.erf
.exf
.fdb
.ffd
.fff
.fh
.fhd
.fla
.flac
.flb
.flf
.flv
.flvv
.forge
.fpx
.fxg
.gbr
.gho
.gif
.gray
.grey
.groups
.gry
.h
.hbk
.hdd
.hpp
.html
.ibank
.ibd
.ibz
.idx
.iif
.iiq
.incpas
.indd
.info
.info_
.iwi
.jar
.java
.jnt
.jpe
.jpeg
.jpg
.js
.json
.k2p
.kc2
.kdbx
.kdc
.key
.kpdx
.kwm
.laccdb
.lbf
.lck
.ldf
.lit
.litemod
.litesql
.lock
.ltx
.lua
.m
.m2ts
.m3u
.m4a
.m4p
.m4v
.ma
.mab
.mapimail
.max
.mbx
.md
.mdb
.mdc
.mdf
.mef
.mfw
.mid
.mkv
.mlb
.mmw
.mny
.money
.moneywell
.mos
.mov
.mp3
.mp4
.mpeg
.mpg
.mrw
.msf
.msg
.mts
.myd
.nd
.ndd
.ndf
.nef
.nk2
.nop
.nrw
.ns2
.ns3
.ns4
.nsd
.nsf
.nsg
.nsh
.nvram
.nwb
.nx2
.nxl
.nyf
.oab
.obj
.odb
.odc
.odf
.odg
.odm
.odp
.ods
.odt
.ogg
.oil
.omg
.one
.orf
.ost
.otg
.oth
.otp
.ots
.ott
.p12
.p7b
.p7c
.pab
.pages
.pas
.pat
.pbf
.pcd
.pct
.pdb
.pdd
.pef
.pfx
.php
.pif
.pl
.plc
.plus_muhd
.pm
.pm!
.pmi
.pmj
.pml
.pmm
.pmo
.pmr
.pnc
.pnd
.png
.pnx
.pot
.potm
.potx
.ppam
.pps
.ppsm
.ppsx
.ppt
.pptm
.pptx
.prf
.private
.ps
.psafe3
.psd
.pspimage
.pst
.ptx
.pub
.pwm
.py
.qba
.qbb
.qbm
.qbr
.qbw
.qbx
.qby
.qcow
.qcow2
.qed
.qtb
.r3d
.raf
.rar
.rat
.raw
.rdb
.re4
.rm
.rtf
.rvt
.rw2
.rwl
.rwz
.s3db
.safe
.sas7bdat
.sav
.save
.say
.sd0
.sda
.sdb
.sdf
.sh
.sldm
.sldx
.slm
.sql
.sqlite
.sqlite-shm
.sqlite-wal
.sqlite3
.sqlitedb
.sr2
.srb
.srf
.srs
.srt
.srw
.st4
.st5
.st6
.st7
.st8
.stc
.std
.sti
.stl
.stm
.stw
.stx
.svg
.swf
.sxc
.sxd
.sxg
.sxi
.sxm
.sxw
.tax
.tbb
.tbk
.tbn
.tex
.tga
.thm
.tif
.tiff
.tlg
.tlx
.txt
.upk
.usr
.vbox
.vdi
.vhd
.vhdx
.vmdk
.vmsd
.vmx
.vmxf
.vob
.vpd
.vsd
.wab
.wad
.wallet
.war
.wav
.wb2
.wma
.wmf
.wmv
.wpd
.wps
.x11
.x3f
.xis
.xla
.xlam
.xlk
.xlm
.xlr
.xls
.xlsb
.xlsm
.xlsx
.xlt
.xltm
.xltx
.xlw
.xml
.xps
.xxx
.ycbcra
.yuv
.zip
It does not encrypt files located in folders with any of the following names:
- $recycle.bin
- appdata
- application data
- boot
- cache
- cookies
- games
- inetcache
- microsoft
- nvidia
- packages
- program files
- program files (x86)
- programdata
- system volume information
- temp
- temporary internet files
- tmp
- webcache
- windows
- winnt
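The extension list and folder exclusions above together define which files are encrypted. The following is an added example, not code from the Microsoft write-up, that reproduces that selection rule so you can run a file listing (for example the output of `dir /s /b` on a share) through it and estimate what would have been lost. Two assumptions are made here: the folder names are matched case-insensitively against whole path components (any directory in the path, not just the top level), and the extension is the text after the last dot of the file name. TARGET_EXTENSIONS holds only a subset of the list above for brevity; paste the complete list in for a real assessment. The sample listing is constructed.

```python
"""Reproduce the Win32/Shieldcrypt file-selection rule (targeted extension, not in an
excluded folder). Component-wise folder matching and last-dot extension parsing are
assumptions of this example, not behaviour confirmed by the write-up.
"""
import ntpath
import re
from collections import Counter
from typing import Dict, Iterable

# Folder names the ransomware skips (from the write-up).
EXCLUDED_FOLDERS = {
    "$recycle.bin", "appdata", "application data", "boot", "cache", "cookies",
    "games", "inetcache", "microsoft", "nvidia", "packages", "program files",
    "program files (x86)", "programdata", "system volume information", "temp",
    "temporary internet files", "tmp", "webcache", "windows", "winnt",
}

# Subset of the targeted extensions listed above (trimmed for brevity; extend as needed).
TARGET_EXTENSIONS = set("""
.1cd .7z .accdb .bak .cr2 .csv .db .db_journal .doc .docx .info_ .jpg .kdbx .key
.mdf .mp4 .ost .p12 .pdb .pfx .pm! .png .pst .py .qcow2 .sql .sqlite .sqlite-shm
.sqlite-wal .txt .vbox .vdi .vhd .vhdx .vmdk .wallet .xls .xlsx .zip
""".split())

_SEP_RE = re.compile(r"[\\/]+")


def classify(path: str) -> str:
    """Return 'targeted', 'excluded_folder' or 'extension_not_targeted' for one path."""
    parts = [p for p in _SEP_RE.split(path) if p]
    directories = parts[:-1]  # every path component except the file name itself
    if any(d.lower() in EXCLUDED_FOLDERS for d in directories):
        return "excluded_folder"
    extension = ntpath.splitext(parts[-1])[1].lower() if parts else ""
    return "targeted" if extension in TARGET_EXTENSIONS else "extension_not_targeted"


def would_encrypt(path: str) -> bool:
    return classify(path) == "targeted"


def summarize(paths: Iterable[str]) -> Dict[str, int]:
    """Count how each path in a listing would be treated."""
    return dict(Counter(classify(p) for p in paths))


# Constructed sample listing.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\archive\2016.zip",
    r"C:\Users\alice\AppData\Roaming\Thunderbird\profile\mail.msf",
    r"C:\Users\alice\Pictures\IMG_0001.CR2",
    r"C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe",
    r"D:\Backups\Microsoft\finance.mdf",  # skipped only because a folder is named "Microsoft"
    r"D:\Data\app.sqlite-wal",
    r"D:\Data\README",
    r"\\fileserver\share\Temp\export.csv",
]

if __name__ == "__main__":
    for path in SAMPLE_LISTING:
        print(f"{classify(path):24} {path}")
    print(summarize(SAMPLE_LISTING))
```

Note what the exclusion list does and does not protect: data under any folder that happens to be called Microsoft, Temp or Cache survives under this rule, while a user's Documents, Pictures and network shares do not. The write-up does not say whether the malware compares whole folder names or substrings, so a folder such as MyTemp may or may not be skipped; do not rely on folder naming as a defence.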
After encrypting files, this ransomware opens a ransom note as an HTML page in the web browser.
It also drops a plain-text file, # RESTORING FILES #.TXT, containing the same information.
Analysis by: Jireh Sanico
Last update 12 September 2017