Home / malware Ransom:Win32/Empercrypt.A
First posted on 23 February 2016.
Source: MicrosoftAliases :
There are no other names known for Ransom:Win32/Empercrypt.A.
Explanation :
Installation
This threat can create files on your PC, including:
- %LOCALAPPDATA%\del.bat
- %LOCALAPPDATA%\system.exe
Payload
Connects to a remote host
We have seen this threat connect to a remote host, including:
- blockchain.info using port 443
blockchain.info is a legitimate BitCoin 3rd party site being used by the malware for its activity. It is possible that the site is used by the malware perpetrators in two ways:
Malware can connect to a remote host to do any of the following:
- Test for internet status by trying to connect to it
- Facilitate ransom related-payment using BitCoin
- Check for an Internet connection
- Download and run files (including updates or other malware)
- Report a new infection to its author
- Receive configuration or other data
- Receive instructions from a malicious hacker
- Search for your PC location
- Upload information taken from your PC
- Validate a digital certificate
This malware description was published using automated analysis of file SHA1 038e914934edd96e0eb50ee25d5724f502b58f4f.Last update 23 February 2016
