
Ransom:Win32/Zekwacrypt.A


First posted on 24 June 2016.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Zekwacrypt.A.

Explanation:

Installation

It modifies the following registry keys:

  • In subkey: HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\
    Sets value: ext
    With data:
  • In subkey: HKU\Administrator\Software\Classes\\
    Sets value: default
    With data: .run
  • In subkey: HKU\Administrator\Software\Classes\\shell\open\command
    Sets value: default
    With data: notepad “%documents%\_zkswrae_encrypted_readme.txt”


Payload

Encrypts your files

This ransomware searches all folders for files with the following extensions and then encrypts them:

.APR .BOX .dot .GML .mb .PAS .rt .VC6 .jas .bpw .dotm .GO .MCD .PDB .rtf .VCD .ari .BRD .dotx .GRB .md2 .pdd .RVM .VCPROJ .arw .BREP .dotXSI .GTABLE .md3 .pdf .RVT .vdi .srf .BSDL .dpm .GTC .MDA .PDI .rw2 .VDPROJ .1CD .bzip .DPR .GXK .MDB .PDX .rwl .vfd .3dm .C .dproj .gz .mdc .pef .rwx .vhd .3dmf .C2D .drf .gzip .MDE .pem .rwz .VHDL .3dmlw .c4d .DRW .H .MDF .pfx .S .vimproj .3ds .CAD .dsa .ha .MDS .php .S12 .VIP .3DV .cal3d .dsk .hdd .mdx .php2 .S19 .VLM .3dxml .cap .dsm .hdmov .mef .php3 .sav .vmc .3fr .CATDrawing .DSPF .HPP .mesh .php4 .SCAD .vmdk .3g2 .CATPart .dss .HS .mht .php5 .SCALA .vmem .3ga .CATProcess .dsv .htm .mhtml .php6 .SCDOC .vmsd .3gp .CATProduct .dtd .html .mid .php7 .SCE .vmsn .3gp2 .CBL .dts .HXX .midi .phps .SCI .vmss .3gpp .CBP .DWB .IAM .mka .phtml .SCM .vmtm .3mf .CC .DWF .ICD .mkv .PIPE .SD7 .vmx .4DB .CCC .DWG .IDW .ML .pl .SDB .vmxf .4DD .CCD .DXF .IFC .mlp .PLN .SDC .VND .4DIndx .CCM .E .ifo .mm3d .ply .SDF .vob .4DIndy .CCP4 .E2D .IGES .model .PM .SDI .VS .4DR .CCS .EAP .ihtml .mos .png .shtml .vsv .7z .cda .EASM .iiq .mov .pot .sia .vud .aac .CDI .EDIF .IMG .mp2 .potm .sib .vue .ABC .CDL .EDRW .imp .mp2v .potx .skp .vwx .ac .CDR .EFS .INC .mp3 .pov .sldasm .w3d .ac3 .cer .EGG .indd .mp4 .PP .SLDDRW .waData .ACCDB .cfg .EGT .info .mp4v .ppam .sldm .waIndx .ACCDE .cfl .eip .IPN .mpa .ppk .sldprt .waJournal .ACCDR .cfm .EL .IPT .mpc .pps .sldx .waModel .ACCDT .cgi .EMB .ISO .mpe .ppsm .SLN .wav .ace .CGM .EMF .ivf .mpeg .ppsx .smd .wb2 .ACP .cgr .eml .j2c .mpg .ppt .smk .WDB .ADA .CHML .EPRT .j2k .mpls .pptm .snd .webm .ADB .CIF .eps .jar .MPO .pptx .SPEF .WGL .ADF .CIR .epub .JAVA .mpv2 .PRC .SPI .wings .adp .CLJ .erf .jp2 .mpv4 .PRG .SQL .wm .ADS .CLS .ESS .jpc .MRC .PRO .SQLITE .wma .ADT .CMX .ESW .jpe .mrw .PRT .sr2 .WMDB .ADZ .CO .evo .jpeg .MS12 .ps .SREC .WMF .AEC .COB .EXCELLON .jpf .mts .psb .srw .wmp .AI .core3d .EXP .jpg .MYD .psd .ssh .wmv .aif .CPF .F .jpx .MYI .PSM .std .wpd .aifc .CPP .f4v .jsp .NCF .PSMODEL .STEP .wps 
.aiff .cr2 .F77 .JT .NDF .pst .STIL .wrl .ain .crt .F90 .k25 .nef .ptx .STK .wv .alac .crw .fac .kdb .nif .pub .STL .x .AMF .CS .fb2 .kdbx .NRG .pva .stm .X_B .amr .CSPROJ .fbx .kdc .nrw .pvs .SUB .X_T .amv .csv .FDB .KEXI .NSF .PWI .SV .X3D .an8 .ctm .fff .KEXIC .NTF .pxn .SVG .x3f .aob .CUE .flac .KEXIS .NV2 .PY .swf .XAR .aoi .CXX .flc .L .nvram .PYT .SWG .XE .ape .D .fli .las .OASIS .R .SXD .xhtml .apl .D64 .flic .lasso .obj .R3D .tak .xla .AR .DAA .flv .lassoapp .OCD .ra .tar .xlam .arc .dae .FM .LDB .ODB .raf .TCL .xll .arj .DAF .FMZ .LEF .ODG .ram .TCT .xlm .ART .DB .FOR .LISP .odm .rar .TCW .xls .ASC .DBA .FP .log .odp .raw .tex .xlsb .asf .DBF .FP3 .lwo .odt .RB .TIB .xlsm .ASM .DBPro123 .FP5 .lws .off .RC .tif .xlsx .asp .dcr .FP7 .lxo .ofr .RC2 .tiff .xlt .aspx .dcs .FRM .lzh .ofs .rec .tp .xltm .au .DEF .FRX .M .oga .RED .trp .xltx .avi .der .FS .m1a .ogex .REDS .ts .xlw .AWG .DFF .FSDB .m1v .ogg .REL .tta .xml .b3d .dfm .FTH .m2a .ogm .RESX .txt .XPL .B6T .DFT .FTN .m2p .ogv .RFA .u3d .XQ .BAS .DGK .g .m2t .OpenAccess .RIN .uc2 .XSI .bay .DGN .GBR .m2ts .opus .rk .UDL .XSL .bdmv .divx .GDB .m2v .ORA .RKT .UNV .Y .bik .DMG .gdoc .M4 .orf .RKTL .UPF .z3d .BIM .DMS .GDSII .m4a .ott .RLF .V .zip .BIN .DMT .GED .m4b .P .rm .V2D .bkf .dng .gif .m4r .p12 .rmi .VAP .blend .doc .glm .m4v .p7b .rmm .VB .block .docb .GM6 .ma .p7c .rmvb .VBG .bml .docm .GMD .maff .pages .rp .VBP .bmp .docx .GMK .max .PAR .rss .VBPROJ



It looks through the files and removes files with the following names:
  • backup
  • backups


After the files are encrypted, the ransomware renames them by appending ".[alphabet]{7}" (a dot followed by seven letters) to the affected file's extension. For example:
  • file.png is renamed to file.png.zekwakc
  • file.bin is renamed to file.bin.zekwakc


It drops the following file in the root of the C drive after encryption:
  • Clog.txt - a log of every file it encrypts, probably kept for debugging purposes


The malware does not encrypt files in directories whose names contain any of the following:
  • Microsoft
  • Windows
  • Borland
  • Content.IE5
  • Mozilla
  • Framework
  • Temp
  • I386
  • Torrents
  • Torrent


It creates the following files in the %documents% folder:
  • psawfcsnbd_encrypted_readme.txt.bmp (same content as encrypted_readme.txt)
  • __encrypted_readme.txt


It drops two text files in every directory it encrypts:
  • encrypted_readme.txt
  • encrypted_list.txt
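The renaming scheme, the dropped notes and log, and the skipped directories described above give an incident responder a simple file-name triage rule. The script below is an added example, not Microsoft's or the malwarePDF page's code; it assumes a subset of the targeted extension list and treats "directories that contain the following names" as an exact, case-insensitive match on a path component, both of which are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed subset of the targeted extension list above (the real list is much longer).
TARGETED_EXTS = {".png", ".bin", ".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".txt", ".vmdk"}
# Directory names the description says the ransomware skips (assumed: exact path component).
SKIPPED_DIRS = {"microsoft", "windows", "borland", "content.ie5", "mozilla",
                "framework", "temp", "i386", "torrents", "torrent"}
# Appended suffix: a dot followed by exactly seven lowercase letters, e.g. ".zekwakc".
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9_]+)\.(?P<suffix>[a-z]{7})$")
# Dropped notes and log: encrypted_readme.txt, encrypted_list.txt, the prefixed
# *_encrypted_readme.txt(.bmp) copies in %documents%, and C:\Clog.txt.
NOTE_RE = re.compile(r"^(?:[a-z_]*encrypted_(?:readme|list)\.txt(?:\.bmp)?|clog\.txt)$")


def expected_untouched(path):
    """True if the file sits under a directory the ransomware is described as skipping."""
    return any(part.lower() in SKIPPED_DIRS for part in PureWindowsPath(path).parts[:-1])


def original_name(path):
    """Recover the pre-encryption file name by stripping the seven-letter suffix."""
    m = ENCRYPTED_RE.match(PureWindowsPath(path).name)
    return m.group("orig") if m else None


def classify(path):
    """Return 'note', 'encrypted' or 'other' for one file path."""
    name = PureWindowsPath(path).name
    if NOTE_RE.match(name.lower()):
        return "note"
    orig = original_name(path)
    # Only count the rename if the stripped name ends in a targeted extension.
    if orig and PureWindowsPath(orig).suffix.lower() in TARGETED_EXTS:
        return "encrypted"
    return "other"


def triage(paths):
    """Bucket a file listing (e.g. from a forensic image) by classification."""
    buckets = defaultdict(list)
    for path in paths:
        buckets[classify(path)].append(path)
    return dict(buckets)


if __name__ == "__main__":
    # Constructed sample listing; the .zekwakc suffix is the one shown in the examples above.
    sample = [r"C:\Users\alice\Pictures\file.png.zekwakc", r"C:\Clog.txt",
              r"C:\Users\alice\Documents\__encrypted_readme.txt", r"C:\Windows\System32\kernel32.dll"]
    for bucket, files in triage(sample).items():
        print(bucket, files)
```

Feed it the output of a directory walk over a mounted image; any "encrypted" hit under a directory where expected_untouched() is True is worth a second look, since it does not fit this family's described behaviour.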


Connects to a remote host


This ransomware does not require an internet connection to encrypt files.

Last update 24 June 2016
