
Ransom:MSIL/JigsawLocker.A


First posted on 22 April 2016.
Source: Microsoft

Aliases :

There are no other names known for Ransom:MSIL/JigsawLocker.A.

Explanation :

Installation

This malware can be downloaded from torrent sites or file sharing sites with names such as Mining_client.exe, BtcGenerator.exe, and BitcoinBlackMailer.exe.

This threat can create files on your PC, including:

  • %APPDATA%\google (x86)\chrome32.exe
  • %APPDATA%\frfx\firefox.exe
  • %LOCALAPPDATA%\DrpBx\drpbx.exe
  • %LOCALAPPDATA%\Adobe (x86)\AcroRd32.exe


The malware adds registry entries like the following so that it runs at every startup:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Chrome32.exe"
With data: "%APPDATA%\google (x86)\chrome32.exe"

Sets value: "Firefox.exe"
With data: "%APPDATA%\frfx\firefox.exe"

When the malware is successfully installed, you'll see the following message:

A notification message is then displayed that explains how to decrypt your documents:

Scrolling down the message, you'll see a warning which includes a countdown. You are instructed to use Bitcoins to transfer money to the attackers:

Payload

This ransomware encrypts files with the following extensions:

.1pa .Fim .Plt .sql .3dm .fla .pmd .Svg .3g2 .flv .png .svg .3gp .Fmv .pot .Swf .aaf .FPx .potm .swf .accdb .Fpx .potx .Tga .aep .Fx0 .PP4 .tif .aepx .Fx1 .Pp5 .Tiff .aet .Fxr .ppam .Tlg .Ai .Gem .Ppf .Ttf .ai .Gif .ppj .Txt .Aif .gif .pps .txt .aif .h .ppsm .v30 .as .idml .ppsx .vcf .as3 .iff .Ppt .vob .asf .Iif .ppt .Vsd .asp .Img .pptm .Wav .asx .indb .pptx .wav .avi .indd .prel .Wi .bmp .indl .Prn .wk3 .c .indt .prproj .wk4 .Cal .Ini .Ps .wma .Cdr .inx .ps .Wmf .Cdt .jar .psd .wmv .Cdx .java .Psp .Wpd .Cgn .jpeg .ptb .wpd .class .jpg .py .Wpg .Clk .js .Qba .wps .Cmx .Lgb .QBB .Xcf .Cnt .m3u .QBI .xla .cpp .m3u8 .QBM .xlam .Cpt .m4u .Qbo .xll .Cpx .Mac .Qbp .xlm .cs .max .QBR .Xls .Csl .mdb .Qbw .xls .csv .Met .Qbx .xlsb .Cur .mid .Qby .Xlsm .dat .mov .Qpd .xlsm .db .mp3 .Qsm .Xlsx .dbf .mp4 .Qss .xlsx .Des .mpa .Qst .xlt .doc .mpeg .Qwc .xltm .docb .mpg .ra .xltx .docm .msg .rar .xlw .docx .Mx0 .Raw .xml .dot .Nap .raw .XPM .dotm .Nd .rb .xqx .dotx .Pat .Rif .zip .Drw .Pcd .rtf .Ds4 .Pct .Rtp .Dsf .Pcx .Sct .Dwg .pdb .sdf .dwg .pdf .ses .dxf .Pfb .Set .efx .php .Shw .Eps .Pic .sldm .eps .plb .sldx

After the files are encrypted, we have seen variants of this malware rename the file extensions to either .fun or .btc.

If the user does not pay within the given timeframe, files are deleted at one-hour intervals, and the malware keeps encrypting more files until payment is made.

It also creates the following files that provide information on the payment and encrypted files:
  • %APPDATA%\System32Work\Address.txt - Bitcoin payment address
  • %APPDATA%\System32Work\dr - Text file
  • %APPDATA%\System32Work\EncryptedFiles.txt - List of encrypted files


You can view the encrypted files by clicking the View encrypted files button on the ransom window. Encrypted and deleted files are displayed, for example:
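As an added triage helper (not part of the Microsoft write-up), the Python below matches observed file paths and HKCU Run values against the dropped-binary, persistence and payload indicators listed on this page; the profile path C:\Users\analyst is a constructed assumption standing in for the real user profile.

```python
import ntpath

# Indicators quoted from the write-up above, lower-cased for case-insensitive matching.
DROPPED_BINARIES = {
    r"%appdata%\google (x86)\chrome32.exe",
    r"%appdata%\frfx\firefox.exe",
    r"%localappdata%\drpbx\drpbx.exe",
    r"%localappdata%\adobe (x86)\acrord32.exe",
}
RANSOM_ARTIFACTS = {
    r"%appdata%\system32work\address.txt",
    r"%appdata%\system32work\dr",
    r"%appdata%\system32work\encryptedfiles.txt",
}
# Run-key persistence entries: value name -> expected data.
RUN_VALUES = {
    "chrome32.exe": r"%appdata%\google (x86)\chrome32.exe",
    "firefox.exe": r"%appdata%\frfx\firefox.exe",
}
ENCRYPTED_SUFFIXES = (".fun", ".btc")

# Constructed profile layout for this example; a real scanner would take these from os.environ.
ENV_PREFIXES = {
    r"c:\users\analyst\appdata\roaming": "%appdata%",
    r"c:\users\analyst\appdata\local": "%localappdata%",
}

def normalize(path):
    """Lower-case a Windows path and fold a known profile prefix back into its %VAR% form."""
    p = ntpath.normpath(path.strip()).lower()  # ntpath keeps Windows semantics on any host OS
    for prefix, var in ENV_PREFIXES.items():
        if p.startswith(prefix + "\\"):
            return var + p[len(prefix):]
    return p

def classify_path(path):
    """Return which indicator class a file path matches, or None if it matches nothing."""
    n = normalize(path)
    if n in DROPPED_BINARIES:
        return "dropped_binary"
    if n in RANSOM_ARTIFACTS:
        return "ransom_artifact"
    if n.endswith(ENCRYPTED_SUFFIXES):
        return "encrypted_file"  # renamed extension marks a file the ransomware already processed
    return None

def check_run_key(run_values):
    """Given {value_name: data} read from the HKCU Run key, return names matching the persistence entries."""
    return sorted(name for name, data in run_values.items()
                  if RUN_VALUES.get(name.lower()) == normalize(data))
```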

Analysis by: Marianne Mallen

Last update 22 April 2016
