Ransom:Win32/SyncCrypt.A


First posted on 29 August 2017.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/SyncCrypt.A.

Explanation:

Installation

This threat may be downloaded from the web by Trojan downloaders, such as TrojanDownloader:JS/Telicodeq.A.

When run, it creates the following files:

  • %TEMP%\BackupClient\sync.exe (ransomware)
  • %TEMP%\BackupClient\readme.png (ransom note image)
  • %TEMP%\BackupClient\readme.html (ransom note)
  • %TEMP%\BackupClient\tmp.bat (self-delete batch file, post-encryption)


Payload

Encrypts files

This ransomware searches for and encrypts files with the following file name extensions:

  • .7z
  • .7zip
  • .accdb
  • .accde
  • .accdr
  • .ach
  • .adp
  • .aes
  • .ait
  • .apk
  • .arc
  • .arw
  • .asc
  • .asm
  • .asp
  • .aspx
  • .asset
  • .awg
  • .back
  • .backup
  • .backupdb
  • .bak
  • .bat
  • .bay
  • .bdb
  • .bgt
  • .bkp
  • .blend
  • .bmp
  • .bpw
  • .brd
  • .bsa
  • .bz2
  • .cdf
  • .cdr
  • .cdr3
  • .cdr4
  • .cdr5
  • .cdr6
  • .cdrw
  • .cdx
  • .cer
  • .cfg
  • .class
  • .cls
  • .config
  • .contact
  • .cpp
  • .craw
  • .crt
  • .crw
  • .csh
  • .css
  • .csv
  • .d3dbsp
  • .das
  • .dat
  • .db_journal
  • .dbf
  • .dbx
  • .dcr
  • .dcs
  • .ddd
  • .ddoc
  • .dds
  • .der
  • .des
  • .design
  • .dif
  • .dit
  • .djv
  • .djvu
  • .doc
  • .docm
  • .docx
  • .dot
  • .dotm
  • .dotx
  • .drf
  • .drw
  • .dwg
  • .dxb
  • .dxf
  • .edb
  • .eml
  • .eps
  • .erbsql
  • .erf
  • .fdb
  • .ffd
  • .fff
  • .fhd
  • .fla
  • .flac
  • .flf
  • .fpx
  • .frm
  • .gif
  • .gpg
  • .gry
  • .hbk
  • .hdd
  • .hpp
  • .html
  • .hwp
  • .iif
  • .iiq
  • .indd
  • .iwi
  • .jar
  • .java
  • .jnt
  • .jpe
  • .jpeg
  • .jpg
  • .kdbx
  • .kdc
  • .key
  • .kwm
  • .laccdb
  • .latex
  • .lbf
  • .ldf
  • .lit
  • .litesql
  • .lua
  • .lz
  • .lzh
  • .lzma
  • .lzo
  • .lzx
  • .m2ts
  • .m4a
  • .mapimail
  • .max
  • .mbx
  • .mdb
  • .mdf
  • .mfw
  • .mid
  • .midi
  • .mlb
  • .mml
  • .mmw
  • .mny
  • .mocha
  • .moneywell
  • .mpa
  • .mpe
  • .mpeg
  • .mpg
  • .mpga
  • .mpp
  • .mrw
  • .ms11
  • .msg
  • .mvb
  • .myd
  • .myi
  • .ndf
  • .nef
  • .nml
  • .nrw
  • .nsh
  • .nvram
  • .nxl
  • .nyf
  • .oab
  • .obj
  • .odb
  • .odc
  • .odf
  • .odg
  • .odi
  • .odm
  • .odp
  • .ods
  • .odt
  • .ogg
  • .ogv
  • .otg
  • .oth
  • .otp
  • .ots
  • .ott
  • .p12
  • .p7b
  • .p7m
  • .p7r
  • .p7s
  • .pab
  • .package
  • .pages
  • .pas
  • .pat
  • .pbm
  • .pcd
  • .pct
  • .pcx
  • .pdb
  • .pdd
  • .pdf
  • .pef
  • .pem
  • .pfr
  • .pfx
  • .pgm
  • .php
  • .pict
  • .pls
  • .png
  • .pnm
  • .pntg
  • .pot
  • .potm
  • .potx
  • .ppam
  • .ppm
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .ppz
  • .prf
  • .profile
  • .ps
  • .psafe3
  • .psd
  • .pspimage
  • .pst
  • .ptx
  • .pub
  • .pwm
  • .qba
  • .qbb
  • .qbm
  • .qbr
  • .qbw
  • .qbx
  • .qby
  • .qcow
  • .qcow2
  • .qpw
  • .r00
  • .raf
  • .ram
  • .rar
  • .ras
  • .rat
  • .raw
  • .rdb
  • .reg
  • .rgb
  • .rjs
  • .rspt
  • .rtf
  • .rtx
  • .rvt
  • .rwl
  • .rwz
  • .safe
  • .sav
  • .save
  • .scd
  • .sch
  • .scm
  • .sd2
  • .sda
  • .sdc
  • .sdd
  • .sdf
  • .sdp
  • .ser
  • .sh
  • .shar
  • .shw
  • .sid
  • .sit
  • .sitx
  • .skm
  • .skp
  • .smf
  • .snd
  • .spl
  • .sql
  • .sqlite
  • .sqlite3
  • .sqlitedb
  • .srw
  • .ssm
  • .sst
  • .stc
  • .std
  • .sti
  • .stm
  • .stw
  • .stx
  • .svg
  • .svi
  • .swf
  • .sxc
  • .sxg
  • .sxi
  • .sxm
  • .sxw
  • .tar
  • .tbz
  • .tbz2
  • .tex
  • .tgz
  • .tif
  • .tiff
  • .tlz
  • .txt
  • .txz
  • .uop
  • .uot
  • .upk
  • .ustar
  • .vbox
  • .vbs
  • .vcd
  • .vcf
  • .vdi
  • .vhd
  • .vhdx
  • .vmdk
  • .vmsd
  • .vmx
  • .vmxf
  • .vob
  • .vor
  • .wab
  • .wad
  • .wallet
  • .wav
  • .wax
  • .wb1
  • .wb2
  • .wb3
  • .wbmp
  • .wcm
  • .wdb
  • .webm
  • .webp
  • .wks
  • .wma
  • .wp5
  • .wpd
  • .wps
  • .wri
  • .wsc
  • .wvx
  • .xlam
  • .xlc
  • .xlk
  • .xlm
  • .xlr
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .xml
  • .xpm
  • .xps
  • .xsd
  • .z
  • .zip
  • .zoo



It adds the following file name extension to encrypted files:
  • .kk


It does not encrypt files with the following strings in their file path:
  • \$recycle.bin\
  • \desktop\readme\
  • program files (x86)\
  • program files\
  • programdata\
  • system volume information\
  • windows\
  • winnt\
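As an added triage example (not Microsoft's code and not part of this description), the following Python script applies the behaviour described above, the dropped %TEMP%\BackupClient\ files, the appended .kk extension and the excluded path strings, to classify file paths collected from a host. The sample paths and the short subset of targeted extensions are constructed assumptions; the full extension list is the one given above.

```python
import ntpath
from collections import defaultdict

# Indicators below come from the description above; everything else is an assumption.
ENCRYPTED_SUFFIX = ".kk"                       # appended to every encrypted file
DROP_DIR_MARKER = "\\backupclient\\"           # %TEMP%\BackupClient\ (case-folded)
DROPPED_FILES = {"sync.exe", "readme.png", "readme.html", "tmp.bat"}
EXCLUDED_PATH_STRINGS = (                      # path substrings the ransomware skips
    "\\$recycle.bin\\", "\\desktop\\readme\\", "program files (x86)\\",
    "program files\\", "programdata\\", "system volume information\\",
    "windows\\", "winnt\\",
)
# Short subset of the targeted extension list, for illustration only.
TARGETED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".xml",
                       ".kdbx", ".pfx", ".vmdk", ".sql", ".bak", ".zip"}

def classify(path: str) -> str:
    """Bucket one path by how it relates to SyncCrypt.A's behaviour."""
    lower = path.replace("/", "\\").lower()    # compare case-insensitively
    name = ntpath.basename(lower)
    if DROP_DIR_MARKER in lower and name in DROPPED_FILES:
        return "dropped_artifact"              # staging file from the Installation section
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"                     # already carries the appended .kk extension
    if any(marker in lower for marker in EXCLUDED_PATH_STRINGS):
        return "excluded"                      # skipped by the ransomware, even if targeted
    if ntpath.splitext(name)[1] in TARGETED_EXTENSIONS:
        return "at_risk"                       # would be encrypted if the sample ran here
    return "ignored"

def triage(paths):
    """Group paths by classify(); returns {category: [paths]}."""
    buckets = defaultdict(list)
    for p in paths:
        buckets[classify(p)].append(p)
    return dict(buckets)

SAMPLE_PATHS = [  # constructed sample paths, not from a real incident
    r"C:\Users\alice\AppData\Local\Temp\BackupClient\sync.exe",
    r"C:\Users\alice\Documents\budget.xlsx.kk",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files (x86)\App\config.xml",
    r"C:\Users\alice\Desktop\readme\readme.html",
    r"C:\Users\alice\Pictures\cat.heic",
]

if __name__ == "__main__":
    for category, items in sorted(triage(SAMPLE_PATHS).items()):
        print(f"{category}: {items}")
```

Note that the exclusion check runs before the extension check, so a targeted type such as .xml under Program Files is reported as excluded, matching the order of precedence the description implies.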


The ransom note contains the following message:







Analysis by: Jireh Sanico

Last update 29 August 2017