Home / malware Ransom:Win32/Milicry.A
First posted on 15 September 2016.
Source: MicrosoftAliases :
There are no other names known for Ransom:Win32/Milicry.A.
Explanation :
Installation
When run, this threat creates a randomly named registry entry:
In subkey: HKEY_CURRENT_USER\Software\
Sets value:
With data:
This threat drops the following files:
- %desktop%\!Recovery_
.html - HTML version of the ransom note instruction - %desktop%\!Recovery_
.txt - Text version of the ransom note instruction - %temp%\
.exe - copy of the malware - %temp%\
.html - a copy of the HTML ransom note - %startup%\
.lnk - opens the !Recovery_ .html ransom note dropped on the user's %Desktop% folder
Example ransom note:
List of targeted file extensions:
$ac d07 indt npc qbx t13 _vc dac ini nv qby t14 00c dat int? nv2 qbz t15 07g db intu oab qch t99 07i dbf inv obi qcow ta1 08i dch inx odb qdf ta2 09i dcr ipe odc qdfx ta4 09t ddd ipg odg qdt ta5 10t dds itf odm qel ta6 11t defx jar odp qem ta8 123 der java ods qfi ta9 13t des jng odt qfx tar 1pa dgc jp2 oet qif tax 1pe dif jpeg ofc qix tax0 2011 dip jpg ofx qme tax1 2012 djv js old qml tax2 2013 djvu jsd omf qmt tb2 2014 dng jsda op qmtf tbk 2015 doc jsp orf qnx tbp 2016 docb kb7 ost qob tdr 2017 docm kd3 otg qpb text 210 docx kdc otp qpd tfx 3dm dot key ots qpg tga 3ds dotm kmo ott qph tgz 3g2 dotx kmy p08 qpi tif 3gp drw lay p12 qsd tiff 3me ds4 lay6 p7b qsm tkr 3pe dsb lcd p7c qss tlg 500 dsf ldc paq qst tom 7z dtau ldf pas qtx tpl aac dtd ldr pat quic trm aaf dtl let pcd quo trn ab4 dwg lgb pcif qw5 tt10 ac2 dxf lhr pct qwc tt11 acc dxi lid pcx qwmo tt12 accd ebc lin pd6 qxf tt13 ach ebd lld pdb r3d tt14 aci ebq lmr pdd ra tt15 acm ec8 log pdf raf tt20 acr efs lua pem rar ttf aep efsl lz per raw txf aepx efx m pfb rb txt aes emd m10 pfd rcs u08 aet eml m11 pfx rda u10 afm emp m12 pg rdy u11 ai ens m14 php reb u12 aif ent m15 pic rec uop amj epa m16 pl resx uot arc epb m3u plb rif v30 as eps m3u8 pls rm vb as3 eqb m4a plt rpf vbpf asc ert m4u pma rss vbs asf esk m4v pmd rtf vcf asm ess mac png rtp vdf asp esv max pns rw2 vdi asx etq mbsb por rwl vmb ati ets md pot rz vmdk avi exp mda potm s12 vmx back fa1 mdb potx s7z vnd bak fa2 mdf pp4 saf vob bat fca mef pp5 saj vsd bay fcpa mem ppam say vyp bc8 fcpr met ppf sba vyr bc9 fcr meta ppj sbc wac bd2 fef mhtm pps sbd wav bd3 ffd mid ppsm sbf wb2 bgt fim mkv ppsx scd wi bk2 fla ml2 ppt sch wk1 bmp flac ml9 pptm sct wk3 bpf flv mlb pptx sdf wk4 bpw fmv mlc pr0 sdy wks brd fon mmb pr1 seam wma brw fpx mml pr2 ses wmf btif frm mmw pr3 set wmv bz2 fx0 mn1 pr4 shw wpd c fx1 mn2 pr5 sic wpg cal fxr mn3 prel skg wps cat fxw mn4 prf sldm x3f cb fyc mn5 prn sldx xaa cd gdb mn6 prpr slk xcf cdf gem mn7 ps slp xeq cdr gfi mn8 psd sql xhtm cdt gif mn9 psp sqli xla cdx gnc mne pst sr2 xlam cf8 gpc mnp ptb srf xlc cf9 gpg mny ptdb ssg xlk cfdi gsb mone ptk stc xll cfp gto mov ptx std xlm cgm gz mp2 pvc sti xlr cgn h mp3 pxa stm xls ch h10 mp4 py str xlsb chg h11 mpa q00 stw xlsm cht h12 mpe q01 svg xlsx clas hbk mpeg q06 swf xlt clk hif mpg q07 sxc xltm cmd hpp mql q08 sxd xltx cmx hsr mrq q09 sxi xlw cnt html ms11 q43 sxm xml cntk hts msg q98 sxw xpm coa hwp mwi qb1 t00 xqx cpp i2b mws qb20 t01 yuv cpt iban mx0 qba t02 zdb cpw ibd myd qbb t03 zip cpx ico mye qbi t04 zipx crt idml myi qbk t05 zix cs iff myox qbm t06 zka csl iif n43 qbmb t07 #vc csr img nap qbmd t08 css imp nd qbo t09 csv indb nef qbp t10 cur indd nl2 qbr t11 cus indl nni qbw t12 This threat avoids encrypting files with the following substring names:
- $recycle.bin
- $recycle.binall users
- appdata
- applicationdata
- boot
- cache2
- content.ie5
- cookies
- driverstore
- gac_msil
- games
- gog games
- history.ie5
- httpcache
- intel
- league of legends
- microsoft\x0amy_qwemsadkjasd
- my games
- node_modules
- nvidia
- program files
- program files (x86)
- programdata
- steamapps
- system volume information
- temp
- tmp
- windows
Payload
Encrypts files
Encrypts files found in fixed, remote, and RAM drives specifically avoiding drives A and B. Each successfully encrypted file is renamed with .cry extension.
Deletes shadow copies
Deletes shadow files to prevent you from restoring your files from a local backup.
Uploads machine information
Uploads machine specific information and encrypted data to:
- 37.196.205.154 at UDP port 4444
- pastee.org
- imgur.com
Analysis by: Jireh SanicoLast update 15 September 2016