Home / malware

PDF

Win32/Takabum

First posted on 08 April 2016.
Source: Microsoft

Aliases :

There are no other names known for Win32/Takabum.

Explanation :

Installation

This threat can create files in the %TEMP% folder, including:

• A fake notice file (in rich-text format, .rft) with the same name as the .scr that it arrives in, appended with a date. For example:
• TOS-update-2016-march-06.scr
• TOS-update-2016-march-06.rtf
• .gif with the following image:

We have seen the message in the .rtf file to be a plagiarized version of an updated terms of service notification. In the following example, the notification is a copy of a Google blog form 2012 about updated privacy policies and terms of service - Google is no way associated with this malware:



Payload

This ransomware searches for files in all of the targeted folders with the following extensions and encrypts them:

​

• .268
• .ai
• .ani
• .apk
• .arch00
• .arw
• .asset
• .avi
• .bar
• .bat
• .bay
• .bc6
• .bc7
• .big
• .bik
• .bkf
• .bkp
• .blf
• .blob
• .bsa
• .bup
• .cab
• .cas
• .cat
• .cdf-ms
• .cdr
• .cer
• .cfr
• .chm
• .com
• .cpl
• .cr2
• .crt
• .crw
• .css
• .csv
• .cur
• .d3dbsp
• .das
• .dat
• .dayzprofile
• .dazip
• .db0
• .dba
• .dbf

• .dbfv
• .dcr
• .der
• .desc
• .dll
• .dmp
• .dng
• .doc
• .docm
• .docx
• .dot
• .drv
• .dwg
• .dxf
• .dxg
• .epk
• .eps
• .erf
• .esm
• .exe
• .exif
• .ff
• .flv
• .fon
• .forge
• .fos
• .fpk
• .fsh
• .gdb
• .gho
• .gif
• .gpd
• .hkdb
• .hkx
• .hlp
• .hplg
• .htm
• .html
• .hvpl
• .ibank
• .ico
• .icxs
• .idl
• .ifo
• .indd

• .inf
• .inf_loc
• .ini
• .itdb
• .itl
• .itm
• .iwd
• .iwi
• .jfif
• .jpe
• .jpeg
• .jpg
• .js
• .kdb
• .kdc
• .kf
• .layout
• .lbf
• .lck
• .lib
• .litemod
• .lnk
• .log
• .log1
• .log2
• .lrf
• .ltx
• .lvl
• .m2
• .m3u
• .m4a
• .man
• .manifest
• .map
• .mcgame
• .mcmeta
• .mdb
• .mdbackup
• .mddata
• .mdf
• .mef
• .menu
• .mht
• .mlwivc
• .mlx

• .mof
• .mov
• .mp4
• .mpg
• .mpp
• .mpqge
• .mrw
• .mrwref
• .msg
• .msi
• .msp
• .mui
• .mum
• .ncf
• .nef
• .nlp
• .nls
• .nrw
• .ntl
• .ocx
• .odb
• .odc
• .odm
• .odp
• .ods
• .odt
• .orf
• .p12
• .p7b
• .p7c
• .pak
• .pdb
• .pdd
• .pdf
• .pef
• .pem
• .pfx
• .pgp
• .pkpass
• .pnf
• .png
• .ppd
• .ppsx
• .ppt
• .pptm

• .pptx
• .psd
• .psk
• .pst
• .ptx
• .py
• .qdf
• .qic
• .r3d
• .raf
• .raw
• .rb
• .rdp
• .re4
• .regtrans-ms
• .resx
• .rgss3a
• .rim
• .rofl
• .rtf
• .rw2
• .rwl
• .sav
• .sb
• .sc2save
• .scr
• .shs
• .sid
• .sidd
• .sidn
• .sie
• .sis
• .slm
• .snx
• .so
• .sql
• .sr2
• .srf
• .srw
• .sum
• .svg
• .swf
• .syncdb
• .sys
• .t12

• .t13
• .tax
• .tc
• .thm
• .thmx
• .tif
• .tor
• .ttf
• .txt
• .unity3d
• .upk
• .vcf
• .vdf
• .vfs0
• .vob
• .vpk
• .vpp_pc
• .vsd
• .vtf
• .w3x
• .wallet
• .wav
• .wb2
• .wma
• .wmf
• .wmo
• .wmv
• .wotreplay
• .wpd
• .wps
• .x3f
• .xdr
• .xf
• .xlk
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xml
• .xrm-ms
• .xsd
• .xxx
• .ztm

After the files are encrypted, the ransomware renames the files by appending random 5 to 7 characters to the affected file extension. For example:

• file.png is renamed to file.png.sdfjk
• file.bin is renamed to file.bin.sdfjk

The malware doesn't encrypt files in the following directories:

• \chache\
• \chaches\
• \chrome\
• \history\
• \internet explorer\
• \microsoft\
• \mozilla\
• \program files\
• \temp\

It also avoids the following files:

• bootfont.bin
• bootmgr
• bootnxt
• bootsect.bak

It creates a file in every directory where files have been encrypted that explains how to decrypt your documents. The warning includes a countdown and the key words "Maktub Locker" and "Warning! Your personal files are encrypted". You are instructed to use the Tor browser to go to a specific web address and transfer money to the attackers.

The file's name is _DECRYPT_INFO_<5 to 7 random characters>.HTML, and might look like the following:

The linked page contains more information about how to decrypt your files and transfer money to the attackers.



Analysis by Carmen Liang

Last update 08 April 2016

 

TOP