
Ransom:JS/CryptoRaa.A

First posted on 06 July 2016.
Source: Microsoft

Aliases:

There are no other names known for Ransom:JS/CryptoRaa.A.

Explanation:

Installation

This threat can drop and open a fake error notice in the %desktop% directory.

It drops the following files in the %documents% directory:

  • Doc_attached_: the ransom message
  • St.exe


It drops a ransom note (!!!README!!!.rtf) in the %desktop% directory.

It modifies the following registry keys:
  • In subkey: HKCU\Administrator\Software\Microsoft\Windows\CurrentVersion\run
    Sets value:
    With data:
  • In subkey: HKCU\RAA\Raa-fnl\
    Sets value: < >
    With data: < >


Payload

Encrypts your files

This ransomware searches every folder for files with the following extensions and encrypts them:
  • .cd
  • .cdr
  • .csv
  • .dbf
  • .doc
  • .dwg
  • .jpg
  • .lcd
  • .locked
  • .mdb
  • .pdf
  • .png
  • .psd
  • .rar
  • .rtf
  • .xls
  • .zip


Connects to a remote host

This threat does not require an internet connection to encrypt files.

The malware does not encrypt files in the following directories:
  • Program Files
  • Program Files (x86)
  • Windows
  • Recycle.Bin
  • Recycler
  • AppData
  • Temp
  • ProgramData
  • Microsoft
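As an added host-triage example (not part of Microsoft's write-up), the following PowerShell checks the current user's profile for the dropped files and registry markers listed above. It assumes the standard Desktop and Documents folders and the standard HKCU Run key (the page writes the subkey as HKCU\Administrator\Software\...); the pattern used to flag Run entries is a heuristic of this example, since the page gives no value name or data.

```powershell
# Triage check for Ransom:JS/CryptoRaa.A artifacts named on this page.
# Example code, not Microsoft's; read-only, makes no changes to the host.
$desktop   = [Environment]::GetFolderPath('Desktop')      # %desktop%
$documents = [Environment]::GetFolderPath('MyDocuments')  # %documents%

$findings = @()

# Dropped files named on the page
foreach ($path in @(
        (Join-Path $desktop   '!!!README!!!.rtf'),
        (Join-Path $documents 'St.exe'))) {
    if (Test-Path -LiteralPath $path) {
        $findings += "Dropped file present: $path"
    }
}

# Ransom message: the page gives only the prefix Doc_attached_
Get-ChildItem -LiteralPath $documents -Filter 'Doc_attached_*' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Ransom message present: $($_.FullName)" }

# Marker subkey named on the page
if (Test-Path -LiteralPath 'HKCU:\RAA\Raa-fnl') {
    $findings += 'Registry marker present: HKCU\RAA\Raa-fnl'
}

# Run-key persistence: no value name/data on the page, so flag any entry
# that launches St.exe or a .js file (heuristic assumed by this example)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata
        if ("$($p.Value)" -match 'St\.exe|\.js\b') {
            $findings += "Suspicious Run entry '$($p.Name)': $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No CryptoRaa.A artifacts found.' } else { $findings }
```

Run it in an elevated or the affected user's session; any hit should be followed by isolating the host and preserving the dropped files for analysis rather than deleting them.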
Analysis by: Carmen Liang

Last update 06 July 2016
