
Ransom:Win32/Laksbades


First posted on 22 June 2016.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/Laksbades.

Explanation :

Installation

It drops a copy of itself into a sub-folder under %ProgramData% or %APPDATA%, depending on the operating system.

It modifies the following registry key:

In subkey: HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\run
Sets value:
With data:
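The persistence described above (a dropped copy under %ProgramData% or %APPDATA%, started from a per-user Run key) is a straightforward hunting target. The following is an added example, not code from this page or from Microsoft's analysis: a Python script that parses `reg export` output for HKU Run keys and flags any autorun whose image lives under ProgramData or AppData. The SID, value names and paths in the embedded sample are constructed; the page does not give the real value name or data written by this sample. On a live system the per-user hives under HKU are keyed by SID rather than by account name, so export the hive of the affected account and feed the resulting text to the script.

```python
import re

# Constructed sample of `reg export` output for a per-user Run key. The SID,
# value names and paths are hypothetical; the page does not give the real
# value name or data written by the sample.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1004336348-1337-500\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\ProgramData\\a3f1\\svchost.exe"
"Updater"="\"C:\\Users\\Administrator\\AppData\\Roaming\\Updater\\updater.exe\" -q"

[HKEY_USERS\S-1-5-21-1004336348-1337-500\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with .reg escaping (\\ and \") allowed inside either string.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# %ProgramData% and %APPDATA% (= ...\AppData\Roaming). Matching on \AppData\
# also covers AppData\Local, a deliberate superset for triage.
SUSPICIOUS_DIRS = ("\\programdata\\", "\\appdata\\")


def unescape_reg(s):
    # Undo .reg string escaping: a backslash escapes the following character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Yield (key, value_name, data) for each string value under a Run key."""
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current_key = section.group(1)
            continue
        if current_key is None or not current_key.lower().endswith("\\currentversion\\run"):
            continue
        value = VALUE_RE.match(line)
        # hex:/dword: values and the @ default value do not match and are skipped.
        if value:
            yield current_key, unescape_reg(value.group(1)), unescape_reg(value.group(2))


def image_path(data):
    """Return the executable path from Run value data: the quoted path, else the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def find_user_dir_autoruns(reg_text):
    """Return Run entries whose image lives under ProgramData or AppData."""
    hits = []
    for key, name, data in parse_run_values(reg_text):
        path = image_path(data)
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            hits.append({"key": key, "value": name, "image": path})
    return hits


if __name__ == "__main__":
    for hit in find_user_dir_autoruns(SAMPLE_REG_EXPORT):
        print(f"{hit['key']}\n  {hit['value']!r} -> {hit['image']}")
```

`reg export` writes UTF-16 with a byte-order mark, so read a real dump with `open(path, encoding="utf-16")` before passing it to `find_user_dir_autoruns`. A hit is a triage lead, not a verdict: legitimate per-user installers (browser updaters, chat clients) also run from AppData, so compare the flagged image against its signer and hash before acting.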

Payload

Encrypts files

This ransomware searches all folders for files with the following extensions and encrypts them:

.323 .509 .3d .3ds .7z .a .aab .aac .aam .aas .abr .abw .accda .accdb .accdc .accde .accdp .accdt .accdu .ace
.ade .ai .aif .aifc .aiff .air .alz .ani .apk .arj .art .asf .ashx .asm .asp .aspx .asx .au .avi
.bak .bat .bcpio .big .bik .bkf .bkp .bmp .boz .bz .bz2
.c .c++ .c4d .ca .cab .cat .cc .ccn .cco .cdf .cdr .cdt .cer .cert .chm .chrt .cil .class .clp .com .cpio .cpp .cpt .cqk .crd .crl .crt .cs .csh .csr .css .csv .cxx
.dar .dat .db .dbf .dbx .dcr .dds .deb .dir .dist .distz .djv .djvu .dl .dll .dmg .dng .doc .docm .docx .dot .dotm .dotx .drw .dv .dvi .dwg .dxf .dxr
.ebk .eml .emz .eps .evy .exe
.fdb .fdf .fif .fla .flc .fli .flm .flv .fml
.gdb .gdoc .gif .gl .gnumeric .gsm .gtar .gz .gzip
.h .h++ .hdf .hh .hi .hlp .hpf .hpp .hqx .hta .htc .htm .html .htt .hxx
.ico .idb .idx .ief .iii .ims .ind .ins .iso .ivf
.jar .java .jng .jpe .jpeg .jpg .js .json .jsp
.kar .karbon .kfo .kon .kpr .kpt .kwd .kwt
.laccdb .latex .lcc .ldif .lha .log .lrm .ls .lsf .lst .lsx .lz .lzh .lzma .lzo .lzx
.m13 .m14 .m3u .m4a .maf .mam .man .mar .max .mdb .mdf .mdi .me .mht .mid .midi .mjf .mng .mny .mocha .moov .mov .movie .mp2 .mp3 .mp4 .mpa .mpd .mpe .mpeg .mpega .mpg .mpga .mpkg .mpp .mpt .ms .msg .msi .mvb .mxu
.nba .nbf .nco .nix .nml .nrg
.o .oda .odb .odc .odf .odg .odi .odm .odp .ods .odt .ofx .ogg .ogv .old .one .opml .otg .oth .otp .ots .ott
.p .p10 .p12 .p7b .p7m .p7r .p7s .package .pak .pas .pat .pbm .pcx .pdf .pem .pfr .pgm .php .pic .pict .pkg .pko .pl .pls .pmd .png .pnm .pnq .pntg .pot .potx .ppm .pps .ppsx .ppt .pptm .pptx .ppz .prproj .ps .psb .psd .pst .ptb .pts .pub .pwi
.qbm .qbo .qbw .qcp .qdf .qif .qpw .qt .qtc .qtif .qtl .qtx
.ra .ram .rar .ras .rdf .rf .rgb .rjs .rm .rmf .rmp .rms .rmx .rnx .rp .rpm .rsml .rss .rt .rtf .rtsp .rtx .rv
.sav .save .scd .scm .sd2 .sda .sdc .sdd .sdf .sdp .sdw .ser .setpay .setreg .sgi .sgm .sgml .sh .shar .shtml .shw .sid .sit .sitx .skd .skm .skp .skt .smf .smi .smil .snd .snp .spl .sql .sqlite .ssm .sst .stc .std .sti .stl .stw .sv4cpio .sv4crc .svg .svgz .svi .swf .swf1 .sxc .sxg .sxi .sxm .sxw
.t .tar .targa .tax .tbz .tbz2 .tcl .tex .texi .texinfo .tgz .tif .tlg .tlz .torrent .tpl .tr .trm .troff .tsp .ttz .txt .txz
.u3d .udeb .uin .uls .urls .ustar
.vbs .vcd .vcf .vor .vsd .vsl
.wav .wax .wb1 .wb2 .wb3 .wbmp .wcm .wdb .webm .webp .wks .wm .wma .wmd .wmf .wml .wmlc .wmls .wmlsc .wmp .wms .wmv .wmx .wmz .wp5 .wpd .wpl .wps .wri .wsc .wvx
.xbm .xfdf .xht .xhtml .xlb .xls .xlsm .xlsx .xml .xpi .xpm .xps .xsd .xul .xwd
.z .zip .zoo

The malware doesn't encrypt files under the following folder:

  • Windows


The malware doesn't encrypt the following files:
  • chrome.exe
  • iexplorer.exe
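The targeting rules above are worth modelling, because two details change the blast radius: .exe and .dll are on the extension list, so only the Windows folder exclusion keeps the system bootable, and the file-name exclusions are literal strings. The following is an added example, not code from this page or from Microsoft's analysis: a Python scope check that applies the three rules (targeted extension, not under the Windows folder, not one of the excluded names) to a constructed host inventory and reports what the sample would encrypt. It uses a representative subset of the extension list; the "Windows" exclusion is assumed to mean the system folder at the root of the drive, and the excluded names are applied exactly as the page gives them, which means the Internet Explorer binary iexplore.exe does not match "iexplorer.exe".

```python
from pathlib import PureWindowsPath

# Representative subset of the targeted extensions listed above (the full
# list is several hundred entries); compared case-insensitively.
TARGET_EXTENSIONS = {
    ".7z", ".zip", ".rar", ".doc", ".docx", ".odt", ".xls", ".xlsx", ".ppt",
    ".pptx", ".pdf", ".txt", ".jpg", ".png", ".mp3", ".mp4", ".sql", ".sqlite",
    ".mdb", ".accdb", ".pst", ".vcf", ".pem", ".p12", ".crt", ".exe", ".dll",
    ".msi", ".bat", ".vbs",
}
# The page lists these two names literally. "iexplorer.exe" is not the file
# name of the Internet Explorer binary (iexplore.exe), so a literal match
# does not spare it.
EXCLUDED_FILENAMES = {"chrome.exe", "iexplorer.exe"}
# Assumption: "Windows" means the system folder at the root of the drive.
WINDOWS_DIR = PureWindowsPath("C:\\Windows")

# Constructed host inventory, not data from the analysed sample.
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Documents\budget.XLSX",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\holiday.JPG",
    r"C:\Users\alice\Desktop\report.odt",
    r"C:\Users\alice\.gitconfig",
    r"C:\Users\alice\Downloads\setup.msi",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\explorer.exe",
    r"C:\WindowsOld\readme.txt",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Program Files\7-Zip\7z.dll",
    r"D:\backups\site.sql",
]


def is_under(path, directory):
    """True if path is inside directory, compared component-wise and case-insensitively."""
    parts = [p.lower() for p in path.parts]
    base = [p.lower() for p in directory.parts]
    # Component-wise comparison so C:\WindowsOld is not mistaken for C:\Windows.
    return len(parts) > len(base) and parts[: len(base)] == base


def classify(path_str, windows_dir=WINDOWS_DIR):
    """Apply the page's three rules to one path and report the outcome."""
    p = PureWindowsPath(path_str)
    if p.suffix.lower() not in TARGET_EXTENSIONS:
        return "skipped: extension not targeted"
    if is_under(p, windows_dir):
        return "excluded: Windows folder"
    if p.name.lower() in EXCLUDED_FILENAMES:
        return "excluded: filename"
    return "encrypted"


def at_risk(paths):
    """Return the paths the sample would encrypt, in inventory order."""
    return [p for p in paths if classify(p) == "encrypted"]


if __name__ == "__main__":
    for p in SAMPLE_INVENTORY:
        print(f"{classify(p):34} {p}")
```

Run against a real file listing (for example the output of `dir /s /b` saved to a file) to estimate exposure before a sample like this executes, or to scope recovery afterwards. The Windows-folder rule protects only that tree: DLLs and executables under Program Files, and anything on secondary drives, are in scope.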


It drops the following ransom notes:

Connects to a remote host

This malware does not require an internet connection to encrypt files.



Analysis by Carmen Liang

Last update 22 June 2016
