
Ransom:Win32/Uiwix.A!rsm


First posted on 19 May 2017.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/Uiwix.A!rsm.

Explanation :

This ransomware can arrive on a machine by leveraging the following vulnerability:

  • Microsoft Windows SMB Server (MS17-010) Vulnerability


Installation

The malware creates the following named mutex:
  • hfdXrXzQBcKLlsrZ


The malware will not run if a debugger is present, or if any of the following virtualized or sandboxed environments are found:
  • Avast
  • Comodo
  • Cuckoo
  • Sandboxie
  • Sunbelt Sandbox
  • VirtualBox
  • VirtualPC
  • VMWare
  • WpePro


Payload

Attempts to encrypt files

The ransomware attempts to encrypt all the files on the machine, except for the following:
  • Files that are in the following folders:
    • :\Windows
    • :\Program Files
  • Files with file names that contain any of the following strings:
    • .com
    • .sys
    • boot.ini
    • Bootfont.bin
    • Bootmgr
    • BOOTNXT
    • BOOTSECT.BAK
    • NTDETECT.COM
    • Ntldr
    • NTUSER.DAT
    • PDOXUSRS.NET


It avoids encrypting files on machines that have a locale set to Russia, Kazakhstan, or Belarus.

Once encryption is carried out, the malware appends a unique identifier to the encrypted file, along with the ".UIWIX" extension.

For example, if a file named picture.jpg is encrypted, its resulting name will be picture.jpg._.UIWIX.
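As an added defender-side example (not part of the original description), the following script applies the rename scheme above to a directory listing: it flags files whose names match `<original>._<id>.UIWIX`, recovers the original file name, collects the identifier, and also spots the `_DECODE_FILES.txt` ransom note named under "Demands ransom". The exact form of the unique identifier is not given on this page, so any run of characters without a dot is accepted; the sample listing is constructed.

```python
import re
from typing import Iterable

# Rename scheme described on this page: <original>._<id>.UIWIX
# The identifier's exact format is not documented here, so any run of
# characters without a dot or path separator is accepted (assumption).
UIWIX_RE = re.compile(r"^(?P<orig>.+)\._(?P<id>[^.\\/]*)\.UIWIX$", re.IGNORECASE)
RANSOM_NOTE = "_DECODE_FILES.txt"


def parse_uiwix_name(filename: str):
    """Return (original_name, identifier) if the name matches the
    Uiwix rename scheme, otherwise None."""
    m = UIWIX_RE.match(filename)
    if not m:
        return None
    return m.group("orig"), m.group("id")


def triage_listing(paths: Iterable[str]) -> dict:
    """Classify a file listing into encrypted files (with recovered
    original names), ransom notes, and untouched files.
    Paths may use either \\ or / as separator."""
    result = {"encrypted": [], "notes": [], "ids": set(), "other": []}
    for p in paths:
        name = re.split(r"[\\/]", p)[-1]
        if name == RANSOM_NOTE:
            result["notes"].append(p)
            continue
        parsed = parse_uiwix_name(name)
        if parsed:
            orig, ident = parsed
            result["encrypted"].append((p, orig))
            result["ids"].add(ident)
        else:
            result["other"].append(p)
    return result


# Constructed sample listing; the identifier value is made up.
SAMPLE = [
    r"C:\Users\alice\Documents\picture.jpg._1234567890.UIWIX",
    r"C:\Users\alice\Documents\budget.xlsx._1234567890.UIWIX",
    r"C:\Users\alice\Documents\_DECODE_FILES.txt",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Users\alice\readme.UIWIX.bak",  # does not match the scheme
]

if __name__ == "__main__":
    r = triage_listing(SAMPLE)
    print(f"{len(r['encrypted'])} encrypted, {len(r['notes'])} note(s), ids={sorted(r['ids'])}")
```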

Demands ransom

A text file containing the ransom note, named _DECODE_FILES.txt, is also dropped in the malware's current directory. The ransom note contains the following text:

>>> ALL YOUR PERSONAL FILES ARE DECODED <<< Your personal code: To decrypt your files, you need to buy special software.
Do not attempt to decode or modify files, it may be broken.
To restore data, follow the instructions! You can learn more at this site:


If a resource is unavailable for a long time to install and use the tor browser.
After you start the Tor browser you need to open this link

Steals credentials


The malware can steal credentials and other information from the following browsers:
  • Chrome
  • Comodo Dragon
  • Microsoft Edge
  • Firefox
  • Internet Explorer
  • Opera
  • Safari
  • Yandex


It can also steal credentials from the following applications:
  • FileZilla
  • Jabber
  • Miranda
  • Outlook
  • Rdp
  • SmartFtp
  • Thunderbird
  • Windows Live


Attempts to connect to URLs

The malware may try to contact the following URLs:

  • http://.onion/gt34987.php
  • https://netcologne.dl.sourceforge.net/project/cyqlite/3.8.5/sqlite-dll-win32-x86-3080500.zip
  • http://sqlite.org/2014/sqlite-dll-win32-x86-3080500.zip

Analysis by Andrea Lelli

Last update 19 May 2017
