Ransom:Win32/Threatfin


First posted on 14 May 2015.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Threatfin.

Explanation:

Threat behavior

Installation

We have seen this threat being installed by other malware, such as Backdoor:Win32/Bedep.

The malware is installed as a dynamic link library (DLL) that other malware can load. It is dropped in one of the following locations:

  • %TEMP%\ie2.dl or
  • %TEMP%\reg.dll


It can create one of the following registry entries to ensure it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "IE11"
With data: "regsvr32 "%temp%\ie2.dll""

or

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "WINUP"
With data: "regsvr32 "%temp%\reg.dll""

It drops the following files on your desktop:

  • 1.jpg
  • 2.jpg
  • 3.jpg
  • 4.jpg
  • 5.jpg
  • HELP_DECRYPT.html


The malware displays these image files as part of its payload (see below).

Payload

Prevents you from accessing your PC

This threat shows a full-screen message preventing you from accessing your desktop. The message tells you to pay a ransom to regain access to your PC. This type of threat is called ransomware.

Below are two examples of the images the threat displays:

[Image: example ransom screen 1]
[Image: example ransom screen 2]

Some variants of this threat launch a window with the title "CryptoBot" that displays the actions the malware performs, such as downloading and encrypting files on your PC.

[Image: "CryptoBot" status window]

The same output is also written to a text log file:

%TEMP%\crypto_bot.log

Encrypts your files

The threat encrypts files on your PC with the following file extensions:

  • 3fr
  • accdb
  • ai
  • arw
  • bay
  • cdr
  • cer
  • cr2
  • crt
  • crw
  • css
  • dbf
  • dcr
  • der
  • dng
  • doc
  • docm
  • docx
  • dwg
  • dxf
  • dxg
  • eps
  • erf
  • htm
  • indd
  • jpe
  • jpg
  • kdc
  • mdb
  • mdf
  • mef
  • mrw
  • nef
  • nrw
  • odb
  • odc
  • odm
  • odp
  • ods
  • odt
  • orf
  • p12
  • p7b
  • p7c
  • pdd
  • pdf
  • pef
  • pem
  • pfx
  • ppt
  • pptm
  • pptx
  • psd
  • pst
  • ptx
  • r3d
  • raf
  • raw
  • rtf
  • rw2
  • rwl
  • sr2
  • srf
  • srw
  • wallt
  • wb2
  • wmv
  • wpd
  • wps
  • x3f
  • xlk
  • xls
  • xlsb
  • xlsm
  • xlsx


Contacts remote host

It attempts to connect to 65.49.8.104 at TCP port 443 to send and receive data from a remote server.



Analysis by Marianne Mallen

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:

    %temp%\ie2.dl
    %temp%\reg.dll
    1.jpg
    2.jpg
    3.jpg
    4.jpg
    5.jpg
    HELP_DECRYPT.html
  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "IE11"
    With data: "regsvr32 "%temp%\ie2.dll""

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "WINUP"
    With data: "regsvr32 "%temp%\reg.dll""
  • You see the ransom images shown under Payload above, or something similar.

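The indicators repeated in the Installation, Contacts remote host and Symptoms sections (the two Run-key values, the dropped DLL and desktop files, and the connection to 65.49.8.104 on TCP port 443) can be checked mechanically. The Python below is an added example written for this page, not Microsoft's code and not part of the original write-up. It works on sample inputs constructed inline (a dictionary standing in for the HKCU Run key, a list of file paths, and made-up connection-log lines) rather than reading a live system, and it deliberately goes beyond the two documented value names by flagging regsvr32 loading any DLL from %temp%, reporting whether a hit matches the page's indicators exactly.

```python
"""
Triage helpers for the Ransom:Win32/Threatfin indicators listed on this page.

Added example: this is not Microsoft's code or part of the original write-up.
It operates on sample inputs constructed inline (a dict standing in for the
HKCU Run key, a list of file paths, and made-up connection-log lines) rather
than reading a live system, so it runs anywhere.
"""
import re
from typing import Dict, Iterable, List

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"   # from the page

# Value names and DLL names the write-up attributes to this threat.
KNOWN_RUN_VALUES = {"IE11": "ie2.dll", "WINUP": "reg.dll"}

# File names dropped in %TEMP% and on the desktop (from the page; both
# spellings of the first DLL appear there). Compared case-insensitively.
DROPPED_FILES = {"ie2.dl", "ie2.dll", "reg.dll",
                 "1.jpg", "2.jpg", "3.jpg", "4.jpg", "5.jpg", "help_decrypt.html"}

C2_HOST, C2_PORT = "65.49.8.104", 443                                # from the page

# regsvr32 (with optional switches such as /s) loading any DLL from %temp%.
# Deliberately broader than the two documented value names.
_REGSVR32_FROM_TEMP = re.compile(
    r'regsvr32(?:\s+/\S+)*\s+"?%temp%\\([^"\s]+)"?', re.IGNORECASE)

# Destination "ip:port" in the constructed connection-log format used below.
_DST = re.compile(r'->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)')


def check_run_values(values: Dict[str, str]) -> List[dict]:
    """Flag Run-key values that use regsvr32 to load a DLL from %temp%.

    known_indicator is True only when both the value name and the DLL name
    match what the write-up lists; other hits are still worth a look.
    """
    findings = []
    for name, data in values.items():
        m = _REGSVR32_FROM_TEMP.search(data)
        if not m:
            continue
        dll = m.group(1)
        findings.append({
            "value": name,
            "dll": dll,
            "known_indicator": KNOWN_RUN_VALUES.get(name, "").lower() == dll.lower(),
        })
    return findings


def check_dropped_files(paths: Iterable[str]) -> List[str]:
    """Return the paths (order preserved) whose file name is on the dropped-file list."""
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower() in DROPPED_FILES]


def check_connections(lines: Iterable[str]) -> List[dict]:
    """Flag connection-log lines whose destination is the documented host.

    Any destination port is reported; documented_port says whether it was TCP 443.
    """
    hits = []
    for line in lines:
        m = _DST.search(line)
        if m and m.group(1) == C2_HOST:
            port = int(m.group(2))
            hits.append({"line": line, "port": port,
                         "documented_port": port == C2_PORT})
    return hits


# --- constructed sample inputs (not data from a real system) ---
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "IE11": r'regsvr32 "%temp%\ie2.dll"',
    "WINUP": r'regsvr32 "%temp%\reg.dll"',
    "Updater": r'regsvr32 /s "%TEMP%\svc.dll"',   # not on the page: generic hit only
}
SAMPLE_FILES = [r"C:\Users\alice\Desktop\notes.txt",
                r"C:\Users\alice\Desktop\HELP_DECRYPT.html",
                r"C:\Users\alice\Desktop\3.jpg",
                r"C:\Users\alice\AppData\Local\Temp\reg.dll"]
SAMPLE_CONNECTIONS = [
    "2015-05-14T10:02:11Z TCP 10.0.0.5:49213 -> 192.0.2.10:443 ESTABLISHED",
    "2015-05-14T10:02:13Z TCP 10.0.0.5:49214 -> 65.49.8.104:443 ESTABLISHED",
    "2015-05-14T10:02:15Z TCP 10.0.0.5:49215 -> 65.49.8.104:80 SYN_SENT",
]


def triage(run_values=SAMPLE_RUN_VALUES, files=SAMPLE_FILES,
           connections=SAMPLE_CONNECTIONS) -> dict:
    """Run all three checks; an empty list means that indicator was not seen."""
    return {"run_values": check_run_values(run_values),
            "files": check_dropped_files(files),
            "connections": check_connections(connections)}


if __name__ == "__main__":
    for section, hits in triage().items():
        print(f"{section}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

On a real Windows host the three inputs would come from reading the HKCU Run key, listing %TEMP% and the desktop, and a connection log or netstat output; the matching logic stays the same. Treating any regsvr32-from-%temp% value as a finding, not just the two documented names, is the point of the generic pattern: value names are trivially changed between variants, while the loading technique is what the write-up actually describes.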
Last update 14 May 2015

 
