
Ransom:Win32/Exxroute.A


First posted on 22 April 2016.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Exxroute.A.

Explanation:

Installation

The threat is a DLL. An exploit kit can load and run it on the system with rundll32, calling a custom export name of the DLL as the entry point.


Payload

Encrypts files

This ransomware can encrypt files on your PC. It drops ransom notes (text or image files) in each folder where it has encrypted files:

It appends the .crypt extension to each encrypted file. Files with the following extensions are targeted:

.3dm .3ds .3g2 .3gp .7z .GIF .PspScript .WMF .accdb .aes .ai .aif .apk .app .arc .asc .asf .asm .asp .aspx .asx .avi .bat .bmp .brd .bz2 .cab .cer .cfg .cfm .cgi .cgm .class .cmd .cpp .crt .cs .csr .css .csv .cue .db .dbf .dch .dcu .dds .dif .dip .djv .djvu .dll .doc .docb .docm
.docx .dot .dotm .dotx .dtd .dwg .dxf .eml .eps .exe .fdb .fla .flv .frm .gadget .gbk .gbr .ged .gif .gpg .gpx .gz .htm .html .hwp .ibd .ibooks .ico .iff .img .indd .ini .jar .java .jks .jpg .js .jsp .jspx .key .kml .kmz .lay .lay6 .ldf .localstorage .localstorage-journal .log .lua .m3u .m4a .m4v .manifest .max
.mdb .mdf .mdl .mesh .mfd .micro .mid .mkv .mml .mov .mp3 .mp4 .mpa .mpg .ms11 .msi .mtrl .myd .myi .nef .note .obj .ocx .odb .odg .odp .ods .odt .ogg .otg .otp .ots .ott .p12 .package .pages .paq .pas .pct .pdb .pdf .pem .php .phy .phys .pif .pl .plugin .pm .pme .pmt .png .pot .potm
.potx .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .prf .priv .private .ps .psd .pspimage .pte .py .pyc .qcow2 .ra .rar .raw .rm .rss .rtf .rul .scf .sch .sdf .sh .sitx .sldx .slk .sln .so .sol .sql .sqlite3 .sqlitedb .srt .sso .stc .std .sti .stw .svg .swa .swf .sxc .sxd .sxi .sxm .sxw .tar .tbk
.tex .tga .tgz .thm .tif .tiff .tlb .tmp .txt .uop .uot .url .vb .vbs .vcf .vcxproj .vdi .vmdk .vmt .vmx .vob .vtf .vtx .vvd .wav .wks .wma .wmv .wpd .wps .wsf .xcodeproj .xhtml .xlc .xlm .xlr .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xnb .xpt .yuv .zip .zipx

During encryption it skips any path that contains one of the following substrings. Most of them are system directories, so the machine stays bootable and usable for paying the ransom:

  • AppData
  • Application Data
  • Boot
  • Google\Chrome
  • Microsoft\Windows
  • Microsoft
  • Plugins
  • Program Files
  • Recycle.Bin
  • System Volume Information
  • Windows
  • temp
  • thumbs.db
  • winnt
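The two lists above (targeted extensions and skipped path substrings) are enough to reproduce the malware's file-selection rules as a pure predicate, which is useful during incident response for estimating what a host would lose and for recognising files that are already encrypted (original name plus .crypt). The following is an added example written for this page, not Microsoft's code and not the malware's code. It assumes that extension matching is case-insensitive (the write-up lists both .GIF and .gif) and that each skipped substring is searched anywhere in the full path, case-insensitively; the write-up does not state either comparison rule. All sample paths are constructed.

```python
"""Impact-triage helper built from the Exxroute.A targeting rules.

Added example, not from the original analysis. Encodes the extension list
and the skipped-path substrings as pure functions over path strings, so it
runs on any host without touching a filesystem.
"""

# Extensions from the write-up (266 entries). Both ".GIF" and ".gif" appear,
# so matching is done case-insensitively (assumption, see lead-in).
TARGET_EXTENSIONS = frozenset(ext.lower() for ext in """
.3dm .3ds .3g2 .3gp .7z .GIF .PspScript .WMF .accdb .aes .ai .aif .apk .app .arc .asc .asf
.asm .asp .aspx .asx .avi .bat .bmp .brd .bz2 .cab .cer .cfg .cfm .cgi .cgm .class .cmd .cpp
.crt .cs .csr .css .csv .cue .db .dbf .dch .dcu .dds .dif .dip .djv .djvu .dll .doc .docb .docm
.docx .dot .dotm .dotx .dtd .dwg .dxf .eml .eps .exe .fdb .fla .flv .frm .gadget .gbk .gbr .ged
.gif .gpg .gpx .gz .htm .html .hwp .ibd .ibooks .ico .iff .img .indd .ini .jar .java .jks .jpg
.js .jsp .jspx .key .kml .kmz .lay .lay6 .ldf .localstorage .localstorage-journal .log .lua
.m3u .m4a .m4v .manifest .max .mdb .mdf .mdl .mesh .mfd .micro .mid .mkv .mml .mov .mp3 .mp4
.mpa .mpg .ms11 .msi .mtrl .myd .myi .nef .note .obj .ocx .odb .odg .odp .ods .odt .ogg .otg
.otp .ots .ott .p12 .package .pages .paq .pas .pct .pdb .pdf .pem .php .phy .phys .pif .pl
.plugin .pm .pme .pmt .png .pot .potm .potx .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .prf .priv
.private .ps .psd .pspimage .pte .py .pyc .qcow2 .ra .rar .raw .rm .rss .rtf .rul .scf .sch
.sdf .sh .sitx .sldx .slk .sln .so .sol .sql .sqlite3 .sqlitedb .srt .sso .stc .std .sti .stw
.svg .swa .swf .sxc .sxd .sxi .sxm .sxw .tar .tbk .tex .tga .tgz .thm .tif .tiff .tlb .tmp .txt
.uop .uot .url .vb .vbs .vcf .vcxproj .vdi .vmdk .vmt .vmx .vob .vtf .vtx .vvd .wav .wks .wma
.wmv .wpd .wps .wsf .xcodeproj .xhtml .xlc .xlm .xlr .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx
.xlw .xml .xnb .xpt .yuv .zip .zipx
""".split())

# Path substrings the write-up says are skipped. Assumption: searched anywhere
# in the full path, case-insensitively. Note how coarse this is: "temp" also
# skips a user file called "template.docx".
SKIPPED_SUBSTRINGS = (
    "AppData", "Application Data", "Boot", "Google\\Chrome", "Microsoft\\Windows",
    "Microsoft", "Plugins", "Program Files", "Recycle.Bin",
    "System Volume Information", "Windows", "temp", "thumbs.db", "winnt",
)

ENCRYPTED_SUFFIX = ".crypt"


def file_extension(path):
    """Lower-cased extension of the last path component, or "" if none.

    Splits on both "/" and "\\" so Windows paths work on a Linux analysis
    box, and treats a leading dot (".hidden") as part of the name.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    if dot <= 0:
        return ""
    return name[dot:].lower()


def is_skipped_path(path):
    """True when the path contains any of the skipped substrings."""
    lowered = path.lower()
    return any(sub.lower() in lowered for sub in SKIPPED_SUBSTRINGS)


def is_target(path):
    """True when a file at this path matches both rules and would be encrypted."""
    return not is_skipped_path(path) and file_extension(path) in TARGET_EXTENSIONS


def original_name(path):
    """For "<name>.<ext>.crypt" with a listed <ext>, return "<name>.<ext>"; else None."""
    if not path.lower().endswith(ENCRYPTED_SUFFIX):
        return None
    stem = path[: -len(ENCRYPTED_SUFFIX)]
    return stem if file_extension(stem) in TARGET_EXTENSIONS else None


def triage(paths):
    """Sort paths into already-encrypted, at-risk and out-of-scope buckets."""
    report = {"encrypted": [], "at_risk": [], "out_of_scope": []}
    for path in paths:
        if original_name(path) is not None:
            report["encrypted"].append(path)
        elif is_target(path):
            report["at_risk"].append(path)
        else:
            report["out_of_scope"].append(path)
    return report


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real incident.
    sample = [
        r"C:\Users\bob\Documents\report.docx",
        r"C:\Users\bob\Documents\report.docx.crypt",
        r"C:\Users\bob\Documents\template.docx",    # skipped: contains "temp"
        r"C:\Users\bob\AppData\Roaming\notes.txt",  # skipped: AppData
        r"C:\Windows\System32\kernel32.dll",        # .dll is listed, but Windows is skipped
        r"C:\Users\bob\Pictures\photo.JPG",
        r"C:\Users\bob\tools\config.yaml",          # extension not listed
    ]
    for bucket, hits in triage(sample).items():
        print(f"{bucket}:")
        for hit in hits:
            print("   ", hit)
```

Feed `triage()` a file listing from the affected host (for example the output of `dir /s /b` or a forensic image's file table) to get a first estimate of loss. The `kernel32.dll` and `template.docx` cases show why the skip list matters in both directions: system binaries with a listed extension survive because of the directory check, while a user document is spared only by the accident of containing the string "temp".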


Steals user information

It also looks for Bitcoin wallets, both by checking for running processes related to Bitcoin and by searching the system for .wallet files.



Analysis by Marianne Mallen

Last update 22 April 2016
