Home / malware Ransom:Win32/Polyglot.A
First posted on 19 October 2016.
Source: MicrosoftAliases :
There are no other names known for Ransom:Win32/Polyglot.A.
Explanation :
Installation
Once run in the system, it creates a mutex called "HelloWorldItsJokeFromMars" to ensure one copy is running in the system.
It creates several tasks/jobs and copies of itself in the current user's profile and public user profile with random filenames, for example:
- %APPDATA% \Music\pbbcsvuy.exe
- %APPDATA% \Videos\jtwsfjjl.exe
- %PUBLIC% \Pictures\ktjtjanz.exe
- %PUBLIC% \Videos\axjfijmf.exe
These will have corresponding autorun keys in the registry to allow its execution on system startup:
In subkey: HCKU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: ""
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: ""
With data: ""
For example:
In subkey: HCKU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "buwjirno"
With data: "c:\users\public\music\owkibdgd.exe"
Payload
This threat encrypts files and asks you to pay money to a malicious hacker.
It creates a temporary copy of the file it will encrypt and names it with a .a19 and ap19 extension. After the threat successfully encrypts the files, it will rename it back to its original filename / extension.
It also drops ReadMeFilesDecrypt!!!.txt and !!!Readme For Decrypt!!!.txt in folders where it encrypts files and this contains the following ransom message:
It will also drop an image file with a random name in the %TEMP% folder and will be made into the desktop wallpaper after file encryption, for example:
Another symptom of this threat is a dialog window that provides instructions on how to pay the ransom using Bitcoin on a Tor .onion site with the user's personal IDs, for example:
Once the victim visits the .onion payment server page, they will be prompted to enter their personal IDs:
Victims will then be lead to the online payment page for the malware:
This threat also drops a file named bg.log where the malware was initially run.
The file is used to log all the actions done in the machine such as encryption, connecting to the command and control server, attempts to compress files, decrypt files and other actions:
BG_CryptFile: Failed to create archive:
BG_DecryptFileFromServer: Failed open file:
BG_DecryptFileFromServer: File not crypted:
BG_DecryptFileFromServer: Failed create file:
BG_DecryptFileFromServer: BG_GetServerKey - error.
Failed uncompress file:
BG_DecryptFileLocal: Failed open file:
BG_DecryptFileLocal: File not crypted:
BG_DecryptFileLocal: Failed create file:
BG_DecryptFileLocal: BG_GetServerKey - error.
BG_DecryptFileLocal: Failed uncompress file:
BG_DecryptAllowed: !BG_GetBTCPay - error.
BG_TopProcessDisk: Start processing disk :
BG_TopProcessDisk: End processing disk :
BG_GetTopCryptedFiles: Start...
BG_GetTopCryptedFiles: End...
BG_DecryptProcessDisk: Start processing disk :
BG_DecryptProcessDisk: End processing disk :
BG_EncryptProcessDisk: Start processing disk :
BG_EncryptProcessDisk: End processing disk :
BG_CryptMachine: Start...
BG_CryptMachine: Failed create thread.
BG_CryptMachine: End...
BG_DeCryptMachine: Start...
BG_DeCryptMachine: Failed create thread.
BG_DeCryptMachine: g_connectError !!!
BG_DeCryptMachine: End...
Analysis by: Marianne MallenLast update 19 October 2016