RANSOM_JIGSAW.F116FN

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

• %Application Data%\Frfx\firefox.exe
• %AppDataLocal%\Drpbx\drpbx.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following non-malicious files:

• %Application Data%\System32Work\Address.txt - bitcoin address
• %Application Data%\System32Work\EncryptedFileList.txt - list of encrypted files
• %Application Data%\System32Work\dr

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %Application Data%\Frfx
• %AppDataLocal%\Drpbx
• %Application Data%\System32Work

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
firefox.exe = "%Application Data%\Frfx\firefox.exe"

Other System Modifications

This Trojan modifies the following file(s):

• It encrypts files and appends the extension .epic

Other Details

This Trojan encrypts files with the following extensions:

• .jpg
• .jpeg
• .raw
• .tif
• .gif
• .png
• .bmp
• .accdb
• .db
• .dbf
• .mdb
• .pdb
• .sql
• .c
• .cpp
• .cs
• .h
• .php
• .asp
• .rb
• .java
• .jar
• .class
• .py
• .js
• .3dm
• .max
• .dwg
• .dxf
• .aaf
• .aep
• .aepx
• .plb
• .prel
• .prproj
• .aet
• .ppj
• .psd
• .indd
• .indl
• .indt
• .indb
• .inx
• .idml
• .pmd
• .xqx
• .xqx
• .ai
• .eps
• .ps
• .svg
• .swf
• .fla
• .as3
• .as
• .txt
• .doc
• .dot
• .docx
• .docm
• .dotx
• .dotm
• .docb
• .rtf
• .wpd
• .wps
• .msg
• .pdf
• .xls
• .xlt
• .xlm
• .xlsx
• .xlsm
• .xltx
• .xltm
• .xlsb
• .xla
• .xlam
• .xll
• .xlw
• .ppt
• .pot
• .pps
• .pptx
• .pptm
• .potx
• .potm
• .ppam
• .ppsx
• .ppsm
• .sldx
• .sldm
• .wav
• .mp3
• .aif
• .iff
• .m3u
• .m4u
• .mid
• .mpa
• .wma
• .ra
• .avi
• .mov
• .mp4
• .3gp
• .mpeg
• .3g2
• .asf
• .asx
• .flv
• .mpg
• .wmv
• .vob
• .m3u8
• .dat
• .csv
• .efx
• .sdf
• .vcf
• .xml
• .ses
• .Qbw
• .QBB
• .QBM
• .QBI
• .QBR
• .Cnt
• .Des
• .v30
• .Qbo
• .Ini
• .Lgb
• .Qwc
• .Qbp
• .Aif
• .Qba
• .Tlg
• .Qbx
• .Qby
• .1pa
• .Qpd
• .Txt
• .Set
• .Iif
• .Nd
• .Rtp
• .Tlg
• .Wav
• .Qsm
• .Qss
• .Qst
• .Fx0
• .Fx1
• .Mx0
• .FPx
• .Fxr
• .Fim
• .ptb
• .Ai
• .Pfb
• .Cgn
• .Vsd
• .Cdr
• .Cmx
• .Cpt
• .Csl
• .Cur
• .Des
• .Dsf
• .Ds4
• .Drw
• .Dwg
• .Eps
• .Ps
• .Prn
• .Gif
• .Pcd
• .Pct
• .Pcx
• .Plt
• .Rif
• .Svg
• .Swf
• .Tga
• .Tiff
• .Psp
• .Ttf
• .Wpd
• .Wpg
• .Wi
• .Raw
• .Wmf
• .Txt
• .Cal
• .Cpx
• .Shw
• .Clk
• .Cdx
• .Cdt
• .Fpx
• .Fmv
• .Img
• .Gem
• .Xcf
• .Pic
• .Mac
• .Met
• .PP4
• .Pp5
• .Ppf
• .Xls
• .Xlsx
• .Xlsm
• .Ppt
• .Nap
• .Pat
• .Ps
• .Prn
• .Sct
• .Vsd
• .wk3
• .wk4
• .XPM
• .zip
• .rar

It does the following:

• It deletes 1000 files when system is restarted by the user
• It deletes a file per hour when ransom amount is not yet paid

NOTES:

This ransomware displays a window containing its ransom note: