RANSOM_HPLOCKY.SMJBB

This Trojan may be downloaded by other malware/grayware from remote sites.

It connects to certain websites to send and receive information. It deletes the initially executed copy of itself.

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

• X2KM_LOCKY.MVIL

Installation

This Trojan drops the following files:

• (Folder of Encrypted Files}\OSIRIS-{Random Hex Values}.htm → Ransom Note

It drops and executes the following files:

• %User Profile%\DesktopOSIRIS.htm → Ransom Note
• %User Profile%\DesktopOSIRIS.bmp → Ransom Note, image used as wallpaper

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Other System Modifications

This Trojan modifies the following file(s):

• It encrypts files in fixed, removable, RAM disk drives, and network shares.

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Control Panel\Desktop
WallpaperStyle = "0"

(Note: The default value data of the said registry entry is {user preference}.)

HKEY_CURRENT_USER\Control Panel\Desktop
TileWallpaper = "0"

(Note: The default value data of the said registry entry is {user preference}.)

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %Desktop%\DesktopOSIRIS.bmp

(Note: The default value data of the said registry entry is {user preference}.)

Other Details

This Trojan connects to the following website to send and receive information:

• http://{BLOCKED}.{BLOCKED}.14.95/checkupdate
• http://{BLOCKED}.{BLOCKED}.136.67/checkupdate

It encrypts files with the following extensions:

• .001
• .002
• .003
• .004
• .005
• .006
• .007
• .008
• .009
• .01
• .011
• .123
• .602
• .1cd
• .3dm
• .3ds
• .3fr
• .3g2
• .3gp
• .3pr
• .7z
• .7zip
• .aac
• .ab4
• .accdb
• .accde
• .accdr
• .accdt
• .ach
• .acr
• .act
• .adb
• .adp
• .ads
• .aes
• .agdl
• .ai
• .aiff
• .ait
• .al
• .aoi
• .apj
• .apk
• .ARC
• .arw
• .asc
• .asf
• .asm
• .asp
• .aspx
• .asset
• .asx
• .avi
• .awg
• .back
• .backup
• .backupdb
• .bak
• .bank
• .bat
• .bay
• .bdb
• .bgt
• .bik
• .bin
• .bkp
• .blend
• .bmp
• .bpw
• .brd
• .bsa
• .bz2
• .c
• .cdf
• .cdr
• .cdr3
• .cdr4
• .cdr5
• .cdr6
• .cdrw
• .cdx
• .ce1
• .ce2
• .cer
• .cfg
• .cgm
• .cib
• .class
• .cls
• .cmd
• .cmt
• .config
• .contact
• .cpi
• .cpp
• .cr2
• .craw
• .crt
• .crw
• .cs
• .csh
• .csl
• .csr
• .css
• .csv
• .CSV
• .d3dbsp
• .dac
• .das
• .dat
• .db
• .db_journal
• .db3
• .dbf
• .dbx
• .dc2
• .dch
• .dcr
• .dcs
• .ddd
• .ddoc
• .ddrw
• .dds
• .der
• .des
• .design
• .dgc
• .dif
• .dip
• .dit
• .djv
• .djvu
• .dng
• .doc
• .DOC
• .docb
• .docm
• .docx
• .dot
• .DOT
• .dotm
• .dotx
• .drf
• .drw
• .dtd
• .dwg
• .dxb
• .dxf
• .dxg
• .edb
• .eml
• .eps
• .erbsql
• .erf
• .exf
• .fdb
• .ffd
• .fff
• .fh
• .fhd
• .fla
• .flac
• .flf
• .flv
• .flvv
• .forge
• .fpx
• .frm
• .fxg
• .gif
• .gpg
• .gray
• .grey
• .groups
• .gry
• .gz
• .h
• .hbk
• .hdd
• .hpp
• .html
• .hwp
• .ibank
• .ibd
• .ibz
• .idx
• .iif
• .iiq
• .incpas
• .indd
• .iwi
• .jar
• .java
• .jnt
• .jpe
• .jpeg
• .jpg
• .js
• .kc2
• .kdbx
• .kdc
• .key
• .kpdx
• .kwm
• .laccdb
• .lay
• .lay6
• .lbf
• .ldf
• .lit
• .litemod
• .litesql
• .log
• .ltx
• .lua
• .m
• .m2ts
• .m3u
• .m4a
• .m4p
• .m4u
• .m4v
• .mapimail
• .max
• .mbx
• .md
• .mdb
• .mdc
• .mdf
• .mef
• .mfw
• .mid
• .mkv
• .mlb
• .mml
• .mmw
• .mny
• .moneywell
• .mos
• .mov
• .mp3
• .mp4
• .mpeg
• .mpg
• .mrw
• .ms11
• .ms11 (Security copy)
• .msg
• .myd
• .MYD
• .MYI
• .n64
• .nd
• .ndd
• .ndf
• .nef
• .NEF
• .nk2
• .nop
• .nrw
• .ns2
• .ns3
• .ns4
• .nsd
• .nsf
• .nsg
• .nsh
• .nvram
• .nwb
• .nx2
• .nxl
• .nyf
• .oab
• .obj
• .odb
• .odc
• .odf
• .odg
• .odm
• .odp
• .ods
• .odt
• .ogg
• .oil
• .onetoc2
• .orf
• .ost
• .otg
• .oth
• .otp
• .ots
• .ott
• .p12
• .p7b
• .p7c
• .pab
• .pages
• .PAQ
• .pas
• .pat
• .pcd
• .pct
• .pdb
• .pdd
• .pdf
• .pef
• .pem
• .pfx
• .php
• .pif
• .pl
• .plc
• .plus_muhd
• .png
• .pot
• .potm
• .potx
• .ppam
• .pps
• .ppsm
• .ppsx
• .ppt
• .PPT
• .pptm
• .pptx
• .prf
• .ps
• .psafe3
• .psd
• .pspimage
• .pst
• .ptx
• .pwm
• .py
• .qba
• .qbb
• .qbm
• .qbr
• .qbw
• .qbx
• .qby
• .qcow
• .qcow2
• .qed
• .r3d
• .raf
• .rar
• .rat
• .raw
• .rb
• .rdb
• .re4
• .rm
• .rtf
• .RTF
• .rvt
• .rw2
• .rwl
• .rwz
• .s3db
• .safe
• .sas7bdat
• .sav
• .save
• .say
• .sch
• .sd0
• .sda
• .sdf
• .sh
• .sldm
• .sldx
• .slk
• .sql
• .sqlite
• .sqlite3
• .SQLITE3
• .sqlitedb
• .SQLITEDB
• .sr2
• .srf
• .srt
• .srw
• .st4
• .st5
• .st6
• .st7
• .st8
• .stc
• .std
• .sti
• .stm
• .stw
• .stx
• .svg
• .swf
• .sxc
• .sxd
• .sxg
• .sxi
• .sxm
• .sxw
• .tar
• .tar
• .tbk
• .tex
• .tga
• .tgz
• .thm
• .tif
• .tiff
• .tlg
• .txt
• .uop
• .uot
• .upk
• .vb
• .vbox
• .vbs
• .vdi
• .vhd
• .vhdx
• .vmdk
• .vmsd
• .vmx
• .vmxf
• .vob
• .wab
• .wad
• .wallet
• .wav
• .wb2
• .wk1
• .wks
• .wma
• .wmv
• .wpd
• .wps
• .x11
• .x3f
• .xis
• .xla
• .xlam
• .xlc
• .xlk
• .xlm
• .xlr
• .xls
• .XLS
• .xlsb
• .xlsm
• .xlsx
• .xlt
• .xltm
• .xltx
• .xlw
• .xml
• .ycbcra
• .yuv
• .zip

It renames encrypted files using the following names:

• {first 8 characters of ID}--{next 4 characters of ID}--{last 4 characters of ID}--{8 hex characters}--{12 hex characters}.osiris

It does the following:

• It prevents encrypting files containing any of the strings in its full path name:
  • Windows
  • Boot
  • System Volume Information
  • $Recycle.Bin
  • thumbs.db
  • temp
  • Program Files
  • Program Files (x86)
  • AppData
  • Application Data
  • winnt
  • tmp
  • _Locky_recover_instructions.txt
  • _Locky_recover_instructions.bmp
  • _HELP_instructions.txt
  • _HELP_instructions.bmp
  • _HELP_instructions.html
• It deletes shadow copies by executing the following command:
  • vssadmin.exe Delete Shadows /Quiet /All

It deletes the initially executed copy of itself

NOTES:

It changes the wallpaper with the following image:

It drops the following ransom note: