Analysis by: Nikko Tamana
ALIASES:

DeepScan:Generic.Ransom.Amnesia.F42DEF8A (Bitdefender), Trj/RansomCrypt.D (Panda)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Ransomware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It is capable of encrypting files in the affected system.

  TECHNICAL DETAILS

File Size: 67072 bytes
File Type: EXE
Initial Samples Received Date: 02 Nov 2017

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

  • %User Temp%\{GUID}.bat

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

  • %Application Data%\Ghrome.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following processes:

  • %System%\cmd.exe /c vssadmin Delete Shadows /for=C: /All
  • %System%\cmd.exe /c vssadmin Delete Shadows /for=D: /All
  • %System%\cmd.exe /c vssadmin Delete Shadows /for=E: /All
  • %System%\cmd.exe /c vssadmin Delete Shadows /for=F: /All
  • %System%\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
  • %System%\cmd.exe /c wmic SHADOWCOPY DELETE
  • %System%\cmd.exe /c vssadmin Delete Shadows /All /Quiet
  • %System%\cmd.exe /c bcdedit /set {default} recoveryenabled No
  • %System%\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It leaves text files that serve as ransom notes containing the following:

  • {encrypted file path}\HOW TO RECOVER ENCRYPTED FILES.TXT

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKCU\Software\Microsoft\
Windows\CurrentVersion\RunOnce
{B5135AD2-D7D9-FFDC-0A8E-143026FB1938} = %Application Data%\Ghrome.exe

Other System Modifications

This Ransomware adds the following registry keys:

HKCU\Software\{B5135AD2-D7D9-FFDC-0A8E-143026FB1938}

It modifies the Internet Explorer Privacy Settings.

Other Details

This Ransomware is capable of encrypting files in the affected system.