Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WindowsSecurityUpdate' = '<Full path to file>'
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WindowsSecurityUpdate' = '<Full path to file>'
Malicious functions
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\210252809.jpeg
- %HOMEPATH%\desktop\000814251_video_01.avi
- %HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx
- %HOMEPATH%\desktop\dashborder_144.bmp
- %HOMEPATH%\desktop\delete.avi
- %HOMEPATH%\desktop\fi51.doc
- %HOMEPATH%\desktop\hanni_umami_chapter.doc
- %HOMEPATH%\desktop\nwfieldnotes1966.docx
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\desktop\toolbar.bmp
Modifies file system
Creates the following files
- %APPDATA%\key\key.txt
- %HOMEPATH%\desktop\000814251_video_01.avi.wncry
- %HOMEPATH%\desktop\210252809.jpeg.wncry
- %HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx.wncry
- %HOMEPATH%\desktop\dashborder_144.bmp.wncry
- %HOMEPATH%\desktop\delete.avi.wncry
Sets the 'hidden' attribute to the following files
- %APPDATA%\key\key.txt
Changes user data files extensions (Trojan.Encoder).
