W32/Filecoder.DI!tr

Analysis


W32/Filecoder.DI!tr is a ransomware trojan. Once executed, it encrypts the user's important files such as documents and images, then demands a ransom in exchange for the decryption key needed to recover them.

  • The malware has anti-analysis capabilities: it refuses to run inside a virtual machine or while certain debugging tools are running.

  • It encrypts the user's data files such as .JPG, .C, .H, .PY, .DOC, .XLS, and .EML files.

  • It does not encrypt .EXE, .DLL, .TXT, and .HTML files. Executables and DLLs are left untouched so that the operating system keeps running; .TXT and .HTML files are most probably skipped because the ransom note files it drops are themselves .TXT and .HTML files.

  • It drops a copy of itself to the Windows folder with a randomized file name.

  • In every folder where it has encrypted at least one file, it drops the following files, which contain its ransom message:
    • DECRYPT_INSTRUCTIONS.html
    • DECRYPT_INSTRUCTIONS.txt

  • It drops the following data files:
    • %AllUsersProfile%\Application Data\[RandomFilename2]\00000000
    • %AllUsersProfile%\Application Data\[RandomFilename3]\01000000
    • %AllUsersProfile%\Application Data\[RandomFilename3]\02000000
    • %AllUsersProfile%\Application Data\[RandomFilename3]\03000000
    • %AllUsersProfile%\Application Data\[RandomFilename3]\04000000
    • %AllUsersProfile%\Application Data\[RandomFilename3]\05000000
    • %AllUsersProfile%\Application Data\[RandomFilename3]\06000000

  • The malware applies the following registry modification:
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      • [RandomFilename4] = "%Windows%\[RandomFoldername1].exe", e.g., azagotef = "C:\WINDOWS\ywelykev.exe"
      • This Run value executes the dropped copy automatically every time the infected user logs on.

  • The malware renames each file it encrypts by appending .encrypted to the original extension (e.g., "Blue hills.jpg" becomes "Blue hills.jpg.encrypted").

  • The malware launches another instance of explorer.exe and injects code into it. The injected code opens the default text editor to display the ransom message from one of the dropped .TXT files, and opens the default web browser to display one of the dropped .HTML files, which carries the same ransom message.

  • When injecting into explorer.exe, the malware creates a mutex named owawejuhesazawologypyjujoqacipa.
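The host-level traces listed above (the .encrypted suffix, the two DECRYPT_INSTRUCTIONS notes per affected folder, and the Run value pointing at an .exe dropped directly into the Windows folder) are easy to sweep for during triage. The following Python script is an added example written for this page, not Fortinet's tooling; it runs offline against a constructed directory tree and a constructed `reg query` output, and the "executable directly under the Windows folder" persistence heuristic is an assumption derived from the analysis rather than a rule from any product.

```python
"""Triage helpers for the W32/Filecoder.DI!tr traces described above.

Example code added for this page (not Fortinet's). The directory tree and
the `reg query` text it inspects are constructed sample data.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Extension lists and note file names exactly as given in the analysis.
TARGETED_EXTS = {".jpg", ".c", ".h", ".py", ".doc", ".xls", ".eml"}
SKIPPED_EXTS = {".exe", ".dll", ".txt", ".html"}
RANSOM_NOTES = {"DECRYPT_INSTRUCTIONS.html", "DECRYPT_INSTRUCTIONS.txt"}
ENCRYPTED_SUFFIX = ".encrypted"


def classify_extension(filename: str) -> str:
    """'targeted' / 'skipped' per the page's lists; anything else is 'unknown'."""
    ext = Path(filename).suffix.lower()
    if ext in TARGETED_EXTS:
        return "targeted"
    if ext in SKIPPED_EXTS:
        return "skipped"
    return "unknown"


def original_name(filename: str) -> Optional[str]:
    """Strip the appended suffix: 'Blue hills.jpg.encrypted' -> 'Blue hills.jpg'."""
    if not filename.lower().endswith(ENCRYPTED_SUFFIX):
        return None
    return filename[: -len(ENCRYPTED_SUFFIX)]


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root and report (paths relative to root, sorted): every
    *.encrypted file, every folder holding a ransom note, and every folder
    holding at least one encrypted file, which is where notes are expected."""
    rootp = Path(root)
    report: Dict[str, List[str]] = {"encrypted_files": [], "note_folders": [], "folders_hit": []}
    for dirpath, _dirs, files in os.walk(root):
        rel = Path(dirpath).relative_to(rootp).as_posix()
        enc = [f for f in files if f.lower().endswith(ENCRYPTED_SUFFIX)]
        report["encrypted_files"] += [f"{rel}/{f}" for f in enc]
        if any(f in RANSOM_NOTES for f in files):
            report["note_folders"].append(rel)
        if enc:
            report["folders_hit"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def build_sample_tree() -> str:
    """Constructed sample: two folders hit as the analysis describes, one untouched."""
    root = tempfile.mkdtemp(prefix="filecoder_demo_")
    layout = {
        "docs": ["report.doc.encrypted", "notes.txt", *RANSOM_NOTES],
        "pics": ["Blue hills.jpg.encrypted", *RANSOM_NOTES],
        "bin": ["app.exe", "helper.dll"],
    }
    for folder, names in layout.items():
        d = Path(root, folder)
        d.mkdir()
        for n in names:
            (d / n).write_bytes(b"sample")
    return root


# Constructed `reg query HKLM\...\Run` output. The azagotef line mirrors the
# example value quoted in the analysis; the other two are ordinary entries.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    azagotef    REG_SZ    C:\WINDOWS\ywelykev.exe
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

RUN_VALUE = re.compile(r"^\s+(\S+)\s+(REG_(?:EXPAND_)?SZ)\s+(.+?)\s*$")
# Assumed heuristic (not from the page): a Run value whose data is an .exe
# sitting directly in the Windows folder, like the dropped copy, merits review.
WINDIR_EXE = re.compile(r'^"?(?:%windir%|%systemroot%|[a-z]:\\windows)\\[^\\"]+\.exe"?$', re.IGNORECASE)


def suspicious_run_entries(reg_query_output: str) -> List[Tuple[str, str]]:
    """Return (value name, data) pairs whose data matches the heuristic above."""
    hits = []
    for line in reg_query_output.splitlines():
        m = RUN_VALUE.match(line)
        if m and WINDIR_EXE.match(m.group(3)):
            hits.append((m.group(1), m.group(3)))
    return hits


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
    print(suspicious_run_entries(SAMPLE_REG_QUERY))
```

On a real host, point `scan_tree` at the user profile or a mapped share and feed `suspicious_run_entries` the text of `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"`; a folder that contains .encrypted files but no notes, or notes but no .encrypted files, is still worth a look, which is why the two lists are reported separately.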

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-04-18 91.02476
2023-03-10 91.01287
2023-03-08 91.01241
2020-04-21 76.87400 Sig Updated
2020-04-21 76.87100 Sig Updated
2020-04-21 76.86800 Sig Updated
2020-02-10 75.17300 Sig Updated
2019-09-05 71.39200 Sig Updated
2019-08-28 71.20000 Sig Updated
2019-08-13 70.68900 Sig Updated