Analysis
VBS/Agent.PFR!tr.dldr is a generic detection for a family of Visual Basic Script downloader trojans that download the Locky ransomware onto the compromised computer. Because this is a generic detection, files detected as VBS/Agent.PFR!tr.dldr may vary in behavior.
Together with the Locky payload it downloads, which is detected as W32/Locky.FWSD!tr.ransom, it exhibits the following characteristics and behavior:
- It downloads the Locky ransomware as the following file:
- Files affected by this ransomware are renamed using the file-naming format XXXXXXXX-XXXX-XXXX-XXXXXXXX-XXXXXXXXXXXX.ykcol, where each X is any alphanumeric character.
- It attempts to connect to the following URLs:
- hxxp://amma{Removed}.it/jhdsgvc74?
- hxxp://idea{Removed}.net/p66/jhdsgvc74
- hxxp://anim{Removed}.net/jhdsgvc74?
- Below is an example of the ransom note:
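The two indicators above that a defender can act on are the .ykcol file-naming format and the shared `jhdsgvc74` path token in the download URLs. The following Python script is an added example written for this page, not code from the analysis or from the vendor: it matches file names against the stated 8-4-4-8-12 alphanumeric pattern and scans constructed proxy-log records for URLs whose last path segment is the download token. The proxy-log layout (timestamp, client, method, URL, status), the `.example` hostnames standing in for the redacted hosts, and all sample file names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Locky ".ykcol" file-naming format from the analysis:
# XXXXXXXX-XXXX-XXXX-XXXXXXXX-XXXXXXXXXXXX.ykcol, where each X is alphanumeric.
YKCOL_NAME_RE = re.compile(
    r"^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}"
    r"-[A-Za-z0-9]{8}-[A-Za-z0-9]{12}\.ykcol$"
)

# Path token shared by the three download URLs listed in the analysis.
# The hosts are redacted on the page, so only the path is matched.
DOWNLOAD_PATH_TOKEN = "jhdsgvc74"

# Constructed sample file names (not taken from a real infection).
SAMPLE_FILENAMES = [
    "budget-2017.xlsx",
    "7F3A9C21-0B4D-8E2F-1A2B3C4D-5E6F7A8B9C0D.ykcol",   # matches the format
    "notes.txt",
    "0A1B2C3D-4E5F-6A7B-8C9D0E1F-2A3B4C5D6E7F.ykcol",   # matches the format
    "0A1B2C3D-4E5F-6A7B-8C9D0E1F-2A3B4C5D6E7.ykcol",    # last group too short
    "something.ykcol",                                  # extension alone is not enough
]

# Constructed proxy-log records: timestamp client method url status.
# The hostnames are placeholders for the redacted hosts on the page.
SAMPLE_PROXY_LOG = [
    "2017-09-20T10:15:01Z 10.0.0.23 GET http://intranet.example/index.html 200",
    "2017-09-20T10:15:08Z 10.0.0.23 GET http://redacted-host-1.example/jhdsgvc74? 200",
    "2017-09-20T10:15:09Z 10.0.0.41 GET http://cdn.example/static/app.js 200",
    "2017-09-20T10:16:30Z 10.0.0.57 GET http://redacted-host-2.example/p66/jhdsgvc74 200",
    "malformed record",
]


def refang(url: str) -> str:
    """Turn a defanged hxxp:// or hxxps:// indicator back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def is_ykcol_name(filename: str) -> bool:
    """Return True if the file name matches Locky's .ykcol renaming format."""
    return YKCOL_NAME_RE.match(filename) is not None


def count_ykcol_files(filenames) -> int:
    """Count file names in an iterable that match the .ykcol format."""
    return sum(1 for name in filenames if is_ykcol_name(name))


def url_matches_download_path(url: str) -> bool:
    """Return True if the URL's final path segment is the download token."""
    path = urlsplit(refang(url)).path
    return path.rstrip("/").split("/")[-1] == DOWNLOAD_PATH_TOKEN


def flag_proxy_log(lines):
    """Return (client, url) pairs for records whose URL carries the download token.

    Records with fewer than five whitespace-separated fields are skipped as malformed.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        if url_matches_download_path(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    print("ykcol-format files:", count_ykcol_files(SAMPLE_FILENAMES))
    for client, url in flag_proxy_log(SAMPLE_PROXY_LOG):
        print("download indicator hit:", client, url)
```

`refang` lets the defanged URLs from the analysis be fed directly to `url_matches_download_path`, so the same function serves both pasted indicators and live log URLs. Because the regex anchors both ends and fixes every group length, a file that merely carries the .ykcol extension is not counted; that keeps the check specific to the renaming behavior described above.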