Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Mon Dec 08, 2014 9:11 am

Malware that infects executable files on the victim's computer and asks to pay a ransom in BTC.

Each infected executable is overwritten by a copy of the malware with the icon of the original executable preserved. Mass infection of executables gives this malware the ability to survive removal and re-infect the PC.

Runs via

Alters Windows Explorer settings:
1) file extensions -> reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2) hidden files -> reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Turns off UAC -> reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Monitors user activity -> blocks execution of several programs by looking for specific window titles/class names, including the malware's own process names.
The following names are identified:
1) Windows Task Manager
2) Run
3) Open
4) malware process names (thus preventing, for example, viewing the process properties)
5) RegEdit_RegEdit

Capable of infecting removable drives.

Example of an infected file -> ... /analysis/ (gmer found on the infected computer was used)

One of the VT reports for the sample in the archive ... /analysis/
Don't be confused by the high VT detection ratio - only 4 products here correctly detect this malware.
Ring0 - the source of inspiration
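Added detection example (not from the post or its author): a small Python checker that pulls the three Explorer/UAC settings listed above out of reg.exe command lines, as a process-creation log feed from Sysmon or an EDR would supply them. The command-line samples are constructed for this example; a matching write with a restoring value (HideFileExt=0) is deliberately not flagged.

```python
import shlex

# Constructed sample process command lines (as an EDR or Sysmon process-creation
# event would carry them); built for this example, not taken from the post.
SAMPLE_CMDLINES = [
    r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1',
    r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2',
    r'reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f',
    r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 0',
    r'C:\Windows\System32\notepad.exe C:\Users\user\notes.txt',
]

# The three settings the post lists: (key path without hive, value name, data) -> meaning.
WATCHLIST = {
    (r'software\microsoft\windows\currentversion\explorer\advanced', 'hidefileext', '1'): 'hide file extensions',
    (r'software\microsoft\windows\currentversion\explorer\advanced', 'hidden', '2'): 'hide hidden files',
    (r'software\microsoft\windows\currentversion\policies\system', 'enablelua', '0'): 'disable UAC',
}

def parse_reg_add(cmdline):
    """Parse 'reg add <key> ... /v <name> /d <data>'; None if not a reg add."""
    try:  # posix=False keeps backslashes and quotes intact
        argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if len(argv) < 3 or argv[1].lower() != 'add':
        return None
    if argv[0].rsplit('\\', 1)[-1].lower() not in ('reg', 'reg.exe'):
        return None
    out = {'key': argv[2], 'value': None, 'data': None}
    for i, tok in enumerate(argv[3:], start=3):  # flags may come in any order
        if tok.lower() == '/v' and i + 1 < len(argv):
            out['value'] = argv[i + 1]
        elif tok.lower() == '/d' and i + 1 < len(argv):
            out['data'] = argv[i + 1]
    return out

def classify(cmdline):
    """Return the watchlist meaning this command line matches, or None."""
    reg = parse_reg_add(cmdline)
    if reg is None or reg['value'] is None:
        return None
    key = reg['key'].partition('\\')[2].lower()  # drop the hive prefix (HKCU\, HKLM\, ...)
    return WATCHLIST.get((key, reg['value'].lower(), reg['data']))

def scan(cmdlines):
    """Return [(cmdline, meaning)] for every command line that matches the watchlist."""
    return [(line, classify(line)) for line in cmdlines if classify(line)]
```

On the constructed samples, scan() returns the three settings the post describes and ignores the restoring write and the unrelated process.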
Posts: 29
Joined: Thu Oct 06, 2011 4:10 pm
Location: Colombia

Sun Jul 17, 2016 3:01 am


I don't know if this ransomware is active again; it looks like nothing has changed in its functionality.

805.0 KB ... /analysis/

Twitter: @nyxbone