
Ransom:Win32/Bucbi


First posted on 14 May 2016.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Bucbi.

Explanation:

Installation

This ransomware can be downloaded by other malware such as TrojanDownloader:Win32/Brucryp, or can be installed by a remote user after a successful brute force attack with an RDP Brute tool.

It can be deployed with the command-line switch: /install

When it runs, it will drop a copy of itself in %LOCALAPPDATA%\.exe (for example, %LOCALAPPDATA%\ompvqabf.exe).

It creates a registry entry so that it runs each time you start your PC, as part of its installation routine:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "@"
With data: "%LOCALAPPDATA%\.exe"

Payload

This ransomware can encrypt the contents of files with the following extension names but retain their original filename:

3fr dng mdf pef srf accdb doc mef pem srw arw docm mht pfx sxw bay docx mrw pht tif bmp dwg nef ppt txt cdr dxf nrw pptm wb2 cer dxg odb pptx wpd chm eps odc psd wps cpp erf odm pst x3f cr2 fb2 odp ptx xlam crt gif ods r3d xlk crw img odt raf xls csv indd orf rar xlsb cxx jpe p12 raw xlsm dbf jpeg p7b rtf xlsx dcr jpg p7c rw2 xltm der kdc pdd rwl xltx djvu mdb pdf sr2 zip

It also drops a text file with the name .log (for example, 33d7ae7e458.log) in the %ALLUSERSPROFILE% folder (C:\ProgramData) that logs actions on the machine such as:

  • signaling the process start of malware
  • generating keys
  • file processing / enumeration started
  • performing network / local encryption
  • encrypting files
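
The two host artifacts described above (the Run-key entry pointing at an .exe dropped directly under %LOCALAPPDATA%, and the random-named .log in %ALLUSERSPROFILE%) can be hunted for with the read-only PowerShell check below. This is an added example, not part of the Microsoft description; it assumes the dropped executable sits in the %LOCALAPPDATA% root with no subfolder, and that the log's base name is hex-like as in the page's example, both of which are assumptions drawn only from the examples given here.

```powershell
# Added example: hunt for the Ransom:Win32/Bucbi persistence and log artifacts.
# Assumptions (not stated by the page): the .exe is directly in %LOCALAPPDATA%,
# and the .log base name is 8-16 hex characters like the example 33d7ae7e458.log.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$local  = [regex]::Escape($env:LOCALAPPDATA)
$hits   = @()

# 1. Run-key values whose data (after expanding %VAR% references and stripping
#    quotes) is an .exe located directly in the %LOCALAPPDATA% root.
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/etc. metadata
        $data = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
        if ($data -match "^$local\\[^\\]+\.exe$") {
            $hits += [pscustomobject]@{ Artifact = 'RunKey'; Name = $p.Name; Data = $data }
        }
    }
}

# 2. Hex-named .log files in %ALLUSERSPROFILE% (C:\ProgramData on a default install).
Get-ChildItem -Path $env:ALLUSERSPROFILE -Filter '*.log' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^[0-9a-f]{8,16}$' } |
    ForEach-Object {
        $hits += [pscustomobject]@{ Artifact = 'LogFile'; Name = $_.Name; Data = $_.FullName }
    }

# Either artifact alone is only a lead; a Run-key hit plus a matching log on the
# same host is what warrants pulling the binary for hash comparison.
$hits | Format-Table -AutoSize
```

Any hit is worth triaging by hashing the referenced executable and comparing it against the SHA1 the page lists, since legitimate software rarely registers an unqualified .exe dropped straight into the %LOCALAPPDATA% root.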


After encrypting files on the machine, it displays a window with instructions on how to decrypt the files and how to pay the ransom (Bitcoin).

This malware description was analyzed based on file SHA1 6f44651177e6d8840b0a39e9254e8ba5904117a6.

Analysis by Marianne Mallen

Last update 14 May 2016
