
Win32/Mischa


First posted on 25 May 2016.
Source: Microsoft

Aliases:

There are no other names known for Win32/Mischa.

Explanation:

Installation

This threat can arrive through a drive-by download with the following name:

  • PDFBewerbungsmappe.exe


Payload

This ransomware searches for files in all of the targeted folders with the following extensions and encrypts them:

.3dm, .3ds, .3fr, .3g2, .3ga, .3gp, .a2c, .aa, .aa3, .aac, .accdb, .aepx, .ai, .aif, .amr, .ape, .apnx, .ari, .arw, .asf, .asp, .aspx, .asx, .avi, .azw, .azw1, .azw3, .azw4, .bak, .bat, .bay, .bin, .bmp, .camproj, .cat, .ccd, .cdi, .cdr, .cer, .cert, .cfg, .cgi, .class, .cmf, .cnf, .conf, .config, .cpp, .cr2, .crt, .crw, .crwl, .cs, .csv, .cue, .dash, .dat, .db, .dbf, .dcr, .dcu,
.dds, .default, .der, .dfm, .directory, .disc, .dll, .dmg, .dng, .doc, .docm, .docx, .dtd, .dvd, .dwg, .dxf, .eip, .emf, .eml, .eps, .epub, .erf, .exe, .fff, .flv, .frm, .gfx, .gif, .gzip, .h, .htm, .html, .ico, .idl, .iiq, .indd, .inf, .ini, .iso, .jar, .java, .jfif, .jge, .jpe, .jpeg, .jpg, .js, .json, .jsp, .k25, .kdc, .key, .ldf, .lib, .lit, .lnk, .localstorage, .log, .m3u, .m4a, .m4v,
.max, .mdb, .mdf, .mef, .mkv, .mobi, .mov, .movie, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpeg, .mpg, .mpv2, .mrw, .msg, .mts, .mui, .myi, .nef, .nrg, .nri, .nrw, .number, .obj, .odb, .odc, .odf, .odm, .odp, .ods, .odt, .ogg, .orf, .ost, .p12, .p7b, .p7c, .pages, .pas, .pbk, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .po, .pps, .ppt, .pptm, .pptx, .prf, .props, .ps, .psd,
.pspimage, .pst, .ptx, .pub, .py, .qt, .r3d, .ra, .raf, .ram, .rar, .raw, .result, .rll, .rm, .rpf, .rtf, .rw2, .rwl, .sql, .sqlite, .sqllite, .sr2, .srf, .srt, .srw, .svg, .swf, .tga, .tiff, .toast, .ts, .txt, .vbs, .vcd, .vlc, .vmdk, .vmx, .vob, .wav, .wb2, .wdb, .wma, .wmv, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .xml, .xps, .xsl, .yml, .yuv, .zip

After the files are encrypted, the ransomware renames the files by appending random characters to the affected file extension. For example:

  • AUTOEXEC.BAT is renamed to AUTOEXEC.BAT.7QoH
  • eula.1028.txt is renamed to eula.1028.txt.7QoH
  • install.exe is renamed to install.exe.cQRi
  • install.ini is renamed to install.ini.cQRi
  • install.res.1028.dll is renamed to install.res.1028.dll.7QoH


The malware might not encrypt files inside folders with the following substrings:
  • \$Recycle.Bin
  • \Chrome
  • \Internet Explorer
  • \Local
  • \LocalLow
  • \Microsoft
  • \Mozilla Firefox
  • \Opera
  • \Temp
  • \Windows
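The rename behaviour and the folder exclusions above give a responder enough to triage a file listing: a file is suspect when its name ends in one of the targeted extensions followed by one extra short tag, and paths under the excluded folder substrings can be set aside. The script below is an added example written for this page, not code from Microsoft or from the malware description. It assumes, from the examples shown (.7QoH, .cQRi), that the appended tag is four alphanumeric characters; the sample paths are constructed for the demonstration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Extensions targeted by Win32/Mischa, as listed in the description.
TARGET_EXTENSIONS = frozenset("""
.3dm .3ds .3fr .3g2 .3ga .3gp .a2c .aa .aa3 .aac .accdb .aepx .ai .aif .amr .ape .apnx
.ari .arw .asf .asp .aspx .asx .avi .azw .azw1 .azw3 .azw4 .bak .bat .bay .bin .bmp
.camproj .cat .ccd .cdi .cdr .cer .cert .cfg .cgi .class .cmf .cnf .conf .config .cpp
.cr2 .crt .crw .crwl .cs .csv .cue .dash .dat .db .dbf .dcr .dcu .dds .default .der
.dfm .directory .disc .dll .dmg .dng .doc .docm .docx .dtd .dvd .dwg .dxf .eip .emf
.eml .eps .epub .erf .exe .fff .flv .frm .gfx .gif .gzip .h .htm .html .ico .idl .iiq
.indd .inf .ini .iso .jar .java .jfif .jge .jpe .jpeg .jpg .js .json .jsp .k25 .kdc
.key .ldf .lib .lit .lnk .localstorage .log .m3u .m4a .m4v .max .mdb .mdf .mef .mkv
.mobi .mov .movie .mp1 .mp2 .mp3 .mp4 .mp4v .mpa .mpe .mpeg .mpg .mpv2 .mrw .msg .mts
.mui .myi .nef .nrg .nri .nrw .number .obj .odb .odc .odf .odm .odp .ods .odt .ogg
.orf .ost .p12 .p7b .p7c .pages .pas .pbk .pdd .pdf .pef .pem .pfx .php .png .po .pps
.ppt .pptm .pptx .prf .props .ps .psd .pspimage .pst .ptx .pub .py .qt .r3d .ra .raf
.ram .rar .raw .result .rll .rm .rpf .rtf .rw2 .rwl .sql .sqlite .sqllite .sr2 .srf
.srt .srw .svg .swf .tga .tiff .toast .ts .txt .vbs .vcd .vlc .vmdk .vmx .vob .wav
.wb2 .wdb .wma .wmv .wpd .wps .x3f .xlk .xls .xlsb .xlsm .xlsx .xml .xps .xsl .yml
.yuv .zip
""".split())

# Folder substrings the description says the malware may skip.
EXCLUDED_FOLDER_SUBSTRINGS = (
    r"\$Recycle.Bin", r"\Chrome", r"\Internet Explorer", r"\Local", r"\LocalLow",
    r"\Microsoft", r"\Mozilla Firefox", r"\Opera", r"\Temp", r"\Windows",
)

# Assumption drawn from the examples in the description (.7QoH, .cQRi):
# the appended tag is exactly four alphanumeric characters.
TAG_RE = re.compile(
    r"^(?P<stem>.+)\.(?P<ext>[a-z0-9]+)\.(?P<tag>[A-Za-z0-9]{4})$", re.IGNORECASE
)


def in_excluded_folder(path: str) -> bool:
    """True if the file's directory contains one of the excluded substrings."""
    folder = str(PureWindowsPath(path).parent).lower()
    return any(s.lower() in folder for s in EXCLUDED_FOLDER_SUBSTRINGS)


def classify(path: str):
    """Return ("excluded", None), ("renamed", tag) or ("clean", None)."""
    if in_excluded_folder(path):
        return "excluded", None
    m = TAG_RE.match(PureWindowsPath(path).name)
    if m and "." + m.group("ext").lower() in TARGET_EXTENSIONS:
        return "renamed", m.group("tag")
    return "clean", None


def triage(paths):
    """Bucket a file listing and count the tags seen; the description's own
    examples show more than one tag on a single host, so the count matters."""
    result = {"renamed": [], "excluded": [], "clean": [], "tags": Counter()}
    for p in paths:
        verdict, tag = classify(p)
        result[verdict].append(p)
        if tag:
            result["tags"][tag] += 1
    return result


# Constructed sample listing; the first four mirror the renames in the description.
SAMPLE_PATHS = [
    r"C:\AUTOEXEC.BAT.7QoH",
    r"C:\Program Files\App\eula.1028.txt.7QoH",
    r"C:\Program Files\App\install.exe.cQRi",
    r"C:\Program Files\App\install.res.1028.dll.7QoH",
    r"C:\Windows\win.ini",                          # excluded folder
    r"C:\Users\alice\AppData\Local\Temp\tmp1.log",  # excluded folder
    r"C:\Users\alice\Documents\budget.xlsx",        # untouched
    r"C:\Users\alice\Documents\notes.txt",          # untouched
]

if __name__ == "__main__":
    summary = triage(SAMPLE_PATHS)
    for bucket in ("renamed", "excluded", "clean"):
        print(f"{bucket}: {len(summary[bucket])}")
    print("tags:", dict(summary["tags"]))
```

The tag pattern is a heuristic: a legitimate double extension such as `photo.jpg.bak1` also matches, so treat hits as leads for manual review rather than verdicts. Running the listing through `triage` is also a quick way to see how many distinct tags a host carries, which the description's examples suggest can be more than one.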


It drops ransom notes; the original report shows them as screenshots, which are not reproduced on this page.



Analysis by: Jireh Sanico

Last update 25 May 2016
