
Win32/Shieldcrypt


First posted on 12 September 2017.
Source: Microsoft

Aliases :

There are no other names known for Win32/Shieldcrypt.

Explanation :

Installation


We have seen this ransomware install a copy of itself under different names, such as:

  • %ProgramData%\MicroSoftWare\SmartScreen\SmartScreen.exe
  • %ProgramData%\MicroSoftTMP\system32\conhost.exe


It may report and post information to the following addresses:
  • hxxp://45[.]76[.]81[.]110/test_site_scripts/moduls/connects/mailsupload[.]php
  • hxxp://107[.]191[.]62[.]136/js/prettyPhoto/images/prettyPhoto/default/infromation[.]php


This ransomware deletes shadow copies (the backup copies of files that Windows keeps) and stops the Volume Shadow Copy service by running the following commands:

vssadmin.exe Delete Shadows /All /Quiet
net stop vss

It also disables Startup Repair and the recovery screen that Windows shows after boot failures by running the following commands:

bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures

It changes the following registry entries so that it runs each time you start your PC:

In subkey: HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows SmartScreen"
With data: "C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe"

In subkey: HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows SmartScreen Updater"
With data: ""

In subkey: HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run
Sets value: "Indesing Microsoft"
With data: "C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe"

In subkey: HKCU\SoftWare\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "*Indesing Microsoft"
With data: "C:\ProgramData\MicroSoftTMP\system32\conhost.exe"

In subkey: HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run
Sets value: "Indesing Microsoft Updater"
With data: ""

In subkey: HKCU\SoftWare\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "*Indesing Microsoft Updater"
With data: ""
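Added example (not part of the Microsoft write-up): a small Python triage helper that flags the recovery-inhibiting commands and the Run/RunOnce persistence entries listed above when run over process-creation and registry telemetry. The pipe-delimited log format and the sample lines are constructed for this example; only the command strings, value names and drop paths come from the write-up.

```python
import re

# Constructed sample telemetry (not from the write-up): "PROC|<command line>"
# for process creation, "REG|<key>|<value name>|<data>" for Run-key writes.
SAMPLE_LOG = r"""
PROC|C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet
PROC|net stop vss
PROC|bcdedit /set {default} recoveryenabled No
PROC|bcdedit /set {default} bootstatuspolicy ignoreallfailures
PROC|bcdedit /enum {default}
REG|HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run|Windows SmartScreen|C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe
REG|HKCU\SoftWare\Microsoft\Windows\CurrentVersion\RunOnce|*Indesing Microsoft|C:\ProgramData\MicroSoftTMP\system32\conhost.exe
REG|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|OneDrive|C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"""

# Command-line patterns for the shadow-copy and boot-recovery commands above.
CMD_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vss_service_stop": re.compile(r"\bnet(1)?(\.exe)?\s+stop\s+vss\b", re.I),
    "recovery_disabled": re.compile(r"bcdedit.*recoveryenabled\s+no\b", re.I),
    "bootstatus_ignored": re.compile(r"bcdedit.*bootstatuspolicy\s+ignoreallfailures", re.I),
}
# Run/RunOnce value names and drop paths from the write-up (lower-cased for matching).
RUN_VALUE_NAMES = {
    "windows smartscreen", "windows smartscreen updater", "indesing microsoft",
    "*indesing microsoft", "indesing microsoft updater", "*indesing microsoft updater",
}
DROP_PATHS = {
    r"\programdata\microsoftware\smartscreen\smartscreen.exe",
    r"\programdata\microsofttmp\system32\conhost.exe",
}

def triage(log_text):
    """Return (finding, evidence) tuples for lines matching the indicators above."""
    findings = []
    for line in log_text.splitlines():
        kind, _, rest = line.partition("|")
        if kind == "PROC":
            for name, pat in CMD_PATTERNS.items():
                if pat.search(rest):
                    findings.append((name, rest))
        elif kind == "REG":
            key, value, data = (rest.split("|", 2) + ["", ""])[:3]
            if not re.search(r"\\currentversion\\run(once)?$", key, re.I):
                continue  # only autostart keys are of interest here
            if value.lower() in RUN_VALUE_NAMES:
                findings.append(("persistence_value_name", key + "\\" + value))
            if any(data.lower().endswith(p) for p in DROP_PATHS):
                findings.append(("persistence_drop_path", data))
    return findings
```

The benign OneDrive entry and the read-only `bcdedit /enum` line produce no finding, which is the false-positive check a detection like this needs before it goes into a rule.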

Payload

Encrypts files

This threat searches for and encrypts files with the following file name extensions:

.1cd

.3dm

.3ds

.3fr

.3g2

.3gp

.3pr

.7z

.7zip

.aac

.ab4

.abd

.acc

.accdb

.accde

.accdr

.accdt

.ach

.acr

.act

.adb

.adp

.ads

.agdl

.ai

.aiff

.ait

.al

.aoi

.apj

.apk

.arw

.ascx

.asf

.asm

.asp

.aspx

.asset

.asx

.atb

.avi

.awg

.back

.backup

.backupdb

.bak

.bank

.bay

.bdb

.bgt

.bik

.bin

.bkp

.blend

.bmp

.bpw

.bsa

.c

.cash

.cdb

.cdf

.cdr

.cdr3

.cdr4

.cdr5

.cdr6

.cdrw

.cdx

.ce1

.ce2

.cer

.cfg

.cfn

.cgm

.cib

.class

.cls

.cmt

.config

.contact

.cpi

.cpp

.cr2

.craw

.crt

.crw

.cry

.cs

.csh

.csl

.css

.csv

.d3dbsp

.dac

.das

.dat

.db

.db3

.db_journal

.dbf

.dbx

.dc2

.dcr

.dcs

.ddd

.ddoc

.ddrw

.dds

.def

.der

.des

.design

.dgc

.dgn

.dit

.djvu

.dng

.doc

.docm

.docx

.dot

.dotm

.dotx

.drf

.drw

.dtd

.dwg

.dxb

.dxf

.dxg

.edb

.eml

.eps

.erbsql

.erf

.exf

.fdb

.ffd

.fff

.fh

.fhd

.fla

.flac

.flb

.flf

.flv

.flvv

.forge

.fpx

.fxg

.gbr

.gho

.gif

.gray

.grey

.groups

.gry

.h

.hbk

.hdd

.hpp

.html

.ibank

.ibd

.ibz

.idx

.iif

.iiq

.incpas

.indd

.info

.info_

.iwi

.jar

.java

.jnt

.jpe

.jpeg

.jpg

.js

.json

.k2p

.kc2

.kdbx

.kdc

.key

.kpdx

.kwm

.laccdb

.lbf

.lck

.ldf

.lit

.litemod

.litesql

.lock

.ltx

.lua

.m

.m2ts

.m3u

.m4a

.m4p

.m4v

.ma

.mab

.mapimail

.max

.mbx

.md

.mdb

.mdc

.mdf

.mef

.mfw

.mid

.mkv

.mlb

.mmw

.mny

.money

.moneywell

.mos

.mov

.mp3

.mp4

.mpeg

.mpg

.mrw

.msf

.msg

.mts

.myd

.nd

.ndd

.ndf

.nef

.nk2

.nop

.nrw

.ns2

.ns3

.ns4

.nsd

.nsf

.nsg

.nsh

.nvram

.nwb

.nx2

.nxl

.nyf

.oab

.obj

.odb

.odc

.odf

.odg

.odm

.odp

.ods

.odt

.ogg

.oil

.omg

.one

.orf

.ost

.otg

.oth

.otp

.ots

.ott

.p12

.p7b

.p7c

.pab

.pages

.pas

.pat

.pbf

.pcd

.pct

.pdb

.pdd

.pdf

.pef

.pfx

.php

.pif

.pl

.plc

.plus_muhd

.pm

.pm!

.pmi

.pmj

.pml

.pmm

.pmo

.pmr

.pnc

.pnd

.png

.pnx

.pot

.potm

.potx

.ppam

.pps

.ppsm

.ppsx

.ppt

.pptm

.pptx

.prf

.private

.ps

.psafe3

.psd

.pspimage

.pst

.ptx

.pub

.pwm

.py

.qba

.qbb

.qbm

.qbr

.qbw

.qbx

.qby

.qcow

.qcow2

.qed

.qtb

.r3d

.raf

.rar

.rat

.raw

.rdb

.re4

.rm

.rtf

.rvt

.rw2

.rwl

.rwz

.s3db

.safe

.sas7bdat

.sav

.save

.say

.sd0

.sda

.sdb

.sdf

.sh

.sldm

.sldx

.slm

.sql

.sqlite

.sqlite-shm

.sqlite-wal

.sqlite3

.sqlitedb

.sr2

.srb

.srf

.srs

.srt

.srw

.st4

.st5

.st6

.st7

.st8

.stc

.std

.sti

.stl

.stm

.stw

.stx

.svg

.swf

.sxc

.sxd

.sxg

.sxi

.sxm

.sxw

.tax

.tbb

.tbk

.tbn

.tex

.tga

.thm

.tif

.tiff

.tlg

.tlx

.txt

.upk

.usr

.vbox

.vdi

.vhd

.vhdx

.vmdk

.vmsd

.vmx

.vmxf

.vob

.vpd

.vsd

.wab

.wad

.wallet

.war

.wav

.wb2

.wma

.wmf

.wmv

.wpd

.wps

.x11

.x3f

.xis

.xla

.xlam

.xlk

.xlm

.xlr

.xls

.xlsb

.xlsm

.xlsx

.xlt

.xltm

.xltx

.xlw

.xml

.xps

.xxx

.ycbcra

.yuv

.zip

It does not encrypt files or folders whose names match any of the following:
  • $recycle.bin
  • appdata
  • application data
  • boot
  • cache
  • cookies
  • games
  • inetcache
  • microsoft
  • nvidia
  • packages
  • program files
  • program files (x86)
  • programdata
  • system volume information
  • temp
  • temporary internet files
  • tmp
  • webcache
  • windows
  • winnt


After encrypting files, this ransomware opens a ransom note as an HTML page in your web browser, similar to the following:

It also drops a plain-text file named # RESTORING FILES #.TXT that contains the same information, as follows:


Analysis by: Jireh Sanico

Last update 12 September 2017
