
Ransom:Win32/Sorikrypt.A


First posted on 17 June 2017.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Sorikrypt.A.

Explanation:

Arrival and installation

This ransomware is generated by attackers using a free ransomware construction kit called Xorcist. The kit allows attackers to build fully customized ransomware in terms of target files, the file name extension for encrypted files, the ransom note message and file name, and the unlock password.

Based on the sample analyzed (SHA1:503fcaa5a63abf3bda11b40a10903d7261133484), when executed, this ransomware creates copies of itself in the %TEMP% folder using a random file name. It then creates the following autostart entry in the registry:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Alcmeter"
With data: "%TEMP%\"

It may also create additional registry keys, for example:

In subkey: HKEY_CLASSES_ROOT\.bs7912
Sets value: "(Default)"
With data: "QVHXQDQKOFLBYBV"

In subkey: HKEY_CLASSES_ROOT\QVHXQDQKOFLBYBV
Sets value: "(Default)"
With data: "CRYPTED!"

In subkey: HKEY_CLASSES_ROOT\QVHXQDQKOFLBYBV\DefaultIcon
Sets value: "(Default)"
With data: ",0"

In subkey: HKEY_CLASSES_ROOT\QVHXQDQKOFLBYBV\shell\open\command
Sets value: "(Default)"
With data: ""

Payload

Encrypts files

This ransomware can encrypt files. Based on the sample analyzed, it encrypts data with certain file name extensions, for example:

  • .txt
  • .html
  • .pdf
  • .bmp
  • .pif
  • .jpg
  • .wav
  • .wma
  • .lnk


It appends the following string to the file name of encrypted files:
  • .bs7912


It can also create the following file:
  • HOW TO DECRYPT FILES.txt


It can also display a ransom note, which can be an image that is stored in the executable's resources and is extracted and displayed during execution.
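As an added, read-only triage check from the defender's side (this is example code, not part of the Microsoft write-up), the script below looks for the indicators listed above: the "Alcmeter" Run value, the .bs7912 file-class registration and its "CRYPTED!" ProgID, and encrypted files or the ransom note on disk. The function name, the user-profile search root and the list-of-strings report format are this example's own assumptions.

```powershell
# Added example: read-only check for the Sorikrypt.A indicators described in the write-up.
# Registry names, extension and note file name come from the write-up; the search root
# ($env:USERPROFILE) and the report shape are assumptions of this example.
function Test-SorikryptIndicators {
    param(
        # Assumption: user profile directories are where encrypted files are most likely to be.
        [string]$SearchRoot = $env:USERPROFILE
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Autostart entry: HKLM\...\Run, value "Alcmeter" pointing into %TEMP%.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Alcmeter']) {
        $findings.Add("Run value 'Alcmeter' present, data: $($run.Alcmeter)")
    }

    # 2. File-class registration for the encrypted-file extension (HKCR\.bs7912 -> ProgID -> "CRYPTED!").
    $extKey = 'Registry::HKEY_CLASSES_ROOT\.bs7912'
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    if ($progId) {
        $findings.Add("HKCR\.bs7912 is registered with ProgID '$progId'")
        $progKey = "Registry::HKEY_CLASSES_ROOT\$progId"
        $desc = (Get-ItemProperty -Path $progKey -ErrorAction SilentlyContinue).'(default)'
        if ($desc -eq 'CRYPTED!') {
            $findings.Add("ProgID '$progId' carries the description 'CRYPTED!'")
        }
    }

    # 3. Encrypted files and the ransom note on disk.
    $encrypted = Get-ChildItem -Path $SearchRoot -Filter '*.bs7912' -Recurse -File -Force -ErrorAction SilentlyContinue
    if ($encrypted) {
        $findings.Add("$(@($encrypted).Count) file(s) with the .bs7912 extension under $SearchRoot")
    }
    $notes = Get-ChildItem -Path $SearchRoot -Filter 'HOW TO DECRYPT FILES.txt' -Recurse -File -Force -ErrorAction SilentlyContinue
    if ($notes) {
        $findings.Add("Ransom note found: $(@($notes)[0].FullName)")
    }

    return $findings
}

$result = Test-SorikryptIndicators
if ($result.Count -eq 0) { 'No Sorikrypt.A indicators found.' } else { $result }
```

Any hit is a reason to isolate the host and restore affected files from backup; the HKCR registration in particular can outlive the running process, so its presence alone does not tell you whether encryption is still in progress.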

Analysis by Steven Zhou

Last update 17 June 2017
