
Ransom:Win32/Firecrypt.A


First posted on 10 January 2017.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/Firecrypt.A.

Explanation :

Installation

When launched, this ransomware copies itself as a randomly named file in the following folder:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

Payload

This ransomware searches all folders for files with the following extensions and encrypts them:

  • .aep
  • .asp
  • .aspx
  • .csv
  • .csx
  • .doc
  • .docx
  • .htm
  • .html
  • .jpg
  • .mdb
  • .mp3
  • .pdf
  • .php
  • .png
  • .psd
  • .sln
  • .sql
  • .torrent
  • .txt


After encrypting the files, it renames the files by appending ".firecrypt" to their file extensions. For example, it renames .html files to .html.firecrypt and .doc files to .doc.firecrypt.

This ransomware might save a list of the encrypted files in the following text file:

%APPDATA%\SysWin32\files.txt

It also creates the following HTML file:

%USERPROFILE%\Desktop\-READ_ME.html

When opened, this HTML file displays the ransom note.


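The installation and payload artifacts above (a randomly named copy in the per-user Startup folder, ".firecrypt" files, the SysWin32\files.txt list and the -READ_ME.html note) are enough to triage a host. The script below is an added example and is not Microsoft's or the analyst's code. It assumes the default profile layout, where %APPDATA% resolves to <profile>\AppData\Roaming, and takes a profile root as input so it runs unchanged against a live %USERPROFILE% or a mounted image. The demo profile it builds, including the file name qzxv8kd2.exe, is constructed for an offline run and is not from a real sample.

```python
"""Host triage for the Ransom:Win32/Firecrypt.A indicators described above.

Added example, not Microsoft's code. Checks a user profile for the artifacts
the analysis lists: ".firecrypt" files, the Desktop\\-READ_ME.html note, the
SysWin32\\files.txt list and runnable files dropped in the per-user Startup
folder. Assumes %APPDATA% == <profile>\\AppData\\Roaming (default layout).
"""
import hashlib
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".firecrypt"
NOTE_REL = Path("Desktop", "-READ_ME.html")
LIST_REL = Path("AppData", "Roaming", "SysWin32", "files.txt")
STARTUP_REL = Path("AppData", "Roaming", "Microsoft", "Windows",
                   "Start Menu", "Programs", "Startup")
# Extensions the write-up says the ransomware encrypts.
TARGETED_EXTS = {".aep", ".asp", ".aspx", ".csv", ".csx", ".doc", ".docx",
                 ".htm", ".html", ".jpg", ".mdb", ".mp3", ".pdf", ".php",
                 ".png", ".psd", ".sln", ".sql", ".torrent", ".txt"}
# The dropper copy is randomly named, so every runnable file in Startup is reported.
RUNNABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def sha256_file(path):
    """Hash a file in chunks; the digest is what you would submit or block on."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def original_extension(name):
    """'report.doc.firecrypt' -> '.doc': the extension the suffix was appended to."""
    stem = name[: -len(ENCRYPTED_SUFFIX)]
    return Path(stem).suffix.lower()


def scan_profile(profile_root):
    root = Path(profile_root)
    findings = {"encrypted": [], "untargeted_ext": [], "note": None,
                "file_list": None, "startup": []}
    for p in root.rglob("*"):
        if p.is_file() and p.name.lower().endswith(ENCRYPTED_SUFFIX):
            findings["encrypted"].append(str(p))
            # An encrypted file whose inner extension is not on the published
            # list points at a different variant or a misattributed sample.
            if original_extension(p.name) not in TARGETED_EXTS:
                findings["untargeted_ext"].append(str(p))
    if (root / NOTE_REL).is_file():
        findings["note"] = str(root / NOTE_REL)
    if (root / LIST_REL).is_file():
        findings["file_list"] = str(root / LIST_REL)
    startup = root / STARTUP_REL
    if startup.is_dir():
        for p in startup.iterdir():
            if p.is_file() and p.suffix.lower() in RUNNABLE_EXTS:
                findings["startup"].append((str(p), sha256_file(p)))
    return findings


def is_infected(findings):
    """Any of the three payload artifacts is a positive; Startup alone is only a lead."""
    return bool(findings["encrypted"] or findings["note"] or findings["file_list"])


def build_demo_profile():
    """Constructed sample profile (not a real infection) so the script runs offline."""
    root = Path(tempfile.mkdtemp(prefix="firecrypt-demo-"))
    for rel in (NOTE_REL, LIST_REL):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("demo")
    (root / STARTUP_REL).mkdir(parents=True, exist_ok=True)
    (root / STARTUP_REL / "qzxv8kd2.exe").write_bytes(b"MZ demo")  # invented name
    docs = root / "Documents"
    docs.mkdir()
    (docs / "report.doc.firecrypt").write_bytes(b"\x00")
    (docs / "site.html.firecrypt").write_bytes(b"\x00")
    (docs / "notes.txt").write_text("untouched")
    return root


def demo():
    return scan_profile(build_demo_profile())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("USERPROFILE", "")
    result = scan_profile(target) if target else demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with the profile root (or the corresponding directory of a mounted image) as the only argument; without one it scans the constructed demo profile. The hashes of the Startup entries are what you compare against the sample you have, since the dropper's file name carries no signal.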

Denial of Service

This ransomware might attempt to access the following legitimate URL:

hxxp://www.pta.gov.pk/index.php

It does this to generate junk traffic as part of a denial-of-service (DoS) attack against the website.





Analysis by Andrea Lelli

Last update 10 January 2017

 
