
Ransom:Win32/Mambretor.A


First posted on 27 September 2016.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Mambretor.A.

Explanation:

Installation

When installed, this threat creates the following files:

  • C:\DC22\dcapi.dll
  • C:\DC22\dccon.exe
  • C:\DC22\dcinst.exe
  • C:\DC22\dcrypt.exe
  • C:\DC22\dcrypt.sys
  • C:\DC22\log_file.txt
  • C:\DC22\mount.exe
  • C:\DC22\netpass.exe
  • C:\DC22\netpass.txt
  • C:\DC22\netuse.txt


Payload

This threat attempts to encrypt local hard drives and accessible mapped network drives.

It creates a service named "DefragmentService" and adds a user named "mythbusters" with password "123456".

It then reboots the PC. At the next boot, the malicious service begins the encryption process, which may take several minutes.
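As an added triage check (not part of the Microsoft write-up), the following PowerShell looks for the installation and payload artifacts this entry describes: the dropped files under C:\DC22, the "DefragmentService" service and the "mythbusters" local account. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module available, and an elevated session.

```powershell
# Added example: host check for the Ransom:Win32/Mambretor.A artifacts
# listed in this entry. Assumes Windows PowerShell 5.1+ with Get-LocalUser
# (Microsoft.PowerShell.LocalAccounts) and an administrative session.
$MambretorFiles = @(
    'C:\DC22\dcapi.dll',  'C:\DC22\dccon.exe',    'C:\DC22\dcinst.exe',
    'C:\DC22\dcrypt.exe', 'C:\DC22\dcrypt.sys',   'C:\DC22\log_file.txt',
    'C:\DC22\mount.exe',  'C:\DC22\netpass.exe',  'C:\DC22\netpass.txt',
    'C:\DC22\netuse.txt'
)

function Test-MambretorArtifacts {
    $findings = @()

    # Installation: files the entry says are created under C:\DC22
    foreach ($path in $MambretorFiles) {
        if (Test-Path -LiteralPath $path) {
            $findings += "file present: $path"
        }
    }

    # Payload: the service that starts the encryption after the reboot
    $svc = Get-Service -Name 'DefragmentService' -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "service present: DefragmentService (status $($svc.Status))"
    }

    # Payload: the local user the threat adds
    $user = Get-LocalUser -Name 'mythbusters' -ErrorAction SilentlyContinue
    if ($user) {
        $findings += "local user present: mythbusters (enabled=$($user.Enabled))"
    }

    return $findings
}

$hits = @(Test-MambretorArtifacts)
if ($hits.Count -eq 0) {
    Write-Output 'No Ransom:Win32/Mambretor.A artifacts found on this host.'
} else {
    Write-Warning 'Possible Ransom:Win32/Mambretor.A artifacts found:'
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

Because the encryption only starts after the reboot the threat triggers, a hit on the service or the account before that reboot is the point at which isolating the host and removing the service still prevents the disk encryption.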

If the infection is successful, the PC will display the following message at the next reboot:

Analysis by Andrea Lelli

Last update 27 September 2016
