- Distribution Method : Unknown
- MD5 : ad26ea4a337d8cea617e75fb6d47980c
- Major Detection Name : Trojan.Ransom.Shade (ALYac), Ransom:Win32/Troldesh.A (Microsoft)
- Encrypted File Pattern : <Random Filename>.<Random>.crypted000007
- Malicious File Creation Location :
- C:\ProgramData\Csrss (Hidden(H) / System(S) Fold attribute)
- C:\ProgramData\Csrss\csrss.exe (= DDFDF952.exe, Hidden(H) / System(S) File attribute)
- C:\ProgramData\Drivers (Hidden(H) / System(S) Fold attribute)
- C:\ProgramData\Drivers\csrss.exe (= 3717F103.exe, Hidden(H) / System(S) File attribute)
- C:\ProgramData\services (Hidden(H) / System(S) Fold attribute)
- C:\ProgramData\services\csrss.exe (= 38A9B669.exe, Hidden(H) / System(S) File attribute)
- C:\ProgramData\Windows (Hidden(H) / System(S) Fold attribute)
- C:\ProgramData\Windows\csrss.exe
- C:\Users\%UserName%\AppData\Local\Temp\38A9B669.exe
- C:\Users\%UserName%\AppData\Local\Temp\3717F103.exe
- C:\Users\%UserName%\AppData\Local\Temp\DDFDF952.exe
- Payment Instruction File : README1.txt / README2.txt / README3.txt / README4.txt / README5.txt / README6.txt / README7.txt / README8.txt / README9.txt / README10.txt
- Major Characteristics :
- The Russian and English users targeted
- Generates additional malware (information extortion + trying to access multiple webserver administrator accounts)
- Changes desktop background (C:\Users\%UserName%\AppData\Roaming\<Random>.bmp)
List