URL: https://malwiki.org/index.php?title=AVCrypt
AVCRYPT

From Malware Wiki


AVCrypt
Type: Ransomware, Trojan
Date: March 21st, 2018
Platform: Microsoft Windows
File Type: Win32 PE executable (.EXE)
Alias(es): Trojan-Ransom.Win32.Blocker.kwyx (Kaspersky); Ransom:Win32/Pactelung.A (Microsoft); TrojanRansom.AVCrypt.a (Jiangmin)
MD5: 248144f924d49b37312da171f14f4131
SHA-1: 1e9ed5f2520c4eb60222c5cd539b14f31699f1ba
SHA-256: 58c7c883785ad27434ca8c9fc20b02885c9c24e884d7f6f1c0cc2908a3e111f2
SSDEEP: 49152:jBB3TDq5DXAo3Q/lchXnmF69YH9dIrbU/zuaVJGBgzUgQ7x3fR2CzjUxCl+fnIfk:VBAb3Q/GoF66H9d+Yua9zUgoj7A4GILw
Authentihash: 88dae99a6b0b6049ab623791c3e167e4dc652b1649561ec588bfa581b01b84bf
Imphash: 60d2343887bb0065c132532c469e2bd3

AVCrypt is a ransomware that was discovered by Lawrence Abrams and Michael
Gillespie.


PAYLOAD


TRANSMISSION

AVCrypt is distributed by spam emails, peer-to-peer (P2P) networks, third-party
software download sources, fake software update tools, and trojans.


INFECTION

When AVCrypt is executed, it will sit idle for a brief period, extract an
embedded TOR client, and connect to the bxp44w3qwwrmuupc.onion command & control
server where it will transmit the encryption key, timezone, and Windows version
of the victim. There appears to be an error in this transmission, as it appends
other content from memory as part of the key.

AVCrypt will then attempt to remove installed security software from the
victim's computer. It does this in two ways: by specifically targeting Windows
Defender and Malwarebytes, and by querying for installed AV software and then
attempting to uninstall it.

AVCrypt will then delete Windows services required for the proper operation of
Malwarebytes and Windows Defender. AVCrypt deletes the following services:

MBAMService
MBAMSwissArmy 
MBAMChameleon 
MBAMWebProtection
MBAMFarflt
ESProtectionDriver
MBAMProtection
Schedule
WPDBusEnum
TermService
SDRSVC
RasMan
PcaSvc
MsMpSvc
SharedAccess
wscsvc
srservice
VSS
swprv
WerSvc
MpsSvc
WinDefend
wuauserv


It does this with a command of the following form:

cmd.exe /C sc config "MBAMService" start= disabled & sc stop "MBAMService" & sc delete "MBAMService";


It then queries to see what AV software is registered with Windows Security
Center and attempts to delete it via WMIC.

cmd.exe /C wmic product where ( Vendor like "%Emsisoft%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;


The above command, though, was not able to uninstall Emsisoft in this manner. It
is unknown if it would work with other AV software.

While Windows will continue to function after these services are deleted, it
will likely no longer operate properly.
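The two command lines quoted above give defenders a concrete pattern to hunt for in process-creation telemetry. The following is an added detection example (not code from the wiki or from the malware): it takes command lines as plain strings, flags a single command that disables, stops and deletes the same service (severity raised when the service is one from the list above), and flags a WMI product uninstall chained with "shutdown /a". The sample command lines are constructed for the example.

```python
import re

# Services the article lists as deleted by AVCrypt (compared case-insensitively,
# as Windows service names are).
AVCRYPT_SERVICES = {s.lower() for s in (
    "MBAMService", "MBAMSwissArmy", "MBAMChameleon", "MBAMWebProtection",
    "MBAMFarflt", "ESProtectionDriver", "MBAMProtection", "Schedule",
    "WPDBusEnum", "TermService", "SDRSVC", "RasMan", "PcaSvc", "MsMpSvc",
    "SharedAccess", "wscsvc", "srservice", "VSS", "swprv", "WerSvc",
    "MpsSvc", "WinDefend", "wuauserv")}

# "sc <verb> <service>" with an optional quoted service name.
SC_RE = re.compile(r'\bsc(?:\.exe)?\s+(config|stop|delete)\s+"?([^\s"]+)"?', re.I)
# "wmic product where ... call uninstall", as in the Emsisoft command above.
WMIC_RE = re.compile(r'\bwmic(?:\.exe)?\s+product\s+where\b.*?\bcall\s+uninstall', re.I)

def classify(cmdline):
    """Return (severity, tag, detail) findings for one process command line."""
    findings = []
    verbs = {}  # service name -> set of sc verbs applied to it in this command line
    for verb, svc in SC_RE.findall(cmdline):
        verbs.setdefault(svc.lower(), set()).add(verb.lower())
    for svc, seen in verbs.items():
        # One command line that disables, stops and deletes the same service is
        # the chain quoted above; routine administration rarely does all three.
        if seen >= {"config", "stop", "delete"}:
            sev = "high" if svc in AVCRYPT_SERVICES else "medium"
            findings.append((sev, "sc_delete_chain", svc))
    if WMIC_RE.search(cmdline):
        # Uninstall via WMI chained with "shutdown /a" to abort any reboot
        # the uninstaller schedules.
        aborts = cmdline.lower().count("shutdown /a")
        findings.append(("high" if aborts else "medium", "wmic_uninstall", f"shutdown /a x{aborts}"))
    return findings

def scan(lines):
    """Scan a list of command lines; return (line_index, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines) for f in classify(line)]

# Constructed sample command lines modelled on the ones quoted in the article,
# plus two benign administrative commands that must not alert.
SAMPLE_LOG = [
    'cmd.exe /C sc config "MBAMService" start= disabled & sc stop "MBAMService" & sc delete "MBAMService";',
    'cmd.exe /C sc config "WinDefend" start= disabled & sc stop "WinDefend" & sc delete "WinDefend";',
    'cmd.exe /C wmic product where ( Vendor like "%Emsisoft%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;',
    'sc query "wuauserv"',
    'cmd.exe /C sc stop "Spooler" & sc start "Spooler"',
]
```

Running scan(SAMPLE_LOG) yields three findings (two high-severity service chains and one WMI uninstall) and nothing for the two benign lines.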

It will then scan for files to encrypt, and when it encrypts a file, it renames
it to +[original_name]. For example, a file called test.jpg would be encrypted
and then renamed to +test.jpg. In each folder where a file is encrypted, it
also creates a ransom note named +HOW_TO_UNLOCK.txt. This ransom note contains
no contact information or instructions; it simply states "lol n".

While running, it will also add and delete a variety of registry values in order
to reduce the security of the computer.

The added registry values include:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes	.cmd;.exe;.bat;
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows	%AppData%\[username].exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth	1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows	C:\Users\User\AppData\Roaming\User.exe
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity	0
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware	1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring	1


Some of the changed values include:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden	"0"	(old value="1")
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip	"0"	(old value="1")
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden	"0"	(old value="1")
HKLM\SOFTWARE\Microsoft\Security Center\cval	"0"	(old value="1")
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	"0"	(old value="1")
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization	"0"	(old value="1")


When done, it executes a batch file named +.bat that performs a cleanup of any
dropped files, clears event logs, terminates the ransomware process, and removes
the autorun entry.

Retrieved from "https://malwiki.org/index.php?title=AVCrypt&oldid=34837"

Categories:
 * Ransomware
 * Win32 ransomware
 * Win32
 * Microsoft Windows
 * Trojan
 * Win32 trojan
 * Wiper
 * Win32 wiper

 * This page was last edited on 25 May 2021, at 14:40.