Ransom.Win32.MATRIX.J

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Malware Path}\ALL_dmpfl.fldp
• {Malware Path}\log.txt
• %Application Data%\{Random Characters}.bmp → used as wallpaper
• %Application Data%\{Random Characters}.bat → contains commands to remove volume shadow copies and disable system recovery
• %Application Data%\{Random Characters}.vbs → contains commands to create scheduled task
• {Malware Path}\{Random Characters}.exe → used for file handle manipulation
• {Malware Path}\{Random Characters}.bat → contains commands to take ownership of a file

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following copies of itself into the affected system:

• {Malware Path}\{Random Characters}.exe

It adds the following processes:

• "%System%\cmd.exe" /C copy /V /Y "{Malware Path}\{Malware Filename}.exe" "{Malware Path}\{Random Characters}.exe"
• "{Malware Path}\{Random Characters}.exe" -n → if executed without argument
• "%System%\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "%Application Data%\{Random Characters}.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
• "%System%\cmd.exe" /C wscript //B //Nologo "%Application Data%\{Random Characters}.vbs"
• cmd /c ""{Malware Path}\{Random Characters}.bat" "%Program Files%\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• JackJackOhhJackMute → if executed without argument
• JackJackOhhJackMuteDONW → if executed with argument

Other System Modifications

This Ransomware deletes the following files:

• %Application Data%\{Random Characters}.bat
• %Application Data%\{Random Characters}.vbs

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %Application Data%\{Random Characters}.bmp

HKEY_CURRENT_USER\Control Panel\Desktop
WallpaperStyle = 0

HKEY_CURRENT_USER\Control Panel\Desktop
TileWallpaper = 0

It sets the system's desktop wallpaper to the following image:

Information Theft

This Ransomware gathers the following data:

• Computer name
• User name
• System Integrity Level

Other Details

This Ransomware connects to the following website to send and receive information:

• http://{BLOCKED}p.{BLOCKED}z.org/addrec.php?apikey=jdpr_apikey&compuser={Computer Name}|{User Name}&sid={Random Characters}&phase=START

It does the following:

• It encrypts files located in the following locations:
  
  • Shared Drives
  • Removable Drives
  • Fixed Drives
  • RamDisk
• It deletes shadow copies by executing the following commands:
  
  • vssadmin Delete Shadows /All /Quiet
  • wmic SHADOWCOPY DELETE
• It disables system recovery by executing the following commands:
  
  • bcdedit /set {default} recoveryenabled No
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
• It deletes the scheduled task with the following task name:
  
  • DSHCA

It accepts the following parameters:

• -n → if not run with parameters

It adds the following scheduled tasks:

• Task name: DHSCA
  Schedule: Every 5 minutes
  Task to be run: %Application Data%\{Random Characters}.bat

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• BOOTMGR
• BOOTSECK.BAT
• DEFAULT.RDP
• HIBERFIL.SYS
• ICONCACHE.DB
• NTUSER.DAT
• NTUSER.DAT.LOG
• NTUSER.DAT.LOG1
• NTUSER.DAT.LOG2
• NTUSER.POL
• PAGEFILE.SYS
• SWAPFILE.SYS
• THUMBS.DB
• WORDPAD.EXE

It avoids encrypting files with the following strings in their file path:

• (X86)\ACRONIS\
• (X86)\BACKUP MANAGER\
• (X86)\BACKUPCLIENT\
• (X86)\CARBONITE\
• (X86)\DROPBOX\
• (X86)\GOOGLE\DRIVE\
• (X86)\MICROSOFT ONEDRIVE\
• (X86)\ONEDRIVE\
• \$RECYCLE.BIN\
• \7-ZIP\
• \ASPNET_CLIENT\
• \AVAST
• \AVDEFENDER
• \AVG
• \BITDEFENDER
• \BOOT\
• \COMMON FILES\
• \DEFAULT USER\
• \DVD MAKER\
• \ESET
• \INTERNET EXPLORER\
• \KASPERSKY LAB
• \KASPERSKYLAB
• \MALWAREBYTES
• \MCAFEE
• \MICROSOFT OFFICE\
• \MICROSOFT SILVERLIGHT\
• \MICROSOFT\CRYPTO\
• \MICROSOFT\OFFICE\
• \MICROSOFT\PROVISIONING\
• \MSOCACHE\
• \PANDA SECURITY
• \PERFLOGS\
• \PROGRAMDATA\MICROSOFT\
• \REFERENCE ASSEMBLIES\
• \SOPHOS
• \SYMANTEC ENDPOINT
• \TEMP\
• \TOR BROWSER\
• \TRENDMICRO
• \WINDOWS DEFENDER\
• \WINDOWS MEDIA PLAYER\
• \WINDOWS NT\
• \WINDOWS SIDEBAR\
• \WINDOWS.OLD\
• \WINDOWS10UPGRADE\
• \WINDOWS\
• \WINDOWSAPPS\
• \WINDOWSPOWERSHELL\
• \WINRAR\
• FILES\ACRONIS\
• FILES\BACKUP MANAGER\
• FILES\BACKUPCLIENT\
• FILES\CARBONITE\
• FILES\DROPBOX\
• FILES\GOOGLE\DRIVE\
• FILES\MICROSOFT ONEDRIVE\
• FILES\ONEDRIVE\
• VNC\

It renames encrypted files using the following names:

• [{BLOCKED}uran@aol.com].{8 Random Characters}-{8 Random Characters}.JDPR

It leaves text files that serve as ransom notes containing the following text:

• {Encrypted Directory}\JDPR_README.rtf
  
  

It avoids encrypting files with the following file extensions:

• .BLF
• .BMP
• .DLL
• .ICO
• .JDPR
• .LOG
• .LOG1
• .LOG2
• .RBS
• .RDP
• .REGTRANS-MS
• .RTF
• .SEARCH-MS
• .SEK
• .SETTINGCONTENT-MS
• .TMP
• .VBS
• .XML