Ransom.MSIL.ANNABELLE.A
MSIL/Filecoder.DP!tr.ransom (FORTINET), Ransom:MSIL/FileCoder!MTB (MICROSOFT)
Windows
Threat Type: Ransomware
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Ransomware may be unknowingly downloaded by a user while visiting malicious websites.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It encrypts files found in specific folders.
TECHNICAL DETAILS
Arrival Details
This Ransomware may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This Ransomware drops and executes the following files:
- MBRiCoreX.exe
It adds the following processes:
- %System%\vssadmin.exe vssadmin delete shadows /all /quiet
- %System%\NetSh.exe NetSh Advfirewall set allprofiles state off
- %System%\Shutdown.exe -r -t 00 -f
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
Autostart Technique
This Ransomware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
UpdateBackUp = {Malware Path}
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
UpdateBackUp = {Malware Path}
HKEY_LOCAL_MACHINE\Software\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Run
UpdateBackUp = {Malware Path}
Other System Modifications
This Ransomware modifies the following registry entries:
HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = 1
HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows Defender
DisableRoutinelyTakingAction = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
WindowsDefenderMAJ = 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
WindowsDefenderMAJ = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows Script Host\Settings
Enabled = 0
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows Script Host\Settings
Enabled = 0
HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableSR = 1
HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableSR = 1
HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = 1
HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = 1
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services
USBSTOR = 4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services
USBSTOR = 4
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 1
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 1
HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows
DisableCMD = 2
HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows\System
DisableCMD = 2
HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft
DisableCMD = 2
HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows
DisableCMD = 2
HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\System
DisableCMD = 2
HKEY_CURRENT_USER\Software\Policies\
Microsoft
DisableCMD = 2
HKEY_CURRENT_USER\Software\Policies\
Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}
Restrict_Run = 1
HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}
Restrict_Run = 1
HKEY_CURRENT_USER\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableRealtimeMonitoring = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableRealtimeMonitoring = 1
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services
SecurityHealthService = 4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services
SecurityHealthService = 4
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services
WdNisSvc = 3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services
WdNisSvc = 3
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services
WinDefend = 3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services
WinDefend = 3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoControlPanel = 1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\SafeBoot\Minimal
MinimalX = 1
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoRun = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoRun = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = {Malware Path}\{Malware Filename}.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1
Propagation
This Ransomware drops the following copy(ies) of itself in all removable drives:
- {Removable Drive}:\Copter.flv.exe
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[autorun]
open=Copter.flv.exe
shellexecute=Copter.flv.exe
Process Termination
This Ransomware terminates the following processes if found running in the affected system's memory:
- ProcessHacker
- procexp64
- msconfig
- taskmgr
- chrome
- firefox
- regedit
- opera
- UserAccountControlSettings
- yandex
- microsoftedge
- microsoftedgecp
- iexplore
Other Details
This Ransomware does the following:
- It disables the following:
- Windows Defender
- System Restore
- Task Manager
- CMD
- Run Command
- Control Panel
- Safe Boot
- Registry Tools
- Windows Script Host
- USB driver
It disables executing the following applications by adding the following registry entries:- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{application}
- Debugger = RIP
where {application} are as follows:- msconfig.exe
- taskmgr.exe
- cmd.exe
- chrome.exe
- firefox.exe
- opera.exe
- microsoftedge.exe
- microsoftedgecp.exe
- notepad++.exe
- iexplore.exe
- notepad.exe
- MSASCuiL.exe
- mmc.exe
- gpedit.msc
- UserAccountControlSettings.exe
- Autoruns64.exe
- Autoruns.exe
- systemexplorer.exe
- taskkill.exe
- powershell.exe
- yandex.exe
- attrib.exe
- bcdedit.exe
- sethc.exe
- mspaint.exe
- dllhost.exe
- rundll.exe
- rundll32.exe
- cabinet.dll
- chkdsk.exe
- DBGHELP.exe
- DCIMAN32.exe
- wmplayer.exe
- ksuser.dll
- mpg4dmod.dll
- mydocs.dll
- rasman.dll
- shellstyle.dll
- secpol.msc
- url.dll
- usbui.dll
- webcheck.dll
- recoverydrive.exe
- logoff.exe
- control.exe
- explorer.exe
- regedit.exe
- csrss.exe
It also connects to http://{BLOCKED}somatic.com/
Ransomware Routine
This Ransomware encrypts files found in the following folders:
- %User Profile%\Downloads
- %User Profile%\Desktop
- D:\
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
It appends the following extension to the file name of the encrypted files:
- .ANNABELLE
NOTES:
This ransomware displays the following message box:
It then reboots the system and displays this lock screen:
Once the user clicks the button “Credit”, it displays the following:
Once the user clicks the button “Information”, it displays the following:
Once the user clicks the button “Encrypted Files”, it displays the following:
Once the user clicks the button “Check Payment / Get Code”, it displays the following:
The unlock key is: wHYecVx64uX2zjVedeTeyRLN
It displays the following window that shows the decryption process of the malware:
It reboots the system and displays the malware's MBR, making the system unbootable:
SOLUTION
NOTES:
Restore the system from backup or reinstall the operating system (OS). The system may be made bootable by doing a system repair using a Windows installer disk.
Did this description help? Tell us how we did.