DigiPop.xp

Trojan-Ransom.Win32.DigiPop.xp, or DigiPop.xp, is a ransomware trojan that terminates certain security software in memory and performs numerous other actions, described below.

Behavior

Internal

The trojan will perform the following actions.

  • The trojan attempts to terminate the following processes in system memory (all belong to anti-virus, anti-spyware or firewall products):
Tmas.exe
ekrn.exe
gcasServ.exe
msscli.exe
avp.exe
dwengine.exe
avastsvc.exe
avguard.exe
winroute.exe
zlclient.exe
op_mon.exe
  • It attempts to find the "SharedAccess" service and terminates it.
  • It attempts to load the following Application Extensions (DLLs) and call their "__register_frame_info" and "_Jv_RegisterClasses" routines, respectively:
%WorkDir%\libgcc_s_dw2-1.dll
%WorkDir%\libgcj_s.dll
  • It drops a single .ddr file named "efhhcwck.ddr" (1598 bytes) into the Application Data folder, together with the file "efhhcwck.exe".
  • It creates the following registry values:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
"0X29A"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"

The two Run values make sure efhhcwck.exe is started again at every boot.

  • It also drops the following Startup shortcut:
%USERPROFILE%\Start Menu\Programs\Startup\healm_jamc.lnk
  • The trojan runs as two processes, the second launched with the DNNL parameter. Both are always running: if either is terminated, the other recreates it.

External

  • The trojan sends requests to the following IP address (partially redacted in the source):
188.***.168
  • The requests are HTTP/1.0 GET requests for the following paths:
HTTP/1.0
GET
/_req/?type=e&sid=2&sw=00000000000000000&ostype=2&ossp=2&osbits=0&osfwtype=2&osrights=255
/_req/?type=m&sid=2&sw=00000000000000000
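The two beacon URIs above are distinctive enough to hunt for in proxy or web-filter logs. The following PowerShell is an added example, not code from the wiki page or from any vendor: it matches the `/_req/?type=...&sid=...&sw=...` shape, generalised slightly (any `type` letter and any `sid`/`sw` digits) so that minor variants are still caught. The log format (client, method, URL per line) and the sample lines are constructed; the host name is a placeholder because the real IP is redacted on the page.

```powershell
# Added example (not from the wiki page): flag log lines carrying the DigiPop.xp
# beacon URI pattern. Log layout and sample lines are constructed for this demo;
# "c2.example.invalid" stands in for the redacted 188.***.168 address.
$sampleLog = @'
10.0.0.15 GET http://c2.example.invalid/_req/?type=e&sid=2&sw=00000000000000000&ostype=2&ossp=2&osbits=0&osfwtype=2&osrights=255
10.0.0.15 GET http://c2.example.invalid/_req/?type=m&sid=2&sw=00000000000000000
10.0.0.22 GET http://www.example.com/index.html
'@ -split "`n"

function Find-DigiPopBeacon {
    param([string[]]$Lines)
    # Path "/_req/" followed by the type/sid/sw query triple seen in both requests.
    # [a-z] instead of [em] and \d+ instead of the literal values generalise the match.
    $pattern = '/_req/\?type=[a-z]&sid=\d+&sw=\d+'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Client    = ($line -split '\s+')[0]
                Indicator = $Matches[0]
                Line      = $line.Trim()
            }
        }
    }
}

# Two of the three constructed lines should be reported.
Find-DigiPopBeacon -Lines $sampleLog | Format-Table -AutoSize
```

To run it against a real export, replace `$sampleLog` with `Get-Content proxy.log`; the `Client` column is what you would pivot on to find the infected host.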

Payload

After the Internal and External activity, the payload will trigger.

1. It deletes the original trojan file.
2. It creates the following global named object to ensure only one instance of the payload runs:

Global\dobeDNNLjpgo


3. It creates the following registry values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
 "DisableTaskMgr" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
 "NoLogoff" = "1"


The above should be self-explanatory: these values lock the user out of both Task Manager and the Shut Down sub-menu.

4. The trojan forces the user through a local proxy (127.0.0.1:41653) by changing the Internet Explorer settings:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
 "MigrateProxy" = "1"
 "ProxyEnable" = "1"
 "ProxyServer" = "http=127.0.0.1:41653;"


5. In addition to the above, it deletes the following keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
 "ProxyOverride"
 "AutoConfigURL"


6. When other browsers are run, the trojan applies a blacklist of the following sites (the unlocker pages of anti-virus vendors):

www.drweb.com/unlocker
www.esetnod32.ru/.support/winlock
http://virusinfo.info/deblocker
http://support.kaspersky.ru/viruses/deblocker


7. The trojan continuously checks system memory for the following processes (tools that could be used to inspect or stop it) and terminates them:

far.exe
msconfig.exe
taskmgr.exe
taskkill.exe
avz.exe
regedit.exe
procmon.exe

It then offers to undo these actions for a fee; paying is not recommended under any circumstances.
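The Internal and Payload indicators above (dropped files, Startup shortcut, Run values, the lockout and proxy values, and the watchdog process pair) can be checked on a suspect host without changing anything. The following PowerShell triage script is an added example, not code from the wiki page or from any vendor. It assumes an elevated prompt, that `%APPDATA%` resolves to the "Application Data" folder named on the page (true on Windows XP; on later Windows it is the Roaming folder, so the literal XP path is checked as well), and that the DNNL argument is visible in the process command line.

```powershell
# Added example (not from the wiki page): read-only triage for DigiPop.xp indicators.
# Assumptions: elevated prompt; %APPDATA% is the "Application Data" folder the page
# names (the literal XP path is checked too); PowerShell 3+ for Get-CimInstance.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files and the Startup shortcut (Behavior section)
$files = @(
    (Join-Path $env:APPDATA 'efhhcwck.ddr'),
    (Join-Path $env:APPDATA 'efhhcwck.exe'),
    (Join-Path $env:USERPROFILE 'Application Data\efhhcwck.ddr'),
    (Join-Path $env:USERPROFILE 'Application Data\efhhcwck.exe'),
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\healm_jamc.lnk')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}

# 2. Persistence, lockout and proxy values (Behavior and Payload sections).
#    'Data' is the value the trojan writes; entries without 'Data' match on presence alone.
$regChecks = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'PC Health Status' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'PC Health Status' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform'; Name = '0X29A' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Data = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoLogoff'; Data = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyServer'; Data = 'http=127.0.0.1:41653;' }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $data = $item.($c.Name)
        if (-not $c.ContainsKey('Data') -or "$data" -eq $c.Data) {
            $findings.Add("Registry: $($c.Key)\$($c.Name) = $data")
        }
    }
}

# 3. The watchdog pair: two efhhcwck.exe processes, one carrying the DNNL argument
$procs = Get-CimInstance Win32_Process -Filter "Name = 'efhhcwck.exe'"
foreach ($p in $procs) {
    $findings.Add("Process: PID $($p.ProcessId) cmdline '$($p.CommandLine)'")
}
if (@($procs).Count -ge 2) { $findings.Add('Two instances running: watchdog behaviour described on the page') }

if ($findings.Count -eq 0) { 'No DigiPop.xp indicators found.' } else { $findings }
```

The mutex name `Global\dobeDNNLjpgo` is deliberately not queried here; it is easiest to confirm with a handle viewer, and the file and registry hits above are sufficient to decide whether to proceed to Removal.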

Removal

1. Boot into a clean environment (Safe Mode, Hiren's Boot CD, etc.).

2. Delete the following files:

%USERPROFILE%\Application Data\efhhcwck.ddr
%USERPROFILE%\Application Data\efhhcwck.exe
%USERPROFILE%\Start Menu\Programs\Startup\healm_jamc.lnk

3. Delete the following registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
 "0X29A"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "PC Health Status" = "%USERPROFILE%\Application Data\efhhcwck.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
 "DisableTaskMgr" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
 "NoLogoff" = "1"

4. Restore the original values of the following keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
 "MigrateProxy"
 "ProxyEnable"
 "ProxyServer"
 "ProxyOverride"
 "AutoConfigURL"

5. Clean up with anti-virus software.
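Steps 2 to 4 can be scripted so that they are applied in one pass, which matters because the two watchdog processes otherwise recreate each other and rewrite the values while you delete them. The following PowerShell is an added example, not code from the wiki page or from any vendor. It assumes an elevated prompt in Safe Mode (step 1 already done) and, because the original proxy settings are unknown, falls back to "no proxy" (ProxyEnable set to 0, ProxyServer and MigrateProxy removed) instead of restoring previous values; ProxyOverride and AutoConfigURL were deleted by the trojan and must be re-entered from a known-good source.

```powershell
# Added example (not from the wiki page): scripted removal steps 2-4.
# Assumptions: elevated prompt in Safe Mode; original proxy settings unknown, so the
# script resets to "no proxy" rather than restoring them.
$ErrorActionPreference = 'Continue'

# Stop both watchdog instances in a single pipeline so neither can respawn the other
Get-Process -Name 'efhhcwck' -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 2: dropped files and the Startup shortcut (XP path and %APPDATA% both checked)
$files = @(
    "$env:USERPROFILE\Application Data\efhhcwck.ddr",
    "$env:USERPROFILE\Application Data\efhhcwck.exe",
    "$env:APPDATA\efhhcwck.ddr",
    "$env:APPDATA\efhhcwck.exe",
    "$env:USERPROFILE\Start Menu\Programs\Startup\healm_jamc.lnk"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Remove-Item -LiteralPath $f -Force
        "Removed file $f"
    }
}

# Step 3: persistence and lockout values
$values = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform'; Name = '0X29A' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'PC Health Status' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'PC Health Status' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoLogoff' }
)
foreach ($v in $values) {
    if (Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $v.Key -Name $v.Name -Force
        "Removed value $($v.Key)\$($v.Name)"
    }
}

# Step 4: proxy settings. "No proxy" is the assumed baseline; adjust if the machine
# legitimately used a proxy before the infection.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $inet -Name 'ProxyEnable' -Value 0 -Type DWord
foreach ($n in 'ProxyServer', 'MigrateProxy') {
    Remove-ItemProperty -Path $inet -Name $n -ErrorAction SilentlyContinue
}
# ProxyOverride and AutoConfigURL were deleted by the trojan; re-create them only from
# a known-good source (domain policy or a pre-infection backup), e.g.:
# Set-ItemProperty -Path $inet -Name 'ProxyOverride' -Value '<local>'

"Files, persistence and proxy settings cleaned; now run a full anti-virus scan (step 5)."
```

Verify afterwards that Task Manager opens and that Internet Options shows no proxy before returning the machine to normal use.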

Sources

Securelist (Kaspersky Labs), Trojan-Ransom.Win32.DigiPog.xp

Technical Info

Hashes

MD5: 5433BBDADE3E6801BAC602D2FD636E74

SHA1: 95D34CCFBC0E8B0DDDC12B120634ED686F6A8721
