SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

MarsJoke Ransomware Targets State And Local Government Agencies (Sep 30, 2016)


The Dell Sonicwall Threats Research team observed reports of a new Ransomware family Named MarsJoke [GAV: FileCryptor.A_2] which targets state and local government agencies actively spreading in the wild.

The Malware encrypts the victims files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The Malware uses the following icons:

The Malware adds the following files to the system:

  • Malware.exe

    • %Userprofile%\Start Menu\Programs\Startup\Malware.exe

    • C:\WINDOWS\Tasks\exgnygmf.job

    • C:\Documents and Settings\!!! For Decrypt !!!.bat

    • C:\Documents and Settings\!!! Readme For Decrypt !!!.txt

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\software

    • %Userprofile%\Start Menu\Programs\Startup\Malware.exe

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager\Local

    • %Userprofile%\Start Menu\Programs\Startup\Malware.exe

The Trojan adds the following files to the Windows Task Job to ensure persistence upon reboot:

The Malware runs following commands on the system:

Once the computer is compromised, the malware copies its own executable file to %Userprofile%\ Start Menu \ folder and creates another process named Malware.exe.

The Malware encrypts the victims files with a strong AES 256 encryption.

Encrypted files keep their original extension. Temporary files with .a19 and .ap19 file extensions are used during the encryption process but are deleted when the process is finished.

After encrypting all the personal documents and files it shows the following picture:

Command and Control (C&C) Traffic

The Malware performs C&C communication over 80 ports. The malware sends your system information to its own C&C server via following format, here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: FileCryptor.A_2 (Trojan)


Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2019 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 14.6 | S2MSW04