The third instance of Zeppelin is mainly for file encryption. First it will check available drives in the system by iterating drives from Z: to A:. It only looks for certain drive types which are: unknown, removable, fixed, remote and RAM disk drives.
Then, all directories except Windows Operating System-related, Internet browsers and among other folders, will be traversed to encrypt all files in it. These whitelisted folders and its files are avoided to ensure the proper execution of the malware.Continue reading