Analyzed by: Anthony Joe Melgarejo

 Platform:

Windows

 Overall risk rating:
 Damage potential:
 Distribution potential:
 Reported infection:
 Information exposure:
(rating scale: Low, Medium, High, Critical)

  • Grayware type:
    Trojan

  • Destructive:
    No

  • Encrypted:
     

  • In the wild:
    Yes

  Overview


  Technical details

File size: 788,480 bytes
File type: EXE
Initial samples received on: 30 August 2015

Installation

Drops the following files:

  • %All Users Profile%\Desktop\how to decrypt files.lnk
  • %System Root%\{random numbers}\lsass86vl.exe
  • %System Root%\{random numbers}\howtodecryptaesfiles.htm
  • %System Root%\{random numbers}\howtodecryptaesfiles2.htm
  • %System Root%\{random numbers}\{random numbers}.list
  • %System Root%\ProgramData\svtstcrs\stplsctkvbs.dll
  • %System Root%\ProgramData\svcfnmainstvestvs\stppthmainfv.dll
  • %System Root%\ProgramData\svcfnmainstvestvs\xerrors.txt
  • %System Root%\ProgramData\{random numbers 1}\svchost.exe
  • %System Root%\ProgramData\{random numbers 2}\svchost.exe
  • %System Root%\ProgramData\{random numbers 3}\{random numbers}.bat
  • %System Root%\ProgramData\{random numbers 3}\{random numbers}.txt
  • %System Root%\ProgramData\{random numbers 3}\{random numbers}.dlls
  • %System Root%\ProgramData\{random numbers 4}\{random numbers}.dll
  • %System Root%\ProgramData\{random numbers 4}\{random numbers}fspall1.dll
  • %System Root%\ProgramData\{random numbers 4}\BKR{random numbers}.dll
  • %System Root%\ProgramData\{random numbers 4}\BKR2{random numbers}.dll
  • %System Root%\ProgramData\{random numbers 4}\BDR{random numbers}.dll
  • %System%\{random numbers}.dll
  • %System%\default2.sfx
  • %System%\decryptaesfiles.htm
  • %System%\btlogoffusrsmtv.bat
  • %System%\wblsys32vt86exkdll.dll
  • %System Root%\{random numbers}\svchost.exe

(Note: %System Root% is the root folder, usually C:\. It is also where the operating system is located. %System% is the Windows system folder, usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)

Creates the following folders:

  • %System Root%\{random numbers}
  • %System Root%\ProgramData\svcfnmainstvestvs
  • %System Root%\ProgramData\svtstcrs
  • %System Root%\ProgramData\{random numbers 1}
  • %System Root%\ProgramData\{random numbers 2}
  • %System Root%\ProgramData\{random numbers 3}
  • %System Root%\ProgramData\{random numbers 4}

(Note: %System Root% is the root folder, usually C:\. It is also where the operating system is located.)

Autostart technique

Registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinSamSs
ImagePath = {malware file path}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinSamSs
DisplayName = "Windows Security Accounts Manager"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinSamSs
Description = "The startup of this service signals to other services that the Security Accounts Manager (SAM) is ready to accept other requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled."

Adds the following registry entry to run the dropped component automatically at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
%System Root%\{random numbers}\howtodecryptaesfiles = %System Root%\{random numbers}\howtodecryptaesfiles.htm

Registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinSamSs

Other system modifications

Adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
PCHealth\ErrorReporting
ForceQueueMode = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
PCHealth\ErrorReporting
IncludeShutdownErrs = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Windows Error Reporting
Disabled = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Windows Error Reporting
DisableArchive = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Windows Error Reporting
DisableQueue = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Windows Error Reporting
DontSendAdditionalData = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Windows Error Reporting
ForceQueue = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Windows Error Reporting
LoggingDisabled = "1"

Modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
PCHealth\ErrorReporting
IncludeMicrosoftApps = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
PCHealth\ErrorReporting
IncludeKernelFaults = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
PCHealth\ErrorReporting
DoReport = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
PCHealth\ErrorReporting
ShowUI = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
PCHealth\ErrorReporting
AllOrNone = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SystemRestore
DisableSR = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\CrashControl
CrashDumpEnabled = "0"

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\CrashControl
LogEvent = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\FastUserSwitchingCompatibility
Start = "4"

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\RemoteRegistry
Start = "4"

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\sr
Start = "4"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srservice
Start = "4"

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SSDPSRV
Start = "4"

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WebClient
Start = "4"

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = "4"

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Start = "4"

(Note: The default value data of the said registry entry is 2.)
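The registry changes listed above (Windows Error Reporting switched off, System Restore disabled, crash dumps suppressed, several services set to Start = 4, and the WinSamSs service used for persistence) can be checked for mechanically. The script below is an added example, not code from the original report or from the vendor: it loads the indicators from the two registry lists above, with the default data the report states for each modified value, and compares them against a snapshot of a host's registry. The snapshot format (a dict mapping "HKEY_LOCAL_MACHINE\<key>\<value name>" to the value data as a string) is an assumption made for illustration, and the two snapshots at the bottom are constructed by hand so the script runs offline; on a live host the same dict could be filled from `reg query` output.

```python
"""Check a registry snapshot for the modifications documented in this report.

Added example, not the report's own code.  Snapshot format (assumption):
{"HKEY_LOCAL_MACHINE\\<key>\\<value name>": "<data as string>", ...}
"""

from dataclasses import dataclass
from typing import Optional

HKLM = "HKEY_LOCAL_MACHINE"
# Persistence service named in the report's autostart section.
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\WinSamSs"


@dataclass(frozen=True)
class Indicator:
    key: str                # registry key relative to HKLM
    name: str               # value name
    malware_data: str       # data the report attributes to the malware
    default: Optional[str]  # default stated in the report; None if the value is normally absent


# "Adds the following registry entries": normally absent, so no default.
ADDED = [
    Indicator(r"SOFTWARE\Microsoft\PCHealth\ErrorReporting", "ForceQueueMode", "0", None),
    Indicator(r"SOFTWARE\Microsoft\PCHealth\ErrorReporting", "IncludeShutdownErrs", "0", None),
    Indicator(r"SOFTWARE\Microsoft\Windows\Windows Error Reporting", "Disabled", "1", None),
    Indicator(r"SOFTWARE\Microsoft\Windows\Windows Error Reporting", "DisableArchive", "1", None),
    Indicator(r"SOFTWARE\Microsoft\Windows\Windows Error Reporting", "DisableQueue", "1", None),
    Indicator(r"SOFTWARE\Microsoft\Windows\Windows Error Reporting", "DontSendAdditionalData", "1", None),
    Indicator(r"SOFTWARE\Microsoft\Windows\Windows Error Reporting", "ForceQueue", "0", None),
    Indicator(r"SOFTWARE\Microsoft\Windows\Windows Error Reporting", "LoggingDisabled", "1", None),
]

# "Modifies the following registry entries": each with the default the report states.
MODIFIED = [
    Indicator(r"SOFTWARE\Microsoft\PCHealth\ErrorReporting", "IncludeMicrosoftApps", "0", "1"),
    Indicator(r"SOFTWARE\Microsoft\PCHealth\ErrorReporting", "IncludeKernelFaults", "0", "1"),
    Indicator(r"SOFTWARE\Microsoft\PCHealth\ErrorReporting", "DoReport", "0", "1"),
    Indicator(r"SOFTWARE\Microsoft\PCHealth\ErrorReporting", "ShowUI", "0", "1"),
    Indicator(r"SOFTWARE\Microsoft\PCHealth\ErrorReporting", "AllOrNone", "0", "1"),
    Indicator(r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore", "DisableSR", "1", "0"),
    Indicator(r"SYSTEM\CurrentControlSet\Control\CrashControl", "CrashDumpEnabled", "0", "3"),
    Indicator(r"SYSTEM\CurrentControlSet\Control\CrashControl", "LogEvent", "0", "1"),
    Indicator(r"SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility", "Start", "4", "3"),
    Indicator(r"SYSTEM\CurrentControlSet\Services\RemoteRegistry", "Start", "4", "2"),
    Indicator(r"SYSTEM\CurrentControlSet\Services\sr", "Start", "4", "0"),
    Indicator(r"SYSTEM\CurrentControlSet\Services\srservice", "Start", "4", "2"),
    Indicator(r"SYSTEM\CurrentControlSet\Services\SSDPSRV", "Start", "4", "3"),
    Indicator(r"SYSTEM\CurrentControlSet\Services\WebClient", "Start", "4", "2"),
    Indicator(r"SYSTEM\CurrentControlSet\Services\wscsvc", "Start", "4", "2"),
    Indicator(r"SYSTEM\CurrentControlSet\Services\wuauserv", "Start", "4", "2"),
]

INDICATORS = ADDED + MODIFIED


def _path(ind):
    return f"{HKLM}\\{ind.key}\\{ind.name}"


def matching_indicators(snapshot):
    """Indicators whose data in the snapshot equals the malware-set data."""
    return [ind for ind in INDICATORS if snapshot.get(_path(ind)) == ind.malware_data]


def service_present(snapshot):
    """True if any value lives under the WinSamSs service key."""
    prefix = f"{HKLM}\\{SERVICE_KEY}\\"
    return any(path.startswith(prefix) for path in snapshot)


def assess(snapshot):
    """Summarise hits, service presence, and a remediation plan:
    values with a stated default go to 'restore', values the malware added go to 'delete'."""
    hits = matching_indicators(snapshot)
    return {
        "hits": len(hits),
        "service_present": service_present(snapshot),
        "restore": [(i.key, i.name, i.default) for i in hits if i.default is not None],
        "delete": [(i.key, i.name) for i in hits if i.default is None],
    }


# Constructed snapshots for demonstration (not captured from a real host).
INFECTED = {
    f"{HKLM}\\{SERVICE_KEY}\\DisplayName": "Windows Security Accounts Manager",
    f"{HKLM}\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled": "1",
    f"{HKLM}\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR": "1",
    f"{HKLM}\\SYSTEM\\CurrentControlSet\\Services\\wuauserv\\Start": "4",
    f"{HKLM}\\SYSTEM\\CurrentControlSet\\Services\\RemoteRegistry\\Start": "2",  # still at default
}
CLEAN = {
    f"{HKLM}\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR": "0",
    f"{HKLM}\\SYSTEM\\CurrentControlSet\\Services\\wuauserv\\Start": "2",
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, assess(snap))
```

A single matching value is weak evidence on its own, since administrators also disable Windows Error Reporting or System Restore by policy; the combination of several hits together with the WinSamSs service key is what distinguishes this report's profile. The 'restore' list only covers values for which the report states a default, so added values are returned separately for deletion rather than guessed at.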

Other details

Renames encrypted files to the following:

  • {original filename}(!! to get password email id {victim ID} brinfo15@gmail.com!!).exe