Analyzed by: John Donnie Celestre

 

Ransom:Win32/Redeye (MICROSOFT); W32/Generic!tr (FORTINET)

Platform:

Windows

Overall risk rating:
Damage potential:
Distribution potential:
Reported infection:
Information exposure:

(Rating scale: Low, Medium, High, Critical)

  • Grayware type:
    Ransomware

  • Destructive:
    No

  • Encrypted:
    Yes

  • In the Wild:
    Yes

  Overview

Infection channel: Dropped by other malware

Drops an AUTORUN.INF file to automatically execute the dropped copies when a user accesses the drives of an affected system.

  Technical details

File size: 11,099,136 bytes
File type: EXE
Memory resident: Yes
Initial samples received date: 07 June 2018
Payload: Encrypts files, connects to URLs/IPs, terminates processes

Installation

Drops the following files:

  • %System Root%\Save1.txt
  • %System Root%\autorun.inf
  • %System Root%\Windows\Nope.txt
  • %System Root%\Windows\Detect.txt
  • %System Root%\Windows\AfterMBR.txt
  • %System Root%\redeyebmp.bmp -> used as wallpaper

(Note: %System Root% is the root folder, usually C:\. It is also where the operating system is located.)

Drops the following copies of itself into the affected system:

  • %User Temp%\{malware name}.exe

(Note: %User Temp% is the current user's Temp folder, usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Autostart technique

Adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Update = %User Temp%\{malware name}.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Update = %User Temp%\{malware name}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = %User Temp%\{malware name}.exe

Other system modifications

Adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Control Panel\Desktop
WallPaper = %System Root%\redeyebmp.bmp

HKEY_CURRENT_USER\Software\ShortCutInfection
Mr.Wolf = True

Modifies the following registry entries:

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows Defender
DisableRoutinelyTakingAction = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
WindowsDefenderMAJ = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
WindowsDefenderMAJ = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows Script Host\Settings
Enabled = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows Script Host\Settings
Enabled = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableSR = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableSR = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services
USBSTOR = 4

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services
USBSTOR = 4

(Note: The default value data of the said registry entry is 3.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Policies\
Microsoft\Windows Defender
ServiceKeepAlive = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
ServiceKeepAlive = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\SOFTWARE\Policies\
Microsoft\Windows Defender\Signature Updates
ForceUpdateFromMU = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Signature Updates
ForceUpdateFromMU = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\SOFTWARE\Policies\
Microsoft\Windows Defender\Signature Updates
UpdateOnStartUp = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows
DisableCMD = 2

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows\System
DisableCMD = 2

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft
DisableCMD = 2

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows
DisableCMD = 2

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\System
DisableCMD = 2

HKEY_CURRENT_USER\Software\Policies\
Microsoft
DisableCMD = 2

HKEY_CURRENT_USER\Software\Policies\
Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}
Restrict_Run = 1

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}
Restrict_Run = 1

HKEY_CURRENT_USER\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableRealtimeMonitoring = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableRealtimeMonitoring = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services
SecurityHealthService = 4

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services
SecurityHealthService = 4

(Note: The default value data of the said registry entry is 2.)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services
WdNisSvc = 3

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services
WdNisSvc = 3

(Note: The default value data of the said registry entry is 2.)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services
WinDefend = 3

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services
WinDefend = 3

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoControlPanel = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoRun = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoRun = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDrives = 4

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDrives = 4
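A read-only host audit for the dropped files, autostart entries and registry modifications listed under Installation, Autostart technique and Other system modifications above, added here as an example and not part of the Trend Micro entry. It assumes an elevated PowerShell 5.1 prompt on the host being checked; reading the entry's "Services ... WinDefend = 3" style lines as the services' Start data is an assumption noted in the code, and only a subset of the listed values is checked.

```powershell
function Test-RedeyeIndicators {
    $checks = @(
        # Path, value name and the data this ransomware writes (all taken from the entry).
        @{ P = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      N = 'DisableAntiSpyware';        Bad = 1 },
        @{ P = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; N = 'DisableRealtimeMonitoring'; Bad = 1 },
        @{ P = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';              N = 'DisableSR';                 Bad = 1 },
        @{ P = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         N = 'DisableTaskMgr';            Bad = 1 },
        @{ P = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         N = 'DisableRegistryTools';      Bad = 1 },
        @{ P = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         N = 'EnableLUA';                 Bad = 0 },
        @{ P = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                        N = 'DisableCMD';                Bad = 2 },
        @{ P = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings';                   N = 'Enabled';                   Bad = 0 },
        # The entry's "Services ... WinDefend = 3" is read here as the service's
        # Start value (3 = manual, default 2 = automatic); that reading is an assumption.
        @{ P = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend';                       N = 'Start';                     Bad = 3 },
        @{ P = 'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService';           N = 'Start';                     Bad = 4 },
        # Infection marker the entry lists under "Other system modifications" (assumed to be a string).
        @{ P = 'HKCU:\Software\ShortCutInfection';                                        N = 'Mr.Wolf';                   Bad = 'True' }
    )
    $hits = @(foreach ($c in $checks) {
        $v = Get-ItemProperty -Path $c.P -Name $c.N -ErrorAction SilentlyContinue
        if ($null -ne $v -and "$($v.$($c.N))" -eq "$($c.Bad)") {
            [pscustomobject]@{ Indicator = "$($c.P)\$($c.N)"; Value = $v.$($c.N) }
        }
    })
    # Autostart: a Run value named "Windows Update" pointing into the user's Temp
    # folder, or a Winlogon Shell that is no longer explorer.exe.
    foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $wu = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).'Windows Update'
        if ($wu -and $wu -like "$env:TEMP\*") {
            $hits += [pscustomobject]@{ Indicator = "$run\Windows Update"; Value = $wu }
        }
    }
    $shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $hits += [pscustomobject]@{ Indicator = 'Winlogon\Shell'; Value = $shell }
    }
    # Dropped files in the system root (the entry's %System Root%).
    foreach ($f in 'Save1.txt', 'autorun.inf', 'redeyebmp.bmp', 'Windows\Nope.txt', 'Windows\Detect.txt') {
        $p = Join-Path "$env:SystemDrive\" $f
        if (Test-Path -LiteralPath $p) { $hits += [pscustomobject]@{ Indicator = 'Dropped file'; Value = $p } }
    }
    return $hits
}
# Prints one row per indicator present; no output means none of the checked items was found.
Test-RedeyeIndicators | Format-Table -AutoSize
```

A hit on the Defender or SystemRestore policy values alone is not proof of this family, since administrators set the same policies legitimately; treat the Run-key, Winlogon Shell and dropped-file rows as the stronger signals.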

File infection

Avoids infecting the following files:

  • desktop.ini

Propagation

Drops the following copies of itself in all physical and removable drives:

  • {Logical Drives}:\windows.exe

Drops an AUTORUN.INF file to automatically execute the dropped copies when a user accesses the drives of an affected system.

Process termination

Terminates processes or services that contain any of the following strings if found running in the affected system's memory:

  • SbieCtrl
  • ProcessHacker
  • procexp64
  • msconfig
  • taskmgr
  • chrome
  • firefox
  • regedit
  • opera
  • UserAccountControlSettings
  • yandex
  • microsoftedge
  • microsoftedgecp
  • iexplore

  Solution

Minimum scan engine: 9.850
First VSAPI pattern file: 14.300.06
First VSAPI pattern release date: 07 June 2018
VSAPI OPR Pattern Version: 14.301.00
VSAPI OPR pattern release date: 08 June 2018