Ransom.MSIL.THANOS.FAIT

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Se ejecuta y, a continuación, se elimina.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega los procesos siguientes:

• taskkill" /F taskkill.exe /IMRaccineSettings.exe
• reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
• reg" delete HKCU\Software\Raccine /F
• schtasks" /DELETE /TN "Raccine Rules Updater" /F
• cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
• sc.exe config Dnscache start= auto
• sc.exe config FDResPub start= auto
• sc.exe config SSDPSRV start= auto
• sc.exe config upnphost start= auto
• sc.exe config SQLTELEMETRY start= disabled
• sc.exe config SQLTELEMETRY$ECWDB2 start= disabled
• sc.exe config SQLWriter start= disabled
• sc.exe config SstpSvc start= disabled
• taskkill.exe /IMmspub.exe /F
• taskkill.exe /IMmydesktopqos.exe /F
• taskkill.exe /IMmydesktopservice.exe /F
• taskkill.exe /IMmysqld.exe /F
• taskkill.exe /IMsqbcoreservice.exe /F
• taskkill.exe /IMfirefoxconfig.exe /F
• taskkill.exe /IMagntsvc.exe /F
• taskkill.exe /IMthebat.exe /F
• taskkill.exe /IMsteam.exe /F
• taskkill.exe /IMencsvc.exe /F
• taskkill.exe /IMexcel.exe /F
• taskkill.exe /IMCNTAoSMgr.exe /F
• taskkill.exe /IMsqlwriter.exe /F
• taskkill.exe /IMtbirdconfig.exe /F
• taskkill.exe /IMdbeng50.exe /F
• taskkill.exe /IMthebat64.exe /F
• taskkill.exe /IMocomm.exe /F
• taskkill.exe /IMinfopath.exe /F
• taskkill.exe /IMmbamtray.exe /F
• taskkill.exe /IMzoolz.exe /F
• taskkill.exe /IMthunderbird.exe /F
• taskkill.exe /IMdbsnmp.exe /F
• taskkill.exe /IMxfssvccon.exe /F
• taskkill.exe /IMmspub.exe /F
• taskkill.exe /IMNtrtscan.exe /F
• taskkill.exe /IMisqlplussvc.exe /F
• taskkill.exe /IMonenote.exe /F
• taskkill.exe /IMPccNTMon.exe /F
• taskkill.exe /IMmsaccess.exe /F
• taskkill.exe /IMoutlook.exe /F
• taskkill.exe /IMtmlisten.exe /F
• taskkill.exe /IMmsftesql.exe /F
• taskkill.exe /IMpowerpnt.exe /F
• taskkill.exe /IMmydesktopqos.exe /F
• taskkill.exe /IMvisio.exe /F
• taskkill.exe /IMmydesktopservice.exe /F
• taskkill.exe /IMwinword.exe /F
• taskkill.exe /IMmysqld-nt.exe /F
• taskkill.exe /IMwordpad.exe /F
• taskkill.exe /IMmysqld-opt.exe /F
• taskkill.exe /IMocautoupds.exe /F
• taskkill.exe /IMocssd.exe /F
• taskkill.exe /IMoracle.exe /F
• taskkill.exe /IMsqlagent.exe /F
• taskkill.exe /IMsqlbrowser.exe /F
• taskkill.exe /IMsqlservr.exe /F
• taskkill.exe /IMsynctime.exe /F
• powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
• %System%\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "{Malware Path}\{Malware File Name}.exe

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

Se ejecuta y, a continuación, se elimina.

Agrega las siguientes exclusiones mutuas para garantizar que solo se ejecuta una de sus copias en todo momento:

• Global\ba21af1d-a1b4-4f98-bda4-bf441d085299

Técnica de inicio automático

Este malware infiltra el/los archivo(s) siguiente(s) en la carpeta de inicio del usuario de Windows para permitir su ejecución automática cada vez que se inicia el sistema:

• %Programs%\Startup\{Malware File Name}.exe
• %Programs%\Startup\mystartup.lnk

Otras modificaciones del sistema

Modifica las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption = Information...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
LegalNoticeText = All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
legalnoticecaption = Information...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
legalnoticetext = All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop...

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
LongPathsEnabled = 1

Finalización del proceso

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• http analyzer stand-alone
• fiddler
• effetech http sniffer
• firesheep
• IEWatch Professional
• dumpcap
• wireshark
• wireshark portable
• sysinternals tcpview
• NetworkMiner
• NetworkTrafficView
• HTTPNetworkSniffer
• tcpdump
• intercepter
• Intercepter-NG
• ollydbg
• x64dbg
• x32dbg
• dnspy
• dnspy-x86
• de4dot
• ilspy
• dotpeek
• dotpeek64
• ida64
• RDG Packer Detector
• CFF Explorer
• PEiD
• protection_id
• LordPE
• pe-sieve
• MegaDumper
• UnConfuserEx
• Universal_Fixer
• NoFuserEx
• NetworkMiner
• NetworkTrafficView
• HTTPNetworkSniffer
• tcpdump
• intercepter
• Intercepter-NG

Otros detalles

Hace lo siguiente:

• It encrypts all available drives (except for CDROMs).
• It empties the recycle bin.
• It terminates processes with private memory size larger than 209715200 bytes and its process name does not match the following strings:
• {Malware Name}
• chrome
• opera
• msedge
• iexplore
• firefox
• explorer
• wininit
• winlogon
• SearchApp
• SearchIndexer
• SearchUI
• It deletes the following subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:
• vssadmin.exe
• wmic.exe
• wbadmin.exe
• bcdedit.exe
• powershell.exe
• diskshadow.exe
• net.exe
• It scans specific database related file extensions:
• db
• dbf
• accdb
• dbx
• mdb
• mdf
• epf
• ndf
• ldf
• 1cd
• sdf
• nsf
• fp7
• cat
• log
• It checks if the following modules are loaded in memory:
• SbieDll.dll
• It checks the machine's manufacturer and model information if it has the following strings:
• VIRTUAL
• vmware
• VirtualBox
• It enumerates the following process:
• lsass.exe
• svchst.exe
• crss.exe
• chrome32.exe
• firefox.exe
• calc.exe
• mysqld.exe
• dllhst.exe
• opera32.exe
• memop.exe
• spoolcv.exe
• ctfmon.exe
• SkypeApp.exe
• It terminates the following services:
• avpsus
• McAfeeDLPAgentService
• mfewc
• BMR Boot Service
• NetBackup BMR MTFTP Service
• DefWatch
• ccEvtMgr
• ccSetMgr
• SavRoam
• RTVscan
• QBFCService
• QBIDPService
• Intuit.QuickBooks.FCS
• QBCFMonitorService
• YooBackup
• YooIT
• zhudongfangyu
• stc_raw_agent
• VSNAPVSS
• VeeamTransportSvc
• VeeamDeploymentService
• VeeamNFSSvc
• veeam
• PDVFSService
• BackupExecVSSProvider
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• AcrSch2Svc
• AcronisAgent
• CASAD2DWebSvc
• CAARCUpdateSvc
• sophos
• “Acronis VSS Provider”
• MsDtsServer
• IISAdmin
• MSExchangeES
• “Sophos Agent”
• EraserSvc11710
• “Enterprise Client Service”
• “SQL Backups
• MsDtsServer100
• NetMsmqActivator
• MSExchangeIS
• “Sophos AutoUpdate Service”
• SamSs
• ReportServer
• “SQLsafe Backup Service”
• MsDtsServer110
• POP3Svc
• MSExchangeMGMT
• “Sophos Clean Service”
• SMTPSvc
• ReportServer$SQL_2008
• “SQLsafe Filter Service”
• msftesql$PROD
• SstpSvc
• MSExchangeMTA
• “Sophos Device Control Service”
• ReportServer$SYSTEM_BGC
• “Symantec System Recovery”
• MSOLAP$SQL_2008
• UI0Detect
• MSExchangeSA
• “Sophos File Scanner Service”
• ReportServer$TPS
• “Veeam Backup Catalog Data Service”
• MSOLAP$SYSTEM_BGC
• W3Svc
• MSExchangeSRS
• “Sophos Health Service”
• ReportServer$TPSAMA
• “Zoolz 2 Service”
• MSOLAP$TPS
• “aphidmonitorservice”
• msexchangeadtopology
• “Sophos MCS Agent”
• AcrSch2Svc
• MSOLAP$TPSAMA
• “intel(r) proset monitoring service”
• msexchangeimap4
• “Sophos MCS Client”
• ARSM
• MSSQL$BKUPEXEC
• unistoresvc_1af40a
• “Sophos Message Router”
• BackupExecAgentAccelerator
• MSSQL$ECWDB2
• audioendpointbuilder
• “Sophos Safestore Service”
• BackupExecAgentBrowser
• MSSQL$PRACTICEMGT
• “Sophos System Protection Service”
• BackupExecDeviceMediaService
• MSSQL$PRACTTICEBGC
• “Sophos Web Control Service”
• BackupExecJobEngine
• MSSQL$PROD
• AcronisAgent
• BackupExecManagementService
• MSSQL$PROFXENGAGEMENT
• Antivirus
• BackupExecRPCService
• MSSQL$SBSMONITORING /
• MSSQL$SBSMONITORING
• AVP
• BackupExecVSSProvider
• MSSQL$SHAREPOINT
• DCAgent
• bedbg
• MSSQL$SQL_2008
• EhttpSrv
• MMS
• MSSQL$SQLEXPRESS
• ekrn
• mozyprobackup
• MSSQL$SYSTEM_BGC
• EPSecurityService
• MSSQL$VEEAMSQL2008R2
• MSSQL$TPS
• EPUpdateService
• ntrtscan
• MSSQL$TPSAMA
• EsgShKernel
• PDVFSService
• MSSQL$VEEAMSQL2008R2
• ESHASRV
• SDRSVC
• MSSQL$VEEAMSQL2012
• FA_Scheduler
• SQLAgent$VEEAMSQL2008R2
• MSSQLFDLauncher$PROFXENGAGEMENT
• KAVFS
• SQLWriter
• MSSQLFDLauncher$SBSMONITORING
• KAVFSGT
• VeeamBackupSvc
• MSSQLFDLauncher$SHAREPOINT
• kavfsslp
• VeeamBrokerSvc
• MSSQLFDLauncher$SQL_2008
• klnagent
• VeeamCatalogSvc
• MSSQLFDLauncher$SYSTEM_BGC
• macmnsvc
• VeeamCloudSvc
• MSSQLFDLauncher$TPS
• masvc
• VeeamDeploymentService
• MSSQLFDLauncher$TPSAMA
• MBAMService
• VeeamDeploySvc
• MSSQLSERVER
• MBEndpointAgent
• VeeamEnterpriseManagerSvc
• MSSQLServerADHelper
• McAfeeEngineService
• VeeamHvIntegrationSvc
• MSSQLServerADHelper100
• McAfeeFramework
• VeeamMountSvc
• MSSQLServerOLAPService
• McAfeeFrameworkMcAfeeFramework
• VeeamNFSSvc
• MySQL57
• McShield
• VeeamRESTSvc
• MySQL80
• McTaskManager
• VeeamTransportSvc
• OracleClientCache80
• mfefire
• wbengine
• ReportServer$SQL_2008
• mfemms
• wbengine
• RESvc
• mfevtp
• sms_site_sql_backup
• SQLAgent$BKUPEXEC
• MSSQL$SOPHOS
• SQLAgent$CITRIX_METAFRAME
• sacsvr
• SQLAgent$CXDB
• SAVAdminService
• SQLAgent$ECWDB2
• SAVService
• SQLAgent$PRACTTICEBGC
• SepMasterService
• SQLAgent$PRACTTICEMGT
• ShMonitor
• SQLAgent$PROD
• Smcinst
• SQLAgent$PROFXENGAGEMENT
• SmcService
• SQLAgent$SBSMONITORING
• SntpService
• SQLAgent$SHAREPOINT
• sophossps
• SQLAgent$SQL_2008
• SQLAgent$SOPHOS
• SQLAgent$SQLEXPRESS
• svcGenericHost
• SQLAgent$SYSTEM_BGC
• swi_filter
• SQLAgent$TPS
• swi_service
• SQLAgent$TPSAMA
• swi_update
• SQLAgent$VEEAMSQL2008R2
• swi_update_64
• SQLAgent$VEEAMSQL2012
• TmCCSF
• SQLBrowser
• tmlisten
• SQLSafeOLRService
• TrueKey
• SQLSERVERAGENT
• TrueKeyScheduler
• SQLTELEMETRY
• TrueKeyServiceHelper
• SQLTELEMETRY$ECWDB2
• WRSVC
• mssql$vim_sqlexp
• vapiendpoint
• It displays the following text after restarting the system:
  
• It displays a balloon tip containing the following text: