Ransom.Win64.SNATCH.YADBA.enc

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• {Malware file path}\{random characters1}.bat → used to query for services, is deleted afterwards
• {Malware file path}\{random characters2}.bat → used to delete shadow copies, is deleted afterwards
• {Malware file path}\{random characters3}.bat → used to register itself as a service, is deleted afterwards
• {Malware file path}\{random characters4}.bat → used to enable safe mode, is deleted afterwards
• {Malware file path}\{random characters5}.bat → used to check if safe mode is enabled, is deleted afterwards
• {Malware file path}\{random characters6}.bat → used to delete itself, is deleted afterwards
• {Malware file path}\{random characters7}.bat → used to reboot the system, is deleted afterwards

Agrega los procesos siguientes:

• If the file name contains the string "safe":
  • sc create YfFomRpcSsWBSi binPath={Malware file path}\{Malware file name}" DisaplayName="Provides Remote Procedure Call features via remotely accessible Named Pipes tJuyRbOi" start=auto
• If the file name does not contain the string "safe":
  • SC QUERY → query for services
  • FINDSTR SERVICE_NAME → collect service names
  • net stop YfFomRpcSsWBSi → terminates existing service of itself
  • vssadmin delete shadows /all /quiet → delete shadow copies
  • cmd /c ping 127.0.0.1
  • del /f {Malware file name} → delete itself
• REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control" /v SystemStartOptions → query for system start options if set to safeboot
• If the system start options is not set to safeboot:
  • REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS" /VE /T REG_SZ /F /D Service
  • REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\YfFomRpcSsWBSi" /VE /T REG_SZ /F /D Service → enables the service in safe mode
  • bcdedit /set {current} safeboot minimal → forces the Windows to restart in safe mode
  • %Windows%\Sysnative\bcdedit.exe /set {current} safeboot minimal
  • %Windows%\SysWOW64\bcdedit.exe /set {current} safeboot minimal
  • %System%\bcdedit.exe /set {current} safeboot minimal
  • %Windows%\Sysnative\bcdedit.exe → check if safe mode is enabled
  • shutdown /r /f /t 00 → reboot the system
  • %Windows%\SysWOW64\shutdown.exe /r /f /t 00
  • %System%\shutdown.exe /r /f /t 00
  • %Windows%\Sysnative\shutdown.exe /r /f /t 00

(Nota: %Windows% es la carpeta de Windows, que suele estar en C:\Windows o C:\WINNT).

Técnica de inicio automático

Agrega las siguientes entradas para permitir su propia ejecución en modo seguro:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
VSS
{Default} = Service → if the system start options is not set to safeboot

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
YfFomRpcSsWBSi
{Default} = Service → if the system start options is not set to safeboot

Inicia los servicios siguientes:

• Service Name: YfFomRpcSsWBSi
  Display Name: Provides Remote Procedure Call features via remotely accessible Named Pipes tJuyRbOi
  Image Path: {Malware File Path}\{Malware file name}

Finalización del proceso

Finaliza procesos o servicios que contienen una de las cadenas siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• SQL
• BACKUP
• TEAM
• EXCHANGE

Otros detalles

Requiere la existencia de los archivos siguientes para ejecutarse correctamente:

• Qt5Core.dll
• Qt5Gui.dll
• Qt5Network.dll
• Qt5Qml.dll
• Qt5Widgets.dll
• Qt5Xml.dll
• SafeDataTransform.exe → used to load the shellcode and decrypt the ransomware
• apimswincoreconsolel110.dll
• apimswincoreconsolel120.dll
• apimswincoredatetimel110.dll
• apimswincoredebugl110.dll
• apimswincoreerrorhandlingl110.dll
• apimswincorefilel110.dll
• apimswincorefilel120.dll
• apimswincorefilel210.dll
• apimswincorehandlel110.dll
• apimswincoreheapl110.dll
• apimswincoreinterlockedl110.dll
• apimswincorelibraryloaderl110.dll
• apimswincorelocalizationl120.dll
• apimswincorememoryl110.dll
• apimswincorenamedpipel110.dll
• apimswincoreprocessenvironmentl110.dll
• apimswincoreprocessthreadsl110.dll
• apimswincoreprocessthreadsl111.dll
• apimswincoreprofilel110.dll
• apimswincorertlsupportl110.dll
• apimswincorestringl110.dll
• apimswincoresynchl110.dll
• apimswincoresynchl120.dll
• apimswincoresysinfol110.dll
• apimswincoretimezonel110.dll
• apimswincoreutill110.dll
• apimswincrtconiol110.dll
• apimswincrtconvertl110.dll
• apimswincrtenvironmentl110.dll
• apimswincrtfilesysteml110.dll
• apimswincrtheapl110.dll
• apimswincrtlocalel110.dll
• apimswincrtmathl110.dll
• apimswincrtmultibytel110.dll
• apimswincrtprivatel110.dll
• apimswincrtprocessl110.dll
• apimswincrtruntimel110.dll
• apimswincrtstdiol110.dll
• apimswincrtstringl110.dll
• apimswincrttimel110.dll
• apimswincrtutilityl110.dll
• concrt140.dll
• howdoi.txt
• libmap64.dll
• libxl.dll
• msvcp140.dll
• msvcp140_1.dll
• msvcp140_2.dll
• msvcp140_atomic_wait.dll
• msvcp140_codecvt_ids.dll
• other_licenses.txt
• ucrtbase.dll
• ulha64.dll
• unins000.dat
• vccorlib140.dll
• vcruntime140.dll
• vcruntime140_1.dll

Hace lo siguiente:

• It affects all existing drives from A: to Z:.
• It checks if the file name contains the string "safe".
  • If yes, it registers itself as a service.
  • If no,
    • It terminates existing service of itself.
    • It deletes shadow copies.
    • It executes and deletes itself.
• It checks if the system start options is set to safeboot.
  • If yes, it starts the service.
  • If no,
    • It registers itself as a service and enables it in safe mode.
    • It forces the Windows to restart in safe mode.
    • It reboots the system to perform its malicious routine.