Ransom.Linux.NOESCAPE.THFOEBC

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• /{Shell Script File Path}/motd ← Ransom note in motd format
• /{Shell Script File Path}/index.html ← Ransom note in html format

Robo de información

Acepta los siguientes parámetros:

• /{Specific path to encrypt}/

Otros detalles

Hace lo siguiente:

• It requires the following file to proceed to its routines:
  • script_linux.sh <- Detected as Trojan.SH.NOESCAPE.THFOEBC
• It empties the trash/recycle bin by deleting the following folder recursively:
  • /.local/share/Trash/info/
  • /.local/share/Trash/files/
• It performs cleanup after execution by deleting the following files:
  • Log files
  • Backup files
  • /{Malware File Path}/{Malware Filename}.elf
  • /{Malware File Path}/index.html
  • /{Malware File Path}/motd
• It replaces the /etc/motd with the ransom note
• It uses the following configuration setup:
  • Local Configuration Key:
    • Local ID: 164f8295-{Random Characters}
    • IV Key: {Random Characters}
    • MP Key: {Random Characters}
  • Extensions:
    • Ignore: [elf, exe, lib, bin, sys]
    • Full: [sql]
  • Settings:
    • Build type: Linux
    • Add to autorun: False
    • Interval: 0
    • Print note: False
    • Set wallpaper: False
    • Large file size: 1024 mb
    • Spot size: 10 mb