Ransom.Win32.GANDCRAB.THOIBOAK

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

マルウェアは、特定のWebサイトにアクセスし、情報を送受信します。 マルウェアは、実行後、自身を削除します。

侵入方法

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

マルウェアは、以下の Mutex を作成し、メモリ上で自身の重複実行を避けます。

• Global\{Random Hex}.lock

他のシステム変更

マルウェアは、以下のレジストリ値を追加します。

HKEY_CURRENT_USER\SOFTWARE\keys_data\
data
private = {Key}

HKEY_CURRENT_USER\SOFTWARE\keys_data\
data
public = {Key}

プロセスの終了

マルウェアは、感染コンピュータ上で以下のプロセスが常駐されていることを確認した場合、そのプロセスを終了します。

• msftesql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlwriter.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• agntsvc.exeisqlplussvc.exe
• xfssvccon.exe
• sqlservr.exe
• mydesktopservice.exe
• ocautoupds.exe
• agntsvc.exeagntsvc.exe
• agntsvc.exeencsvc.exe
• firefoxconfig.exe
• tbirdconfig.exe
• mydesktopqos.exe
• ocomm.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• dbeng50.exe
• sqbcoreservice.exe
• excel.exe
• infopath.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• powerpnt.exe
• steam.exe
• sqlservr.exe
• thebat.exe
• thebat64.exe
• thunderbird.exe
• visio.exe
• winword.exe

情報漏えい

マルウェアは、以下の情報を収集します。

• Username
• Computer Name
• Network
• System Language
• Machine Keyboard Layout
• OS Version and Platform
• AV products installed
• Processor
• IP Address
• Network and Local Drives information
• Ransom ID
• GandCrab Internal Info:
  • id
  • sub_id
  • version
  • action

その他

マルウェアは、以下のWebサイトにアクセスし、情報を送受信します。

• http://{URL}/{string1}/{string2}/{string3}.{string4}
• Where URL is equal to the following:
  • {BLOCKED}rno.com
  • {BLOCKED}.{BLOCKED}.1.219
  • {BLOCKED}.{BLOCKED}.113.170
  • {BLOCKED}.{BLOCKED}.17.237
  • {BLOCKED}.{BLOCKED}.96.238
  • {BLOCKED}.{BLOCKED}.99.104
  • {BLOCKED}.{BLOCKED}.17.9
  • {BLOCKED}.{BLOCKED}.99.165
  • {BLOCKED}questions.ru
  • {BLOCKED}.{BLOCKED}.17.155
  • {BLOCKED}.{BLOCKED}.187.178
  • {BLOCKED}ngbrazil.com
  • {BLOCKED}.{BLOCKED}.60.222
  • {BLOCKED}flats.com
  • {BLOCKED}.{BLOCKED}.241.0
  • {BLOCKED}n.cn
  • {BLOCKED}ndicraft.com
  • {BLOCKED}ocarro.com.br
  • {BLOCKED}t.fr
  • {BLOCKED}ultibrasil.com.br
  • {BLOCKED}.io
  • {BLOCKED}tessa.com
  • {BLOCKED}veis.imb.br
  • {BLOCKED}ampustaksi.com.tr
  • {BLOCKED}sna.com.ua
  • {BLOCKED}.com
  • {BLOCKED}kpick.com
  • {BLOCKED}selamatankerja.co
  • {BLOCKED}intakeaway.com
  • {BLOCKED}ayrimenkul.com
  • {BLOCKED}analuxe.lviv.ua
  • {BLOCKED}m.be
  • {BLOCKED}afas.org
  • {BLOCKED}rdin.com
  • {BLOCKED}tsouverts.org
  • {BLOCKED}nas.kiev.ua
  • {BLOCKED}ontractors.com.au
  • {BLOCKED}.mx
  • {BLOCKED}oft.in
  • {BLOCKED}urk.club
  • {BLOCKED}agroupbd.com
  • {BLOCKED}stay.com
  • {BLOCKED}inhduong.com
  • {BLOCKED}me.ru
  • {BLOCKED}uilder.com
  • {BLOCKED}arscooter.com
  • {BLOCKED}aevents.com
  • {BLOCKED}latpars.ir
  • {BLOCKED}ries-acl-37.fr
  • {BLOCKED}iya.com
  • {BLOCKED}feder.com
  • {BLOCKED}intpl.com
  • {BLOCKED}.com
  • {BLOCKED}mpany.ru
  • {BLOCKED}tore.com
  • {BLOCKED}rdupain.it
  • {BLOCKED}isbuildcon.com
  • {BLOCKED}roupllc.com
  • {BLOCKED}edding.ru
  • {BLOCKED}ate.com.ua
  • {BLOCKED}night.cz
  • {BLOCKED}rdstone.com
  • {BLOCKED}vestforum.com
  • {BLOCKED}pieds.be
  • {BLOCKED}ooomdevserver.com
  • {BLOCKED}itabela.com
  • {BLOCKED}oducciones.com.gt
  • {BLOCKED}resa.com
  • {BLOCKED}ickphotography.es
  • {BLOCKED}ackpt.com
  • {BLOCKED}.top
  • {BLOCKED}carpet.com
  • {BLOCKED}hos.com
  • {BLOCKED}adental.com.au
  • {BLOCKED}stest9.uk
  • {BLOCKED}ud.com
  • {BLOCKED}kids.com.ua
  • {BLOCKED}beyenal.com
  • {BLOCKED}gsanhuyphat68.com
  • {BLOCKED}hukuk.com
  • {BLOCKED}ch.com
  • {BLOCKED}c.org
  • {BLOCKED}t.co.kr
  • {BLOCKED}herstech.com
  • {BLOCKED}bride.net
  • {BLOCKED}lk.ca
  • {BLOCKED}obabyphotographyseattle.com
  • {BLOCKED}.com.ve
  • {BLOCKED}com-berlin.de
  • {BLOCKED}folks.com
  • {BLOCKED}tyempire.com
  • {BLOCKED}me-fishing-croatia.hr
  • {BLOCKED}blue.com
  • {BLOCKED}schell.com
  • {BLOCKED}dlife.in
  • blog.{BLOCKED}t.com
  • blog.{BLOCKED}od.mx
  • blog.{BLOCKED}e.com
  • blog.{BLOCKED}angfagao.com
  • blog.{BLOCKED}aiwan.com
  • {BLOCKED}lm.eu
  • {BLOCKED}eed.club
  • {BLOCKED}ngrosebd.com
  • {BLOCKED}llhdb.com
  • {BLOCKED}que.com
  • {BLOCKED}owradio.com
  • {BLOCKED}odelbastarr.com
  • {BLOCKED}gbmoredjsteve.com
  • boucherie.{BLOCKED}hefrais.com
  • {BLOCKED}t-pascal.fr
  • {BLOCKED}r.com.ua
  • {BLOCKED}enceiling.com.hk
  • {BLOCKED}p.co.id
  • {BLOCKED}oiles.com
  • {BLOCKED}oft.com
  • {BLOCKED}htrinh.net
  • {BLOCKED}hcondotel.site
  • {BLOCKED}palcity.top
  • {BLOCKED}united.com
  • {BLOCKED}on7tanphu.com
  • {BLOCKED}evanlines.com
  • {BLOCKED}ck.ncplinc.net
  • {BLOCKED}flirtings.com
  • {BLOCKED}etnam.com
  • {BLOCKED}.fr
  • {BLOCKED}x.com
  • {BLOCKED}.net
  • {BLOCKED}swadefinance.co.uk
  • charm.andreea.{BLOCKED}droni.ro
  • {BLOCKED}show.com
  • {BLOCKED}ana.ru
  • {BLOCKED}ung.info
  • {BLOCKED}itoshow.com
  • {BLOCKED}ia-ciudadana.es
  • {BLOCKED}k.com
  • citrus.{BLOCKED}v.ua
  • {BLOCKED}osetselfstorage.com
  • {BLOCKED}ripcustomercare.com
  • {BLOCKED}adentaldelgado.es
  • {BLOCKED}ueesthetiquepasteur.com
  • cms.{BLOCKED}achundkulturstiftung.de
  • {BLOCKED}hservicos.com.br
  • {BLOCKED}yetsanthaomeo.com
  • {BLOCKED}rketing.agency
  • {BLOCKED}t.com
  • {BLOCKED}.no
  • {BLOCKED}encesdiary.com
  • {BLOCKED}ssodesignam.com.br
  • {BLOCKED}tsbank.cc
  • {BLOCKED}i.ga
  • {BLOCKED}rv.pixelsco.com
  • {BLOCKED}.cn
  • {BLOCKED}marketplace.eu
  • {BLOCKED}adelsureste.com
  • {BLOCKED}ceans-td.com
  • {BLOCKED}lhilldesign.com
  • {BLOCKED}g.ase.ro
  • {BLOCKED}r.ro
  • {BLOCKED}t.eu
  • {BLOCKED}roms.cba.pl
  • {BLOCKED}egas.com
  • {BLOCKED}ent.com
  • {BLOCKED}-services.com
  • {BLOCKED}stsystems.com
  • {BLOCKED}carpentry.training
  • {BLOCKED}g.party
  • {BLOCKED}chamber.org
  • {BLOCKED}guridad.com
  • deneme2.{BLOCKED}ber.net
  • {BLOCKED}ays.ru
  • {BLOCKED}ptivevideoproductions.com
  • {BLOCKED}dawnschool.com
  • dev.{BLOCKED}ywilshiremedical.com
  • {BLOCKED}.com.br
  • {BLOCKED}rmatique.ca
  • {BLOCKED}orgasmo.cl
  • {BLOCKED}lharf.com
  • {BLOCKED}.com
  • {BLOCKED}emena.com
  • {BLOCKED}tusa.com
  • {BLOCKED}petshop.life
  • {BLOCKED}s.com.br
  • {BLOCKED}anquoc.com
  • {BLOCKED}gigimuda.com
  • {BLOCKED}edia.com
  • drummelo.{BLOCKED}ista.org
  • dsc.{BLOCKED}almea.info
  • {BLOCKED}hings.com
  • {BLOCKED}raditions.nl
  • {BLOCKED}a.com.br
  • {BLOCKED}iketler.com
  • {BLOCKED}turf.org
  • {BLOCKED}ergy.co.nz
  • {BLOCKED}te.com
  • {BLOCKED}t.nu
  • {BLOCKED}-vent.ru
  • {BLOCKED}ea.biz
  • {BLOCKED}aplanmark.com.br
  • {BLOCKED}a.com
  • {BLOCKED}e.biz
  • {BLOCKED}asar.com
  • {BLOCKED}ictrainproductions.com
  • {BLOCKED}obox.org
  • {BLOCKED}o-beckers.de
  • {BLOCKED}opastuh.ru
  • {BLOCKED}ck.com
  • {BLOCKED}hope.org
  • {BLOCKED}lagosta.cat
  • {BLOCKED}-utama.com
  • {BLOCKED}r.es
  • {BLOCKED}bostad.se
  • {BLOCKED}ondezigns.com
  • {BLOCKED}diovisual.com
  • {BLOCKED}pisy.cba.pl
  • {BLOCKED}rrstrom.com
  • {BLOCKED}grup.com.tr
  • {BLOCKED}arpati.com
  • {BLOCKED}-girls.services
  • {BLOCKED}scompany.com
  • {BLOCKED}ial-campinggear.com
  • {BLOCKED}ecimientos.sintinovoy.sevapp20.com
  • {BLOCKED}x.org
  • {BLOCKED}alip.com
  • {BLOCKED}.com
  • {BLOCKED}stemsrl.net
  • {BLOCKED}nclinic.com
  • {BLOCKED}hingsale.com
  • {BLOCKED}to.ru
  • {BLOCKED}h.lu
  • {BLOCKED}ctor.mobi
  • {BLOCKED}h.org.tr
  • {BLOCKED}.online
  • {BLOCKED}adesenacpe.edu.br
  • {BLOCKED}e.com
  • {BLOCKED}.foco.cl
  • {BLOCKED}kiprzemek.cba.pl
  • {BLOCKED}renterprising.com
  • {BLOCKED}enty.com
  • {BLOCKED}idadpma.com
  • {BLOCKED}feveda.com.ve
  • {BLOCKED}ight.ru
  • {BLOCKED}jodi.com
  • {BLOCKED}asepromotions.co.za
  • {BLOCKED}ms.mx
  • {BLOCKED}lumbria.it
  • {BLOCKED}.mobi
  • {BLOCKED}ily.org
  • {BLOCKED}etal.net
  • {BLOCKED}y.cba.pl
  • {BLOCKED}s-china.com
  • {BLOCKED}crepelle.com
  • {BLOCKED}ncemarketingtraining.com
  • {BLOCKED}iritgroup.altervista.org
  • {BLOCKED}trition.com.tr
  • {BLOCKED}tszott.cba.pl
  • {BLOCKED}corp.es
  • {BLOCKED}onetransportation.com
  • {BLOCKED}n.com
  • {BLOCKED}ermocaldeiras.com.br
  • {BLOCKED}iptraction.com
  • {BLOCKED}donationtoday.com
  • {BLOCKED}rkeynow.com
  • {BLOCKED}j.adv.br
  • {BLOCKED}lconstructions.in
  • {BLOCKED}cafiorino1.altervista.org
  • {BLOCKED}anes.altervista.org
  • {BLOCKED}ster.ml
  • {BLOCKED}les-noisetiers.fr
  • {BLOCKED}y.com
  • {BLOCKED}ball24h.com
  • {BLOCKED}anau.com
  • {BLOCKED}y.org.in
  • {BLOCKED}d.website
  • {BLOCKED}tore.com
  • {BLOCKED}dinn.us
  • {BLOCKED}rajasthan.allappshere.in
  • {BLOCKED}iddleeastgate.com
  • {BLOCKED}radecorp.com
  • {BLOCKED}world-md.ru
  • {BLOCKED}n.studio
  • {BLOCKED}dcheesereviews.com
  • {BLOCKED}erfetto.com.br
  • {BLOCKED}com.cf
  • {BLOCKED}li.fi
  • {BLOCKED}o.ir
  • {BLOCKED}oulsonfire.com
  • {BLOCKED}s.vn
  • {BLOCKED}onito.com
  • {BLOCKED}.com
  • {BLOCKED}obalholding.com
  • {BLOCKED}inhkientaocuocdoi.com
  • {BLOCKED}ftbay.ru
  • {BLOCKED}interiordecorators.com
  • {BLOCKED}esign.com
  • {BLOCKED}lopezr.com
  • {BLOCKED}heatpumps.nz
  • {BLOCKED}ang.com
  • {BLOCKED}tal.com
  • {BLOCKED}etaksi.net
  • {BLOCKED}ulness.com.ua
  • {BLOCKED}andrestaurantgroup.com
  • {BLOCKED}ongroup.com
  • {BLOCKED}hoidsorted.com
  • {BLOCKED}khoemanhtunhien.com
  • {BLOCKED}untrycamo.com
  • {BLOCKED}ignonline.com
  • {BLOCKED}ngjiang.com
  • {BLOCKED}tury.com
  • {BLOCKED}isha.com
  • {BLOCKED}ravel2018.com
  • {BLOCKED}app.com
  • {BLOCKED}tocatchacold.com
  • {BLOCKED}d.gov.co
  • {BLOCKED}e.fr
  • {BLOCKED}radio.com
  • {BLOCKED}gham.com
  • {BLOCKED}gillusion.com
  • {BLOCKED}art.fr
  • {BLOCKED}ams.ir
  • {BLOCKED}nostours.com
  • {BLOCKED}.com
  • {BLOCKED}eex.com
  • {BLOCKED}u.com
  • {BLOCKED}a-quest.com.ua
  • {BLOCKED}ec.com.mx
  • {BLOCKED}ushipyard.com
  • {BLOCKED}group.com
  • {BLOCKED}atica.uss.cl
  • {BLOCKED}ut-journalisme.fr
  • {BLOCKED}network.com.ng
  • {BLOCKED}lower.ee
  • {BLOCKED}ors-by-catherine.com
  • {BLOCKED}ab.com.sg
  • {BLOCKED}ener.org
  • {BLOCKED}e.com.vn
  • {BLOCKED}booth.com.au
  • {BLOCKED}t.com
  • {BLOCKED}er.net
  • {BLOCKED}aat.com.tr
  • {BLOCKED}ul212tesisat.com
  • {BLOCKED}lier.com.au
  • {BLOCKED}.com.br
  • {BLOCKED}e-opalac.cba.pl
  • {BLOCKED}kongtrul.org.tw
  • {BLOCKED}tel.com
  • {BLOCKED}g-ug.ru
  • {BLOCKED}aphics.com
  • {BLOCKED}kinasi.com
  • {BLOCKED}ore.com
  • {BLOCKED}adeplata23.com
  • jupiter.csit.{BLOCKED}t.edu.au
  • {BLOCKED}dans.com
  • {BLOCKED}anna.no
  • {BLOCKED}orp.link
  • {BLOCKED}n.net
  • {BLOCKED}on-restauracja.cba.pl
  • {BLOCKED}aria-crm.pl
  • {BLOCKED}treet.com
  • {BLOCKED}anatco.com
  • {BLOCKED}ou.be
  • {BLOCKED}marketing.com
  • {BLOCKED}i.com
  • {BLOCKED}-fenster.ch
  • {BLOCKED}clark.com
  • {BLOCKED}darexpress.com
  • {BLOCKED}rash.ir
  • {BLOCKED}.com
  • {BLOCKED}on.org
  • {BLOCKED}rtvn.com
  • {BLOCKED}nh345.com
  • {BLOCKED}wood.store
  • {BLOCKED}tgiao.com
  • {BLOCKED}akdee.com
  • {BLOCKED}laza.com
  • {BLOCKED}kingcare.com
  • {BLOCKED}leng.com
  • {BLOCKED}an.cba.pl
  • {BLOCKED}tplus.ru
  • {BLOCKED}ypolyana123.ru
  • {BLOCKED}d.ru
  • {BLOCKED}n.com
  • {BLOCKED}lar.kz
  • {BLOCKED}m.com
  • {BLOCKED}cizade.com.tr
  • {BLOCKED}.com.au
  • {BLOCKED}t.org
  • {BLOCKED}gtrans.com
  • {BLOCKED}rkscalifornia.org
  • {BLOCKED}oyang.com
  • {BLOCKED}rma.com
  • ldm.{BLOCKED}rocknews.org
  • lealengenharia.{BLOCKED}agemdesit
  • {BLOCKED}uit.fr
  • {BLOCKED}ley.com
  • {BLOCKED}.polri.go.id
  • {BLOCKED}inesdedemain.com
  • {BLOCKED}f.dk
  • lgg.{BLOCKED}v.br
  • life.{BLOCKED}.com
  • lloyd.www.{BLOCKED}ve-platform.net
  • {BLOCKED}ents.com
  • {BLOCKED}ckimnguyenphat.com.vn
  • {BLOCKED}rb-rezept.com
  • {BLOCKED}haiduong.com
  • {BLOCKED}ocellitancredi.com
  • {BLOCKED}s.co.uk
  • {BLOCKED}s.pt
  • {BLOCKED}entreprise.dk
  • {BLOCKED}inoadvogados.com.br
  • {BLOCKED}a.it
  • {BLOCKED}actrice-web.com
  • {BLOCKED}iler.com
  • {BLOCKED}isleri.com
  • {BLOCKED}.cba.pl
  • {BLOCKED}nnelly.com
  • {BLOCKED}pert.com
  • {BLOCKED}p.pro
  • {BLOCKED}enirvana.com
  • {BLOCKED}ap.com
  • {BLOCKED}ionacif.com
  • {BLOCKED}d.com
  • {BLOCKED}d.cba.pl
  • {BLOCKED}kson.com
  • {BLOCKED}a.com
  • {BLOCKED}b.com
  • {BLOCKED}aching.fr
  • {BLOCKED}up.co.uk
  • {BLOCKED}.com.ua
  • {BLOCKED}dim.org
  • {BLOCKED}c.ma
  • {BLOCKED}nc.com
  • {BLOCKED}.ir
  • {BLOCKED}eb.com
  • {BLOCKED}ao7.com
  • {BLOCKED}iaparacoaches.com.br
  • {BLOCKED}ur.com
  • {BLOCKED}nd.me
  • {BLOCKED}resultado.com
  • {BLOCKED}bg.com
  • {BLOCKED}tllc.com
  • {BLOCKED}kapner.com
  • {BLOCKED}.hu
  • {BLOCKED}a.kg
  • {BLOCKED}r.com
  • {BLOCKED}typhotoworkshops.com
  • {BLOCKED}z.com
  • {BLOCKED}erjack.com
  • {BLOCKED}ens.com
  • {BLOCKED}tracting.ca
  • {BLOCKED}t.com.kw
  • {BLOCKED}ai.pl
  • {BLOCKED}z.com
  • {BLOCKED}geulis.com
  • {BLOCKED}olita.es
  • {BLOCKED}ng.cn
  • {BLOCKED}360.pl
  • {BLOCKED}.com
  • {BLOCKED}ertainment.com
  • {BLOCKED}tudio.com.my
  • {BLOCKED}est.com
  • {BLOCKED}i24.ru
  • {BLOCKED}dea.com
  • {BLOCKED}azr.com
  • {BLOCKED}distributor.com
  • {BLOCKED}esurgerythailand.com
  • {BLOCKED}rsonal.com.ua
  • {BLOCKED}iedesperchesboukhatem.fr
  • {BLOCKED}ealty.com
  • {BLOCKED}carelandscape.com
  • {BLOCKED}nenda.com
  • nazareimoveis.{BLOCKED}emporario.com.br
  • {BLOCKED}s.info
  • {BLOCKED}luavm.com
  • {BLOCKED}da.ru
  • {BLOCKED}.dk
  • {BLOCKED}nstructioncorp.com
  • {BLOCKED}r.com
  • {BLOCKED}.cn
  • {BLOCKED}earth.com
  • {BLOCKED}nyc.com
  • {BLOCKED}tinasat.com.br
  • {BLOCKED}cordo.com
  • {BLOCKED}trolina.com
  • {BLOCKED}i-danasnje.info
  • {BLOCKED}group.com
  • nurfian.{BLOCKED}um.com
  • {BLOCKED}lmastah.com
  • {BLOCKED}ervice.ru
  • {BLOCKED}inen.com
  • {BLOCKED}tockfilms.com
  • {BLOCKED}nsult.com
  • {BLOCKED}school.com.br
  • {BLOCKED}etih.com
  • {BLOCKED}.ro
  • {BLOCKED}businesskhabar.com
  • {BLOCKED}itshop.com
  • {BLOCKED}eerd.nl
  • {BLOCKED}costruzioneabruzzo.piattaforma.eu
  • {BLOCKED}da.info
  • optikchrtek.{BLOCKED}oud.cz
  • {BLOCKED}l.co.il
  • {BLOCKED}m.com
  • {BLOCKED}ontics.ir
  • {BLOCKED}event.com.ua
  • {BLOCKED}mafoto.com
  • {BLOCKED}esofe.com
  • {BLOCKED}viez.com
  • {BLOCKED}oodgood.com
  • {BLOCKED}nkeren.xyz
  • {BLOCKED}dia.se
  • {BLOCKED}ndshandyman.com
  • {BLOCKED}go.com
  • {BLOCKED}caligrafosevilla.es
  • {BLOCKED}fund.org
  • {BLOCKED}photo.ru
  • {BLOCKED}thaoland.com
  • {BLOCKED}apparel.no
  • {BLOCKED}lancus.pl
  • {BLOCKED}deck.com
  • {BLOCKED}r.com
  • {BLOCKED}urghbbq.com
  • {BLOCKED}onsel.com
  • {BLOCKED}ormacontralaprivatizaciondelcyii.org
  • {BLOCKED}csamongus.com
  • poly.{BLOCKED}polyblow.com.br
  • {BLOCKED}ow.com.br
  • {BLOCKED}.angryventures.com
  • {BLOCKED}da74.ru
  • {BLOCKED}cetalentos.com.br
  • {BLOCKED}tseitai.com
  • {BLOCKED}rkservicesinc.com
  • {BLOCKED}adedeflandre.com
  • {BLOCKED}esdeflex.com.br
  • {BLOCKED}to.ru
  • {BLOCKED}p.vn
  • questraworld.{BLOCKED}video.com
  • {BLOCKED}glish.com
  • {BLOCKED}rssupply.us
  • {BLOCKED}n.cba.pl
  • {BLOCKED}.com
  • {BLOCKED}co.ir
  • {BLOCKED}tivemg.com
  • {BLOCKED}en.com
  • {BLOCKED}.com.ua
  • {BLOCKED}ovin.ir
  • {BLOCKED}o.com.br
  • {BLOCKED}rica.com.mx
  • {BLOCKED}ravel.com
  • {BLOCKED}h.fr
  • {BLOCKED}b.com.pl
  • {BLOCKED}o.com
  • {BLOCKED}s.top
  • {BLOCKED}l.world
  • {BLOCKED}allenentertainment.com
  • {BLOCKED}ios.com
  • {BLOCKED}ampsnorth.robomateplus.com
  • {BLOCKED}ev.com
  • {BLOCKED}ide.es
  • {BLOCKED}ct3272.org
  • {BLOCKED}e.com.mx
  • {BLOCKED}al.by
  • {BLOCKED}ankaravekil.com
  • {BLOCKED}s.cl
  • {BLOCKED}dan.es
  • {BLOCKED}nali.com
  • {BLOCKED}netcctv.com
  • {BLOCKED}edu.com
  • {BLOCKED}ans.com
  • {BLOCKED}adi.com
  • {BLOCKED}lloff-italy.web5s.com
  • {BLOCKED}u.vn
  • {BLOCKED}eriatrics.org
  • {BLOCKED}casinoterpercaya.com
  • {BLOCKED}app.be
  • {BLOCKED}ierparis75.ovh
  • {BLOCKED}illars.org.uk
  • {BLOCKED}ningzone.com
  • {BLOCKED}am.com
  • {BLOCKED}gflames.com
  • {BLOCKED}k.com
  • {BLOCKED}k.com
  • shop.{BLOCKED}istest.ir
  • {BLOCKED}restschools.com
  • {BLOCKED}um.com.ua
  • {BLOCKED}ibilisim.com
  • {BLOCKED}iindonesia.co.id
  • {BLOCKED}ia.vn
  • {BLOCKED}rde.com
  • sites.{BLOCKED}blueskydigital.com.au
  • {BLOCKED}matabunda.com
  • {BLOCKED}d.cba.pl
  • {BLOCKED}chnik.de
  • {BLOCKED}ealer.fr
  • {BLOCKED}e-gruttepier.nl
  • {BLOCKED}dset.com
  • {BLOCKED}-jkt.sch.id
  • {BLOCKED}oli.org
  • {BLOCKED}reation.com
  • {BLOCKED}kagd.com
  • social.{BLOCKED}opv.pp.ua
  • {BLOCKED}ine.kiev.ua
  • {BLOCKED}.org
  • {BLOCKED}nko.dp.ua
  • {BLOCKED}osing.ir
  • {BLOCKED}rgym.nl
  • {BLOCKED}dmanzi.com
  • {BLOCKED}ton.com
  • {BLOCKED}s.dk
  • {BLOCKED}los.ru
  • {BLOCKED}ohio.pbd-dev.com
  • {BLOCKED}omputer.com.br
  • {BLOCKED}artingnow.com
  • {BLOCKED}ofminthill.com
  • {BLOCKED}orlddirect.co.uk
  • {BLOCKED}rkameratene.no
  • {BLOCKED}erin-duisburg.net
  • {BLOCKED}delcarratore.it
  • {BLOCKED}viedrama.online
  • {BLOCKED}n.com
  • {BLOCKED}sa.com
  • {BLOCKED}sbestphotography.com
  • {BLOCKED}ne-city-ciputra.net
  • {BLOCKED}hirty.pl
  • {BLOCKED}k.com
  • {BLOCKED}.ga
  • {BLOCKED}ermei.xyz
  • {BLOCKED}ro.ru
  • {BLOCKED}spectehnika.ru
  • {BLOCKED}a.today
  • {BLOCKED}esona.com
  • {BLOCKED}ardiologist.com
  • {BLOCKED}de.info
  • {BLOCKED}erview.com.vn
  • test.{BLOCKED}ia.se
  • test.{BLOCKED}-experten.be
  • test.{BLOCKED}.pl
  • test.{BLOCKED}cevherat.com
  • test.{BLOCKED}theveeview.com
  • test.{BLOCKED}webing.io
  • testing.{BLOCKED}tallawang.com
  • {BLOCKED}y-work.ru
  • {BLOCKED}exports.com
  • {BLOCKED}larsisters.ca
  • {BLOCKED}iwebvn.com
  • {BLOCKED}spire.co.uk
  • {BLOCKED}tatrockwells.com
  • {BLOCKED}velnext.com
  • {BLOCKED}ikalavathi.info
  • {BLOCKED}nabis.com
  • {BLOCKED}phamgia.com
  • {BLOCKED}townbooks.com
  • {BLOCKED}duc.info
  • {BLOCKED}hinipassofundo.com.br
  • {BLOCKED}mores.com.br
  • {BLOCKED}lenka.ru
  • {BLOCKED}t-hobby.com
  • {BLOCKED}.ru
  • {BLOCKED}.es
  • {BLOCKED}inegames.pro
  • {BLOCKED}odazha.ru
  • {BLOCKED}nbygger.se
  • {BLOCKED}eship.top
  • {BLOCKED}low.world
  • {BLOCKED}ds.ir
  • {BLOCKED}tanewsende.com
  • {BLOCKED}hoh.com
  • {BLOCKED}es.in
  • {BLOCKED}uisman.com
  • {BLOCKED}v.ru
  • {BLOCKED}s.ir
  • {BLOCKED}.org.ua
  • {BLOCKED}site.aithent.com
  • {BLOCKED}undation.es
  • {BLOCKED}ndacion.es
  • {BLOCKED}ndacion.eu
  • {BLOCKED}ormervn.com
  • {BLOCKED}mani.net
  • {BLOCKED}t.se
  • {BLOCKED}-int.karibuni.be
  • {BLOCKED}dgoals.com
  • {BLOCKED}college.com.au
  • {BLOCKED}media.cf
  • {BLOCKED}ctg.com
  • {BLOCKED}motors.in
  • {BLOCKED}.com.br
  • {BLOCKED}13.hospedagemdesites.ws
  • {BLOCKED}ply.com
  • {BLOCKED}ey.com
  • {BLOCKED}.ru
  • {BLOCKED}vereventvideo.com
  • {BLOCKED}esign.ru
  • {BLOCKED}zdelamorena.com
  • {BLOCKED}losbenimar.es
  • {BLOCKED}ro.com
  • {BLOCKED}afilho.com.br
  • {BLOCKED}urs-tut.ru
  • {BLOCKED}x.us
  • {BLOCKED}evanguard.co.uk
  • {BLOCKED}escangio.viethomes.land
  • {BLOCKED}decor.net
  • {BLOCKED}xi.net
  • {BLOCKED}lisseta.com
  • {BLOCKED}usebangladesh.com
  • {BLOCKED}ainvest.com.br
  • {BLOCKED}s.com.vn
  • {BLOCKED}c.com
  • {BLOCKED}urse.com
  • {BLOCKED}ouropinions.net
  • {BLOCKED}r.kz
  • {BLOCKED}irek.com
  • {BLOCKED}withmakeup.co.uk
  • {BLOCKED}aftcustom.com
  • {BLOCKED}keting.cinfoway.in
  • {BLOCKED}ox.com
  • {BLOCKED}chts-pyramide.tk
  • {BLOCKED}allery.ru
  • {BLOCKED}sslifescience.com
  • {BLOCKED}trealty.com
  • {BLOCKED}power-music.cba.pl
  • {BLOCKED}t.tk
  • {BLOCKED}arroy.fr
  • {BLOCKED}thangz.com
  • {BLOCKED}edy.ru
  • {BLOCKED}y.com
  • {BLOCKED}mpoptions.com
  • {BLOCKED}amifier.com
  • wp.{BLOCKED}s.men
  • wp.{BLOCKED}t.fr
  • {BLOCKED}emi.com
  • {BLOCKED}k.com
  • www.{BLOCKED}1.sr
  • www.{BLOCKED}rasil.com
  • www.{BLOCKED}c.com
  • www.{BLOCKED}a.co.uk
  • www.{BLOCKED}a.tn
  • www.{BLOCKED}huoc.com.vn
  • www.{BLOCKED}rentacars.com
  • www.{BLOCKED}tmanipisak.com
  • www.{BLOCKED}eupdate.ir
  • www.{BLOCKED}ives-zoliennes.fr
  • www.{BLOCKED}ngarayan.com
  • www.{BLOCKED}nkundig.at
  • www.{BLOCKED}pointpl.com
  • www.{BLOCKED}d.cz
  • www.{BLOCKED}sigortaaydin.com
  • www.{BLOCKED}t.co.kr
  • www.{BLOCKED}lerimpex.com
  • www.{BLOCKED}wiseacademy.com
  • www.{BLOCKED}adbandimperatives.org
  • www.{BLOCKED}cure.fr
  • www.{BLOCKED}av.hu
  • www.{BLOCKED}touch.uk.com
  • www.{BLOCKED}mare.it
  • www.{BLOCKED}alaptop.com
  • www.{BLOCKED}xs.biz
  • www.{BLOCKED}ire.com
  • www.{BLOCKED}deayrs.com
  • www.{BLOCKED}obindumcltd.com
  • www.{BLOCKED}havetoshine.com
  • www.{BLOCKED}rsskn.com
  • www.{BLOCKED}inapetrou.co.uk
  • www.{BLOCKED}dent.com
  • www.{BLOCKED}ransport.fr
  • www.{BLOCKED}guardthemovie.com
  • www.{BLOCKED}y.com.br
  • www.{BLOCKED}tiasystems.com
  • www.{BLOCKED}shotevents.com
  • www.{BLOCKED}lpyme.biz
  • www.{BLOCKED}rsants.com
  • www.{BLOCKED}shinn.com
  • www.{BLOCKED}lecharro.com
  • www.{BLOCKED}radodai.com
  • www.{BLOCKED}servicesgroup.com
  • www.{BLOCKED}lsistemas.com.br
  • www.{BLOCKED}uri.edu.in
  • www.{BLOCKED}chool.vn
  • www.{BLOCKED}i.nl
  • www.{BLOCKED}kherrstrom.com
  • www.{BLOCKED}aces-interieurs.net
  • www.{BLOCKED}eticaderma.com
  • www.{BLOCKED}el-albania.com
  • www.{BLOCKED}osystemsrl.net
  • www.{BLOCKED}bfoundation.gm
  • www.{BLOCKED}ancetoit.fr
  • www.{BLOCKED}911.com
  • www.{BLOCKED}dsbn.com
  • www.{BLOCKED}60.us
  • www.{BLOCKED}liditalia.it
  • www.{BLOCKED}s-for-kids.de
  • www.{BLOCKED}v.news
  • www.{BLOCKED}logis.com
  • www.{BLOCKED}enwolfales.com
  • www.{BLOCKED}upwine.fr
  • www.{BLOCKED}umansena.co.in
  • www.{BLOCKED}hpatal.com
  • www.{BLOCKED}roser.pt
  • www.{BLOCKED}merlandgolf.dk
  • www.{BLOCKED}ervi.com.br
  • www.{BLOCKED}gatecenter.org
  • www.{BLOCKED}century.com
  • www.{BLOCKED}peem.org
  • www.{BLOCKED}interiors.com
  • www.{BLOCKED}s.space
  • www.{BLOCKED}sz.com
  • www.{BLOCKED}bana.cat
  • www.{BLOCKED}orideas9.com
  • www.{BLOCKED}ationalmoversboston.com
  • www.{BLOCKED}ssconnect.com
  • www.{BLOCKED}aola.com
  • www.{BLOCKED}t.com
  • www.{BLOCKED}isunenfantterrible.com
  • www.{BLOCKED}ngshi.cn
  • www.{BLOCKED}bk.com
  • www.{BLOCKED}ledans.com
  • www.{BLOCKED}1.ir
  • www.{BLOCKED}kidnews.com
  • www.{BLOCKED}ezaagricola.com.br
  • www.{BLOCKED}shnagrp.com
  • www.{BLOCKED}toaskel.net
  • www.{BLOCKED}outtedelixir.com
  • www.{BLOCKED}ri.co.il
  • www.{BLOCKED}ertag.kiev.ua
  • www.{BLOCKED}thotel.it
  • www.{BLOCKED}ariable.club
  • www.{BLOCKED}kcoaching.com.au
  • www.{BLOCKED}nsindustries.org
  • www.{BLOCKED}nwood.co.uk
  • www.{BLOCKED}itsolutionsbd.com
  • www.{BLOCKED}napouyesh.com
  • www.{BLOCKED}artegrise.eu
  • www.{BLOCKED}eshsharma.live
  • www.{BLOCKED}nlis.pt
  • www.{BLOCKED}aeeventos.com.br
  • www.{BLOCKED}ketopic.ru
  • www.{BLOCKED}urley.com
  • www.{BLOCKED}i.com.sg
  • www.{BLOCKED}c.ma
  • www.{BLOCKED}eyprotein.com
  • www.{BLOCKED}horsepower.se
  • www.{BLOCKED}iatravel.in
  • www.{BLOCKED}leshairlounge.ca
  • www.{BLOCKED}d.cz
  • www.{BLOCKED}ah.com.my
  • www.{BLOCKED}infantilvalencia.com
  • www.{BLOCKED}i.co
  • www.{BLOCKED}us.co.th
  • www.{BLOCKED}kik.com
  • www.{BLOCKED}ingbits.com
  • www.{BLOCKED}oys.com.cn
  • www.{BLOCKED}frozen.com.hk
  • www.{BLOCKED}group.com.hk
  • www.{BLOCKED}sdavetorganizasyon.com
  • www.{BLOCKED}arpaslanmaz.com
  • www.{BLOCKED}icholasossai.com
  • www.{BLOCKED}pharmassist.com
  • www.{BLOCKED}turistului.com
  • www.{BLOCKED}int.online
  • www.{BLOCKED}opapi.com
  • www.{BLOCKED}barua.com
  • www.{BLOCKED}tfunnelblueprint.com
  • www.{BLOCKED}odbd.com
  • www.{BLOCKED}ire.com
  • www.{BLOCKED}mviet.com
  • www.{BLOCKED}iarepentigny.ca
  • www.{BLOCKED}g.com
  • www.{BLOCKED}profile.com
  • www.{BLOCKED}imports.com.br
  • www.{BLOCKED}wwaffle.xyz
  • www.{BLOCKED}rmatica.pt
  • www.{BLOCKED}vten.xyz
  • www.{BLOCKED}n.com
  • www.{BLOCKED}imos.com
  • www.{BLOCKED}ifbumipersada.com
  • www.{BLOCKED}a.com.br
  • www.{BLOCKED}troiscours.com
  • www.{BLOCKED}reasure.com
  • www.{BLOCKED}t.in
  • www.{BLOCKED}njews.com
  • www.{BLOCKED}ehandmade.com
  • www.{BLOCKED}archat.com
  • www.{BLOCKED}etorganizasyon.com
  • www.{BLOCKED}anmobilyadekorasyon.com
  • www.{BLOCKED}ischerd.com
  • www.{BLOCKED}eks.com
  • www.{BLOCKED}br.com
  • www.{BLOCKED}ri.com
  • www.{BLOCKED}omputers.ro
  • www.{BLOCKED}imint.com
  • www.{BLOCKED}emasapex.mx
  • www.{BLOCKED}ma.cn
  • www.{BLOCKED}alconcepts-cm.com
  • www.{BLOCKED}rdigitalweb.com
  • www.{BLOCKED}ol.com
  • www.{BLOCKED}enda.com
  • www.{BLOCKED}rkin.com
  • www.{BLOCKED}co.ir
  • www.{BLOCKED}urfmats.com
  • www.{BLOCKED}ellars.com
  • www.{BLOCKED}hewa.com
  • www.{BLOCKED}ungalowstay.in
  • www.{BLOCKED}isoft.hn
  • www.{BLOCKED}ube.com
  • www.{BLOCKED}ual.com
  • www.{BLOCKED}phonecenter.com
  • www.{BLOCKED}scomfortable.com
  • www.{BLOCKED}stevenrice.com
  • www.{BLOCKED}daptables.com
  • www.{BLOCKED}tlanticseafoodcompany.com
  • www.{BLOCKED}oveassembly.com
  • www.{BLOCKED}arco.com
  • www.{BLOCKED}ra.com.br
  • www.{BLOCKED}viacao.com.br
  • www.{BLOCKED}aja.com
  • www.{BLOCKED}laybasket.fr
  • www.{BLOCKED}nto.com
  • www.{BLOCKED}iaexpeditionsperu.com
  • www.{BLOCKED}in2014.com
  • www.{BLOCKED}arcisi.com
  • www.{BLOCKED}ect.fr
  • www.{BLOCKED}thfully.com
  • www.{BLOCKED}b.org
  • www.{BLOCKED}t.travel
  • www.{BLOCKED}icasantiago.com.br
  • www.{BLOCKED}seo.com
  • www.{BLOCKED}avie.fr
  • www.{BLOCKED}ilm.ga
  • www.{BLOCKED}wear.com
  • www.{BLOCKED}m.cn
  • www.{BLOCKED}weil.de
  • www.{BLOCKED}resspractice.cf
  • www.{BLOCKED}derabad.com
  • www.{BLOCKED}armdnsalonlar-fjb55aa34dpkdo.com
  • www.{BLOCKED}ass.com
  • www.{BLOCKED}esign.com
  • www.{BLOCKED}dapalhanoimoveis.com.br
  • www.{BLOCKED}nakliye.com
  • www.{BLOCKED}e.com
  • www.{BLOCKED}anle.com
  • {BLOCKED}ivietnam.com
  • {BLOCKED}h.net
  • {BLOCKED}ity.com
  • {BLOCKED}sbb5ad1beecki5h.xn--p1ai
  • {BLOCKED}sbbax1aamaagfpjbdc3dm.xn--p1ai
  • {BLOCKED}sbcfeovaaet2bacdygacidsedek.xn--p1acf
  • {BLOCKED}anbmdrdpayqtg1d7h.xn--p1ai
  • {BLOCKED}dsn2ag7e.xn--p1ai
  • {BLOCKED}vc1e.xn--p1acf
  • {BLOCKED}.ltd
  • {BLOCKED}ocnam.com
  • {BLOCKED}ngguoji.com
  • {BLOCKED}creativeco.com
  • {BLOCKED}sdrive.com
  • {BLOCKED}piwater.com
  • {BLOCKED}dy.com.br
  • {BLOCKED}-group.com
  • {BLOCKED}.com
  • {BLOCKED}a.co.uk
  • {BLOCKED}ader.com
  • {BLOCKED}phage_pedik.com
  • {BLOCKED}m.ovh
  • Where string1 is equal to the following:
    • wp-content
    • static
    • content
    • includes
    • data
    • uploads
    • news
  • Where string2 is equal to the following:
    • images
    • pictures
    • image
    • graphic
    • assets
    • pics
    • imgs
    • tmp
  • Where string3 is equal to the combination of the following:
    • im
    • de
    • ka
    • ke
    • am
    • es
    • so
    • fu
    • se
    • da
    • he
    • ru
    • me
    • mo
    • th
    • zu
  • Where string4 is equal to the following:
    • jpg
    • png
    • gif
    • bmp

  マルウェアは、実行後、自身を削除します。

  ランサムウェアの不正活動

  マルウェアは、ファイル名に以下の文字列を含むファイルの暗号化はしません。

  • desktop.ini
  • autorun.inf
  • ntuser.dat
  • iconcache.db
  • bootsect.bak
  • boot.ini
  • ntuser.dat.log
  • Thumbs.db
  • KRAB-DECRYPT.html
  • KRAB-DECRYPT.txt
  • CRAB-DECRYPT.txt
  • ntldr
  • NTDETECT.COM
  • Bootfont.bin

  マルウェアは、以下のフォルダ内で確認されたファイルの暗号化はしません。

  • ProgramData
  • IETldCache
  • Boot
  • Program Files
  • Tor Browser
  • All Users
  • Local Settings
  • Windows
  • %Windows%
  • %AppDataLocal%
  • %Program Files%\Common Files
  • %Program Files%

  (註：%Windows%フォルダは、Windowsが利用するフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows" です。.. %AppDataLocal%フォルダは、ローカルアプリケーションデータフォルダです。Windows 2000、XP、Server 2003の場合、通常 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data" です。また、Windows Vista、7、8の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Local" です。. %Program Files%フォルダは、デフォルトのプログラムファイルフォルダです。Windows 2000、Server 2003、XP（32-bit）,Vista（32-bit）、7（32-bit）、8（32-bit）の場合、通常 "C:\Program Files"です。また、Windows XP（64-bit）、Vista（64-bit）、7（64-bit）、8（64-bit）の場合、通常 "C:\Program Files（x86）" です。)

  マルウェアは、暗号化されたファイルのファイル名に以下の拡張子を追加します。

  • .KRAB

  マルウェアが作成する以下のファイルは、脅迫状です。

  • {Encrypted Directory}\KRAB-DECRYPT.txt