Ransom.Win32.GANDCRAB.THOIBOAK
Trojan-Ransom.Win32.GandCrypt.exy (Kaspersky), Troj/GandCrab-Z (Sophos AV), Trojan:Win32/Occamy.C (Microsoft)
Windows
Malware type:
Ransomware
Destructive:
No
Encrypted:
Yes
In the wild:
Yes
Overview
This malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to certain websites to send and receive information. It deletes itself after execution.
Technical Details
Arrival Details
This malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
It creates the following mutex to ensure that only one copy of itself runs in memory at any one time:
- Global\{Random Hex}.lock
Other System Modifications
It adds the following registry entries:
HKEY_CURRENT_USER\SOFTWARE\keys_data\data
private = {Key}
HKEY_CURRENT_USER\SOFTWARE\keys_data\data
public = {Key}
Process Termination
It terminates the following processes if it finds them running in the affected system's memory:
- msftesql.exe
- sqlagent.exe
- sqlbrowser.exe
- sqlwriter.exe
- oracle.exe
- ocssd.exe
- dbsnmp.exe
- synctime.exe
- agntsvc.exeisqlplussvc.exe
- xfssvccon.exe
- sqlservr.exe
- mydesktopservice.exe
- ocautoupds.exe
- agntsvc.exeagntsvc.exe
- agntsvc.exeencsvc.exe
- firefoxconfig.exe
- tbirdconfig.exe
- mydesktopqos.exe
- ocomm.exe
- mysqld.exe
- mysqld-nt.exe
- mysqld-opt.exe
- dbeng50.exe
- sqbcoreservice.exe
- excel.exe
- infopath.exe
- msaccess.exe
- mspub.exe
- onenote.exe
- outlook.exe
- powerpnt.exe
- steam.exe
- sqlservr.exe
- thebat.exe
- thebat64.exe
- thunderbird.exe
- visio.exe
- winword.exe
Information Theft
It gathers the following information:
- Username
- Computer Name
- Network
- System Language
- Machine Keyboard Layout
- OS Version and Platform
- AV products installed
- Processor
- IP Address
- Network and Local Drives information
- Ransom ID
- GandCrab Internal Info:
  - id
  - sub_id
  - version
  - action
Other Details
It connects to the following websites to send and receive information:
- http://{URL}/{string1}/{string2}/{string3}.{string4}
- Where URL is equal to the following:
- {BLOCKED}rno.com
- {BLOCKED}.{BLOCKED}.1.219
- {BLOCKED}.{BLOCKED}.113.170
- {BLOCKED}.{BLOCKED}.17.237
- {BLOCKED}.{BLOCKED}.96.238
- {BLOCKED}.{BLOCKED}.99.104
- {BLOCKED}.{BLOCKED}.17.9
- {BLOCKED}.{BLOCKED}.99.165
- {BLOCKED}questions.ru
- {BLOCKED}.{BLOCKED}.17.155
- {BLOCKED}.{BLOCKED}.187.178
- {BLOCKED}ngbrazil.com
- {BLOCKED}.{BLOCKED}.60.222
- {BLOCKED}flats.com
- {BLOCKED}.{BLOCKED}.241.0
- {BLOCKED}n.cn
- {BLOCKED}ndicraft.com
- {BLOCKED}ocarro.com.br
- {BLOCKED}t.fr
- {BLOCKED}ultibrasil.com.br
- {BLOCKED}.io
- {BLOCKED}tessa.com
- {BLOCKED}veis.imb.br
- {BLOCKED}ampustaksi.com.tr
- {BLOCKED}sna.com.ua
- {BLOCKED}.com
- {BLOCKED}kpick.com
- {BLOCKED}selamatankerja.co
- {BLOCKED}intakeaway.com
- {BLOCKED}ayrimenkul.com
- {BLOCKED}analuxe.lviv.ua
- {BLOCKED}m.be
- {BLOCKED}afas.org
- {BLOCKED}rdin.com
- {BLOCKED}tsouverts.org
- {BLOCKED}nas.kiev.ua
- {BLOCKED}ontractors.com.au
- {BLOCKED}.mx
- {BLOCKED}oft.in
- {BLOCKED}urk.club
- {BLOCKED}agroupbd.com
- {BLOCKED}stay.com
- {BLOCKED}inhduong.com
- {BLOCKED}me.ru
- {BLOCKED}uilder.com
- {BLOCKED}arscooter.com
- {BLOCKED}aevents.com
- {BLOCKED}latpars.ir
- {BLOCKED}ries-acl-37.fr
- {BLOCKED}iya.com
- {BLOCKED}feder.com
- {BLOCKED}intpl.com
- {BLOCKED}.com
- {BLOCKED}mpany.ru
- {BLOCKED}tore.com
- {BLOCKED}rdupain.it
- {BLOCKED}isbuildcon.com
- {BLOCKED}roupllc.com
- {BLOCKED}edding.ru
- {BLOCKED}ate.com.ua
- {BLOCKED}night.cz
- {BLOCKED}rdstone.com
- {BLOCKED}vestforum.com
- {BLOCKED}pieds.be
- {BLOCKED}ooomdevserver.com
- {BLOCKED}itabela.com
- {BLOCKED}oducciones.com.gt
- {BLOCKED}resa.com
- {BLOCKED}ickphotography.es
- {BLOCKED}ackpt.com
- {BLOCKED}.top
- {BLOCKED}carpet.com
- {BLOCKED}hos.com
- {BLOCKED}adental.com.au
- {BLOCKED}stest9.uk
- {BLOCKED}ud.com
- {BLOCKED}kids.com.ua
- {BLOCKED}beyenal.com
- {BLOCKED}gsanhuyphat68.com
- {BLOCKED}hukuk.com
- {BLOCKED}ch.com
- {BLOCKED}c.org
- {BLOCKED}t.co.kr
- {BLOCKED}herstech.com
- {BLOCKED}bride.net
- {BLOCKED}lk.ca
- {BLOCKED}obabyphotographyseattle.com
- {BLOCKED}.com.ve
- {BLOCKED}com-berlin.de
- {BLOCKED}folks.com
- {BLOCKED}tyempire.com
- {BLOCKED}me-fishing-croatia.hr
- {BLOCKED}blue.com
- {BLOCKED}schell.com
- {BLOCKED}dlife.in
- blog.{BLOCKED}t.com
- blog.{BLOCKED}od.mx
- blog.{BLOCKED}e.com
- blog.{BLOCKED}angfagao.com
- blog.{BLOCKED}aiwan.com
- {BLOCKED}lm.eu
- {BLOCKED}eed.club
- {BLOCKED}ngrosebd.com
- {BLOCKED}llhdb.com
- {BLOCKED}que.com
- {BLOCKED}owradio.com
- {BLOCKED}odelbastarr.com
- {BLOCKED}gbmoredjsteve.com
- boucherie.{BLOCKED}hefrais.com
- {BLOCKED}t-pascal.fr
- {BLOCKED}r.com.ua
- {BLOCKED}enceiling.com.hk
- {BLOCKED}p.co.id
- {BLOCKED}oiles.com
- {BLOCKED}oft.com
- {BLOCKED}htrinh.net
- {BLOCKED}hcondotel.site
- {BLOCKED}palcity.top
- {BLOCKED}united.com
- {BLOCKED}on7tanphu.com
- {BLOCKED}evanlines.com
- {BLOCKED}ck.ncplinc.net
- {BLOCKED}flirtings.com
- {BLOCKED}etnam.com
- {BLOCKED}.fr
- {BLOCKED}x.com
- {BLOCKED}.net
- {BLOCKED}swadefinance.co.uk
- charm.andreea.{BLOCKED}droni.ro
- {BLOCKED}show.com
- {BLOCKED}ana.ru
- {BLOCKED}ung.info
- {BLOCKED}itoshow.com
- {BLOCKED}ia-ciudadana.es
- {BLOCKED}k.com
- citrus.{BLOCKED}v.ua
- {BLOCKED}osetselfstorage.com
- {BLOCKED}ripcustomercare.com
- {BLOCKED}adentaldelgado.es
- {BLOCKED}ueesthetiquepasteur.com
- cms.{BLOCKED}achundkulturstiftung.de
- {BLOCKED}hservicos.com.br
- {BLOCKED}yetsanthaomeo.com
- {BLOCKED}rketing.agency
- {BLOCKED}t.com
- {BLOCKED}.no
- {BLOCKED}encesdiary.com
- {BLOCKED}ssodesignam.com.br
- {BLOCKED}tsbank.cc
- {BLOCKED}i.ga
- {BLOCKED}rv.pixelsco.com
- {BLOCKED}.cn
- {BLOCKED}marketplace.eu
- {BLOCKED}adelsureste.com
- {BLOCKED}ceans-td.com
- {BLOCKED}lhilldesign.com
- {BLOCKED}g.ase.ro
- {BLOCKED}r.ro
- {BLOCKED}t.eu
- {BLOCKED}roms.cba.pl
- {BLOCKED}egas.com
- {BLOCKED}ent.com
- {BLOCKED}-services.com
- {BLOCKED}stsystems.com
- {BLOCKED}carpentry.training
- {BLOCKED}g.party
- {BLOCKED}chamber.org
- {BLOCKED}guridad.com
- deneme2.{BLOCKED}ber.net
- {BLOCKED}ays.ru
- {BLOCKED}ptivevideoproductions.com
- {BLOCKED}dawnschool.com
- dev.{BLOCKED}ywilshiremedical.com
- {BLOCKED}.com.br
- {BLOCKED}rmatique.ca
- {BLOCKED}orgasmo.cl
- {BLOCKED}lharf.com
- {BLOCKED}.com
- {BLOCKED}emena.com
- {BLOCKED}tusa.com
- {BLOCKED}petshop.life
- {BLOCKED}s.com.br
- {BLOCKED}anquoc.com
- {BLOCKED}gigimuda.com
- {BLOCKED}edia.com
- drummelo.{BLOCKED}ista.org
- dsc.{BLOCKED}almea.info
- {BLOCKED}hings.com
- {BLOCKED}raditions.nl
- {BLOCKED}a.com.br
- {BLOCKED}iketler.com
- {BLOCKED}turf.org
- {BLOCKED}ergy.co.nz
- {BLOCKED}te.com
- {BLOCKED}t.nu
- {BLOCKED}-vent.ru
- {BLOCKED}ea.biz
- {BLOCKED}aplanmark.com.br
- {BLOCKED}a.com
- {BLOCKED}e.biz
- {BLOCKED}asar.com
- {BLOCKED}ictrainproductions.com
- {BLOCKED}obox.org
- {BLOCKED}o-beckers.de
- {BLOCKED}opastuh.ru
- {BLOCKED}ck.com
- {BLOCKED}hope.org
- {BLOCKED}lagosta.cat
- {BLOCKED}-utama.com
- {BLOCKED}r.es
- {BLOCKED}bostad.se
- {BLOCKED}ondezigns.com
- {BLOCKED}diovisual.com
- {BLOCKED}pisy.cba.pl
- {BLOCKED}rrstrom.com
- {BLOCKED}grup.com.tr
- {BLOCKED}arpati.com
- {BLOCKED}-girls.services
- {BLOCKED}scompany.com
- {BLOCKED}ial-campinggear.com
- {BLOCKED}ecimientos.sintinovoy.sevapp20.com
- {BLOCKED}x.org
- {BLOCKED}alip.com
- {BLOCKED}.com
- {BLOCKED}stemsrl.net
- {BLOCKED}nclinic.com
- {BLOCKED}hingsale.com
- {BLOCKED}to.ru
- {BLOCKED}h.lu
- {BLOCKED}ctor.mobi
- {BLOCKED}h.org.tr
- {BLOCKED}.online
- {BLOCKED}adesenacpe.edu.br
- {BLOCKED}e.com
- {BLOCKED}.foco.cl
- {BLOCKED}kiprzemek.cba.pl
- {BLOCKED}renterprising.com
- {BLOCKED}enty.com
- {BLOCKED}idadpma.com
- {BLOCKED}feveda.com.ve
- {BLOCKED}ight.ru
- {BLOCKED}jodi.com
- {BLOCKED}asepromotions.co.za
- {BLOCKED}ms.mx
- {BLOCKED}lumbria.it
- {BLOCKED}.mobi
- {BLOCKED}ily.org
- {BLOCKED}etal.net
- {BLOCKED}y.cba.pl
- {BLOCKED}s-china.com
- {BLOCKED}crepelle.com
- {BLOCKED}ncemarketingtraining.com
- {BLOCKED}iritgroup.altervista.org
- {BLOCKED}trition.com.tr
- {BLOCKED}tszott.cba.pl
- {BLOCKED}corp.es
- {BLOCKED}onetransportation.com
- {BLOCKED}n.com
- {BLOCKED}ermocaldeiras.com.br
- {BLOCKED}iptraction.com
- {BLOCKED}donationtoday.com
- {BLOCKED}rkeynow.com
- {BLOCKED}j.adv.br
- {BLOCKED}lconstructions.in
- {BLOCKED}cafiorino1.altervista.org
- {BLOCKED}anes.altervista.org
- {BLOCKED}ster.ml
- {BLOCKED}les-noisetiers.fr
- {BLOCKED}y.com
- {BLOCKED}ball24h.com
- {BLOCKED}anau.com
- {BLOCKED}y.org.in
- {BLOCKED}d.website
- {BLOCKED}tore.com
- {BLOCKED}dinn.us
- {BLOCKED}rajasthan.allappshere.in
- {BLOCKED}iddleeastgate.com
- {BLOCKED}radecorp.com
- {BLOCKED}world-md.ru
- {BLOCKED}n.studio
- {BLOCKED}dcheesereviews.com
- {BLOCKED}erfetto.com.br
- {BLOCKED}com.cf
- {BLOCKED}li.fi
- {BLOCKED}o.ir
- {BLOCKED}oulsonfire.com
- {BLOCKED}s.vn
- {BLOCKED}onito.com
- {BLOCKED}.com
- {BLOCKED}obalholding.com
- {BLOCKED}inhkientaocuocdoi.com
- {BLOCKED}ftbay.ru
- {BLOCKED}interiordecorators.com
- {BLOCKED}esign.com
- {BLOCKED}lopezr.com
- {BLOCKED}heatpumps.nz
- {BLOCKED}ang.com
- {BLOCKED}tal.com
- {BLOCKED}etaksi.net
- {BLOCKED}ulness.com.ua
- {BLOCKED}andrestaurantgroup.com
- {BLOCKED}ongroup.com
- {BLOCKED}hoidsorted.com
- {BLOCKED}khoemanhtunhien.com
- {BLOCKED}untrycamo.com
- {BLOCKED}ignonline.com
- {BLOCKED}ngjiang.com
- {BLOCKED}tury.com
- {BLOCKED}isha.com
- {BLOCKED}ravel2018.com
- {BLOCKED}app.com
- {BLOCKED}tocatchacold.com
- {BLOCKED}d.gov.co
- {BLOCKED}e.fr
- {BLOCKED}radio.com
- {BLOCKED}gham.com
- {BLOCKED}gillusion.com
- {BLOCKED}art.fr
- {BLOCKED}ams.ir
- {BLOCKED}nostours.com
- {BLOCKED}.com
- {BLOCKED}eex.com
- {BLOCKED}u.com
- {BLOCKED}a-quest.com.ua
- {BLOCKED}ec.com.mx
- {BLOCKED}ushipyard.com
- {BLOCKED}group.com
- {BLOCKED}atica.uss.cl
- {BLOCKED}ut-journalisme.fr
- {BLOCKED}network.com.ng
- {BLOCKED}lower.ee
- {BLOCKED}ors-by-catherine.com
- {BLOCKED}ab.com.sg
- {BLOCKED}ener.org
- {BLOCKED}e.com.vn
- {BLOCKED}booth.com.au
- {BLOCKED}t.com
- {BLOCKED}er.net
- {BLOCKED}aat.com.tr
- {BLOCKED}ul212tesisat.com
- {BLOCKED}lier.com.au
- {BLOCKED}.com.br
- {BLOCKED}e-opalac.cba.pl
- {BLOCKED}kongtrul.org.tw
- {BLOCKED}tel.com
- {BLOCKED}g-ug.ru
- {BLOCKED}aphics.com
- {BLOCKED}kinasi.com
- {BLOCKED}ore.com
- {BLOCKED}adeplata23.com
- jupiter.csit.{BLOCKED}t.edu.au
- {BLOCKED}dans.com
- {BLOCKED}anna.no
- {BLOCKED}orp.link
- {BLOCKED}n.net
- {BLOCKED}on-restauracja.cba.pl
- {BLOCKED}aria-crm.pl
- {BLOCKED}treet.com
- {BLOCKED}anatco.com
- {BLOCKED}ou.be
- {BLOCKED}marketing.com
- {BLOCKED}i.com
- {BLOCKED}-fenster.ch
- {BLOCKED}clark.com
- {BLOCKED}darexpress.com
- {BLOCKED}rash.ir
- {BLOCKED}.com
- {BLOCKED}on.org
- {BLOCKED}rtvn.com
- {BLOCKED}nh345.com
- {BLOCKED}wood.store
- {BLOCKED}tgiao.com
- {BLOCKED}akdee.com
- {BLOCKED}laza.com
- {BLOCKED}kingcare.com
- {BLOCKED}leng.com
- {BLOCKED}an.cba.pl
- {BLOCKED}tplus.ru
- {BLOCKED}ypolyana123.ru
- {BLOCKED}d.ru
- {BLOCKED}n.com
- {BLOCKED}lar.kz
- {BLOCKED}m.com
- {BLOCKED}cizade.com.tr
- {BLOCKED}.com.au
- {BLOCKED}t.org
- {BLOCKED}gtrans.com
- {BLOCKED}rkscalifornia.org
- {BLOCKED}oyang.com
- {BLOCKED}rma.com
- ldm.{BLOCKED}rocknews.org
- lealengenharia.{BLOCKED}agemdesit
- {BLOCKED}uit.fr
- {BLOCKED}ley.com
- {BLOCKED}.polri.go.id
- {BLOCKED}inesdedemain.com
- {BLOCKED}f.dk
- lgg.{BLOCKED}v.br
- life.{BLOCKED}.com
- lloyd.www.{BLOCKED}ve-platform.net
- {BLOCKED}ents.com
- {BLOCKED}ckimnguyenphat.com.vn
- {BLOCKED}rb-rezept.com
- {BLOCKED}haiduong.com
- {BLOCKED}ocellitancredi.com
- {BLOCKED}s.co.uk
- {BLOCKED}s.pt
- {BLOCKED}entreprise.dk
- {BLOCKED}inoadvogados.com.br
- {BLOCKED}a.it
- {BLOCKED}actrice-web.com
- {BLOCKED}iler.com
- {BLOCKED}isleri.com
- {BLOCKED}.cba.pl
- {BLOCKED}nnelly.com
- {BLOCKED}pert.com
- {BLOCKED}p.pro
- {BLOCKED}enirvana.com
- {BLOCKED}ap.com
- {BLOCKED}ionacif.com
- {BLOCKED}d.com
- {BLOCKED}d.cba.pl
- {BLOCKED}kson.com
- {BLOCKED}a.com
- {BLOCKED}b.com
- {BLOCKED}aching.fr
- {BLOCKED}up.co.uk
- {BLOCKED}.com.ua
- {BLOCKED}dim.org
- {BLOCKED}c.ma
- {BLOCKED}nc.com
- {BLOCKED}.ir
- {BLOCKED}eb.com
- {BLOCKED}ao7.com
- {BLOCKED}iaparacoaches.com.br
- {BLOCKED}ur.com
- {BLOCKED}nd.me
- {BLOCKED}resultado.com
- {BLOCKED}bg.com
- {BLOCKED}tllc.com
- {BLOCKED}kapner.com
- {BLOCKED}.hu
- {BLOCKED}a.kg
- {BLOCKED}r.com
- {BLOCKED}typhotoworkshops.com
- {BLOCKED}z.com
- {BLOCKED}erjack.com
- {BLOCKED}ens.com
- {BLOCKED}tracting.ca
- {BLOCKED}t.com.kw
- {BLOCKED}ai.pl
- {BLOCKED}z.com
- {BLOCKED}geulis.com
- {BLOCKED}olita.es
- {BLOCKED}ng.cn
- {BLOCKED}360.pl
- {BLOCKED}.com
- {BLOCKED}ertainment.com
- {BLOCKED}tudio.com.my
- {BLOCKED}est.com
- {BLOCKED}i24.ru
- {BLOCKED}dea.com
- {BLOCKED}azr.com
- {BLOCKED}distributor.com
- {BLOCKED}esurgerythailand.com
- {BLOCKED}rsonal.com.ua
- {BLOCKED}iedesperchesboukhatem.fr
- {BLOCKED}ealty.com
- {BLOCKED}carelandscape.com
- {BLOCKED}nenda.com
- nazareimoveis.{BLOCKED}emporario.com.br
- {BLOCKED}s.info
- {BLOCKED}luavm.com
- {BLOCKED}da.ru
- {BLOCKED}.dk
- {BLOCKED}nstructioncorp.com
- {BLOCKED}r.com
- {BLOCKED}.cn
- {BLOCKED}earth.com
- {BLOCKED}nyc.com
- {BLOCKED}tinasat.com.br
- {BLOCKED}cordo.com
- {BLOCKED}trolina.com
- {BLOCKED}i-danasnje.info
- {BLOCKED}group.com
- nurfian.{BLOCKED}um.com
- {BLOCKED}lmastah.com
- {BLOCKED}ervice.ru
- {BLOCKED}inen.com
- {BLOCKED}tockfilms.com
- {BLOCKED}nsult.com
- {BLOCKED}school.com.br
- {BLOCKED}etih.com
- {BLOCKED}.ro
- {BLOCKED}businesskhabar.com
- {BLOCKED}itshop.com
- {BLOCKED}eerd.nl
- {BLOCKED}costruzioneabruzzo.piattaforma.eu
- {BLOCKED}da.info
- optikchrtek.{BLOCKED}oud.cz
- {BLOCKED}l.co.il
- {BLOCKED}m.com
- {BLOCKED}ontics.ir
- {BLOCKED}event.com.ua
- {BLOCKED}mafoto.com
- {BLOCKED}esofe.com
- {BLOCKED}viez.com
- {BLOCKED}oodgood.com
- {BLOCKED}nkeren.xyz
- {BLOCKED}dia.se
- {BLOCKED}ndshandyman.com
- {BLOCKED}go.com
- {BLOCKED}caligrafosevilla.es
- {BLOCKED}fund.org
- {BLOCKED}photo.ru
- {BLOCKED}thaoland.com
- {BLOCKED}apparel.no
- {BLOCKED}lancus.pl
- {BLOCKED}deck.com
- {BLOCKED}r.com
- {BLOCKED}urghbbq.com
- {BLOCKED}onsel.com
- {BLOCKED}ormacontralaprivatizaciondelcyii.org
- {BLOCKED}csamongus.com
- poly.{BLOCKED}polyblow.com.br
- {BLOCKED}ow.com.br
- {BLOCKED}.angryventures.com
- {BLOCKED}da74.ru
- {BLOCKED}cetalentos.com.br
- {BLOCKED}tseitai.com
- {BLOCKED}rkservicesinc.com
- {BLOCKED}adedeflandre.com
- {BLOCKED}esdeflex.com.br
- {BLOCKED}to.ru
- {BLOCKED}p.vn
- questraworld.{BLOCKED}video.com
- {BLOCKED}glish.com
- {BLOCKED}rssupply.us
- {BLOCKED}n.cba.pl
- {BLOCKED}.com
- {BLOCKED}co.ir
- {BLOCKED}tivemg.com
- {BLOCKED}en.com
- {BLOCKED}.com.ua
- {BLOCKED}ovin.ir
- {BLOCKED}o.com.br
- {BLOCKED}rica.com.mx
- {BLOCKED}ravel.com
- {BLOCKED}h.fr
- {BLOCKED}b.com.pl
- {BLOCKED}o.com
- {BLOCKED}s.top
- {BLOCKED}l.world
- {BLOCKED}allenentertainment.com
- {BLOCKED}ios.com
- {BLOCKED}ampsnorth.robomateplus.com
- {BLOCKED}ev.com
- {BLOCKED}ide.es
- {BLOCKED}ct3272.org
- {BLOCKED}e.com.mx
- {BLOCKED}al.by
- {BLOCKED}ankaravekil.com
- {BLOCKED}s.cl
- {BLOCKED}dan.es
- {BLOCKED}nali.com
- {BLOCKED}netcctv.com
- {BLOCKED}edu.com
- {BLOCKED}ans.com
- {BLOCKED}adi.com
- {BLOCKED}lloff-italy.web5s.com
- {BLOCKED}u.vn
- {BLOCKED}eriatrics.org
- {BLOCKED}casinoterpercaya.com
- {BLOCKED}app.be
- {BLOCKED}ierparis75.ovh
- {BLOCKED}illars.org.uk
- {BLOCKED}ningzone.com
- {BLOCKED}am.com
- {BLOCKED}gflames.com
- {BLOCKED}k.com
- {BLOCKED}k.com
- shop.{BLOCKED}istest.ir
- {BLOCKED}restschools.com
- {BLOCKED}um.com.ua
- {BLOCKED}ibilisim.com
- {BLOCKED}iindonesia.co.id
- {BLOCKED}ia.vn
- {BLOCKED}rde.com
- sites.{BLOCKED}blueskydigital.com.au
- {BLOCKED}matabunda.com
- {BLOCKED}d.cba.pl
- {BLOCKED}chnik.de
- {BLOCKED}ealer.fr
- {BLOCKED}e-gruttepier.nl
- {BLOCKED}dset.com
- {BLOCKED}-jkt.sch.id
- {BLOCKED}oli.org
- {BLOCKED}reation.com
- {BLOCKED}kagd.com
- social.{BLOCKED}opv.pp.ua
- {BLOCKED}ine.kiev.ua
- {BLOCKED}.org
- {BLOCKED}nko.dp.ua
- {BLOCKED}osing.ir
- {BLOCKED}rgym.nl
- {BLOCKED}dmanzi.com
- {BLOCKED}ton.com
- {BLOCKED}s.dk
- {BLOCKED}los.ru
- {BLOCKED}ohio.pbd-dev.com
- {BLOCKED}omputer.com.br
- {BLOCKED}artingnow.com
- {BLOCKED}ofminthill.com
- {BLOCKED}orlddirect.co.uk
- {BLOCKED}rkameratene.no
- {BLOCKED}erin-duisburg.net
- {BLOCKED}delcarratore.it
- {BLOCKED}viedrama.online
- {BLOCKED}n.com
- {BLOCKED}sa.com
- {BLOCKED}sbestphotography.com
- {BLOCKED}ne-city-ciputra.net
- {BLOCKED}hirty.pl
- {BLOCKED}k.com
- {BLOCKED}.ga
- {BLOCKED}ermei.xyz
- {BLOCKED}ro.ru
- {BLOCKED}spectehnika.ru
- {BLOCKED}a.today
- {BLOCKED}esona.com
- {BLOCKED}ardiologist.com
- {BLOCKED}de.info
- {BLOCKED}erview.com.vn
- test.{BLOCKED}ia.se
- test.{BLOCKED}-experten.be
- test.{BLOCKED}.pl
- test.{BLOCKED}cevherat.com
- test.{BLOCKED}theveeview.com
- test.{BLOCKED}webing.io
- testing.{BLOCKED}tallawang.com
- {BLOCKED}y-work.ru
- {BLOCKED}exports.com
- {BLOCKED}larsisters.ca
- {BLOCKED}iwebvn.com
- {BLOCKED}spire.co.uk
- {BLOCKED}tatrockwells.com
- {BLOCKED}velnext.com
- {BLOCKED}ikalavathi.info
- {BLOCKED}nabis.com
- {BLOCKED}phamgia.com
- {BLOCKED}townbooks.com
- {BLOCKED}duc.info
- {BLOCKED}hinipassofundo.com.br
- {BLOCKED}mores.com.br
- {BLOCKED}lenka.ru
- {BLOCKED}t-hobby.com
- {BLOCKED}.ru
- {BLOCKED}.es
- {BLOCKED}inegames.pro
- {BLOCKED}odazha.ru
- {BLOCKED}nbygger.se
- {BLOCKED}eship.top
- {BLOCKED}low.world
- {BLOCKED}ds.ir
- {BLOCKED}tanewsende.com
- {BLOCKED}hoh.com
- {BLOCKED}es.in
- {BLOCKED}uisman.com
- {BLOCKED}v.ru
- {BLOCKED}s.ir
- {BLOCKED}.org.ua
- {BLOCKED}site.aithent.com
- {BLOCKED}undation.es
- {BLOCKED}ndacion.es
- {BLOCKED}ndacion.eu
- {BLOCKED}ormervn.com
- {BLOCKED}mani.net
- {BLOCKED}t.se
- {BLOCKED}-int.karibuni.be
- {BLOCKED}dgoals.com
- {BLOCKED}college.com.au
- {BLOCKED}media.cf
- {BLOCKED}ctg.com
- {BLOCKED}motors.in
- {BLOCKED}.com.br
- {BLOCKED}13.hospedagemdesites.ws
- {BLOCKED}ply.com
- {BLOCKED}ey.com
- {BLOCKED}.ru
- {BLOCKED}vereventvideo.com
- {BLOCKED}esign.ru
- {BLOCKED}zdelamorena.com
- {BLOCKED}losbenimar.es
- {BLOCKED}ro.com
- {BLOCKED}afilho.com.br
- {BLOCKED}urs-tut.ru
- {BLOCKED}x.us
- {BLOCKED}evanguard.co.uk
- {BLOCKED}escangio.viethomes.land
- {BLOCKED}decor.net
- {BLOCKED}xi.net
- {BLOCKED}lisseta.com
- {BLOCKED}usebangladesh.com
- {BLOCKED}ainvest.com.br
- {BLOCKED}s.com.vn
- {BLOCKED}c.com
- {BLOCKED}urse.com
- {BLOCKED}ouropinions.net
- {BLOCKED}r.kz
- {BLOCKED}irek.com
- {BLOCKED}withmakeup.co.uk
- {BLOCKED}aftcustom.com
- {BLOCKED}keting.cinfoway.in
- {BLOCKED}ox.com
- {BLOCKED}chts-pyramide.tk
- {BLOCKED}allery.ru
- {BLOCKED}sslifescience.com
- {BLOCKED}trealty.com
- {BLOCKED}power-music.cba.pl
- {BLOCKED}t.tk
- {BLOCKED}arroy.fr
- {BLOCKED}thangz.com
- {BLOCKED}edy.ru
- {BLOCKED}y.com
- {BLOCKED}mpoptions.com
- {BLOCKED}amifier.com
- wp.{BLOCKED}s.men
- wp.{BLOCKED}t.fr
- {BLOCKED}emi.com
- {BLOCKED}k.com
- www.{BLOCKED}1.sr
- www.{BLOCKED}rasil.com
- www.{BLOCKED}c.com
- www.{BLOCKED}a.co.uk
- www.{BLOCKED}a.tn
- www.{BLOCKED}huoc.com.vn
- www.{BLOCKED}rentacars.com
- www.{BLOCKED}tmanipisak.com
- www.{BLOCKED}eupdate.ir
- www.{BLOCKED}ives-zoliennes.fr
- www.{BLOCKED}ngarayan.com
- www.{BLOCKED}nkundig.at
- www.{BLOCKED}pointpl.com
- www.{BLOCKED}d.cz
- www.{BLOCKED}sigortaaydin.com
- www.{BLOCKED}t.co.kr
- www.{BLOCKED}lerimpex.com
- www.{BLOCKED}wiseacademy.com
- www.{BLOCKED}adbandimperatives.org
- www.{BLOCKED}cure.fr
- www.{BLOCKED}av.hu
- www.{BLOCKED}touch.uk.com
- www.{BLOCKED}mare.it
- www.{BLOCKED}alaptop.com
- www.{BLOCKED}xs.biz
- www.{BLOCKED}ire.com
- www.{BLOCKED}deayrs.com
- www.{BLOCKED}obindumcltd.com
- www.{BLOCKED}havetoshine.com
- www.{BLOCKED}rsskn.com
- www.{BLOCKED}inapetrou.co.uk
- www.{BLOCKED}dent.com
- www.{BLOCKED}ransport.fr
- www.{BLOCKED}guardthemovie.com
- www.{BLOCKED}y.com.br
- www.{BLOCKED}tiasystems.com
- www.{BLOCKED}shotevents.com
- www.{BLOCKED}lpyme.biz
- www.{BLOCKED}rsants.com
- www.{BLOCKED}shinn.com
- www.{BLOCKED}lecharro.com
- www.{BLOCKED}radodai.com
- www.{BLOCKED}servicesgroup.com
- www.{BLOCKED}lsistemas.com.br
- www.{BLOCKED}uri.edu.in
- www.{BLOCKED}chool.vn
- www.{BLOCKED}i.nl
- www.{BLOCKED}kherrstrom.com
- www.{BLOCKED}aces-interieurs.net
- www.{BLOCKED}eticaderma.com
- www.{BLOCKED}el-albania.com
- www.{BLOCKED}osystemsrl.net
- www.{BLOCKED}bfoundation.gm
- www.{BLOCKED}ancetoit.fr
- www.{BLOCKED}911.com
- www.{BLOCKED}dsbn.com
- www.{BLOCKED}60.us
- www.{BLOCKED}liditalia.it
- www.{BLOCKED}s-for-kids.de
- www.{BLOCKED}v.news
- www.{BLOCKED}logis.com
- www.{BLOCKED}enwolfales.com
- www.{BLOCKED}upwine.fr
- www.{BLOCKED}umansena.co.in
- www.{BLOCKED}hpatal.com
- www.{BLOCKED}roser.pt
- www.{BLOCKED}merlandgolf.dk
- www.{BLOCKED}ervi.com.br
- www.{BLOCKED}gatecenter.org
- www.{BLOCKED}century.com
- www.{BLOCKED}peem.org
- www.{BLOCKED}interiors.com
- www.{BLOCKED}s.space
- www.{BLOCKED}sz.com
- www.{BLOCKED}bana.cat
- www.{BLOCKED}orideas9.com
- www.{BLOCKED}ationalmoversboston.com
- www.{BLOCKED}ssconnect.com
- www.{BLOCKED}aola.com
- www.{BLOCKED}t.com
- www.{BLOCKED}isunenfantterrible.com
- www.{BLOCKED}ngshi.cn
- www.{BLOCKED}bk.com
- www.{BLOCKED}ledans.com
- www.{BLOCKED}1.ir
- www.{BLOCKED}kidnews.com
- www.{BLOCKED}ezaagricola.com.br
- www.{BLOCKED}shnagrp.com
- www.{BLOCKED}toaskel.net
- www.{BLOCKED}outtedelixir.com
- www.{BLOCKED}ri.co.il
- www.{BLOCKED}ertag.kiev.ua
- www.{BLOCKED}thotel.it
- www.{BLOCKED}ariable.club
- www.{BLOCKED}kcoaching.com.au
- www.{BLOCKED}nsindustries.org
- www.{BLOCKED}nwood.co.uk
- www.{BLOCKED}itsolutionsbd.com
- www.{BLOCKED}napouyesh.com
- www.{BLOCKED}artegrise.eu
- www.{BLOCKED}eshsharma.live
- www.{BLOCKED}nlis.pt
- www.{BLOCKED}aeeventos.com.br
- www.{BLOCKED}ketopic.ru
- www.{BLOCKED}urley.com
- www.{BLOCKED}i.com.sg
- www.{BLOCKED}c.ma
- www.{BLOCKED}eyprotein.com
- www.{BLOCKED}horsepower.se
- www.{BLOCKED}iatravel.in
- www.{BLOCKED}leshairlounge.ca
- www.{BLOCKED}d.cz
- www.{BLOCKED}ah.com.my
- www.{BLOCKED}infantilvalencia.com
- www.{BLOCKED}i.co
- www.{BLOCKED}us.co.th
- www.{BLOCKED}kik.com
- www.{BLOCKED}ingbits.com
- www.{BLOCKED}oys.com.cn
- www.{BLOCKED}frozen.com.hk
- www.{BLOCKED}group.com.hk
- www.{BLOCKED}sdavetorganizasyon.com
- www.{BLOCKED}arpaslanmaz.com
- www.{BLOCKED}icholasossai.com
- www.{BLOCKED}pharmassist.com
- www.{BLOCKED}turistului.com
- www.{BLOCKED}int.online
- www.{BLOCKED}opapi.com
- www.{BLOCKED}barua.com
- www.{BLOCKED}tfunnelblueprint.com
- www.{BLOCKED}odbd.com
- www.{BLOCKED}ire.com
- www.{BLOCKED}mviet.com
- www.{BLOCKED}iarepentigny.ca
- www.{BLOCKED}g.com
- www.{BLOCKED}profile.com
- www.{BLOCKED}imports.com.br
- www.{BLOCKED}wwaffle.xyz
- www.{BLOCKED}rmatica.pt
- www.{BLOCKED}vten.xyz
- www.{BLOCKED}n.com
- www.{BLOCKED}imos.com
- www.{BLOCKED}ifbumipersada.com
- www.{BLOCKED}a.com.br
- www.{BLOCKED}troiscours.com
- www.{BLOCKED}reasure.com
- www.{BLOCKED}t.in
- www.{BLOCKED}njews.com
- www.{BLOCKED}ehandmade.com
- www.{BLOCKED}archat.com
- www.{BLOCKED}etorganizasyon.com
- www.{BLOCKED}anmobilyadekorasyon.com
- www.{BLOCKED}ischerd.com
- www.{BLOCKED}eks.com
- www.{BLOCKED}br.com
- www.{BLOCKED}ri.com
- www.{BLOCKED}omputers.ro
- www.{BLOCKED}imint.com
- www.{BLOCKED}emasapex.mx
- www.{BLOCKED}ma.cn
- www.{BLOCKED}alconcepts-cm.com
- www.{BLOCKED}rdigitalweb.com
- www.{BLOCKED}ol.com
- www.{BLOCKED}enda.com
- www.{BLOCKED}rkin.com
- www.{BLOCKED}co.ir
- www.{BLOCKED}urfmats.com
- www.{BLOCKED}ellars.com
- www.{BLOCKED}hewa.com
- www.{BLOCKED}ungalowstay.in
- www.{BLOCKED}isoft.hn
- www.{BLOCKED}ube.com
- www.{BLOCKED}ual.com
- www.{BLOCKED}phonecenter.com
- www.{BLOCKED}scomfortable.com
- www.{BLOCKED}stevenrice.com
- www.{BLOCKED}daptables.com
- www.{BLOCKED}tlanticseafoodcompany.com
- www.{BLOCKED}oveassembly.com
- www.{BLOCKED}arco.com
- www.{BLOCKED}ra.com.br
- www.{BLOCKED}viacao.com.br
- www.{BLOCKED}aja.com
- www.{BLOCKED}laybasket.fr
- www.{BLOCKED}nto.com
- www.{BLOCKED}iaexpeditionsperu.com
- www.{BLOCKED}in2014.com
- www.{BLOCKED}arcisi.com
- www.{BLOCKED}ect.fr
- www.{BLOCKED}thfully.com
- www.{BLOCKED}b.org
- www.{BLOCKED}t.travel
- www.{BLOCKED}icasantiago.com.br
- www.{BLOCKED}seo.com
- www.{BLOCKED}avie.fr
- www.{BLOCKED}ilm.ga
- www.{BLOCKED}wear.com
- www.{BLOCKED}m.cn
- www.{BLOCKED}weil.de
- www.{BLOCKED}resspractice.cf
- www.{BLOCKED}derabad.com
- www.{BLOCKED}armdnsalonlar-fjb55aa34dpkdo.com
- www.{BLOCKED}ass.com
- www.{BLOCKED}esign.com
- www.{BLOCKED}dapalhanoimoveis.com.br
- www.{BLOCKED}nakliye.com
- www.{BLOCKED}e.com
- www.{BLOCKED}anle.com
- {BLOCKED}ivietnam.com
- {BLOCKED}h.net
- {BLOCKED}ity.com
- {BLOCKED}sbb5ad1beecki5h.xn--p1ai
- {BLOCKED}sbbax1aamaagfpjbdc3dm.xn--p1ai
- {BLOCKED}sbcfeovaaet2bacdygacidsedek.xn--p1acf
- {BLOCKED}anbmdrdpayqtg1d7h.xn--p1ai
- {BLOCKED}dsn2ag7e.xn--p1ai
- {BLOCKED}vc1e.xn--p1acf
- {BLOCKED}.ltd
- {BLOCKED}ocnam.com
- {BLOCKED}ngguoji.com
- {BLOCKED}creativeco.com
- {BLOCKED}sdrive.com
- {BLOCKED}piwater.com
- {BLOCKED}dy.com.br
- {BLOCKED}-group.com
- {BLOCKED}.com
- {BLOCKED}a.co.uk
- {BLOCKED}ader.com
- {BLOCKED}phage_pedik.com
- {BLOCKED}m.ovh
- Where string1 is equal to the following:
- wp-content
- static
- content
- includes
- data
- uploads
- news
- Where string2 is equal to the following:
- images
- pictures
- image
- graphic
- assets
- pics
- imgs
- tmp
- Where string3 is a combination of the following:
- im
- de
- ka
- ke
- am
- es
- so
- fu
- se
- da
- he
- ru
- me
- mo
- th
- zu
- Where string4 is equal to the following:
- jpg
- png
- gif
- bmp
It deletes itself after execution.
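The URL scheme described above lends itself to a proxy-log check. The following Python is an added example, not part of this encyclopedia entry and not a Trend Micro tool: it builds a regular expression from the four component lists exactly as given on this page, runs it over a few constructed proxy log lines (the host names, client addresses and log format are invented for the example), and then flags only clients that hit the pattern on several distinct hosts. A single match is weak evidence, since an ordinary image such as /wp-content/images/demo.jpg also satisfies the pattern (de + mo), whereas this malware's fan-out across the long host list above is what stands out.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path components as documented on this page for the C2 URL pattern
# http://{URL}/{string1}/{string2}/{string3}.{string4}
STRING1 = ["wp-content", "static", "content", "includes", "data", "uploads", "news"]
STRING2 = ["images", "pictures", "image", "graphic", "assets", "pics", "imgs", "tmp"]
STRING3_SYLLABLES = ["im", "de", "ka", "ke", "am", "es", "so", "fu",
                     "se", "da", "he", "ru", "me", "mo", "th", "zu"]
STRING4 = ["jpg", "png", "gif", "bmp"]


def _alt(words):
    """Build a regex alternation from a list of literal strings."""
    return "|".join(re.escape(w) for w in words)


# The whole path must be exactly /{string1}/{string2}/{string3}.{string4},
# where string3 is one or more of the syllables concatenated.
C2_PATH_RE = re.compile(
    r"^/(?P<s1>" + _alt(STRING1) + r")"
    r"/(?P<s2>" + _alt(STRING2) + r")"
    r"/(?P<s3>(?:" + _alt(STRING3_SYLLABLES) + r")+)"
    r"\.(?P<s4>" + _alt(STRING4) + r")$"
)


def matches_c2_pattern(url):
    """True if the URL path matches the GandCrab beacon path pattern."""
    return C2_PATH_RE.match(urlsplit(url).path) is not None


# Constructed proxy log (not from the page): "<time> <client> <method> <url> <status>".
# The first four lines mimic one host fanning out to many sites; the last
# three are benign traffic, including one accidental pattern match (demo.jpg).
SAMPLE_PROXY_LOG = """\
2018-07-10T09:00:01Z 10.0.0.5 GET http://example-a.test/wp-content/images/kame.jpg 404
2018-07-10T09:00:02Z 10.0.0.5 GET http://example-b.test/static/pics/sodaru.png 404
2018-07-10T09:00:03Z 10.0.0.5 GET http://example-c.test/uploads/tmp/hethzu.gif 404
2018-07-10T09:00:04Z 10.0.0.5 GET http://example-d.test/news/assets/esfu.bmp 404
2018-07-10T09:00:10Z 10.0.0.7 GET http://example-e.test/wp-content/images/demo.jpg 200
2018-07-10T09:00:11Z 10.0.0.7 GET http://example-e.test/wp-content/uploads/2018/07/banner.jpg 200
2018-07-10T09:00:12Z 10.0.0.9 GET http://example-f.test/images/logo.png 200
"""


def parse_proxy_log(text):
    """Parse the constructed five-field log format into event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of failing the whole run
        ts, client, method, url, status = parts
        events.append({"ts": ts, "client": client, "method": method,
                       "url": url, "status": status})
    return events


def find_pattern_hits(events):
    """All events whose URL path matches the beacon pattern (includes false positives)."""
    return [e for e in events if matches_c2_pattern(e["url"])]


def flag_beaconing_clients(events, min_distinct_hosts=3):
    """Clients that hit the pattern on at least min_distinct_hosts different hosts.

    Returns {client: sorted list of hosts}; the threshold filters out the
    single accidental match that a legitimate image name can produce.
    """
    hosts = defaultdict(set)
    for e in find_pattern_hits(events):
        hosts[e["client"]].add(urlsplit(e["url"]).hostname)
    return {c: sorted(h) for c, h in hosts.items() if len(h) >= min_distinct_hosts}


if __name__ == "__main__":
    evts = parse_proxy_log(SAMPLE_PROXY_LOG)
    for hit in find_pattern_hits(evts):
        print("pattern hit:", hit["client"], hit["url"])
    print("flagged clients:", flag_beaconing_clients(evts))
```

On the sample log, five lines match the path pattern but only 10.0.0.5 is flagged, because it is the only client contacting three or more distinct hosts with such paths; the demo.jpg request from 10.0.0.7 is reported as a hit but not escalated. Tune min_distinct_hosts to the window of log you feed in, and treat a match against a host from the list on this page as an independent, stronger signal.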
Ransomware Routine
It avoids encrypting files with the following strings in their file name:
- desktop.ini
- autorun.inf
- ntuser.dat
- iconcache.db
- bootsect.bak
- boot.ini
- ntuser.dat.log
- Thumbs.db
- KRAB-DECRYPT.html
- KRAB-DECRYPT.txt
- CRAB-DECRYPT.txt
- ntldr
- NTDETECT.COM
- Bootfont.bin
It avoids encrypting files found in the following folders:
- ProgramData
- IETldCache
- Boot
- Program Files
- Tor Browser
- All Users
- Local Settings
- Windows
- %Windows%
- %AppDataLocal%
- %Program Files%\Common Files
- %Program Files%
(Note: %Windows% is the Windows folder, which is usually "C:\Windows" on all operating systems. %AppDataLocal% is the Local Application Data folder, which is usually "C:\Documents and Settings\<user name>\Local Settings\Application Data" on Windows 2000, XP, and Server 2003, and "C:\Users\<user name>\AppData\Local" on Windows Vista, 7, and 8. %Program Files% is the default Program Files folder, which is usually "C:\Program Files" on Windows 2000, Server 2003, XP (32-bit), Vista (32-bit), 7 (32-bit), and 8 (32-bit), and "C:\Program Files(x86)" on Windows XP (64-bit), Vista (64-bit), 7 (64-bit), and 8 (64-bit).)
It appends the following extension to the file name of the encrypted files:
- .KRAB
It drops the following file as a ransom note:
- {Encrypted Directory}\KRAB-DECRYPT.txt
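To scope an infection from the artefacts listed in this section (the .KRAB extension and the KRAB-DECRYPT.txt note dropped into each encrypted directory), the following Python is an added example, not code from this page or from Trend Micro. It walks a directory tree, reports per directory how many files carry the extension and whether the note is present, and strips the extension to recover the original file names so they can be matched against backups. The sample tree it creates in a temporary directory is constructed for the example and is not real victim data.

```python
import os
import shutil
import tempfile

ENCRYPTED_EXT = ".KRAB"          # extension appended to encrypted files (from this page)
RANSOM_NOTE = "KRAB-DECRYPT.txt"  # ransom note dropped per encrypted directory (from this page)


def is_encrypted_name(name):
    """True if a file name ends with the appended extension (case-insensitive)."""
    return name.upper().endswith(ENCRYPTED_EXT)


def original_name(encrypted_name):
    """Strip the appended extension to recover the pre-encryption file name.

    The page states the extension is appended to the existing name, so
    'report.docx.KRAB' was 'report.docx'. Names without the extension are
    returned unchanged.
    """
    if is_encrypted_name(encrypted_name):
        return encrypted_name[:-len(ENCRYPTED_EXT)]
    return encrypted_name


def scope_encrypted_tree(root):
    """Walk root; return {relative_dir: {"encrypted": n, "note": bool, "originals": [...]}}.

    Only directories that contain encrypted files or a ransom note are reported,
    so the result directly lists the places that need restoration.
    """
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sorted(f for f in filenames if is_encrypted_name(f))
        note_present = RANSOM_NOTE in filenames
        if encrypted or note_present:
            rel = os.path.relpath(dirpath, root)
            report[rel] = {
                "encrypted": len(encrypted),
                "note": note_present,
                "originals": [original_name(f) for f in encrypted],
            }
    return report


def summarize(report):
    """Roll a per-directory report up into totals for an incident ticket."""
    return {
        "directories": len(report),
        "encrypted_files": sum(v["encrypted"] for v in report.values()),
        "ransom_notes": sum(1 for v in report.values() if v["note"]),
    }


def build_sample_tree():
    """Constructed sample tree (not real data): two hit directories, two untouched ones."""
    root = tempfile.mkdtemp(prefix="krab-scope-")
    layout = {
        "Documents": ["report.docx.KRAB", "budget.xlsx.KRAB", RANSOM_NOTE],
        os.path.join("Documents", "Archive"): ["old.pdf.KRAB", RANSOM_NOTE],
        "Pictures": ["holiday.jpg"],   # untouched directory
        "Windows": ["desktop.ini"],    # both folder and file name are on the skip lists above
    }
    for d, files in layout.items():
        path = os.path.join(root, d)
        os.makedirs(path, exist_ok=True)
        for f in files:
            with open(os.path.join(path, f), "w") as fh:
                fh.write("placeholder content\n")
    return root


def cleanup_sample_tree(root):
    """Remove the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        rep = scope_encrypted_tree(sample_root)
        for d, info in sorted(rep.items()):
            print(d, info)
        print("summary:", summarize(rep))
    finally:
        cleanup_sample_tree(sample_root)
```

Point scope_encrypted_tree at a mounted image of the affected volume rather than the live system, and compare the "originals" lists against backup catalogues to decide what can be restored; the summary counts are what an incident record usually needs first.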
Solution
Step 1
Before running any scan, Windows XP, Windows Vista, and Windows 7 users must disable System Restore so that the malware or adware can be completely removed from the computer.
Step 2
Not all of the files, folders, and registry keys and values listed in these steps are necessarily installed on the computer when this malware or adware runs. Installation may be incomplete, or the operating system's conditions may prevent installation. If the file, folder, or registry information described in a step is not found, that step is not needed; proceed to the next step.
Step 3
Restart Windows in Safe Mode.
Step 4
Delete these registry values.
Warning: The registry is a database in which Windows stores its configuration information. Incorrect edits to the registry can stop the system from working properly.
Please edit the registry at your own risk; we cannot compensate for any problems caused by registry edits.
Refer to this page before editing the registry.
- In HKEY_CURRENT_USER\SOFTWARE\keys_data\data
  - private = {Key}
- In HKEY_CURRENT_USER\SOFTWARE\keys_data\data
  - public = {Key}
Step 5
Search for and delete the following file:
- {Encrypted Folder}\KRAB-DECRYPT.txt
Step 6
Restart the computer in normal mode and, using an antivirus product updated to the latest engine and pattern file, scan for files detected as "Ransom.Win32.GANDCRAB.THOIBOAK". If the detected files have already been cleaned, quarantined, or deleted by your Trend Micro product, the malware has been handled and no further removal steps are required.