RANSOM_GANDCRAB.THOIBEAH

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

侵入方法

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

他のシステム変更

マルウェアは、インストールの過程で、以下のレジストリ値を追加します。

HKEY_CURRENT_USER\Software\ex_data\
data

HKEY_CURRENT_USER\Software\keys_data\
data

その他

マルウェアは、以下の不正なWebサイトにアクセスします。

• http://www.{BLOCKED}impex.com:443
• http://www.{BLOCKED}egrise.eu/data/assets/keesimmeru.gif
• http://www.{BLOCKED}g.com/content/assets/imes.jpg
• http://{BLOCKED}photo.ru/includes/tmp/esso.jpg
• http://{BLOCKED}mpany.ru/wp-content/images/seruhede.jpg
• http://www.{BLOCKED}undation.gm/wp-content/graphic/esmo.png
• http://www.{BLOCKED}tfunnelblueprint.com/news/tmp/rukeamsoim.bmp
• http://www.{BLOCKED}ear.com/news/pics/kaamkahede.png
• http://{BLOCKED}da74.ru/content/tmp/sokaim.bmp
• http://{BLOCKED}t.net/includes/images/daru.jpg
• http://{BLOCKED}obabyphotographyseattle.com/includes/assets/eskethmoes.png
• http://{BLOCKED}m.be/content/images/imrumo.gif
• http://{BLOCKED}owradio.com:443
• http://{BLOCKED}p.com:443
• http://{BLOCKED}t.fr/static/imgs/dedamomo.gif
• http://{BLOCKED}emi.com/wp-content/imgs/dedazu.gif
• http://www.{BLOCKED}v.hu/news/imgs/deke.jpg
• http://www.{BLOCKED}d.cz/wp-content/assets/esso.jpg
• http://{BLOCKED}n.cn/data/image/soka.jpg
• http://{BLOCKED}d.website/news/pics/kezu.bmp
• http://{BLOCKED}inen.com/uploads/graphic/seimzuzu.jpg
• http://{BLOCKED}mores.com.br/wp-content/pictures/esde.png
• http://{BLOCKED}ckexpert.su/
• http://{BLOCKED}n.dk/uploads/graphic/sedasefuke.gif
• http://{BLOCKED}a.co.uk/wp-content/images/kedehemo.jpg
• http://www.{BLOCKED}s.co.th/uploads/images/imeszumoes.bmp
• http://{BLOCKED}tplus.ru/uploads/assets/zues.bmp
• http://{BLOCKED}s.vn/data/assets/zuhemeamhe.png
• http://{BLOCKED}isleri.com:443
• http://www.{BLOCKED}viacao.com.br/news/image/somofuso.jpg
• http://www.{BLOCKED}t.in/uploads/graphic/medeseru.png
• http://www.{BLOCKED}edelixir.com/uploads/pics/rume.png
• http://www.{BLOCKED}grp.com:443
• http://{BLOCKED}me-fishing-croatia.hr:443
• http://{BLOCKED}ionacif.com/wp-content/tmp/fuzuimka.png
• http://www.{BLOCKED}ssconnect.com/content/graphic/thfudekeso.jpg
• http://{BLOCKED}edding.ru/uploads/pics/fudafuam.bmp
• http://{BLOCKED}t.theveeview.com/data/assets/kaeshe.bmp
• http://{BLOCKED}rica.com.mx/static/pictures/darudemehe.png
• http://{BLOCKED}l.com.ve:443
• http://{BLOCKED}s.com.vn/news/images/amhe.jpg
• http://{BLOCKED}lm.eu/data/graphic/zusorukaes.jpg
• http://{BLOCKED}egas.com:443
• http://{BLOCKED}l.by:443
• http://www.{BLOCKED}landgolf.dk:443
• http://{BLOCKED}ravel2018.com/content/graphic/zuimrumezu.jpg
• http://{BLOCKED}lancus.pl/content/imgs/kedemeim.gif
• http://{BLOCKED}motors.in:443
• http://{BLOCKED}ypolyana123.ru/includes/pictures/zude.gif
• http://{BLOCKED}oli.org/wp-content/image/demekesemo.gif
• http://{BLOCKED}eed.club/data/assets/kazumo.bmp
• http://{BLOCKED}h.lu/content/pictures/rufuam.gif
• http://{BLOCKED}v.com.br:443
• http://{BLOCKED}dinn.us/content/tmp/kathme.jpg
• http://{BLOCKED}2.ru/news/images/seim.bmp
• http://{BLOCKED}ibilisim.com/static/images/demehe.png
• http://{BLOCKED}k.com/uploads/imgs/kefumethesru.jpg
• http://{BLOCKED}s.co.uk/content/pics/dekeke.jpg
• http://{BLOCKED}obalholding.com/data/image/zuamdezuka.bmp
• http://{BLOCKED}orgasmo.cl/wp-content/pics/zusome.jpg
• http://www.{BLOCKED}ine.fr/static/pictures/deimheseka.gif
• http://{BLOCKED}ens.com:443
• http://www.{BLOCKED}iasystems.com/data/pictures/soheka.jpg
• http://{BLOCKED}palcity.top/content/pics/kasofues.jpg
• http://{BLOCKED}iddleeastgate.com/data/assets/imdeheam.jpg
• http://{BLOCKED}adsn2ag7e.xn--p1ai/wp-content/imgs/ames.jpg
• http://www.{BLOCKED}a.com.br/includes/assets/daamso.bmp
• http://{BLOCKED}vc1e.xn--p1acf/content/assets/moeszu.bmp
• http://www.{BLOCKED}inapetrou.co.uk/static/pictures/demoruhe.jpg
• http://www.{BLOCKED}od.co.uk/includes/pictures/kath.png
• http://www.{BLOCKED}thfully.com/static/imgs/soheru.jpg
• http://{BLOCKED}des/tmp/rumokaamfu.gif
• http://{BLOCKED}lharf.com/data/graphic/hehefuzu.bmp
• http://www.{BLOCKED}ventos.com.br/content/pics/zuesimzu.gif
• http://www.{BLOCKED}deayrs.com:443
• http://{BLOCKED}art.fr/uploads/images/sosoimru.png
• http://www.{BLOCKED}gortaaydin.com/includes/graphic/kehe.bmp
• http://{BLOCKED}y.com/uploads/image/mefude.png
• http://{BLOCKED}m.com:443
• http://{BLOCKED}hirty.pl/content/pictures/sehedathmo.gif
• http://{BLOCKED}eerd.nl/data/tmp/ththam.bmp
• http://{BLOCKED}orp.link:443
• http://{BLOCKED}kongtrul.org.tw:443
• http://{BLOCKED}hos.com:443
• http://{BLOCKED}co.ir/wp-content/tmp/zuzukadazuda.jpg
• http://{BLOCKED}ervice.ru/data/tmp/esmekedada.png
• http://{BLOCKED}ts.com/includes/images/zuseimmese.bmp
• http://www.{BLOCKED}ag.kiev.ua/data/graphic/dedakeda.jpg
• http://{BLOCKED}com.cf/static/imgs/momeru.gif
• http://www.{BLOCKED}a.cat/content/pictures/furu.png
• http://{BLOCKED}les-noisetiers.fr/wp-content/assets/daeszu.jpg
• http://www.{BLOCKED}1.ir/content/graphic/eske.bmp
• http://{BLOCKED}d.com/content/tmp/deimka.png
• http://{BLOCKED}ener.org/static/graphic/thhees.bmp
• http://{BLOCKED}r.ga/news/pictures/hehesoda.jpg
• http://{BLOCKED}rgym.nl/data/assets/mothda.bmp
• http://{BLOCKED}ms.mx/content/graphic/mefumekezu.png
• http://www.{BLOCKED}hinn.com:443
• http://{BLOCKED}b.com.pl/wp-content/pictures/zuke.png
• http://{BLOCKED}nclinic.com:443
• http://www.{BLOCKED}skel.net:443
• http://{BLOCKED}t.nu/wp-content/images/sefuamhemeam.gif
• http://www.{BLOCKED}mviet.com/news/tmp/zurukazu.bmp
• http://www.{BLOCKED}dent.com:443
• http://www.{BLOCKED}tel.it/uploads/imgs/heesthsozu.bmp
• http://www.{BLOCKED}eriors.com:443
• http://{BLOCKED}o.com.au/wp-content/pictures/kakekaso.gif
• http://{BLOCKED}tec.com.mx:443
• http://www.{BLOCKED}rmdnsalonlar-fjb55aa34dpkdo.com:443
• http://{BLOCKED}leng.com:443
• http://{BLOCKED}yetsanthaomeo.com/static/assets/dathth.jpg
• http://{BLOCKED}withmakeup.co.uk/uploads/pictures/kaesamdamo.png
• http://www.{BLOCKED}k.com/includes/assets/amhe.jpg
• http://{BLOCKED}olita.es/static/tmp/mesomodaru.gif
• http://{BLOCKED}guridad.com:443
• http://{BLOCKED}group.com/includes/imgs/mefutham.jpg
• http://www.{BLOCKED}t.travel/wp-content/tmp/hememoseam.bmp
• http://{BLOCKED}tudio.com.my/news/imgs/kemoes.bmp
• http://www.{BLOCKED}etoit.fr/wp-content/graphic/zudemo.jpg
• http://{BLOCKED}um.com.ua/content/images/thhehese.jpg
• http://www.{BLOCKED}s-for-kids.de:443
• http://www.{BLOCKED}ire.com/static/assets/esimes.gif
• http://{BLOCKED}resa.com/static/pics/keheamam.gif
• http://{BLOCKED}escangio.viethomes.land/news/pictures/rukede.bmp
• http://{BLOCKED}ongroup.com/uploads/pics/mosefudafu.png
• http://{BLOCKED}odazha.ru/content/image/kade.bmp
• http://{BLOCKED}n.net/data/image/fuzufu.jpg
• http://www.{BLOCKED}a.com.br/news/assets/ameses.jpg
• http://www.{BLOCKED}roiscours.com:443
• http://{BLOCKED}afilho.com.br:443
• http://{BLOCKED}r.kz:443
• http://{BLOCKED}caligrafosevilla.es/uploads/tmp/momosoimzu.gif
• http://{BLOCKED}mani.net/content/image/amke.gif
• http://www.{BLOCKED}e.fr:443
• http://www.{BLOCKED}i.com/static/assets/hekakasoes.png
• http://www.{BLOCKED}n.com:443
• http://{BLOCKED}hrtek.yourcloud.cz/content/graphic/mome.gif
• http://www.{BLOCKED}o.ir/data/images/amzuda.gif
• http://www.{BLOCKED}transport.fr:443
• http://{BLOCKED}ndshandyman.com/includes/image/ruam.gif
• http://{BLOCKED}inegames.pro/uploads/images/mezufukememo.bmp
• http://www.{BLOCKED}orideas9.com/data/imgs/semoamhe.bmp
• http://www.{BLOCKED}echarro.com/wp-content/image/rukemozu.bmp
• http://www.{BLOCKED}ews.com:443
• http://{BLOCKED}selamatankerja.co/includes/assets/kamoam.bmp
• http://{BLOCKED}b.com:443
• http://www.{BLOCKED}i.co/content/imgs/kefuimdaruim.gif
• http://www.{BLOCKED}sants.com/news/imgs/esmeheso.gif
• http://{BLOCKED}rkservicesinc.com/wp-content/images/kaso.bmp
• http://{BLOCKED}nabis.com/wp-content/tmp/zudahe.jpg
• http://{BLOCKED}ntropetrolina.com/news/pictures/dasoda.bmp
• http://{BLOCKED}folks.com/data/images/seruse.bmp
• http://www.{BLOCKED}havetoshine.com/wp-content/image/esderude.gif
• http://www.{BLOCKED}icholasossai.com/news/imgs/hekeimdefuru.png
• http://www.{BLOCKED}puters.ro/content/pics/heruke.gif
• http://{BLOCKED}rde.com/data/tmp/sokemeimim.gif
• http://www.{BLOCKED}s.com/wp-content/assets/kethde.gif
• http://www.{BLOCKED}eyprotein.com/wp-content/pics/mesoim.bmp
• http://www.{BLOCKED}igitalweb.com:443
• http://www.{BLOCKED}1.sr/uploads/pictures/thruse.png
• http://{BLOCKED}raditions.nl/news/tmp/ammehees.gif
• http://{BLOCKED}ud.com/news/tmp/hezudafu.png
• http://{BLOCKED}ikalavathi.info/news/pictures/zuthseme.gif
• http://{BLOCKED}viez.com/includes/graphic/thsezudeim.png
• http://{BLOCKED}nsult.com/static/pictures/momeme.gif
• http://{BLOCKED}aching.fr/static/graphic/zuruimesme.gif
• http://{BLOCKED}ight.ru/uploads/image/zusodaes.gif
• http://{BLOCKED}tore.com/data/pictures/dehethes.gif
• http://www.{BLOCKED}omfortable.com:443
• http://www.{BLOCKED}hotevents.com/content/imgs/hesoso.gif
• http://{BLOCKED}s.kiev.ua/content/tmp/thkeseesmoim.bmp
• http://www.{BLOCKED}eacademy.com:443
• http://{BLOCKED}casinoterpercaya.com/?s=content+assets+damomo+png
• http://{BLOCKED}ply.com/uploads/tmp/kathmomo.png
• http://{BLOCKED}on7tanphu.com:443
• http://{BLOCKED}ball24h.com/wp-content/graphic/imimsoth.jpg
• http://{BLOCKED}kapner.com/data/pictures/thdezu.jpg
• http://{BLOCKED}v.ro/news/imgs/deesesesth.jpg
• http://www.{BLOCKED}a.co.uk:443
• http://{BLOCKED}ctg.com/wp-content/images/esdethes.bmp
• http://{BLOCKED}e.com.vn:443
• http://{BLOCKED}omputer.com.br/includes/assets/mothkeme.jpg
• http://{BLOCKED}analuxe.lviv.ua:443
• http://{BLOCKED}dim.org/news/image/thim.gif
• http://www.{BLOCKED}nto.com:443
• http://www.{BLOCKED}barua.com:443
• http://{BLOCKED}en.com/uploads/graphic/keam.gif
• http://{BLOCKED}ton.com/includes/graphic/mofume.jpg
• http://www.{BLOCKED}cherd.com/static/tmp/zuimmofuke.bmp
• http://{BLOCKED}rno.com/static/pics/ruam.png
• http://{BLOCKED}.{BLOCKED}.{BLOCKED}.222/includes/graphic/thdafuso.gif
• http://{BLOCKED}.{BLOCKED}.99.165/news/image/kekeam.bmp
• http://{BLOCKED}ayrimenkul.com/news/image/daseamso.png
• http://{BLOCKED}.{BLOCKED}.1.219/uploads/imgs/zudesoke.jpg
• http://{BLOCKED}ndicraft.com/includes/imgs/deheam.jpg/
• http://{BLOCKED}oft.in/wp-content/tmp/kademomekede.bmp
• http://{BLOCKED}.{BLOCKED}.96.238/data/images/amimsofu.gif
• http://{BLOCKED}latpars.ir/content/imgs/hemo.bmp
• http://{BLOCKED}.{BLOCKED}.17.9/uploads/images/damomo.bmp
• http://{BLOCKED}kids.com.ua/static/assets/setheskemo.jpg
• http://{BLOCKED}rdstone.com/wp-content/imgs/kekefu.gif
• http://{BLOCKED}night.cz/includes/assets/herudamo.png
• http://{BLOCKED}intakeaway.com/includes/imgs/esamamzuth.gif
• http://{BLOCKED}2010usa.com/images/curried.php
• http://{BLOCKED}urk.club/includes/tmp/mofusome.png
• http://{BLOCKED}s.top/static/imgs/dade.png
• http://{BLOCKED}rie.lemarchefrais.com/content/image/rukaeska.gif
• http://{BLOCKED}carpet.com/uploads/assets/semeam.bmp
• http://{BLOCKED}agroupbd.com/static/graphic/seruse.bmp
• http://{BLOCKED}g.{BLOCKED}t.com/news/image/hezuso.png
• http://{BLOCKED}inhduong.com/includes/tmp/ammoimes.bmp
• http://{BLOCKED}que.com:443
• http://{BLOCKED}n.com/uploads/images/hekezuru.png
• http://{BLOCKED}d.com/uploads/images/zuimheka.png
• http://{BLOCKED}oiles.com:443
• http://{BLOCKED}ooomdevserver.com/wp-content/images/mede.bmp
• http://{BLOCKED}llhdb.com/wp-content/image/esheam.jpg
• http://{BLOCKED}p.fr:443
• http://charm.andreea.{BLOCKED}droni.ro/static/images/amamde.jpg
• http://{BLOCKED}isbuildcon.com:443
• http://blog.{BLOCKED}e.com/news/tmp/amke.bmp
• http://{BLOCKED}show.com/static/tmp/fuhezu.jpg
• http://blog.{BLOCKED}aiwan.com/content/image/somodehe.jpg
• http://{BLOCKED}oft.com:443
• http://{BLOCKED}ngrosebd.com/uploads/tmp/dadedame.png
• http://{BLOCKED}tyempire.com:443
• http://{BLOCKED}ocarro.com.br/uploads/images/sesohekeda.bmp
• http://{BLOCKED}flirtings.com/wp-content/pictures/zudesoth.gif
• http://blog.{BLOCKED}od.mx/data/imgs/modake.jpg
• http://{BLOCKED}evanlines.com/wp-content/assets/heme.png
• http://{BLOCKED}a.no/

ランサムウェアの不正活動

マルウェアは、暗号化されたファイルのファイル名に以下の拡張子を追加します。

• .{Random 5 Characters}

マルウェアが作成する以下のファイルは、脅迫状です。

• {Encrypted Directory}\{Appended File Extension}-DECRYPT.html