Ransom.MSIL.REDENERGY.THJAOBD

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %User Temp%\tmp{random}.tmp.bat → terminate itself and delete sample

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Agrega los procesos siguientes:

• %System%\cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
• %System%\cmd.exe /C wbadmin delete catalog -quiet
• takeown /f \"%System%\smartscreen.exe\" /a
• icacls \"%System%\smartscreen.exe\" /reset → takes ownership of the application and resets the Access Control Lists
• taskkill /im smartscreen.exe /f → terminates the application
• icacls \"%System%\smartscreen.exe\" /inheritance:r /remove * S - 1 - 5 - 32 - 544 * S - 1 - 5 - 11 * S - 1 - 5 - 32 - 545 * S - 1 - 5 - 18 → removes permission from the specified security identifier to access smartscreen.exe
• %User Temp%\SystemPropertiesProtection.exe

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

Termina su ejecución cuando encuentra los siguientes procesos en la memoria del sistema afectado:

• csfalconservice
• csfalconcontainer
• processhacker
• netstat
• netmon
• tcpview
• wireshark
• filemon
• regmon
• cain
• eguiproxy
• devenv
• ekrn
• rsenginesvc
• fcdblog
• fcappdb
• fortisettings
• fortiesnac
• fortitray
• fsguistarter
• fshoster32

Robo de información

Recopila los siguientes datos:

• Username
• System Locale
• List of Antivirus Products
• List of MAC Address
• Hostname

Otros detalles

Hace lo siguiente:

• It sets the attributes of itself to SYSTEM and HIDDEN.
• It terminates itself if the time zone is the following:
  • RU - Russia
  • KZ - Kazakhstan
  • BY - Belarus
  • AM - Armenia
  • AZ - Azerbaijan
  • KG - Kyrgyzstan
  • MD - Moldova
  • TJ - Tajikistan
  • TM - Turkmenitan
  • UZ - Uzbekistan
• It terminates itself if the language of the affected machine is the following:
  • Ukrainian
  • Belarusian
  • Azerbaijani
  • Armenian
  • Georgian
  • Uzbek
  • Russian
  • Kazakh
• It terminates itself if the following network monitoring tools were found in the system:
  • HTTPDebuggerBrowser.dll
  • FiddlerCore4.dll
  • RestSharp.dll
  • Titanium.Web.Proxy.dll
• It checks for the presence of a debugger
• It checks if the sample is running in a 64-bit environment.
• It deletes the original file after encryption.
• It terminates itself if the following prefix of MAC addresses were found in the system:
  • 000C29 - VMWare Inc.
  • 001C14 - Cisco Systems
  • 005056 - VMWare Inc.
  • 000569 - Intel
  • 080027 - VMWare, Inc
  • 000001 - Xerox Corporation
• It terminates itself if the following GUID is found in the system:
  • 4040CF00-1B3E-486A-B407-FA14C56B6FC0
• It restarts the system after file encryption.
• It terminates itself if the following registry entry was found in the system:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
    {data} = C:\ANYRUN