Keyword: os2first
{BLOCKED}cture.com/q/blur_background.png On first login attempt, it will forcibly display a wrong password error. On the second login attempt, the webpage will be redirected to the domain of the inputted
the following parameters: -psex → Performs lateral movement via admin shares -gspd → Performs group policy modification for lateral movement -pass{value} → Uses the first 32 characters of the value as a
Other Details This Ransomware does the following: It displays the following message box that user needs to interact with first for the ransomware to continue: It accepts the following parameters: -path
"KING.XLS" in the Excel startup path: If it exists, it copies a sheet named "KING" from "KING.XLS" and pastes it as the first sheet in the destination Excel workbook. It sets the copied sheet to hidden. It
named "laroux" from "PERSONAL.XLS" and pastes it as the first sheet in the currently active Excel workbook. It sets the copied sheet to hidden. It assigns a macro from "PERSONAL.XLS" in the currently
"Majoduck_SK_1" from "OFFICE_.XLS" and pastes it as the first sheet in the destination Excel workbook. It sets the copied sheet to hidden. It assigns a macro from "OFFICE_.XLS" in the destination Excel workbook for
This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Arrival Details This
-pass {value} Uses the first 32 characters of the value as key to decrypt the main routine. Required to execute properly. And performs only one from the following parameters: -safe → Reboots in safeboot
malware, ICEDID and QAKBOT, were both observed being delivered via malicious PDF attachments in spam emails. ICEDID, also known as Bokbot, is a banking trojan first discovered in 2017 and is known to steal
SecurityHealthService It has the capability to print the ransom note in infected machines. It accepts the following parameters: -pass {value} Uses the first 32 characters of the value as key to decrypt the main routine.
"KING.XLS" in the Excel startup path: If it exists, it copies a sheet named "KING" from "KING.XLS" and pastes it as the first sheet in the destination Excel workbook. It sets the copied sheet to hidden. It
" and pastes it as the first sheet in the destination Excel workbook. It sets the copied sheet to hidden. It assigns a macro from "KING.XLS" in the destination Excel workbook for persistence. If it doesn't
-bm {yes|no} → Encrypt big files first (Default: yes) Ransomware Routine This Ransomware avoids encrypting files found in the following folders: /bin /boot /dev /etc /initrd /lib /lib64 /libx32 /opt
than 524,288 bytes If it is less than 524,288 bytes, it will encrypt the whole file. If it is greater than 524,288 bytes, it will use intermittent encryption - First 131,072 bytes, another 131,072 bytes
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It drops files as ransom note. It avoids encrypting
following: It first scans for the following antivirus related processes: 360tray.exe 360sd.exe It shows the following message box when any of the said processes is found running: Which translates to: It will
encrypt the whole file. If it is greater than 524,288 bytes, it will use intermittent encryption - First 131,072 bytes, another 131,072 bytes from the middle of the file, and the last 131,072 bytes It
workbooks when they are opened. If the first sheet is not named "Kangatang", it copies a sheet named "Kangatang" containing the malicious script to the beginning of the active workbook to ensure infection and
https://{BLOCKED}earbit.com/c-a-c.jp http://www.{BLOCKED}3.org/2000/svg However, as of this writing, the first URL listed is inaccessible. It does not exploit any vulnerability. Trojan:HTML/Phish.MAB!MTB
\SOFTWARE\{Malware File Name} (Default) = {true or false} - {Date of first execution on the system} Propagation This Worm drops the following copy(ies) of itself in all removable drives: {Drive Letter}:\