Ransom.MSIL.WAREBAD.THLOFBC

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %User Temp%\{8 random alphanumeric}.{3 random alphanumeric}.ps1 → ransomware configuration
• %User Temp%\{8 random alphanumeric}.{3 random alphanumeric}.psm1 → ransomware configuration

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Crea las carpetas siguientes:

• C:\{current system date and time}

Robo de información

Acepta los siguientes parámetros:

• -wait → delays execution
• -extract {filepath}
• -end
• -debug

Recopila los siguientes datos:

• Number of Processors

Otros detalles

Hace lo siguiente:

• It logs its activities through a console.
  
• It deletes itself after encryption.
• It creates a fake self-signed certificate and saved in the %User Temp% directory.
• It displays a pop-up warning with indication of file encryption.
  
• It works up the CPU by creating multiple threads to trigger ransomware infection CPU warning.