Ransom.Win32.WHITERABBIT.YPEDG

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• {Malware Directory}\{Filename from argument} → If '-l' was used.

Agrega los procesos siguientes:

• cmd /c choice /t 9 /d y & attrib -h {Malware File Path}\{Malware File Name} & copy %systemroot%\regedit.exe {Malware File Path}\{Malware File Name} /y & del {Malware File Path}\{Malware File Name}
• powershell.exe -NoExit -Command -

Agrega las siguientes exclusiones mutuas para garantizar que solo se ejecuta una de sus copias en todo momento:

• Global\{GUID}

Finalización del proceso

Finaliza los servicios siguientes si los detecta en el sistema afectado:

• msexchange*
• msex-change*
• vss
• sql
• svc$
• memtas
• mepocs
• sophos
• veeam
• backup
• gxvss
• gxblr
• gxfwd
• gxcvd
• gxcimgr
• defwatch
• ccevtmgr
• ccsetm
• grsavroam
• rtvscan
• qbfcservice
• qbidpservice
• intuit.quickbooks.fcs
• qbcfmonitorservice
• yoobackup
• yooit
• zhudongfangyu
• stc _ raw _ agent
• vsnapvss
• veeamtransportsvc
• veeamdeploymentservice
• veeamnfssvc
• pdvfsservice
• backupexecvssprovider
• backupexeca-gentaccelerator
• backupexecagentbrowser
• backupexecdivecimediaservice
• backupexecjobengine
• backupexecmanagementservice
• backupexecrpcservice
• acrsch2svc
• acronisagent
• casad2dwebsvc
• caarcupdatesvc
• vmwp
• back
• xchange
• ackup
• acronis
• enterprise
• acrsch
• antivirus
• bedbg
• dcagent
• epsecurity
• epupdate
• eraser
• esgshkernel
• fa_scheduler
• iisadmin
• imap4
• mbam
• endpoint
• afee
• mcshield
• task
• mfemms
• mfevtp
• mms
• msdts
• exchange
• ntrt
• pdvf
• pop3
• report
• resvc
• sacsvr
• savadmin
• sams
• sdrsvc
• sepmaster
• monitor
• smcinst
• smcservice
• smtp
• snac
• swi_
• ccsf
• truekey
• tmlisten
• ui0detect
• w3swrsvc
• netmsmq
• ekrn
• ehttpsrv
• vss
• sql
• svc$
• memtas
• mepocs
• sophos
• veeam
• backup
• gxvss
• gxblr
• gxfwd
• gxcvd
• gxcimgr
• defwatch
• ccevtmgr
• ccsetmgr
• savroam
• rtvscan
• qbfcservice
• qbidpservice
• intuit.quickbooks.fcs
• qbcfmonitorservice
• yoobackup
• yooit
• zhudongfangyu
• sophos
• stc_raw_agent
• vsnapvss
• veeamtransportsvc
• veeamdeploymentservice
• veeamnfssvc
• veeam
• pdvfsservice
• backupexecvssprovider
• backupexecagentaccelerator
• backupexecagentbrowser
• backupexecdivecimediaservice
• backupexecjobengine
• backupexecmanagementservice
• backupexecrpcservice
• acrsch2svc
• acronisagent
• casad2dwebsvc
• caarcupdatesvc

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• mysql*
• *sqlserver*
• sql*
• msdtc
• vmcompute
• vmms
• vmwp
• vmsp
• outlook
• oracle
• ocssd
• dbsnmp
• synctime
• agntsvc
• isqlplussvc
• xfssvccon
• mydesktopservice
• ocautoupds
• encsvc
• firefox
• tbirdconfig
• mydesktopqos
• ocomm
• dbeng50
• sqbcoreser-vice
• excel
• infopath
• msaccess
• mspub
• onenote
• powerpnt
• steam
• thebat
• thunderbird
• visio
• winword
• wordpad
• notepad
• virtual
• vmcomp
• veeam
• backup
• xchange
• dbeng
• sofos
• calc
• ekrn
• zoolz
• firefoxconfig
• mydesktop
• sqbcoreservice
• word
• tmlisten
• pccntmon
• cntaosmgr
• ntrtscan
• mbamtray
• eshasrv
• avp
• klnagent
• wbengine
• kavf
• mfefire

Otros detalles

Hace lo siguiente:

• It requires to be executed with the password/passphrase in order to proceed with its malicious routine:
  • Brooklyn8473
• It will encrypt files found in the following set of drives in the affected system:
  • Fixed Drives
  • Removable Drives
  • Network Drives and Resources