Author: John Donnie Celestre   
 

Ransom:Win32/Redeye (MICROSOFT); W32/Generic!tr (FORTINET)

 PLATFORM:

Windows

 OVER ALL RISK RATING:
 DAMAGE POTENTIAL::
 DISTRIBUTION POTENTIAL::
 REPORTED INFECTION:
 INFORMATION EXPOSURE:
Low
Medium
High
Critical

  • Threat Type:
    Ransomware

  • Destructiveness:
    No

  • Encrypted:
    Yes

  • In the wild::
    Yes

  OVERVIEW

INFECTION CHANNEL: Eliminado por otro tipo de malware

Infiltra un archivo AUTORUN.INF para que ejecute automáticamente las copias que infiltra cuando un usuario accede a las unidades de un sistema afectado.

  TECHNICAL DETAILS

File size: 11,099,136 bytes
File type: EXE
Memory resident: Yes
INITIAL SAMPLES RECEIVED DATE: 07 de июня de 2018
PAYLOAD: Encrypts files, , Connects to URLs/IPs, Terminates processes

Instalación

Infiltra los archivos siguientes:

  • %System Root%\Save1.txt
  • %System Root%\autorun.inf
  • %System Root%\Windows\Nope.txt
  • %System Root%\Windows\Detect.txt
  • %System Root%\Windows\AfterMBR.txt
  • %System Root%\redeyebmp.bmp -> used as wallpaper

(Nota: %System Root% es la carpeta raíz, normalmente C:\. También es la ubicación del sistema operativo).

)

Crea las siguientes copias de sí mismo en el sistema afectado:

  • %User Temp%\{malware name}.exe

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000, XP y Server 2003 suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp).

)

Técnica de inicio automático

Agrega las siguientes entradas de registro para permitir su ejecución automática cada vez que se inicia el sistema:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Update = %User Temp%\{malware name}.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Update = %User Temp%\{malware name}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = %User Temp%\{malware name}.exe

Otras modificaciones del sistema

Agrega las siguientes entradas de registro como parte de la rutina de instalación:

HKEY_CURRENT_USER\Control Panel\Desktop
WallPaper = %System Root%\redeyebmp.bmp

HKEY_CURRENT_USER\Software\ShortCutInfection
Mr.Wolf = True

Modifica las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows Defender
DisableRoutinelyTakingAction = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
WindowsDefenderMAJ = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
WindowsDefenderMAJ = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows Script Host\Settings
Enabled = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows Script Host\Settings
Enabled = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableSR = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableSR = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services
USBSTOR = 4

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services
USBSTOR = 4

(Note: The default value data of the said registry entry is 3.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Policies\
Microsoft\Windows Defender
ServiceKeepAlive = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
ServiceKeepAlive = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\SOFTWARE\Policies\
Microsoft\Windows Defender\Signature Updates
ForceUpdateFromMU = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Signature Updates
ForceUpdateFromMU = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\SOFTWARE\Policies\
Microsoft\Windows Defender\Signature Updates
UpdateOnStartUp = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows
DisableCMD = 2

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows\System
DisableCMD = 2

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft
DisableCMD = 2

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows
DisableCMD = 2

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\System
DisableCMD = 2

HKEY_CURRENT_USER\Software\Policies\
Microsoft
DisableCMD = 2

HKEY_CURRENT_USER\Software\Policies\
Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}
Restrict_Run = 1

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}
Restrict_Run = 1

HKEY_CURRENT_USER\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableRealtimeMonitoring = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableRealtimeMonitoring = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services
SecurityHealthService = 4

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services
SecurityHealthService = 4

(Note: The default value data of the said registry entry is 2.)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services
WdNisSvc = 3

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services
WdNisSvc = 3

(Note: The default value data of the said registry entry is 2.)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services
WinDefend = 3

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services
WinDefend = 3

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoControlPanel = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoRun = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoRun = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDrives = 4

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDrives = 4

Infección de archivo

Evita infectar archivos que no usan iconos específicos.

  • desktop.ini

Propagación

Este malware infiltra las siguientes copias de sí mismo en todas las unidades físicas y extraíbles:

  • {Logical Drives}:\windows.exe

Infiltra un archivo AUTORUN.INF para que ejecute automáticamente las copias que infiltra cuando un usuario accede a las unidades de un sistema afectado.

Finalización del proceso

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

  • SbieCtrl
  • ProcessHacker
  • procexp64
  • msconfig
  • taskmgr
  • chrome
  • firefox
  • regedit
  • opera
  • UserAccountControlSettings
  • yandex
  • microsoftedge
  • microsoftedgecp
  • iexplore

  SOLUTION

Minimum scan engine: 9.850
First VSAPI Pattern File: 14.300.06
First VSAPI Pattern Release Date: 07 de июня de 2018
VSAPI OPR PATTERN-VERSION: 14.301.00
VSAPI OPR PATTERN DATE: 08 de июня de 2018
Did this description help? Tell us how we did.