Trojan.PS1.DEADLOCK.YXFGV

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Fügt die folgenden Prozesse hinzu:

• powershell.exe -Verb RunAs -ArgumentList ('exec bypass -file "{malware fullpath}" -elevated' -f (%myinvocation.MyCommand.Definition))

Andere Details

Es macht Folgendes:

• It deletes itself after its malicious routine.
• It checks if it has administrator privileges.
• It removes the shadow copy of the system by deleting the following WMI object:
  • Win32_ShadowCopy
• It disables all the running services in the system except the following:
  • UdkUserSvc*
  • DevicesFlowUserSvc*
  • AarSvc*
  • WpnUserService*
  • CDPUserSvc*
  • cbdhsvc*
  • UserDataSvc*
  • PimIndexMaintenanceSvc*
  • UnistoreSvc*
  • vmicguestinterface
  • vmicheartbeat
  • vmickvpexchange
  • vmicrdv
  • vmicshutdown
  • vmictimesync
  • vmicvss
  • LicenseService
  • MSSEARCH
  • smphost
  • SrmReports
  • SrmSvc
  • ddpvssvc
  • msiserver
  • KtmRm
  • DeviceInstall
  • Onesyncsvc*
  • WsusService
  • NgcSvc
  • ClipSVC
  • ALG
  • FileSyncHelper
  • LxpSvc
  • dmwappushservice
  • PeerDistSvc
  • Eaphost
  • WlanSvc
  • WwanSvc
  • dot3svc
  • server
  • workstation
  • WinDefend
  • WSRM
  • WINS
  • silsvc
  • WaaSMedicSvc
  • NgcCtnrSvc
  • RmSvc
  • Adws
  • adfssrv
  • Aelookupsvc
  • Anydesk
  • Apphostsvc
  • Appinfo
  • Appmgmt
  • Appxsvc
  • Bfe
  • Bits
  • Brokerinfrastructure
  • Browser
  • Bthavctpsvc
  • camsvc
  • Cdpsvc
  • Certpropsvc
  • CscService
  • Certsvc
  • SmbWitness
  • Clussvc
  • Comsysapp
  • Coremessagingregistrar
  • Cryptsvc
  • MMCSS
  • Dbxsvc
  • dbupdate
  • dbupdatem
  • Dcomlaunch
  • Deviceassociationservice
  • Dfs
  • NfsClnt
  • NfsService
  • Dfsr
  • Dhcp
  • Dhcpserver
  • Diagtrack
  • TabletInputService
  • DispBrokerDesktopSvc
  • Dns
  • Dnscache
  • Dnsproxy
  • Dosvc
  • Dps
  • Dsmsvc
  • DusmSvc
  • Dssvc
  • Efs
  • Eventlog
  • NtLmSsp
  • Eventsystem
  • Fdphost
  • Fdrespub
  • Fontcache*
  • Gpsvc
  • Hidserv
  • Hvhost
  • Ias
  • Ikeext
  • Iphlpsvc
  • Ismserv
  • Kdc
  • Kdssvc
  • Keyiso
  • Kpssvc
  • Lanmanserver
  • Lanmanworkstation
  • Lfsvc
  • Licensemanager
  • Lmhosts
  • Lsm
  • LSM
  • Mpssvc
  • Msdtc
  • WinTarget
  • Msiscsi
  • Msmq
  • Ncbservice
  • Netlogon
  • Netman
  • Netprofm
  • Netsetupsvc
  • WZCSVC
  • Nlasvc
  • Nla
  • SharedAccess
  • Nsi
  • Ntds
  • Ntfrs
  • UPlugPlay
  • Plugplay
  • Policyagent
  • Power
  • Profsvc
  • Psexesvc
  • Ramgmtsvc
  • Rasauto
  • Rasman
  • Remoteaccess
  • Remoteregistry
  • Rpceptmapper
  • Rpchttplbs
  • Rpcss
  • Samss
  • Scdeviceenum
  • Schedule
  • Seclogon
  • Securityhealthservice
  • Sens
  • Sessionenv
  • Shellhwdetection
  • Ssdpsrv
  • Sstpsvc
  • Staterepository
  • SgrmBroker
  • Stisvc
  • Storsvc
  • Swprv
  • Sysmain
  • ProtectedStorage
  • Systemeventsbroker
  • RDMS
  • rpcapd
  • Tapisrv
  • Termservice
  • Tssdis
  • TScPubRPC
  • TermServLicensing
  • Themes
  • Tiledatamodelsvc
  • Timebroker
  • Timebrokersvc
  • Tokenbroker
  • Trkwks
  • Trustedinstaller
  • Tsgateway
  • Ualsvc
  • uhssvc
  • Umrdpservice
  • Upnphost
  • Usermanager
  • Uxsms
  • OneDrive Updater Service
  • lltdsvc
  • Vaultsvc
  • Vds
  • vmicvmsession
  • Vmcompute
  • Vmms
  • nvspwmi
  • vhdsvc
  • Vss
  • W32time
  • Was
  • Wcmsvc
  • wcncsvc
  • wscsvc
  • Wdiservicehost
  • Webclient
  • Winhttpautoproxysvc
  • Winmgmt
  • Winrm
  • Wlidsvc
  • Wmiapsrv
  • Wpdbusenum
  • Wpnservice
  • Wsearch
  • dmserver
  • Wuauserv
• It deletes all network shares except the following:
  • SYSVOL
  • NETLOGON
• It deletes the following shared folders:
  • print
  • prnproc