Ransom.Win32.DOPPELPAYMER.TGACAP

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Löscht sich nach der Ausführung selbst.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Schleust die folgenden Dateien ein:

• %Application Data%\{Random Name} - dropped copy of itself
• When run with administrator privileges:
  • %Application Data%\{Random}\{Dll Name from %System% directory}.dll - used to hijack processhacker via DLL side-loading and communicate with main malware process to terminate processes/services
  • %Application Data%\{Random}\{Random Name 1} - detected as PUA.Win32.ProcHack.C
  • %Application Data%\{Random}\{Random Name 2} - detected as PUA.Win32.ProcHack.B.component
  • %System%\GroupPolicy\gpt.ini
• When ran without administrator privileges:
  • %Application Data%\{Random Name}\{Random Name}.exe - dropped copy of itself

Fügt die folgenden Prozesse hinzu:

• %Application Data%\{Random Name} {argument to execute} {Malware Filename}
• When ran with administrative privileges:
  • %System%\bcedit.exe /set {default} safeboot minimal
  • %System%\bcedit.exe /set default recoveryenabled no
  • %System%\vssadmin.exe Delete Shadows /All /Quiet - delete shadow copy
  • %Application Data%\{Random}\{Random Name 2} {argument} 1337039846
• When ran without administrative privileges:
  • %System%\icacls.exe "C:\*" /grant:r Everyone:F /t /c /q - grant permission to access C directory

(Hinweis: %Application Data% ist der Ordner 'Anwendungsdaten' für den aktuellen Benutzer, normalerweise C:\Windows\Profile\{Benutzername}\Anwendungsdaten unter Windows 98 und ME, C:\WINNT\Profile\{Benutzername}\Anwendungsdaten unter Windows NT, C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Anwendungsdaten unter Windows 2000(32-bit), XP und Server 2003(32-bit) und C:\Users\{Benutzername}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).. %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Autostart-Technik

Fügt folgende Registrierungseinträge hinzu, um bei jedem Systemstart automatisch ausgeführt zu werden.

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Random} = %Application Data%\{Random Name}\{Random Name}.exe

Andere Systemänderungen

Ändert die folgenden Registrierungseinträge:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
LegalNoticeCaption = Your network was hacked. Your ID: {ID}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
LegalNoticeText = Your network was hacked. Your ID: {ID} DO NOT RESET OR SHUTDOWN your PC or server...DO NOT RENAME/ MOVE/ DELETE the encrypted and readme files Info:http://{BLOCKED}.onion/order/001f639d-ddcd-50a6-9b48-8ed9b1ec7448 {BLOCKED}port@protonmail.com....Ifyou decide not to cooperate your sensitive data will be shared to public at http://{BLOCKED}.onion ..and all the rest will remain unreachable to you

Adware-Routine

Löscht sich nach der Ausführung selbst.

Andere Details

Es macht Folgendes:

• When ran with administrator privileges, it will do the following:
  • Adds the following service:
    Service Name: KProcessHacker3
    Image Path: %Application Data%\{Random}\{Random Name 2}
  • It tries to look for services running in the machine and tries to disable some of them. Below are some of the services it tries to disable:
    • SDRSVC
    • sstpsvc
    • StorSVC
    • swprv
    • wbengine
    • ui0detect
  • Based on the services it tries to look for in the machine, it will try to take ownership of this service using the following command:
    • %System%\takeown.exe /F %System%\{file name}.exe
    • %System%\icacls.exe %System%\{file name}.exe /reset
    • It will then rename the original file name to {file name}.exe-0, and replace the original file with its copy.
  • It will then restart the machine in safe mode and prevent the user from logging in
    
  • It renames the following file when found in the machine:
    • %Windows%\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe renamed to %Windows%\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe_
• When ran without administrator privileges, it will do the following:
  • It will only install its autorun registry when ran without administrative privileges
• It requires to be executed with the following argument in order to proceed with its malicious routine:
  • zTWqycy0yqmFLUBlyMF2859f
• It uses the following information to generate random characters for the file name it will drop:
  • Computer Name
• It enumerates registry keys to gather system information
• It will encrypt files found in the following set of drives in the affected system:
  • Network Drives
  • Fixed Drives
  • Removable Drives
• It uses the following set of commands to gather the network drives connected to the system and connect to the following network drives to encrypt it's files:
  • %System%\net.exe view igmp.mcast.net
  • %System%\arp.exe -a
  • %System%\nslookup.exe {IP address}
• It changes the passwords of all the users in the affected system