Ransom.Win32.EGREGOR.A

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %Program Data%\dtb.dat → Contains machine generated RSA public key and encrypted RSA key.
• {Encrypted Directory}\{CRC32 of Netbios Domain Name}.lnk → Deleted afterwards

Agrega las siguientes exclusiones mutuas para garantizar que solo se ejecuta una de sus copias en todo momento:

• Global\{Volume Serial Number + CRC32 Hash of Computer name}

Finalización del proceso

Finaliza los servicios siguientes si los detecta en el sistema afectado:

• Services that contain the string:
  • sql
  • database
• If --killRDP is enabled:
  • TermService
  • Teamviewer

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• agntsvc.exe
• dbeng50.exe
• dbsnmp.exe
• dumpcap.exe
• encsvc.exe
• excel.exe
• firefoxconfig.exe
• infopath.exe
• ipython.exe
• isqlplussvc.exe
• msaccess.exe
• msftesql.exe
• mspub.exe
• mydesktopqos.exe
• mydesktopservice.exe
• mysqld-nt.exe
• mysqld-opt.exe
• mysqld.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle.exe
• outlook.exe
• powerpnt.exe
• procexp.exe
• procexp64.exe
• procmon.exe
• procmon64.exe
• python.exe
• QBW32.exe
• QBW64.exe
• sqbcoreservice.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlservr.exe
• sqlwriter.exe
• steam.exe
• synctime.exe
• tbirdconfig.exe
• thebat.exe
• thebat64.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• wpython.exe
• xfssvccon.exe

Robo de información

Recopila los siguientes datos:

• Computer Name
• User Name
• NetBios Domain Name
• Operating System Version
• Drive Information (Drive Type and Available Disk Space)
• Antivirus Product Installed
• Volume Serial Number

Otros detalles

Hace lo siguiente:

• It requires the argument -pass2police in order for it to continue with its ransomware routine
• It is capable of accepting the following arguments:
  • --nop → Exit the malware without performing its routines
  • --greetings="{string}" → Set greetings in ransom note.
  • --append="{string}" → Set extension to append on encrypted files.
  • --path="{Folder Path}" → Specify path to only encrypt.
  • --norename → Does not append extension to encrypted files
  • --nonet → Do not encrypt network drives
  • --full → Encrypt both local and network drives
  • --target="{string}" → Target file extension to encrypt. (Will avoid files with other extension but will still encrypt files without extension)
  • --killrdp → Terminates Specified Services. Disable RDP
  • --samba → Created LNK files will not have "DELETE_ON_CLOSE" attribute
  • --multiproc → Avoid creating Mutex (to allow multiple instance of malware)
  • --fast="{size in MB}" → Specify file size limit for encryption in MB.
  • --nomimikatz
• It checks for the computer's language and terminates itself if any the following language is detected:
  • Armenian
  • Azerbaijani
  • Azeri
  • Belarusian
  • Georgian
  • Kazakh
  • Kyrgyz
  • Romanian
  • Russian
  • Tajik
  • Tatar
  • Turkmen
  • Ukrainian
  • Uzbek
• It is capable of encrypting local and network drives.
• It deletes shadow copies.
• Due to the nature of how it drops its ransom notes, it is capable of printing physical copies of its ransom note through printers it has found in the network.