RANSOM_GANDCRAB.SMJS3

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

マルウェアは、特定のWebサイトにアクセスし、情報を送受信します。 マルウェアは、実行後、自身を削除します。

侵入方法

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

マルウェアは、以下の Mutex を作成し、メモリ上で自身の重複実行を避けます。

• Global\{Random Hex}.lock

他のシステム変更

マルウェアは、以下のレジストリ値を追加します。

HKEY_CURRENT_USER\SOFTWARE\keys_data\
data
private = {Key}

HKEY_CURRENT_USER\SOFTWARE\keys_data\
data
public = {Key}

プロセスの終了

マルウェアは、感染コンピュータ上で以下のプロセスが常駐されていることを確認した場合、そのプロセスを終了します。

• msftesql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlwriter.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• agntsvc.exeisqlplussvc.exe
• xfssvccon.exe
• sqlservr.exe
• mydesktopservice.exe
• ocautoupds.exe
• agntsvc.exeagntsvc.exe
• agntsvc.exeencsvc.exe
• firefoxconfig.exe
• tbirdconfig.exe
• mydesktopqos.exe
• ocomm.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• dbeng50.exe
• sqbcoreservice.exe
• excel.exe
• infopath.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• powerpnt.exe
• steam.exe
• sqlservr.exe
• thebat.exe
• thebat64.exe
• thunderbird.exe
• visio.exe
• winword.exe

情報漏えい

マルウェアは、以下の情報を収集します。

• Username
• Computer Name
• Network
• System Language
• Machine Keyboard Layout
• OS Version and Platform
• AV products installed
• Processor
• IP Address
• Network and Local Drives information
• Ransom ID
• GandCrab Internal Info:
  • id
  • sub_id
  • version
  • action

その他

マルウェアは、以下のWebサイトにアクセスし、情報を送受信します。

• http://{URL}/{string1}/{string2}/{string3}.{string4}
• Where URL is equal to the following:
  • {BLOCKED}rno.com
  • {BLOCKED}.{BLOCKED}.1.219
  • {BLOCKED}.{BLOCKED}.113.170
  • {BLOCKED}.{BLOCKED}.17.237
  • {BLOCKED}.{BLOCKED}.96.238
  • {BLOCKED}.{BLOCKED}.99.104
  • {BLOCKED}.{BLOCKED}.17.9
  • {BLOCKED}.{BLOCKED}.99.165
  • {BLOCKED}stions.ru
  • {BLOCKED}.{BLOCKED}.17.155
  • {BLOCKED}.{BLOCKED}.187.178
  • {BLOCKED}ngbrazil.com
  • {BLOCKED}.{BLOCKED}.60.222
  • {BLOCKED}ts.com
  • {BLOCKED}.{BLOCKED}.241.0
  • {BLOCKED}n.cn
  • {BLOCKED}ndicraft.com
  • {BLOCKED}ocarro.com.br
  • {BLOCKED}t.fr
  • {BLOCKED}ltibrasil.com.br
  • {BLOCKED}z.io
  • {BLOCKED}tessa.com
  • {BLOCKED}veis.imb.br
  • {BLOCKED}ampustaksi.com.tr
  • {BLOCKED}sna.com.ua
  • {BLOCKED}d.com
  • {BLOCKED}kpick.com
  • {BLOCKED}selamatankerja.co
  • {BLOCKED}uddintakeaway.com
  • {BLOCKED}irgayrimenkul.com
  • {BLOCKED}rovanaluxe.lviv.ua
  • {BLOCKED}m.be
  • {BLOCKED}afas.org
  • {BLOCKED}rdin.com
  • {BLOCKED}tsouverts.org
  • {BLOCKED}nas.kiev.ua
  • {BLOCKED}ndcontractors.com.au
  • {BLOCKED}co.mx
  • {BLOCKED}rosoft.in
  • {BLOCKED}roturk.club
  • {BLOCKED}waragroupbd.com
  • {BLOCKED}ingstay.com
  • {BLOCKED}atbinhduong.com
  • {BLOCKED}rtime.ru
  • {BLOCKED}robuilder.com
  • {BLOCKED}astarscooter.com
  • {BLOCKED}ntxaevents.com
  • {BLOCKED}edalatpars.ir
  • {BLOCKED}ureries-acl-37.fr
  • {BLOCKED}araiya.com
  • {BLOCKED}leyfeder.com
  • {BLOCKED}apointpl.com
  • {BLOCKED}bkk.com
  • {BLOCKED}-company.ru
  • {BLOCKED}yastore.com
  • {BLOCKED}lierdupain.it
  • {BLOCKED}antisbuildcon.com
  • {BLOCKED}asgroupllc.com
  • {BLOCKED}umwedding.ru
  • {BLOCKED}ostate.com.ua
  • {BLOCKED}umnnight.cz
  • {BLOCKED}ngardstone.com
  • {BLOCKED}-investforum.com
  • {BLOCKED}edepieds.be
  • {BLOCKED}bloooomdevserver.com
  • {BLOCKED}intitabela.com
  • {BLOCKED}lproducciones.com.gt
  • {BLOCKED}iceresa.com
  • {BLOCKED}yclickphotography.es
  • {BLOCKED}k2backpt.com
  • {BLOCKED}mos.top
  • {BLOCKED}anacarpet.com
  • {BLOCKED}bochos.com
  • {BLOCKED}ossadental.com.au
  • {BLOCKED}questest9.uk
  • {BLOCKED}vybud.com
  • {BLOCKED}ketkids.com.ua
  • {BLOCKED}kinbeyenal.com
  • {BLOCKED}dongsanhuyphat68.com
  • {BLOCKED}darhukuk.com
  • {BLOCKED}match.com
  • {BLOCKED}chc.org
  • {BLOCKED}t.co.kr
  • {BLOCKED}eacherstech.com
  • {BLOCKED}utybride.net
  • {BLOCKED}etalk.ca
  • {BLOCKED}lytobabyphotographyseattle.com
  • {BLOCKED}hel.com.ve
  • {BLOCKED}tercom-berlin.de
  • {BLOCKED}ratfolks.com
  • {BLOCKED}eautyempire.com
  • {BLOCKED}-game-fishing-croatia.hr
  • {BLOCKED}uisblue.com
  • {BLOCKED}hopschell.com
  • {BLOCKED}ssedlife.in
  • {BLOCKED}g.betzest.com
  • {BLOCKED}g.damngood.mx
  • {BLOCKED}g.raztype.com
  • {BLOCKED}g.ruichuangfagao.com
  • {BLOCKED}g.swingtaiwan.com
  • {BLOCKED}ghalm.eu
  • {BLOCKED}kefeed.club
  • {BLOCKED}omingrosebd.com
  • {BLOCKED}ebellhdb.com
  • {BLOCKED}frique.com
  • {BLOCKED}tshowradio.com
  • {BLOCKED}kamodelbastarr.com
  • {BLOCKED}kingbmoredjsteve.com
  • {BLOCKED}cherie.lemarchefrais.com
  • {BLOCKED}rget-pascal.fr
  • {BLOCKED}ner.com.ua
  • {BLOCKED}ghtenceiling.com.hk
  • {BLOCKED}.co.id
  • {BLOCKED}retoiles.com
  • {BLOCKED}l4soft.com
  • {BLOCKED}hanhtrinh.net
  • {BLOCKED}ranhcondotel.site
  • {BLOCKED}hoopalcity.top
  • {BLOCKED}opyunited.com
  • {BLOCKED}illon7tanphu.com
  • {BLOCKED}lylevanlines.com
  • {BLOCKED}hback.ncplinc.net
  • {BLOCKED}ualflirtings.com
  • {BLOCKED}vvietnam.com
  • {BLOCKED}clp.fr
  • {BLOCKED}icix.com
  • {BLOCKED}ent.net
  • {BLOCKED}rleswadefinance.co.uk
  • {BLOCKED}rm.andreea.alexandroni.ro
  • {BLOCKED}trashow.com
  • {BLOCKED}yxana.ru
  • {BLOCKED}nhung.info
  • {BLOCKED}rritoshow.com
  • {BLOCKED}ncia-ciudadana.es
  • {BLOCKED}etek.com
  • {BLOCKED}rus.kiev.ua
  • {BLOCKED}yclosetselfstorage.com
  • {BLOCKED}artripcustomercare.com
  • {BLOCKED}nicadentaldelgado.es
  • {BLOCKED}niqueesthetiquepasteur.com
  • {BLOCKED}.ghs-schachundkulturstiftung.de
  • {BLOCKED}techservicos.com.br
  • {BLOCKED}nguyetsanthaomeo.com
  • {BLOCKED}amarketing.agency
  • {BLOCKED}ifet.com
  • {BLOCKED}exa.no
  • {BLOCKED}ferencesdiary.com
  • {BLOCKED}gressodesignam.com.br
  • {BLOCKED}tentsbank.cc
  • {BLOCKED}thoi.ga
  • {BLOCKED}eserv.pixelsco.com
  • {BLOCKED}sbj.cn
  • {BLOCKED}ditmarketplace.eu
  • {BLOCKED}nicadelsureste.com
  • {BLOCKED}ssoceans-td.com
  • {BLOCKED}stalhilldesign.com
  • {BLOCKED}ig.ase.ro
  • {BLOCKED}l-r.ro
  • {BLOCKED}tnet.eu
  • {BLOCKED}tomroms.cba.pl
  • {BLOCKED}levegas.com
  • {BLOCKED}ialent.com
  • {BLOCKED}udi-services.com
  • {BLOCKED}alystsystems.com
  • {BLOCKED}zlecarpentry.training
  • {BLOCKED}ting.party
  • {BLOCKED}albchamber.org
  • {BLOCKED}aseguridad.com
  • {BLOCKED}eme2.bokshaber.net
  • {BLOCKED}bydays.ru
  • {BLOCKED}criptivevideoproductions.com
  • {BLOCKED}ertdawnschool.com
  • {BLOCKED}.beverlywilshiremedical.com
  • {BLOCKED}dev.com.br
  • {BLOCKED}nformatique.ca
  • {BLOCKED}delorgasmo.cl
  • {BLOCKED}italharf.com
  • {BLOCKED}-cp.com
  • {BLOCKED}prsemena.com
  • {BLOCKED}cartusa.com
  • {BLOCKED}catpetshop.life
  • {BLOCKED}labs.com.br
  • {BLOCKED}otoanquoc.com
  • {BLOCKED}tergigimuda.com
  • {BLOCKED}usmedia.com
  • {BLOCKED}mmelo.altervista.org
  • {BLOCKED}.integralmea.info
  • {BLOCKED}cethings.com
  • {BLOCKED}chtraditions.nl
  • {BLOCKED}sa.com.br
  • {BLOCKED}oetiketler.com
  • {BLOCKED}rimea.biz
  • {BLOCKED}rzepisy.cba.pl
  • {BLOCKED}lesturf.org
  • {BLOCKED}yenergy.co.nz
  • {BLOCKED}olute.com
  • {BLOCKED}rt.nu
  • {BLOCKED}dom-vent.ru
  • {BLOCKED}toraplanmark.com.br
  • {BLOCKED}leka.com
  • {BLOCKED}cile.biz
  • {BLOCKED}lihasar.com
  • {BLOCKED}ctrictrainproductions.com
  • {BLOCKED}ctrobox.org
  • {BLOCKED}ktro-beckers.de
  • {BLOCKED}ktropastuh.ru
  • {BLOCKED}click.com
  • {BLOCKED}lyshope.org
  • {BLOCKED}lallagosta.cat
  • {BLOCKED}rgy-utama.com
  • {BLOCKED}star.es
  • {BLOCKED}irobostad.se
  • {BLOCKED}iziondezigns.com
  • {BLOCKED}oaudiovisual.com
  • {BLOCKED}kherrstrom.com
  • {BLOCKED}urkgrup.com.tr
  • {BLOCKED}ncharpati.com
  • {BLOCKED}ort-girls.services
  • {BLOCKED}inascompany.com
  • {BLOCKED}ential-campinggear.com
  • {BLOCKED}ablecimientos.sintinovoy.sevapp20.com
  • {BLOCKED}rx.org
  • {BLOCKED}enkalip.com
  • {BLOCKED}os8.com
  • {BLOCKED}osystemsrl.net
  • {BLOCKED}skinclinic.com
  • {BLOCKED}rythingsale.com
  • {BLOCKED}photo.ru
  • {BLOCKED}tech.lu
  • {BLOCKED}-doctor.mobi
  • {BLOCKED}.org.tr
  • {BLOCKED}eok.online
  • {BLOCKED}uldadesenacpe.edu.br
  • {BLOCKED}aate.com
  • {BLOCKED}aos.foco.cl
  • {BLOCKED}ynskiprzemek.cba.pl
  • {BLOCKED}therenterprising.com
  • {BLOCKED}ltwenty.com
  • {BLOCKED}tilidadpma.com
  • {BLOCKED}eda.com.ve
  • {BLOCKED}amlight.ru
  • {BLOCKED}estjodi.com
  • {BLOCKED}stbasepromotions.co.za
  • {BLOCKED}forms.mx
  • {BLOCKED}cgilumbria.it
  • {BLOCKED}ws.mobi
  • {BLOCKED}family.org
  • {BLOCKED}mametal.net
  • {BLOCKED}opsy.cba.pl
  • {BLOCKED}ncis-china.com
  • {BLOCKED}nckcrepelle.com
  • {BLOCKED}elancemarketingtraining.com
  • {BLOCKED}espiritgroup.altervista.org
  • {BLOCKED}ynutrition.com.tr
  • {BLOCKED}inetszott.cba.pl
  • {BLOCKED}axycorp.es
  • {BLOCKED}axyonetransportation.com
  • {BLOCKED}cann.com
  • {BLOCKED}othermocaldeiras.com.br
  • {BLOCKED}agriptraction.com
  • {BLOCKED}cardonationtoday.com
  • {BLOCKED}sharkeynow.com
  • {BLOCKED}.adv.br
  • {BLOCKED}rkulconstructions.in
  • {BLOCKED}nlucafiorino1.altervista.org
  • {BLOCKED}rgianes.altervista.org
  • {BLOCKED}tmaster.ml
  • {BLOCKED}es-les-noisetiers.fr
  • {BLOCKED}troy.com
  • {BLOCKED}ootball24h.com
  • {BLOCKED}eelanau.com
  • {BLOCKED}oney.org.in
  • {BLOCKED}dapd.website
  • {BLOCKED}4tstore.com
  • {BLOCKED}ftedinn.us
  • {BLOCKED}minrajasthan.allappshere.in
  • {BLOCKED}atmiddleeastgate.com
  • {BLOCKED}en-world-md.ru
  • {BLOCKED}entradecorp.com
  • {BLOCKED}mlin.studio
  • {BLOCKED}lledcheesereviews.com
  • {BLOCKED}poperfetto.com.br
  • {BLOCKED}elecom.cf
  • {BLOCKED}khali.fi
  • {BLOCKED}o.ir
  • {BLOCKED}sysoulsonfire.com
  • {BLOCKED}.vn
  • {BLOCKED}labonito.com
  • {BLOCKED}rcb.com
  • {BLOCKED}aglobalholding.com
  • {BLOCKED}htrinhkientaocuocdoi.com
  • {BLOCKED}dsoftbay.ru
  • {BLOCKED}iominteriordecorators.com
  • {BLOCKED}judesign.com
  • {BLOCKED}oldlopezr.com
  • {BLOCKED}risheatpumps.nz
  • {BLOCKED}ryfang.com
  • {BLOCKED}hpatal.com
  • {BLOCKED}tanetaksi.net
  • {BLOCKED}rtfulness.com.ua
  • {BLOCKED}rtlandrestaurantgroup.com
  • {BLOCKED}rtsongroup.com
  • {BLOCKED}orrhoidsorted.com
  • {BLOCKED}uvekhoemanhtunhien.com
  • {BLOCKED}lcountrycamo.com
  • {BLOCKED}designonline.com
  • {BLOCKED}emingjiang.com
  • {BLOCKED}century.com
  • {BLOCKED}eodisha.com
  • {BLOCKED}eltravel2018.com
  • {BLOCKED}rliapp.com
  • {BLOCKED}nottocatchacold.com
  • {BLOCKED}.gov.co
  • {BLOCKED}ae.fr
  • {BLOCKED}oadradio.com
  • {BLOCKED}zaigham.com
  • {BLOCKED}bergillusion.com
  • {BLOCKED}lamart.fr
  • {BLOCKED}ograms.ir
  • {BLOCKED}stinostours.com
  • {BLOCKED}sz.com
  • {BLOCKED}zineex.com
  • {BLOCKED}iu.com
  • {BLOCKED}eria-quest.com.ua
  • {BLOCKED}ortec.com.mx
  • {BLOCKED}bolushipyard.com
  • {BLOCKED}scogroup.com
  • {BLOCKED}ormatica.uss.cl
  • {BLOCKED}titut-journalisme.fr
  • {BLOCKED}ercnetwork.com.ng
  • {BLOCKED}erflower.ee
  • {BLOCKED}eriors-by-catherine.com
  • {BLOCKED}erlab.com.sg
  • {BLOCKED}ervener.org
  • {BLOCKED}e.com.vn
  • {BLOCKED}otobooth.com.au
  • {BLOCKED}ntbt.com
  • {BLOCKED}erver.net
  • {BLOCKED}insaat.com.tr
  • {BLOCKED}anbul212tesisat.com
  • {BLOCKED}upplier.com.au
  • {BLOCKED}ran.com.br
  • {BLOCKED}-sie-opalac.cba.pl
  • {BLOCKED}gonkongtrul.org.tw
  • {BLOCKED}ndotel.com
  • {BLOCKED}ping-ug.ru
  • {BLOCKED}-graphics.com
  • {BLOCKED}etlitelmakinasi.com
  • {BLOCKED}shmore.com
  • {BLOCKED}eriadeplata23.com
  • {BLOCKED}iter.csit.rmit.edu.au
  • {BLOCKED}iledans.com
  • {BLOCKED}fekanna.no
  • {BLOCKED}aocorp.link
  • {BLOCKED}emon.net
  • {BLOCKED}eleon-restauracja.cba.pl
  • {BLOCKED}celaria-crm.pl
  • {BLOCKED}atstreet.com
  • {BLOCKED}ehsanatco.com
  • {BLOCKED}annou.be
  • {BLOCKED}ceemarketing.com
  • {BLOCKED}ti.com
  • {BLOCKED}ler-fenster.ch
  • {BLOCKED}ryaclark.com
  • {BLOCKED}bardarexpress.com
  • {BLOCKED}dtarash.ir
  • {BLOCKED}bod.com
  • {BLOCKED}athon.org
  • {BLOCKED}sportvn.com
  • {BLOCKED}mdinh345.com
  • {BLOCKED}derwood.store
  • {BLOCKED}hmatgiao.com
  • {BLOCKED}tipakdee.com
  • {BLOCKED}ngplaza.com
  • {BLOCKED}nikkingcare.com
  • {BLOCKED}ngpleng.com
  • {BLOCKED}oznan.cba.pl
  • {BLOCKED}oritplus.ru
  • {BLOCKED}snaypolyana123.ru
  • {BLOCKED}stud.ru
  • {BLOCKED}yn.com
  • {BLOCKED}tsolar.kz
  • {BLOCKED}atom.com
  • {BLOCKED}efecizade.com.tr
  • {BLOCKED}nho.com.au
  • {BLOCKED}dapt.org
  • {BLOCKED}hongtrans.com
  • {BLOCKED}dmarkscalifornia.org
  • {BLOCKED}xiaoyang.com
  • {BLOCKED}pharma.com
  • {BLOCKED}.littlerocknews.org
  • {BLOCKED}lengenharia.hospedagemdesites.ws
  • {BLOCKED}ircuit.fr
  • {BLOCKED}wesley.com
  • {BLOCKED}dik.polri.go.id
  • {BLOCKED}racinesdedemain.com
  • {BLOCKED}.dk
  • {BLOCKED}.adv.br
  • {BLOCKED}e.demobb.com
  • {BLOCKED}yd.www.creative-platform.net
  • {BLOCKED}oevents.com
  • {BLOCKED}nuockimnguyenphat.com.vn
  • {BLOCKED}-carb-rezept.com
  • {BLOCKED}tsuhaiduong.com
  • {BLOCKED}ianocellitancredi.com
  • {BLOCKED}ides.co.uk
  • {BLOCKED}ward.com
  • {BLOCKED}redactrice-web.com
  • {BLOCKED}nlis.pt
  • {BLOCKED}bleentreprise.dk
  • {BLOCKED}celinoadvogados.com.br
  • {BLOCKED}cora.it
  • {BLOCKED}iamiler.com
  • {BLOCKED}ketisleri.com
  • {BLOCKED}met.cba.pl
  • {BLOCKED}ydonnelly.com
  • {BLOCKED}-expert.com
  • {BLOCKED}p.pro
  • {BLOCKED}sagenirvana.com
  • {BLOCKED}sclap.com
  • {BLOCKED}ricionacif.com
  • {BLOCKED}ibud.cba.pl
  • {BLOCKED}jackson.com
  • {BLOCKED}tusa.com
  • {BLOCKED}iweb.com
  • {BLOCKED}-coaching.fr
  • {BLOCKED}group.co.uk
  • {BLOCKED}tit.com.ua
  • {BLOCKED}livdim.org
  • {BLOCKED}itec.ma
  • {BLOCKED}exinc.com
  • {BLOCKED}lon.ir
  • {BLOCKED}loweb.com
  • {BLOCKED}gxiao7.com
  • {BLOCKED}toriaparacoaches.com.br
  • {BLOCKED}ittur.com
  • {BLOCKED}aland.me
  • {BLOCKED}odoresultado.com
  • {BLOCKED}enibg.com
  • {BLOCKED}tmgtllc.com
  • {BLOCKED}iamkapner.com
  • {BLOCKED}ivi.hu
  • {BLOCKED}ka.kg
  • {BLOCKED}oir.com
  • {BLOCKED}orcityphotoworkshops.com
  • {BLOCKED}nalyz.com
  • {BLOCKED}umberjack.com
  • {BLOCKED}greens.com
  • {BLOCKED}contracting.ca
  • {BLOCKED}.com.kw
  • {BLOCKED}ithai.pl
  • {BLOCKED}ituz.com
  • {BLOCKED}enageulis.com
  • {BLOCKED}dololita.es
  • {BLOCKED}ubing.cn
  • {BLOCKED}ic-360.pl
  • {BLOCKED}tay.com
  • {BLOCKED}entertainment.com
  • {BLOCKED}rtstudio.com.my
  • {BLOCKED}embest.com
  • {BLOCKED}troi24.ru
  • {BLOCKED}inidea.com
  • {BLOCKED}albazr.com
  • {BLOCKED}zamdistributor.com
  • {BLOCKED}aveesurgerythailand.com
  • {BLOCKED}hpersonal.com.ua
  • {BLOCKED}haliedesperchesboukhatem.fr
  • {BLOCKED}hyrealty.com
  • {BLOCKED}urecarelandscape.com
  • {BLOCKED}ahanenda.com
  • {BLOCKED}areimoveis.vistatemporario.com.br
  • {BLOCKED}jobs.info
  • {BLOCKED}iogluavm.com
  • {BLOCKED}-voda.ru
  • {BLOCKED}ten.dk
  • {BLOCKED}oconstructioncorp.com
  • {BLOCKED}hair.com
  • {BLOCKED}ior.cn
  • {BLOCKED}hs-earth.com
  • {BLOCKED}inenyc.com
  • {BLOCKED}destinasat.com.br
  • {BLOCKED}soacordo.com
  • {BLOCKED}ocentropetrolina.com
  • {BLOCKED}osti-danasnje.info
  • {BLOCKED}uchgroup.com
  • {BLOCKED}fian.ukmforum.com
  • {BLOCKED}ululmastah.com
  • {BLOCKED}d-service.ru
  • {BLOCKED}anlinen.com
  • {BLOCKED}anstockfilms.com
  • {BLOCKED}nconsult.com
  • {BLOCKED}ndaschool.com.br
  • {BLOCKED}hpoetih.com
  • {BLOCKED}dev.ro
  • {BLOCKED}inebusinesskhabar.com
  • {BLOCKED}ineitshop.com
  • {BLOCKED}taheerd.nl
  • {BLOCKED}nricostruzioneabruzzo.piattaforma.eu
  • {BLOCKED}nveda.info
  • {BLOCKED}ikchrtek.yourcloud.cz
  • {BLOCKED}l.co.il
  • {BLOCKED}lgem.com
  • {BLOCKED}hodontics.ir
  • {BLOCKED}ar-event.com.ua
  • {BLOCKED}oramafoto.com
  • {BLOCKED}disesofe.com
  • {BLOCKED}smoviez.com
  • {BLOCKED}lbloodgood.com
  • {BLOCKED}trenkeren.xyz
  • {BLOCKED}kmedia.se
  • {BLOCKED}rlandshandyman.com
  • {BLOCKED}efigo.com
  • {BLOCKED}itocaligrafosevilla.es
  • {BLOCKED}leyfund.org
  • {BLOCKED}ovaphoto.ru
  • {BLOCKED}ongthaoland.com
  • {BLOCKED}siqapparel.no
  • {BLOCKED}usglancus.pl
  • {BLOCKED}eondeck.com
  • {BLOCKED}pmgr.com
  • {BLOCKED}tsburghbbq.com
  • {BLOCKED}saponsel.com
  • {BLOCKED}taformacontralaprivatizaciondelcyii.org
  • {BLOCKED}iticsamongus.com
  • {BLOCKED}y.polyblow.com.br
  • {BLOCKED}yblow.com.br
  • {BLOCKED}tit.angryventures.com
  • {BLOCKED}panda74.ru
  • {BLOCKED}sencetalentos.com.br
  • {BLOCKED}sentseitai.com
  • {BLOCKED}-markservicesinc.com
  • {BLOCKED}menadedeflandre.com
  • {BLOCKED}tesesdeflex.com.br
  • {BLOCKED}photo.ru
  • {BLOCKED}roup.vn
  • {BLOCKED}straworld.signupvideo.com
  • {BLOCKED}ienglish.com
  • {BLOCKED}cherssupply.us
  • {BLOCKED}mfan.cba.pl
  • {BLOCKED}ben.com
  • {BLOCKED}anaco.ir
  • {BLOCKED}reativemg.com
  • {BLOCKED}token.com
  • {BLOCKED}mix.com.ua
  • {BLOCKED}ahnovin.ir
  • {BLOCKED}so.com.br
  • {BLOCKED}ectrica.com.mx
  • {BLOCKED}eltravel.com
  • {BLOCKED}h.fr
  • {BLOCKED}b.com.pl
  • {BLOCKED}tio.com
  • {BLOCKED}os.top
  • {BLOCKED}al.world
  • {BLOCKED}ertallenentertainment.com
  • {BLOCKED}filios.com
  • {BLOCKED}ochampsnorth.robomateplus.com
  • {BLOCKED}etdev.com
  • {BLOCKED}mpride.es
  • {BLOCKED}aract3272.org
  • {BLOCKED}e.com.mx
  • {BLOCKED}al.by
  • {BLOCKED}detankaravekil.com
  • {BLOCKED}eres.cl
  • {BLOCKED}aaldan.es
  • {BLOCKED}fronali.com
  • {BLOCKED}andnetcctv.com
  • {BLOCKED}ds-edu.com
  • {BLOCKED}ltrans.com
  • {BLOCKED}safadi.com
  • {BLOCKED}-kelloff-italy.web5s.com
  • {BLOCKED}xecu.vn
  • {BLOCKED}digeriatrics.org
  • {BLOCKED}betcasinoterpercaya.com
  • {BLOCKED}oolapp.be
  • {BLOCKED}rurierparis75.ovh
  • {BLOCKED}enpillars.org.uk
  • {BLOCKED}rainingzone.com
  • {BLOCKED}caram.com
  • {BLOCKED}kingflames.com
  • {BLOCKED}lvak.com
  • {BLOCKED}rouk.com
  • {BLOCKED}p.istest.ir
  • {BLOCKED}recrestschools.com
  • {BLOCKED}illum.com.ua
  • {BLOCKED}etribilisim.com
  • {BLOCKED}ergiindonesia.co.id
  • {BLOCKED}fonia.vn
  • {BLOCKED}uverde.com
  • {BLOCKED}es.blueskydigital.com.au
  • {BLOCKED}permatabunda.com
  • {BLOCKED}yd.cba.pl
  • {BLOCKED}-technik.de
  • {BLOCKED}lldealer.fr
  • {BLOCKED}tsje-gruttepier.nl
  • {BLOCKED}pandset.com
  • {BLOCKED}n43-jkt.sch.id
  • {BLOCKED}ardoli.org
  • {BLOCKED}akcreation.com
  • {BLOCKED}jankagd.com
  • {BLOCKED}ial.takeshopv.pp.ua
  • {BLOCKED}tshine.kiev.ua
  • {BLOCKED}tsj.org
  • {BLOCKED}olenko.dp.ua
  • {BLOCKED}ardosing.ir
  • {BLOCKED}diergym.nl
  • {BLOCKED}edadmanzi.com
  • {BLOCKED}newton.com
  • {BLOCKED}lbas.dk
  • {BLOCKED}ndilos.ru
  • {BLOCKED}rtsohio.pbd-dev.com
  • {BLOCKED}rtcomputer.com.br
  • {BLOCKED}rtkartingnow.com
  • {BLOCKED}vesofminthill.com
  • {BLOCKED}veworlddirect.co.uk
  • {BLOCKED}vnerkameratene.no
  • {BLOCKED}ipperin-duisburg.net
  • {BLOCKED}diodelcarratore.it
  • {BLOCKED}amoviedrama.online
  • {BLOCKED}awan.com
  • {BLOCKED}-casa.com
  • {BLOCKED}daysbestphotography.com
  • {BLOCKED}shine-city-ciputra.net
  • {BLOCKED}etthirty.pl
  • {BLOCKED}mmik.com
  • {BLOCKED}fhr.ga
  • {BLOCKED}ingermei.xyz
  • {BLOCKED}il-spectehnika.ru
  • {BLOCKED}iloro.ru
  • {BLOCKED}a.today
  • {BLOCKED}anpesona.com
  • {BLOCKED}pacardiologist.com
  • {BLOCKED}hkade.info
  • {BLOCKED}riverview.com.vn
  • {BLOCKED}t-my-work.ru
  • test.{BLOCKED}istia.se
  • test.{BLOCKED}igo-experten.be
  • test.{BLOCKED}ari.pl
  • test.{BLOCKED}emucevherat.com
  • test.{BLOCKED}veeview.com
  • test.{BLOCKED}ing.io
  • testing.{BLOCKED}ang.com
  • {BLOCKED}aceexports.com
  • {BLOCKED}cellarsisters.ca
  • {BLOCKED}gioiwebvn.com
  • {BLOCKED}pinspire.co.uk
  • {BLOCKED}postatrockwells.com
  • {BLOCKED}travelnext.com
  • {BLOCKED}llaikalavathi.info
  • {BLOCKED}cannabis.com
  • {BLOCKED}exephamgia.com
  • {BLOCKED}fintownbooks.com
  • {BLOCKED}tamduc.info
  • {BLOCKED}eschinipassofundo.com.br
  • {BLOCKED}marmores.com.br
  • {BLOCKED}erplenka.ru
  • {BLOCKED}ight-hobby.com
  • {BLOCKED}-22.ru
  • {BLOCKED}-prodazha.ru
  • {BLOCKED}avi.es
  • {BLOCKED}onlinegames.pro
  • {BLOCKED}stenbygger.se
  • {BLOCKED}ghods.ir
  • {BLOCKED}ineeship.top
  • {BLOCKED}vellow.world
  • {BLOCKED}bratanewsende.com
  • {BLOCKED}umphoh.com
  • {BLOCKED}homes.in
  • {BLOCKED}dyhuisman.com
  • {BLOCKED}eadv.ru
  • {BLOCKED}plus.ir
  • {BLOCKED}ko.org.ua
  • {BLOCKED}website.aithent.com
  • {BLOCKED}cfoundation.es
  • {BLOCKED}cfundacion.es
  • {BLOCKED}cfundacion.eu
  • {BLOCKED}raformervn.com
  • {BLOCKED}ezamani.net
  • {BLOCKED}pott.se
  • {BLOCKED}cef-int.karibuni.be
  • {BLOCKED}fiedgoals.com
  • {BLOCKED}quecollege.com.au
  • {BLOCKED}quemedia.cf
  • {BLOCKED}tedctg.com
  • {BLOCKED}atimotors.in
  • {BLOCKED}ate.com.br
  • {BLOCKED}ate13.hospedagemdesites.ws
  • {BLOCKED}-apply.com
  • {BLOCKED}unbey.com
  • {BLOCKED}rku.ru
  • {BLOCKED}couvereventvideo.com
  • {BLOCKED}nadesign.ru
  • {BLOCKED}quezdelamorena.com
  • {BLOCKED}iculosbenimar.es
  • {BLOCKED}expro.com
  • {BLOCKED}eirafilho.com.br
  • {BLOCKED}eokurs-tut.ru
  • {BLOCKED}tx.us
  • {BLOCKED}lagevanguard.co.uk
  • {BLOCKED}homescangio.viethomes.land
  • {BLOCKED}letdecor.net
  • {BLOCKED}youxi.net
  • {BLOCKED}tualisseta.com
  • {BLOCKED}ahousebangladesh.com
  • {BLOCKED}oriainvest.com.br
  • {BLOCKED}cons.com.vn
  • {BLOCKED}tec.com
  • {BLOCKED}wcourse.com
  • {BLOCKED}ceyouropinions.net
  • {BLOCKED}.kz
  • {BLOCKED}aldirek.com
  • {BLOCKED}eupwithmakeup.co.uk
  • {BLOCKED}lcraftcustom.com
  • {BLOCKED}marketing.cinfoway.in
  • {BLOCKED}unbox.com
  • {BLOCKED}hnachts-pyramide.tk
  • {BLOCKED}ssgallery.ru
  • {BLOCKED}lnesslifescience.com
  • {BLOCKED}ppetrealty.com
  • {BLOCKED}te-power-music.cba.pl
  • {BLOCKED}host.tk
  • {BLOCKED}lybarroy.fr
  • {BLOCKED}gznthangz.com
  • {BLOCKED}speedy.ru
  • {BLOCKED}fy.com
  • {BLOCKED}kcompoptions.com
  • {BLOCKED}ldgamifier.com
  • wp.{BLOCKED}ions.men
  • wp.{BLOCKED}test.fr
  • {BLOCKED}kademi.com
  • {BLOCKED}ytek.com
  • www.{BLOCKED}.sr
  • www.{BLOCKED}cbrasil.com
  • www.{BLOCKED}vec.com
  • www.{BLOCKED}nya.co.uk
  • www.{BLOCKED}na.tn
  • www.{BLOCKED}phuoc.com.vn
  • www.{BLOCKED}arentacars.com
  • www.{BLOCKED}rtmanipisak.com
  • www.{BLOCKED}leupdate.ir
  • www.{BLOCKED}hives-zoliennes.fr
  • www.{BLOCKED}angarayan.com
  • www.{BLOCKED}enkundig.at
  • www.{BLOCKED}apointpl.com
  • www.{BLOCKED}ed.cz
  • www.{BLOCKED}isigortaaydin.com
  • www.{BLOCKED}t.co.kr
  • www.{BLOCKED}lerimpex.com
  • www.{BLOCKED}wiseacademy.com
  • www.{BLOCKED}adbandimperatives.org
  • www.{BLOCKED}cure.fr
  • www.{BLOCKED}av.hu
  • www.{BLOCKED}ingtouch.uk.com
  • www.{BLOCKED}ademare.it
  • www.{BLOCKED}pakalaptop.com
  • www.{BLOCKED}trixs.biz
  • www.{BLOCKED}espire.com
  • www.{BLOCKED}nandeayrs.com
  • www.{BLOCKED}ndrobindumcltd.com
  • www.{BLOCKED}riehavetoshine.com
  • www.{BLOCKED}stersskn.com
  • www.{BLOCKED}istinapetrou.co.uk
  • www.{BLOCKED}rusdent.com
  • www.{BLOCKED}sstransport.fr
  • www.{BLOCKED}sedguardthemovie.com
  • www.{BLOCKED}rgy.com.br
  • www.{BLOCKED}nitiasystems.com
  • www.{BLOCKED}orshotevents.com
  • www.{BLOCKED}sulpyme.biz
  • www.{BLOCKED}versants.com
  • www.{BLOCKED}nishinn.com
  • www.{BLOCKED}illecharro.com
  • www.{BLOCKED}toradodai.com
  • www.{BLOCKED}orservicesgroup.com
  • www.{BLOCKED}salsistemas.com.br
  • www.{BLOCKED}dhuri.edu.in
  • www.{BLOCKED}ischool.vn
  • www.{BLOCKED}i.nl
  • www.{BLOCKED}kherrstrom.com
  • www.{BLOCKED}aces-interieurs.net
  • www.{BLOCKED}eticaderma.com
  • www.{BLOCKED}el-albania.com
  • www.{BLOCKED}osystemsrl.net
  • www.{BLOCKED}bfoundation.gm
  • www.{BLOCKED}ancetoit.fr
  • www.{BLOCKED}911.com
  • www.{BLOCKED}dsbn.com
  • www.{BLOCKED}60.us
  • www.{BLOCKED}telliditalia.it
  • www.{BLOCKED}ends-for-kids.de
  • www.{BLOCKED}v.news
  • www.{BLOCKED}logis.com
  • www.{BLOCKED}enwolfales.com
  • www.{BLOCKED}upwine.fr
  • www.{BLOCKED}umansena.co.in
  • www.{BLOCKED}hpatal.com
  • www.{BLOCKED}roser.pt
  • www.{BLOCKED}merlandgolf.dk
  • www.{BLOCKED}ervi.com.br
  • www.{BLOCKED}gatecenter.org
  • www.{BLOCKED}century.com
  • www.{BLOCKED}peem.org
  • www.{BLOCKED}interiors.com
  • www.{BLOCKED}s.space
  • www.{BLOCKED}sz.com
  • www.{BLOCKED}bana.cat
  • www.{BLOCKED}eriorideas9.com
  • www.{BLOCKED}ernationalmoversboston.com
  • www.{BLOCKED}crossconnect.com
  • www.{BLOCKED}notaola.com
  • www.{BLOCKED}at.com
  • www.{BLOCKED}uisunenfantterrible.com
  • www.{BLOCKED}ingshi.cn
  • www.{BLOCKED}obk.com
  • www.{BLOCKED}iledans.com
  • www.{BLOCKED}1.ir
  • www.{BLOCKED}kidnews.com
  • www.{BLOCKED}ezaagricola.com.br
  • www.{BLOCKED}shnagrp.com
  • www.{BLOCKED}toaskel.net
  • www.{BLOCKED}outtedelixir.com
  • www.{BLOCKED}ri.co.il
  • www.{BLOCKED}ertag.kiev.ua
  • www.{BLOCKED}thotel.it
  • www.{BLOCKED}ariable.club
  • www.{BLOCKED}kcoaching.com.au
  • www.{BLOCKED}nsindustries.org
  • www.{BLOCKED}nwood.co.uk
  • www.{BLOCKED}itsolutionsbd.com
  • www.{BLOCKED}napouyesh.com
  • www.{BLOCKED}artegrise.eu
  • www.{BLOCKED}eshsharma.live
  • www.{BLOCKED}nlis.pt
  • www.{BLOCKED}aeeventos.com.br
  • www.{BLOCKED}ketopic.ru
  • www.{BLOCKED}urley.com
  • www.{BLOCKED}.com.sg
  • www.{BLOCKED}itec.ma
  • www.{BLOCKED}awheyprotein.com
  • www.{BLOCKED}lbyhorsepower.se
  • www.{BLOCKED}anoiatravel.in
  • www.{BLOCKED}helleshairlounge.ca
  • www.{BLOCKED}id.cz
  • www.{BLOCKED}yah.com.my
  • www.{BLOCKED}ainfantilvalencia.com
  • www.{BLOCKED}ei.co
  • www.{BLOCKED}lus.co.th
  • www.{BLOCKED}ikik.com
  • www.{BLOCKED}tingbits.com
  • www.{BLOCKED}toys.com.cn
  • www.{BLOCKED}sinfrozen.com.hk
  • www.{BLOCKED}singroup.com.hk
  • www.{BLOCKED}anusdavetorganizasyon.com
  • www.{BLOCKED}aklarpaslanmaz.com
  • www.{BLOCKED}ainicholasossai.com
  • www.{BLOCKED}ordpharmassist.com
  • www.{BLOCKED}inaturistului.com
  • www.{BLOCKED}npoint.online
  • www.{BLOCKED}yacopapi.com
  • www.{BLOCKED}thabarua.com
  • www.{BLOCKED}fectfunnelblueprint.com
  • www.{BLOCKED}sfoodbd.com
  • www.{BLOCKED}egoire.com
  • www.{BLOCKED}mmemviet.com
  • www.{BLOCKED}zeriarepentigny.ca
  • www.{BLOCKED}eteg.com
  • www.{BLOCKED}hmyprofile.com
  • www.{BLOCKED}aelimports.com.br
  • www.{BLOCKED}nbowwaffle.xyz
  • www.{BLOCKED}nformatica.pt
  • www.{BLOCKED}gdevten.xyz
  • www.{BLOCKED}lsun.com
  • www.{BLOCKED}ubrimos.com
  • www.{BLOCKED}eptifbumipersada.com
  • www.{BLOCKED}sa.com.br
  • www.{BLOCKED}dtroiscours.com
  • www.{BLOCKED}treasure.com
  • www.{BLOCKED}nt.in
  • www.{BLOCKED}anjews.com
  • www.{BLOCKED}eehandmade.com
  • www.{BLOCKED}garchat.com
  • www.{BLOCKED}detorganizasyon.com
  • www.{BLOCKED}ranmobilyadekorasyon.com
  • www.{BLOCKED}tischerd.com
  • www.{BLOCKED}teks.com
  • www.{BLOCKED}ebr.com
  • www.{BLOCKED}iri.com
  • www.{BLOCKED}computers.ro
  • www.{BLOCKED}simint.com
  • www.{BLOCKED}temasapex.mx
  • www.{BLOCKED}ama.cn
  • www.{BLOCKED}ialconcepts-cm.com
  • www.{BLOCKED}ardigitalweb.com
  • www.{BLOCKED}mol.com
  • www.{BLOCKED}penda.com
  • www.{BLOCKED}orkin.com
  • www.{BLOCKED}-co.ir
  • www.{BLOCKED}turfmats.com
  • www.{BLOCKED}cellars.com
  • www.{BLOCKED}thewa.com
  • www.{BLOCKED}bungalowstay.in
  • www.{BLOCKED}nisoft.hn
  • www.{BLOCKED}qube.com
  • www.{BLOCKED}tual.com
  • www.{BLOCKED}iphonecenter.com
  • www.{BLOCKED}tscomfortable.com
  • www.{BLOCKED}tstevenrice.com
  • www.{BLOCKED}adaptables.com
  • www.{BLOCKED}atlanticseafoodcompany.com
  • www.{BLOCKED}loveassembly.com
  • www.{BLOCKED}parco.com
  • www.{BLOCKED}ura.com.br
  • www.{BLOCKED}lyaviacao.com.br
  • www.{BLOCKED}okuaja.com
  • www.{BLOCKED}rmelaybasket.fr
  • www.{BLOCKED}nsento.com
  • www.{BLOCKED}logiaexpeditionsperu.com
  • www.{BLOCKED}melin2014.com
  • www.{BLOCKED}ekrarcisi.com
  • www.{BLOCKED}roject.fr
  • www.{BLOCKED}toothfully.com
  • www.{BLOCKED}clb.org
  • www.{BLOCKED}vet.travel
  • www.{BLOCKED}onicasantiago.com.br
  • www.{BLOCKED}saseo.com
  • www.{BLOCKED}alavie.fr
  • www.{BLOCKED}rfilm.ga
  • www.{BLOCKED}h-wear.com
  • www.{BLOCKED}htm.cn
  • www.{BLOCKED}l-weil.de
  • www.{BLOCKED}dpresspractice.cf
  • www.{BLOCKED}hyderabad.com
  • www.{BLOCKED}-narmdnsalonlar-fjb55aa34dpkdo.com
  • www.{BLOCKED}glass.com
  • www.{BLOCKED}ydesign.com
  • www.{BLOCKED}andapalhanoimoveis.com.br
  • www.{BLOCKED}amnakliye.com
  • www.{BLOCKED}nee.com
  • www.{BLOCKED}inanle.com
  • {BLOCKED}ogioivietnam.com
  • {BLOCKED}d24h.net
  • {BLOCKED}rkcity.com
  • xn----{BLOCKED}d1beecki5h.xn--p1ai
  • xn----{BLOCKED}1aamaagfpjbdc3dm.xn--p1ai
  • xn----{BLOCKED}ovaaet2bacdygacidsedek.xn--p1acf
  • xn--{BLOCKED}bmdrdpayqtg1d7h.xn--p1ai
  • xn--{BLOCKED}n2ag7e.xn--p1ai
  • xn--{BLOCKED}1e.xn--p1acf
  • {BLOCKED}ess.ltd
  • {BLOCKED}nduocnam.com
  • {BLOCKED}chengguoji.com
  • {BLOCKED}lowcreativeco.com
  • {BLOCKED}letsdrive.com
  • {BLOCKED}thipiwater.com
  • {BLOCKED}abody.com.br
  • {BLOCKED}yat-group.com
  • {BLOCKED}uso.com
  • {BLOCKED}ba.co.uk
  • {BLOCKED}eader.com
  • {BLOCKED}ophage_pedik.com
  • {BLOCKED}m.ovh
• Where string1 is equal to the following:
  • wp-content
  • static
  • content
  • includes
  • data
  • uploads
  • news
• Where string2 is equal to the following:
  • images
  • pictures
  • image
  • graphic
  • assets
  • pics
  • imgs
  • tmp
• Where string3 is equal to the combination of the following:
  • im
  • de
  • ka
  • ke
  • am
  • es
  • so
  • fu
  • se
  • da
  • he
  • ru
  • me
  • mo
  • th
  • zu
• Where string4 is equal to the following:
  • jpg
  • png
  • gif
  • bmp

マルウェアは、実行後、自身を削除します。

ランサムウェアの不正活動

マルウェアは、ファイル名に以下の文字列を含むファイルの暗号化はしません。

• desktop.ini
• autorun.inf
• ntuser.dat
• iconcache.db
• bootsect.bak
• boot.ini
• ntuser.dat.log
• Thumbs.db
• KRAB-DECRYPT.html
• KRAB-DECRYPT.txt
• CRAB-DECRYPT.txt
• ntldr
• NTDETECT.COM
• Bootfont.bin

マルウェアは、以下のフォルダ内で確認されたファイルの暗号化はしません。

• ProgramData
• IETldCache
• Boot
• Program Files
• Tor Browser
• All Users
• Local Settings
• Windows
• %Windows*
• %AppDataLocal%
• %Program Files%\Common Files
• %Program Files%

(註：%AppDataLocal%フォルダは、Windows 2000、XP および Server 2003 の場合、通常、"C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data"、Windows Vista および 7 の場合、"C:\Users\＜ユーザ名＞\AppData\Local" です。. %Program Files%フォルダは、プログラムファイルのフォルダで、いずれのオペレーティングシステム(OS)でも通常、 "C:\Program Files"、64bitのOS上で32bitのアプリケーションを実行している場合、 "C:\Program Files (x86)" です。.)

マルウェアは、暗号化されたファイルのファイル名に以下の拡張子を追加します。

• .KRAB

マルウェアが作成する以下のファイルは、脅迫状です。

• {Encrypted Folder}\KRAB-DECRYPT.txt
•