Ransom.MSIL.EGOGEN.THEABBC

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Se conecta a determinados sitios Web para enviar y recibir información.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega las carpetas siguientes:

• folders added by runyes.Crypter.bat:
  • %User Profile%\Documents\WindowsPowerShell\Modules\Cipher
• folders added by Server.exe:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Grabber
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Grabber\DRIVE-{Drive Letter} → replica of drives in the machine
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Discord
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Pidgin
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Telegram
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Steam
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Uplay
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Minecraft
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\{Wallet Name}
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\FileZilla
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\VPN\ProtonVPN
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\VPN\OpenVPN
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\VPN\NordVPN
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Directories
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System

(Nota: %User Profile% es la carpeta de perfil del usuario activo, que en el caso de Windows 98 y ME suele estar en C:\Windows\Profiles\{nombre de usuario}, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario}, en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) en C:\Documents and Settings\{nombre de usuario} y en el caso de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}).

Infiltra los archivos siguientes:

• %User Temp%\runyes.Crypter.bat
• %Application Data%\azz1.exe
• %User Startup%\Server.exe
• files dropped by azz1.exe:
  • %AppDataLocal%\discord.exe → copy of azz1.exe
  • %Application Data%\ID → contains the victim ID
  • %Application Data%\fondo_antiguo.jpg → copy of current background
  • %User Profile%\Pictures\image{random characters}.jpg → deleted after being set as wallpaper
• files dropped by runyes.Crypter.bat:
  • %Application Data%\Microsoft\Windows\Start Menu\Programs\Startup\runyes.Crypter.bat → copy of runyes.Crypter.bat
  • %User Profile%\Documents\WindowsPowerShell\Modules\Cipher → encryption module
  • %User Profile%\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1 → encryptor
  • %User Profile%\Documents\WindowsPowerShell\Modules\Cipher\Locker.ps1 → decryptor
    
• files dropped by Server.exe:
  • %AppDataLocal%\{Hash Value}\history.dat → contains keylogged data; modifies the file attributes to make the file hidden
  • %AppDataLocal%\{Hash Value}\msgid.dat → contains latest message ID

Agrega los procesos siguientes:

• %User Temp%\runyes.Crypter.bat
• %Application Data%\azz1.exe
• %User Startup%\Server.exe
• processes added by azz1.exe:
  • "%System%\NOTEPAD.EXE" %Application Data%\Read Me First!.txt
  • cmd.exe /c @echo off & echo github: https://{BLOCKED}b.com/temon_69 & start https://{BLOCKED}b.com/temon_69
• processes added by runyes.Crypter.bat:
  • powershell -executionpolicy bypass -win hidden -noexit -file cry.ps1
  • cmd /c powershell -executionpolicy bypass -win hidden -noexit -file cry.ps1
• processes added by Server.exe
  • cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All → to retrieve the wireless network profiles
  • cmd.exe /C chcp 65001 && netsh wlan show profile name=\""{Profile}"\"key=clear | findstr Key" → to retrieve the clear-text Wi-Fi password for a specific wireless network profile
  • cmd.exe /C chcp 65001 && netsh wlan show networks mode=bssid → to retrieve the available wireless networks and their BSSIDs

Agrega las siguientes exclusiones mutuas para garantizar que solo se ejecuta una de sus copias en todo momento:

• WFHnecQdAgmlpRmuT → mutex name of the sample
• vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c= → mutex name of Server.exe

Técnica de inicio automático

Agrega las siguientes entradas de registro para permitir su ejecución automática cada vez que se inicia el sistema:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion
discord = %AppDataLocal%\discord.exe

Otras modificaciones del sistema

Cambia el fondo de escritorio mediante la modificación de las siguientes entradas de registro:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %User Profile%\Pictures\image{random characters}.jpg

Este malware establece la imagen siguiente como fondo de escritorio del sistema:

• %User Profile%\Pictures\image{random characters}.jpg
  

Robo de información

Recopila los siguientes datos:

• Browsers:
  • Credit Card Data
  • Login Data
  • Cookies
  • Browsing History
  • Download History
  • Autofill Data
  • Bookmarks
• FileZilla:
  • Host
  • Port
  • Username
  • Password
• VPN:
  • User Configuration
• Discord:
  • Token
• Pidgin:
  • Protocol
  • Login
  • Password
• Telegram:
  • Folders with folder name 16 characters long
  • Files with size less than or equal to 5120 bytes
  • Files with file name ending in s and 17 characters long
  • Files with file name starting with "usertag", "settings", or "key_data"
• Steam:
  • Application Name
  • GameID
  • Installed(Yes or No)
  • Running (Yes or No)
  • Updating (Yes or No)
  • Steam Authorization File
  • Autologin Data
• Uplay:
  • Files in the folder %AppDataLocal%\Ubisoft Game Launcher
• Minecraft:
  • Profiles
  • Servers
  • Screenshots
  • Modifications
  • Versions
• Directories Structure
• Running Processes:
  • Process Name
  • Process ID
  • Process Path
• Open Windows:
  • Process Name
  • Window Title
  • Process ID
  • Process Path
• Screenshot
• Webcam Capture
• Saved Wireless Networks:
  • Profile
  • Passwords
• Available Wireless Networks
• Product ID
• System Information:
  • Current Date and Time
  • System Version
  • User Name
  • Computer Name
  • Language
  • Installed Anti Virus Products
  • CPU Processor
  • GPU Name
  • RAM Amount
  • Processor ID
  • Battery Information
  • Screen Size
  • Default Gateway
  • Internal IP
  • External IP
  • Location
  • Log Files
  • Keystrokes
• Gathers information from:
  • Browsers:
  • Microsoft Edge
  • Gecko Based Browsers:
  • Firefox
  • Waterfox
  • K-Meleon
  • Thunderbird
  • IceDragon
  • Cyberfox
  • BlackHawk
  • Pale Moon
  • Chromium Based:
  • Chromium
  • Google Chrome
  • Opera Software
  • ChromePlus
  • Iridium
  • 7Star
  • CentBrowser
  • Chedot
  • Vivaldi
  • Kometa
  • Elements Browser
  • Epic Privacy Browser
  • Uran
  • Sleipnir5
  • Citrio
  • Coowon
  • liebao
  • QIP Surf
  • Orbitum
  • Comodo Dragon
  • Amigo
  • Torch
  • Yandex Browser
  • 360Browser
  • Maxthon3
  • K-Melon
  • Sputnik
  • Nichrome
  • CocCoc Browser
  • Chromodo
  • Atom
  • Brave-Browser
  • FTP Clients:
  • FileZilla
  • VPN:
  • ProtonVPN
  • NordVPN
  • OpenVPN
  • Messaging Applications:
  • Discord
  • Pidgin
  • Telegram
  • Gaming:
  • Steam
  • Uplay
  • Minecraft
  • Cryptocurrency Wallets:
  • Zcash
  • Armory
  • bytecoin
  • Jaxx
  • Exodus
  • Ethereum
  • Electrum
  • AtomicWallet
  • Guards
  • Coinomi
  • Litecoin
  • Dash
  • Bitcoin

Información sustraída

Este malware guarda la información robada en el archivo siguiente:

• Edge and Chromium Based Browsers:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\CreditCards.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\Passwords.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\Cookies.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\History.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\Downloads.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\AutoFill.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\Bookmarks.txt
• Gecko Based Browsers:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\Bookmarks.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\Cookies.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\History.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\login.json → copy of the login.json file
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\key3.db → copy of the key3.db file
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\key4.db → copy of the key4.db file
• Discord:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Discord\tokens.txt
• Pidgin:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Pidgin\accounts.txt>/li>
• Telegram:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Telegram\{Folders in %Application Data%\Telegram\tdata with folder name 16 characters long}
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Telegram\{Files in %Application Data%\Telegram\tdata with size less than or equal to 5120 bytes}
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Telegram\{Files in %Application Data%\Telegram\tdata with file name ending in s and 17 characters long}
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Telegram\{Files in %Application Data%\Telegram\tdata with file name starting with "usertag", "settings", or "key_data"}
• Steam:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Steam\Apps.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Steam\{Files in the Steam install path with "ssfn" in its file name}
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Steam\SteamInfo.txt
• Uplay:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Uplay\{Files in %AppDataLocal%\Ubisoft Game Launcher}
• Minecraft:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Minecraft\launcher_profiles.json
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Minecraft\servers.dat
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Minecraft\screenshots\{Screenshot Images}
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Minecraft\mods.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Minecraft\versions.txt
• Cryptocurrency Wallets:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Zcash
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Armory
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\bytecoin
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Jaxx\com.liberty.jax\IndexedDB\file__0.indexeddb.leveldb
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Exodus\exodus.wallet
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Ethereum\keystore
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Electrum\wallets
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\atomic\Local Storage\leveldb
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Guarda\Local Storage\leveldb
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Coinomi\Coinomi\wallets
• FileZilla:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\FileZilla\Hosts.txt
• ProtonVPN:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\ProtonVPN\{Subdirectories of %AppDataLocal%\ProtonVPN containing the string "Proton.exe" in its name}\user.config
• OpenVPN:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\OpenVPN\profiles\{Files in %Application Data%\OpenVPN Connect\profiles with the extension .ovpn}
• NordVPN:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\NordVPN\{Subdirectories of %AppDataLocal%\NordVPN containing the string "NordVpn.exe" in its name}\accounts.txt
• Directory Tree:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Directories\{Directory Name}.txt
• System Information:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\Process.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\Windows.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\WorldWind.jpg
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\Webcam.jpg
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\SavedNetworks.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\ScanningNetworks.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\ProductKey.txt

(Nota: %Application Data% es la carpeta Application Data del usuario activo, que en el caso de Windows 98 y ME suele estar ubicada en C:\Windows\Profiles\{nombre de usuario}\Application Data, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario}\Application Data, en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) en C:\Documents and Settings\{nombre de usuario}\Local Settings\Application Data y en el caso de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Roaming.).

Otros detalles

Se conecta al sitio Web siguiente para enviar y recibir información:

• https://{BLOCKED}b.com/temon_69
• https://a{BLOCKED}gram.org
• https://a{BLOCKED}gram.org/bot{Telegram Token}/getUpdates → to retrieve incoming updates Update ID
• https://a{BLOCKED}gram.org/bot{Telegram Token}/getUpdates?offset={Update ID} → to update Telegram bot
• https://a{BLOCKED}ram.org/bot{Telegram Token}/getFile?file_id={File ID} → to download a file
• https://{BLOCKED}n.com/raw/7B75u64B → to retrieve the Telegram token
• https://a{BLOCKED}gram.org/bot{Telegram Token}/sendMessage?chat_id={Telegram Chat ID}&text={Stolen System Information} → to send stolen system information
• https://a{BLOCKED}gram.org/bot{Telegram Token}/sendDocument?chat_id={Telegram Chat ID} → to send documents containing stolen information
• https://a{BLOCKED}gram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 → to send documents containing stolen information

Hace lo siguiente:

• Server.exe terminates itself if the any of the following conditions are satisfied:
  • If the manufacturer is "microsoft corporation" and the model contains the following strings:
  • VIRTUAL
  • vmware
  • VirtualBox
  • If the following sandbox related modules is loaded in the affected system:
  • SbieDll.dll
  • If the total size of the drive containing the system directory is <= 61 GB.
  • If the OS contains the string "xp".
• It creates a copy of the file it steals.
• It sends the stolen information via Telegram bot.
• It deletes the file after uploading.
• If the file to be sent is a directory, it creates a zip file and then deletes the original directory.