- Distribution Method : Unknown
- MD5 : 0fbf82ee90cc0ad35477cc902b0ba83e
- Major Detection Name : Trojan.Ransom.Stop (ALYac), Trojan.Win32.Chapak.bsuf (Kaspersky)
- Encrypted File Pattern : .tfudet
- Malicious File Creation Location :
- C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\updatewin.exe
- C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\updatewin1.exe
- C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\updatewin2.exe
- C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\3.exe
- C:\Users\%UserName%\AppData\Local\<Random>-<Random>-<Random>-<Random>-<Random>\<Random>.tmp.exe
- C:\Users\%UserName%\AppData\Local\Temp\MpCmdRun.log
- C:\Users\%UserName%\AppData\Local\script.ps1
- C:\Windows\System32\drivers\etc\hosts
- C:\Windows\System32\Tasks\Time Trigger Task
- Payment Instruction File : _openme.txt
- Major Characteristics :
- Offline Encryption
- Create a fake "Windows Update" message
- Modifies Windows Host file (C:\Windows\System32\drivers\etc\hosts) to block security web sites.
- Disable and Blocks Task Manager (DisableTaskmgr)
- Disable Windows Defender (Set-MpPreference -DisableRealtimeMonitoring $true, "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all)
- Reruns by adding "Time Trigger Task" in Task Scheduler to run "%LocalAppData%\<Random>-<Random>-<Random>-<Random>-<Random>\<Random>.tmp.exe --Task" for every 5 minutes.
List