Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Mail attachment file
 
  • MD5 : 3a80cf0f878859b42372e4b7bef45298
 
  • Encrypted File Pattern : <Random Filename>.cryptolocker
 
  • Malicious File Creation Location :
     - C:\Users\%UserName%\Local\Temp\msdos1.9.exe
     - C:\Users\%UserName%\AppData\Roaming\{A7DBD80C-410D-4C87-99F9-B19C0DA21BF1}\!files-recovery.txt
     - C:\Users\%UserName%\AppData\Roaming\{A7DBD80C-410D-4C87-99F9-B19C0DA21BF1}\temp01.exe
     - C:\Windows\System32\Tasks\SvcSafeData
 
  • Payment Instruction File : !files-recovery.txt
 
  • Major Characteristics :
     - Offline Encryption
     - Disable and Blocks Command Prompt (cmd.exe) and Task Manager (Taskmgr.exe)
     - Block processes execution (dbsnmp.exe, firefoxconfig.exe, msftesql.exe, mydesktopservice.exe, oracle.exe, sqlagent.exe etc.)
     - Delete multi services (MSSQLFDLauncher, SQLBrowser, vmicguestinterface, vmickvpexchange, vmicrdv, vmicshutdown etc.)
     - Delete backup files (*.bac, *.bak, *.bkf, *.dsk, *.set, *.VHD, *.wbcat, *.win, Backup*.*)
     - Disable system restore (vssadmin.exe Delete Shadows /All /Quiet, bcdedit.exe /set {default} recoveryenabled No, bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures, wbadmin DELETE SYSTEMSTATEBACKUP, wmic SHADOWCOPY DELETE, vssadmin.exe resize shadowstorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=401MB, vssadmin.exe resize shadowstorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=unbounded)
     - Adds SvcSafeData to scheduler to execute "%AppData%\{A7DBD80C-410D-4C87-99F9-B19C0DA21BF1}\temp01.exe" every minute.
     - Changes desktop background (%AppData%\{A7DBD80C-410D-4C87-99F9-B19C0DA21BF1}\kakdela.bmp)

List

위로