- Distribution Method : Remote access through Remote Desktop Protocol(RDP) or Terminal Services
- MD5 : bfbb56ff322ee66f0ec2d360ca5d5750
- Major Detection Name : a variant of Win64/Filecoder.FONIX.A (ESET), Ransom.Win64.FONIX.SMTH (Trend Micro)
- Encrypted File Pattern : .Email=[unlocker@cock.li]ID=[<Random>].FONIX / .Email=[unlocker@cock.li]ID=[<Random>].XINOF
- Malicious File Creation Location :
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Help.txt
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\How To Decrypt Files.hta
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe
- C:\ProgramData\Cpriv.key
- C:\ProgramData\Cpub.key
- C:\ProgramData\Help.txt
- C:\ProgramData\How To Decrypt Files.hta
- C:\ProgramData\SystemID
- C:\ProgramData\WindowsUpdate.hta
- C:\ProgramData\XINOF.exe
- C:\ProgramData\XINOFALERT.png
- C:\ProgramData\XINOFBG.jpg
- C:\ProgramData\XINOFLOGO.png
- C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe
- C:\Windows\System32\Tasks\exp
- C:\Windows\System32\Tasks\fonix
- C:\Windows\System32\Tasks\fonix10
- C:\Windows\System32\Tasks\fonix11
- Payment Instruction File : Help.txt / How To Decrypt Files.hta
- Major Characteristics :
- Offline Encryption
- Generate a fake Windows Updates message when encrypting files (cmd.exe /c "C:\ProgramData\WindowsUpdate.hta")
- Change a disk name (XINOF)
- Disable and Blocks Task Manager (DisableTaskMgr)
- Disable Windows Defender (DisableAntiSpyware)
- Delete a safe mode boot registry value (reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F, reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F)
- Block processes execution (dbsrv*, Microsoft.Exchange*, MSExchange*, pvx*, sql*, veeam* etc.)
- Adds fonix, fonix10 and fonix11 to scheduler to execute a ransomware file at user login
- Disable system restore (vssadmin Delete Shadows /All /Quiet, wmic shadowcopy delete, bcdedit /set {default} boostatuspolicy ignoreallfailures, bcdedit /set {default} recoveryenabled no, wbadmin delete catalog -quiet)
- Deletes event log (AMSI/Debug, Analytic, Application, ForwardedEvents, HardwareEvents, Internet Explorer etc.)
- Changes desktop background (C:\ProgramData\XINOFBG.jpg)
List