Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Unknown
 
  • MD5 : eaebaa9026e4f0d9c62bf3c23bac7b51
 
  • Major Detection Name : DeepScan:Generic.Ransom.JSWORM.C28E5264 (BitDefender), Ransom.JSWorm (Malwarebytes)
 
  • Encrypted File Pattern : .[ID-<Random>][doctorSune@protonmail.com].TRUMP
 
  • Malicious File Creation Location :
     - C:\ProgramData\Microsoft\svchost.exe
     - C:\ProgramData\key.TRUMP
     - C:\ProgramData\user_data.TRUMP
     - C:\Windows\System32\Tasks\TRUMP
 
  • Payment Instruction File : TRUMP-DECRYPT.txt
 
  • Major Characteristics :
     - Offline Encryption
     - Adds TRUMP to scheduler to execute "C:\ProgramData\Microsoft\svchost.exe" at user login.
     - Block processes execution (bes10*, black*, IBM*, mysql*, sql, store.exe etc.)
     - Stop services execution (mr2kserv, MSExchangeADTopology, MSSQLServerADHelper100, ReportServer$ISARS, SQLAgent$ISARS, WinDefend etc.)
     - Disable system restore (vssadmin.exe Delete Shadows /All /Quiet, bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy ignoreallfailures)
     - Deletes event log

List

위로