Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Unknown
- MD5 : ef29ab165367218ee493ef9d946caf11
- Major Detection Name : A variant of Win32/Filecoder.JSWorm.A (ESET), Ransom.Win32.JSWORM.SM (Trend Micro)
- Encrypted File Pattern : .[ID-<Random>][doctorSune@protonmail.com].JURASIK
- Malicious File Creation Location : C:\ProgramData\Microsoft\build_MUI.exe
- Payment Instruction File : JURASIK-DECRYPT.txt
- Major Characteristics :
- Offline Encryption
- Block processes execution (bes10*, black*, IBM*, mysql*, postg, sage*, sql, sql*, store.exe, vee*)
- Stop services execution (mr2kserv, MSSQLServerADHelper100, ReportServer$ISARS, ShadowProtectSvc, SQLAgent$ISARS, WinDefend etc.)
- Disables Event Log (stop eventlog /y, sc config eventlog start=disabled)
- Deletes event log ("C:\Windows\System32\cmd.exe" /c FOR /F "delims = " %%I IN ('WEVTUTIL EL') DO (WEVTUTIL CL "%%I"), "C :\Windows\System32\cmd.exe" /c for /F "tokens = *" %1 in ('wevtutil.exe el') DO wevtutil.exe cl " % 1")