- Distribution Method : Unknown
- MD5 : 313bc92dce801c2ec316c57ea74dd92a
- Major Detection Name : Trojan:MSIL/Dllinject!MSR (Microsoft), Ransom.MSIL.CHINESECOFFEE.THBBABB (Trend Micro)
- Encrypted File Pattern : <Original Filename>.coffee.<4-Digit Random>.<Original Extension>
- Malicious File Creation Location :
  - C:\Users\%UserName%\AppData\Roaming\{GUID}-Bible.dat
  - C:\Users\%UserName%\AppData\Roaming\{GUID}-TimeStamp.txt
  - C:\Users\%UserName%\AppData\Roaming\Myou.dll
  - C:\Users\%UserName%\AppData\Roaming\status.log
  - C:\Users\%UserName%\AppData\Roaming\updater.exe
- Payment Instruction File : 请阅读我.RSA.txt (the name is Chinese for "please read me")
- Major Characteristics :
  - A legitimately signed file (Updater.exe, signed by Guangzhou Shirui Electronics Co., Ltd.) is abused to run the malicious component.
  - Stops the execution of database-related processes and services whose names match firebird*, MSSQL*, MySQL*, Oracle*, Redis*, SQLSERVERAGENT, etc.
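The indicators above can be turned into a small triage helper for an incident responder: one function recovers the original name of a file renamed under the `<Original Filename>.coffee.<4-Digit Random>.<Original Extension>` pattern, another checks whether a process or service name falls inside the wildcard list the ransomware stops, and a third flags the dropped files. This is an added example written for this page, not code from the original analysis or from the malware. It assumes "4-Digit Random" means four decimal digits, that the `{GUID}` in the dropped-file names is a per-victim value (so it is matched with a wildcard), that name comparisons are case-insensitive as on Windows, and the directory listing it runs on is constructed for the demonstration.

```python
import fnmatch
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Encrypted-file pattern from the indicator list:
#   <Original Filename>.coffee.<4-Digit Random>.<Original Extension>
# Assumption: the random part is four decimal digits. The original filename
# may itself contain dots (greedy first group); the extension may not.
ENCRYPTED_NAME = re.compile(
    r"^(?P<stem>.+)\.coffee\.(?P<rand>\d{4})\.(?P<ext>[^.\\/]+)$"
)

# Process/service name wildcards listed under "Major Characteristics".
TARGETED_PATTERNS = (
    "firebird*", "MSSQL*", "MySQL*", "Oracle*", "Redis*", "SQLSERVERAGENT",
)

# Dropped files from the indicator list. {GUID} is not given on the page and is
# assumed to vary per victim, so those two names are matched with a wildcard.
DROPPED_FILE_PATTERNS = (
    "*-Bible.dat", "*-TimeStamp.txt", "Myou.dll", "status.log", "updater.exe",
)
RANSOM_NOTE = "请阅读我.RSA.txt"


class EncryptedName(NamedTuple):
    original_name: str  # name the file had before it was encrypted
    random_tag: str     # the 4-digit tag inserted by the ransomware


def parse_encrypted_name(name: str) -> Optional[EncryptedName]:
    """Return the original name and random tag, or None if the name does not
    follow the ransomware's renaming pattern."""
    m = ENCRYPTED_NAME.match(name)
    if m is None:
        return None
    return EncryptedName(f"{m['stem']}.{m['ext']}", m["rand"])


def is_targeted(name: str) -> bool:
    """True if a process or service name matches one of the wildcards the
    ransomware stops. Comparison is case-insensitive and ignores a trailing
    '.exe' so both 'mysqld.exe' and the service name 'MSSQLSERVER' match."""
    base = name.lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return any(fnmatch.fnmatchcase(base, p.lower()) for p in TARGETED_PATTERNS)


def is_dropped_artifact(name: str) -> bool:
    """True if a file name matches one of the dropped files or the ransom note."""
    low = name.lower()
    if low == RANSOM_NOTE.lower():
        return True
    return any(fnmatch.fnmatchcase(low, p.lower()) for p in DROPPED_FILE_PATTERNS)


def triage_listing(names: List[str]) -> Dict[str, list]:
    """Split a directory listing into encrypted files (with their recovered
    original names) and dropped artifacts; everything else is ignored."""
    encrypted: List[Tuple[str, str]] = []
    artifacts: List[str] = []
    for n in names:
        parsed = parse_encrypted_name(n)
        if parsed is not None:
            encrypted.append((n, parsed.original_name))
        elif is_dropped_artifact(n):
            artifacts.append(n)
    return {"encrypted": encrypted, "artifacts": artifacts}


# Constructed directory listing for the demonstration (not from a real case).
SAMPLE_LISTING = [
    "quarterly_report.coffee.4821.xlsx",
    "my.notes.coffee.0193.txt",
    "photo.jpg",
    "coffee.txt",
    "请阅读我.RSA.txt",
    "updater.exe",
    "Myou.dll",
    "9a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d-Bible.dat",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    for enc, original in result["encrypted"]:
        print(f"encrypted: {enc}  (was {original})")
    for art in result["artifacts"]:
        print(f"artifact:  {art}")
    for proc in ("mysqld.exe", "MSSQLSERVER", "redis-server.exe", "explorer.exe"):
        print(f"{proc}: {'targeted' if is_targeted(proc) else 'not targeted'}")
```

The greedy stem group matters: a file such as `my.notes.txt` becomes `my.notes.coffee.0193.txt`, and only a greedy match puts the dots back where they were. A file named `coffee.txt` is not a false positive because the pattern requires both the `.coffee.` infix and the four-digit tag.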