- Distribution Method : Automatic infection using exploit by visiting website
- MD5 : d1d7ccf01451b8fec0db3ba229f64f42
- Major Detection Name : Trojan/Win32.Magniber.R215260 (AhnLab V3), Trojan-Ransom.Win32.Crypmod.yta (Kaspersky)
- Encrypted File Pattern : .sbulzxt
- Malicious File Creation Location :
- C:\Users\%UserName%\AppData\Local\READ_FOR_DECRYPT.txt
- C:\Users\%UserName%\AppData\Local\sbulzxt.exe
- C:\Users\%UserName%\Desktop\<Random>.exe
- C:\Windows\System32\Tasks\sbulzxt
- C:\Windows\System32\Tasks\<Random>
- C:\Windows\System32\Tasks\<Random>1
- Payment Instrucition File : READ_FOR_DECRYPT.txt
- Major Characteristics :
- Offline Encryption
- Only run on Korean operating system
- Change the default values of the registry entry "HKEY_CLASSES_ROOT\mscfile\shell\open\command" and disable system restore (wmic shadowcopy delete) using Event Viewer (eventvwr.exe)
- Auto execute ransomware (pcalua.exe -a %LocalAppData%\sbulzxt.exe -c <Random>) and payment instrucition file (%LocalAppData%\READ_FOR_DECRYPT.txt) every 15 minutes by adding Task Scheduler entries
- Auto connect MY DECRYPTOR site (cmd.exe /c start iexplore http://<URL>) every a hour by adding Task Scheduler entries
List