Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Unknown
- MD5 : 65eb43ffb8abc7d488d5d6a24f2f0818
- Major Detection Name : DeepScan:Generic.Ransom.JSWORM.BB69C864 (BitDefender), Trojan-Ransom.Win32.JSWorm.cd (Kaspersky)
- Encrypted File Pattern : .[ID-<Number>][doctorSune@protonmail.com].UNNAMED
- Malicious File Creation Location :
- C:\ProgramData\Microsoft\build_MUI.exe
- C:\ProgramData\Microsoft\svchost.exe
- C:\ProgramData\key.JSWORM
- C:\ProgramData\user_data.JSWORM
- C:\Windows\System32\Tasks\UNNAMED
- Payment Instruction File : UNNAMED-DECRYPT.txt
- Major Characteristics :
- Offline Encryption
- Block processes execution (bes10*, black*, IBM*, mysql*, postg, sage*, sql, sql*, store.exe, vee*)
- Stop services execution (mr2kserv, MSExchangeADTopology, MSSQL$ISARS, ReportServer$ISARS, SQLAgent$ISARS, SQLWriter etc.)
- Disables Event Log (net1 stop eventlog /y, sc config eventlog start=disabled)
- Deletes event log (cmd.exe /c FOR /F "delims = " %%I IN ('WEVTUTIL EL') DO (WEVTUTIL CL "%%I"), cmd.exe /c for /F "tokens = *" %1 in ('wevtutil.exe el') DO wevtutil.exe cl " % 1")
- Disable system restore (vssadmin.exe Delete Shadows /All /Quiet, bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy ignoreallfailures)
- Adds UNNAMED to scheduler to execute "C:\ProgramData\Microsoft\build_MUI.exe" at user login.