Video

Videos showing AppCheck's proactive defense, automatic recovery and real-time backup features against various ransomware families are available.

  • Distribution Method : Unknown

  • MD5 : 0e0b9f6050496c876ff199e8583d7b87

  • Major Detection Name : Downloader/Win.Agent.C5219811 (AhnLab V3), Trojan-Downloader.Win32.Alien.pbg (Kaspersky)

  • Encrypted File Pattern : .FARGO2

  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Local\Temp\IXP000.TMP
     - C:\Users\%UserName%\AppData\Local\Temp\IXP000.TMP\Avvertire.xls
     - C:\Users\%UserName%\AppData\Local\Temp\IXP000.TMP\Come.exe.pif
     - C:\Users\%UserName%\AppData\Local\Temp\IXP000.TMP\qqDqlmoWMvo.dll

  • Payment Instruction File : FILE RECOVERY.txt

  • Major Characteristics :
     - Offline encryption
     - Mallox ransomware series
     - Encrypts files using the legitimate AutoIt v3 script file "C:\Users\%UserName%\AppData\Local\Temp\IXP000.TMP\Come.exe.pif"
     - Encrypts files with specific extensions first (.dbf, .dmp, .hdd, .ibd, .lck, .mdb, .nvram, .oraenv, .rar, .sql, .vdi, .vhd, .vhdx, .vmdk, .vmem, .vmsd, .vmsn, .vmss, .vmx, .zip) and then encrypts the remaining files.
     - Blocks execution of processes (fdhost.exe, fdlauncher.exe, mysql.exe, oracle.exe, ReportingServecesService.exe, sqlservr.exe etc.)
     - Stops multiple services (MSSQLFDLauncher, MSSQLServerOLAPService, ReportServer)
     - Deletes multiple services (B1Workflow, backup*, MsDtsServer100, MSSQL$SOPHOS, SAP Business One RSP Agent Service, SBOClientAgent etc.)
     - Disables system restore (bcdedit /set {current} bootstatuspolicy ignoreallfailures, bcdedit /set {current} recoveryenabled no, vssadmin.exe delete shadows /all /quiet)
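The characteristics above can be turned into host-based detection logic. The following is an added example written for this page; it is not AppCheck's code nor part of the original record. The indicators it matches (the .FARGO2 extension, the FILE RECOVERY.txt note, the IXP000.TMP drop folder, the targeted database processes and the bcdedit/vssadmin commands) come from the record; the pipe-delimited event format, the sample log lines and all function names are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Indicators from the record above. Everything else in this file is assumed.
ENCRYPTED_EXT = ".fargo2"
RANSOM_NOTE = "file recovery.txt"
DROP_DIR_HINT = r"\appdata\local\temp\ixp000.tmp"
TARGET_PROCESSES = {"fdhost.exe", "fdlauncher.exe", "mysql.exe", "oracle.exe",
                    "reportingservecesservice.exe", "sqlservr.exe"}

# Recovery-tampering commands quoted in the record, as case-insensitive regexes.
RESTORE_TAMPER = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b", re.I), "shadow-copy deletion"),
    (re.compile(r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+recoveryenabled\s+no\b", re.I),
     "Windows recovery environment disabled"),
    (re.compile(r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
     "boot failure recovery suppressed"),
]

# Constructed sample telemetry (assumed format: timestamp|event|path|commandline).
SAMPLE_LOG = r"""
2024-05-01T10:00:01|ProcessCreate|C:\Users\alice\AppData\Local\Temp\IXP000.TMP\Come.exe.pif|Come.exe.pif Avvertire.xls
2024-05-01T10:00:02|ProcessCreate|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-05-01T10:00:03|ProcessCreate|C:\Windows\System32\bcdedit.exe|bcdedit /set {current} recoveryenabled no
2024-05-01T10:00:04|ProcessCreate|C:\Windows\System32\bcdedit.exe|bcdedit /set {current} bootstatuspolicy ignoreallfailures
2024-05-01T10:00:05|ProcessTerminate|C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe|
2024-05-01T10:00:06|FileCreate|C:\Data\orders.mdb.FARGO2|
2024-05-01T10:00:07|FileCreate|C:\Data\FILE RECOVERY.txt|
2024-05-01T10:00:08|ProcessCreate|C:\Windows\System32\notepad.exe|notepad.exe readme.txt
"""


@dataclass
class Event:
    ts: str
    kind: str      # ProcessCreate, ProcessTerminate or FileCreate
    path: str      # image path for process events, file path for file events
    cmdline: str


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed pipe-delimited telemetry; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        events.append(Event(*parts))
    return events


def analyze(events: list[Event]) -> list[Finding]:
    """Match each event against the behaviours described in the record."""
    findings = []
    for ev in events:
        name = ev.path.rsplit("\\", 1)[-1].lower()
        if ev.kind == "ProcessCreate":
            for pattern, label in RESTORE_TAMPER:
                if pattern.search(ev.cmdline):
                    findings.append(Finding("high", "recovery-tampering", f"{label}: {ev.cmdline}"))
            # The record's encryptor is a .pif dropped into the IXP000.TMP folder.
            if name.endswith(".pif") and DROP_DIR_HINT in ev.path.lower():
                findings.append(Finding("medium", "pif-from-temp", ev.path))
        elif ev.kind == "ProcessTerminate" and name in TARGET_PROCESSES:
            # Database processes are stopped so their locked files can be encrypted.
            findings.append(Finding("medium", "db-process-terminated", name))
        elif ev.kind == "FileCreate":
            if name.endswith(ENCRYPTED_EXT):
                findings.append(Finding("high", "encrypted-extension", ev.path))
            elif name == RANSOM_NOTE:
                findings.append(Finding("high", "ransom-note", ev.path))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def is_ransomware_like(findings: list[Finding]) -> bool:
    """Recovery tampering combined with encryption artifacts is the high-confidence combination."""
    rules = {f.rule for f in findings}
    return "recovery-tampering" in rules and bool(rules & {"encrypted-extension", "ransom-note"})


if __name__ == "__main__":
    found = analyze(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"[{f.severity}] {f.rule}: {f.detail}")
    print("verdict:", "ransomware-like" if is_ransomware_like(found) else "no verdict")
```

The single bcdedit or vssadmin invocation is worth an alert on its own, since there is rarely a legitimate reason for a user-launched process to disable recovery; the combined verdict is what justifies isolating the host.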
