Analyzed by: Ricardo III Valdez

Aliases:

Trojan:Win32/Seheq!rfn (MICROSOFT)

Platform:

Windows

Overall Risk Rating:
Damage Potential:
Distribution Potential:
Reported Infection:
Information Exposure:

  • Threat Type:
    Ransomware

  • Destructive?:
    No

  • Encrypted?:
    Yes

  • In the Wild:
    Yes

  Overview

Infection Channel: Dropped by other malware, Downloaded from the Internet

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

????????,????????

  Technical Details

File Size: 3,237,376 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 9 Aug 2023
Payload: ??? URL/Ip, ????/???, ??????
N

  Arrival Details

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  Installation

It drops the following files:

  • %Application Data%\{21 Random Capital Letters}\{21 Random Capital Letters} → Encrypted shellcode from a PNG file
  • %User Temp%\{8 Random Alpha Numeric Characters} → Encrypted shellcode
  • %User Temp%\rgb9rast.exe → Legitimate 7-zip Standalone Console Application
  • {Malware File Path}\KNIGHT_LOG.txt

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

  • %Windows%\SysWOW64\cmd.exe → Malicious code is injected into this process
  • %User Temp%\rgb9rast.exe → Malicious code is hollowed into this process
  • cmd.exe /c %System%\WMIC.exe shadow copy where "ID='{ID}'" delete → Deletes shadow copies

(Note: %Windows% is the Windows folder, which is usually C:\WINDOWS or C:\WINNT. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\WINDOWS\system32 on Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

  • %Application Data%\{21 Random Capital Letters}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutex to ensure that only one of its copies runs at any one time:

  • knight_0_0_1

  Process Termination

It terminates the following processes if found running in the affected system's memory:

  • agntsvc.exe
  • dbeng50.exe
  • dbsnmp.exe
  • encsvc.exe
  • excel.exe
  • firefox.exe
  • isqlplussvc.exe
  • msaccess.exe
  • mspub.exe
  • mydesktopservice.com
  • mydesktopservice.exe
  • notepad.exe
  • ocautoupds.exe
  • ocomm.exe
  • ocssd.exe
  • onenote.exe
  • oracle.exe
  • outlook.exe
  • powerpnt.exe
  • sqbcoreservice.exe
  • sql.exe
  • steam.exe
  • synctime.exe
  • tbirdconfig.exe
  • thebat.exe
  • thunderbird.exe
  • visio.exe
  • winword.exe
  • wordpad.exe
  • xfssvccon.exe

  Information Theft

It gathers the following information:

  • OS Version
  • Native System Info
  • Computer Name
  • User Name
  • Host name

  Other Details

It connects to the following URLs to download its component files:

  • https://{BLOCKED}i.org
  • https://i.{BLOCKED}b.co/Gp95Qcw/2286401330.png

It does the following:

  • It is capable of encrypting network drives.
  • It empties the recycle bin.
  • It deletes shadow copies using wmic.exe.
  • The main encryptor is capable of accepting the following parameters:
    • -h {host.txt} → Contains the server names or the DNS/NETBIOS names of the remote servers
    • -p {path.txt} → Contains the targeted directories to encrypt
    • -m {local} → Only encrypt local drives
    • -m {net} → Only encrypt network drives
    • -log enabled → Creates a text file for logging
  • When encrypting network drives, it will check if the IP address starts with the following to ensure that it is encrypting local and non-internet systems:
    • 10.
    • 169.
    • 172.
    • 192.168.
  • It adds the following processes to its white list to avoid termination:
    • explorer.exe
    • vmcompute.exe
    • vmms.exe
    • svchost.exe
    • teamviewer.exe
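
The behaviours listed above translate directly into host-based detections. The following is an added example (not Trend Micro's code and not part of this entry): it runs a handful of rules over constructed process-creation and file-creation events that mirror the entry's indicators, namely the wmic.exe shadow-copy deletion command line, rgb9rast.exe dropped into %User Temp%, the KNIGHT_LOG.txt log, the "How To Restore Your Files.txt" ransom note, and the 21-capital-letter folder/file pair under %Application Data%. The event format (`kind|path|detail`), the sample paths, the user name and the `{ID}` placeholder are all constructed for the example.

```python
import re

# Constructed sample telemetry, one event per line, "kind|path|detail".
# kind is "proc" (process creation; detail = command line) or
# "file" (file creation; detail = action). Not real log data.
SAMPLE_EVENTS = [
    "proc|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "proc|C:\\Windows\\SysWOW64\\cmd.exe|cmd.exe /c C:\\Windows\\system32\\WMIC.exe "
    "shadowcopy where \"ID='{ID}'\" delete",
    "file|C:\\Users\\alice\\AppData\\Local\\Temp\\rgb9rast.exe|created",
    "file|C:\\Users\\alice\\Documents\\KNIGHT_LOG.txt|created",
    "file|D:\\How To Restore Your Files.txt|created",
    "file|C:\\Users\\alice\\AppData\\Roaming\\ABCDEFGHIJKLMNOPQRSTU"
    "\\ABCDEFGHIJKLMNOPQRSTU|created",
    "proc|C:\\Program Files\\Backup\\backup.exe|backup.exe --nightly",
]

# (rule name, event kind the rule applies to, pattern). For "proc" events
# the pattern is matched against the command line, for "file" events
# against the created path.
RULES = [
    # wmic.exe shadow-copy deletion; "shadow\s*copy" also covers the
    # spaced spelling used in the entry above.
    ("shadow_copy_deletion", "proc",
     re.compile(r"wmic(\.exe)?\s+shadow\s*copy\b.*\bdelete\b", re.I)),
    # Legitimate 7-zip console binary staged in the Temp folder.
    ("rgb9rast_in_temp", "file",
     re.compile(r"\\Temp\\rgb9rast\.exe$", re.I)),
    ("knight_log_dropped", "file",
     re.compile(r"\\KNIGHT_LOG\.txt$", re.I)),
    ("ransom_note_dropped", "file",
     re.compile(r"\\How To Restore Your Files\.txt$", re.I)),
    # Roaming\<21 capitals>\<same 21 capitals>: the backreference enforces
    # that the file name equals its parent folder name.
    ("random_roaming_dropper", "file",
     re.compile(r"\\AppData\\Roaming\\([A-Z]{21})\\\1$")),
]


def parse_event(line):
    """Split one "kind|path|detail" record into its three fields."""
    kind, path, detail = line.split("|", 2)
    return kind, path, detail


def detect(events):
    """Return a list of (rule_name, path) for every event matching a rule."""
    hits = []
    for line in events:
        kind, path, detail = parse_event(line)
        subject = detail if kind == "proc" else path
        for name, rule_kind, pattern in RULES:
            if kind == rule_kind and pattern.search(subject):
                hits.append((name, path))
    return hits


def main():
    for name, path in detect(SAMPLE_EVENTS):
        print(f"{name}: {path}")


if __name__ == "__main__":
    main()
```

Running the block prints one line per matched indicator; the benign svchost.exe and backup.exe events produce nothing. Because the shadow-copy rule keys on the wmic.exe command line rather than on the parent image, it still fires when the deletion is launched from an injected cmd.exe as described above.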

  Solution

Minimum Scan Engine: 9.800
First VSAPI Pattern File: 18.624.05
First VSAPI Pattern Release Date: 9 Aug 2023
VSAPI OPR Pattern Version: 18.625.00
VSAPI OPR Pattern Release Date: 10 Aug 2023

Step 2

Windows ME and XP users: before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 3

Note: Not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Terminate the malware/grayware/spyware process detected as Ransom.Win64.CYCLOPS.A

  1. For Windows 98 and ME users, Windows Task Manager may not show all running processes. In this case, please use a third-party process viewer (preferably Process Explorer) to terminate the malware/grayware/spyware file.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue with the next steps.

Step 5

Search and delete these files

Some files may be hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Application Data%\{21 Random Capital Letters}\{21 Random Capital Letters}
  • %User Temp%\{8 Random Alpha Numeric Characters}
  • %User Temp%\rgb9rast.exe
  • {Malware File Path}\KNIGHT_LOG.txt
  • {All Available Drives}\How To Restore Your Files.txt

  • Open a Windows Explorer window.
  • In the search box, type the file name.
  • Once located, select the file then press SHIFT+DELETE to delete it.
  • Repeat steps 2 to 4 for the remaining files:
      • %Application Data%\{21 Random Capital Letters}\{21 Random Capital Letters}
      • %User Temp%\{8 Random Alpha Numeric Characters}
      • %User Temp%\rgb9rast.exe
      • {Malware File Path}\KNIGHT_LOG.txt
      • {All Available Drives}\How To Restore Your Files.txt

Step 6

Search and delete this folder

Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden folders in the search result.
  • %Application Data%\{21 Random Capital Letters}

  • Search for the folder listed above.
  • Once located, select the folder then press SHIFT+DELETE to delete it.

Step 7

Scan your computer with your Trend Micro product to delete files detected as Ransom.Win64.CYCLOPS.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.

Step 8

Restore encrypted files from backup.