The format that the malware adheres to in terms of its behavior upon installation is as follows:

1.exe drops a copy of itself for propagation.

Additionally, we noted the presence of three resources that contained data resembling executable files with the “*.exe” extension:

These binaries are encrypted, rendering their contents inaccessible without the appropriate decryption mechanism.

This is a piece of ransomware that checks for the extension “.r3d” before encrypting and appending the “.poop” extension. Archive.exe drops a file named teleratserver.exe, a Telegram bot responsible for establishing communication with the threat actor’s chatbot ID. Xarch.exe drops a file named BXIuSsB.exe, a piece of ransomware that encrypts files and encodes file names to Base64. It also displays a fake Windows update to deceive the victim into thinking that the malicious activity is a legitimate process.

The malware avoids the directories that contain the following substrings:

By excluding these directories from its malicious activities, the malware reduces the likelihood of detection by security solutions installed on the system and increases its chances of remaining operational for longer.

The following are the extensions that the Big Head ransomware encrypts:

The malware also terminates the following processes:

"taskmgr", "sqlagent", "winword", "sqlbrowser", "sqlservr", "sqlwriter", "oracle", "ocssd", "dbsnmp", "synctime", "mydesktopqos", "agntsvc.exeisqlplussvc", "xfssvccon", "mydesktopservice", "ocautoupds", "agntsvc.exeagntsvc", "agntsvc.exeencsvc", "firefoxconfig", "tbirdconfig", "ocomm", "mysqld", "sql", "mysqld-nt", "mysqld-opt", "dbeng50", "sqbcoreservice"

The malware renames the encrypted files using Base64. We observed the malware using the LockFile function, which encrypts files by renaming them and adding a marker. This marker serves as an indicator to determine whether a file has been encrypted. Through further examination, we saw the function checking for the marker inside the encrypted file. When decrypted, the marker can be matched at the end of the encrypted file.

The main file drops and executes the following files:

`%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Server.exe`

The ransomware activities are carried out by and azz1.exe, while Server.exe is responsible for collecting information for stealing. The file drops a copy of itself and Cipher.psm1 and then executes the following command to begin encryption:

`cmd /c powershell -executionpolicy bypass -win hidden -noexit -file cry.ps1`

The malware employs the AES algorithm to encrypt files and adds the suffix to the encrypted files. It specifically targets files with the following extensions:
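As an added example (not part of the original write-up), the following Python script turns the behaviours described above into checks a defender can run over process-creation and file-creation events: the PowerShell execution-policy-bypass launch of cry.ps1, taskkill of the listed processes, an executable dropped into the Startup folder, and a file name that is Base64 of a plain file name. The sample events, the `.locked` suffix, the watch-list subset and the `-ep`/`-w` flag aliases are constructed assumptions.

```python
import base64
import re
import shlex

# Subset of the process names the write-up lists as terminated, used here as a watch-list.
KILLED = {"taskmgr", "sqlagent", "winword", "sqlbrowser", "sqlservr", "sqlwriter",
          "oracle", "mysqld", "firefoxconfig", "tbirdconfig"}
STARTUP_EXE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I)  # Server.exe drop path

def looks_base64_renamed(name):
    """True if the name minus its last extension is Base64 of printable text (the renaming scheme)."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    try:  # validate=True rejects non-alphabet characters; a short stem is too weak a signal
        return len(stem) >= 8 and base64.b64decode(stem, validate=True).decode("ascii").isprintable()
    except ValueError:  # bad padding or non-ASCII plaintext (UnicodeDecodeError is a ValueError)
        return False

def flag_process(cmdline):
    """Reasons a process command line resembles the encryption launch or the process-kill step."""
    toks = [t.strip('"').lower() for t in shlex.split(cmdline, posix=False)]
    pairs = list(zip(toks, toks[1:]))
    reasons = []
    if any("powershell" in t for t in toks):
        if any(a in ("-executionpolicy", "-ep", "-exec") and b == "bypass" for a, b in pairs):
            reasons.append("powershell execution-policy bypass")
        if any(a in ("-win", "-w", "-windowstyle") and b == "hidden" for a, b in pairs):
            reasons.append("hidden powershell window")
        reasons += ["powershell script: " + b for a, b in pairs if a == "-file" and b.endswith(".ps1")]
    if toks and toks[0].rsplit("\\", 1)[-1] in ("taskkill", "taskkill.exe"):
        if hits := sorted({t.removesuffix(".exe") for t in toks[1:] if t.removesuffix(".exe") in KILLED}):
            reasons.append("kills watched processes: " + ",".join(hits))
    return reasons

def flag_file(path):
    """Reasons a created file resembles the Startup-folder drop or a Base64-renamed file."""
    reasons = []
    if STARTUP_EXE.search(path):
        reasons.append("executable dropped into Startup folder")
    if looks_base64_renamed(path.rsplit("\\", 1)[-1]):
        reasons.append("file name is Base64 of a plain file name")
    return reasons

if __name__ == "__main__":  # constructed sample events, not taken from the write-up
    for kind, value in [
        ("process", r"cmd /c powershell -executionpolicy bypass -win hidden -noexit -file cry.ps1"),
        ("process", r"C:\Windows\System32\taskkill.exe /F /IM sqlservr.exe /IM winword.exe"),
        ("file", r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Server.exe"),
        ("file", r"C:\Users\u\Documents\cmVwb3J0LmRvY3g=.locked"),  # "report.docx" renamed; suffix is a placeholder
    ]:
        print(value, "->", "; ".join(flag_process(value) if kind == "process" else flag_file(value)))
```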