Similar to the previous version, it is delivered as a fake letter from the State Fiscal Service of Ukraine.
The PE header is not recognized due to the following alteration in the MS-DOS stub:
[Image: MS-DOS stub, new version]
[Image: MS-DOS stub, previous version]
[Image: file identification on VirusTotal]
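The screenshots of the stub are not reproduced here, so the exact bytes that were changed are not shown. What decides whether a tool treats a file as PE is not the stub itself but the link from the DOS header to the PE signature: the 'MZ' magic, the e_lfanew field at offset 0x3C, and the 'PE\0\0' signature at the offset e_lfanew points to. The following is an added example, not code from the NioGuard post, that performs exactly that check on two constructed buffers (one consistent header, one whose e_lfanew no longer points at the signature); it is a general header sanity check, not a reproduction of the sample's particular alteration.

```python
import struct

PE_SIGNATURE = b"PE\x00\x00"
DOS_HEADER_SIZE = 0x40        # IMAGE_DOS_HEADER is 64 bytes; e_lfanew sits at 0x3C


def check_pe_header(data: bytes) -> dict:
    """Report what a PE parser would conclude from the start of a file.

    Three things must hold for the file to be recognised as PE: the 'MZ' magic,
    an e_lfanew field (offset 0x3C) that lies inside the file, and the 'PE\\0\\0'
    signature at the offset e_lfanew points to. The bytes between the DOS header
    and that signature are the MS-DOS stub; they are not parsed, so a change to
    them only matters when it disturbs e_lfanew or the signature it points to.
    """
    result = {"mz": False, "e_lfanew": None, "pe_signature": False}
    if len(data) < DOS_HEADER_SIZE:
        return result
    result["mz"] = data[:2] == b"MZ"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    result["e_lfanew"] = e_lfanew
    if e_lfanew + len(PE_SIGNATURE) <= len(data):
        result["pe_signature"] = data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE
    return result


def is_recognized_pe(data: bytes) -> bool:
    """True only when both the 'MZ' magic and a reachable 'PE\\0\\0' signature are present."""
    r = check_pe_header(data)
    return r["mz"] and r["pe_signature"]


def build_sample(e_lfanew: int, signature_at: int, total_size: int = 0x80) -> bytes:
    """Constructed sample (not a real file): a DOS header whose e_lfanew is set
    to `e_lfanew`, followed by a zero-filled stub, with 'PE\\0\\0' written at
    `signature_at`."""
    buf = bytearray(total_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[signature_at:signature_at + len(PE_SIGNATURE)] = PE_SIGNATURE
    return bytes(buf)


# Constructed buffers: a consistent header, and one where the stub area was
# rewritten so that e_lfanew no longer points at the PE signature.
WELL_FORMED = build_sample(e_lfanew=0x40, signature_at=0x40)
BROKEN_LINK = build_sample(e_lfanew=0x50, signature_at=0x40)


if __name__ == "__main__":
    for name, sample in (("well-formed", WELL_FORMED), ("broken e_lfanew", BROKEN_LINK)):
        print(name, check_pe_header(sample), "recognized:", is_recognized_pe(sample))
```

Run against a suspicious attachment, a report of `mz=True` with `pe_signature=False` is the signature of this kind of evasion: the file still starts like a DOS executable, but a scanner that keys its PE parsing off e_lfanew never reaches the PE headers, which matches the "not recognized" verdict described above.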
The cryptolocker adds a reference to itself to the autorun key in the Windows Registry so that it starts at system boot:

[SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"Client Server Runtime Subsystem"="C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe"

The encrypted files get the '.no_more_ransom' extension.
Network IoCs
by-isabel.nl
whatismyipaddress.com
YARA rule

rule ShadeCryptolocker_nomoreransom
{
    meta:
        author = "NioGuard Security Lab"
        info = "Detecting the Shade (Troldesh) cryptolocker process"
        reference = "http://nioguard.com/"
    strings:
        $a1 = "Client Server Runtime Subsystem"
        $a2 = "a4ad4ip2xzclh6fd.onion"
        $a3 = "reg.php"
        $a4 = "prog.php"
        $a5 = "err.php"
        $a6 = "cmd.php"
        $a7 = "sys.php"
        $a8 = "shd.php"
        $a9 = ".no_more_ransom"
    condition:
        all of ($a*)
}
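The rule's condition is "all of ($a*)", so a buffer must contain every one of the nine strings before it fires; the autorun value name on its own is deliberately not enough, since it mimics the name of the legitimate Windows csrss process and would be a weak indicator in isolation. The following is an added example, not part of the NioGuard post, that reimplements the same plain-substring logic in Python so it can be run where the yara module is not installed; the two buffers it scans are constructed here and are not real samples.

```python
# Indicators taken from the rule above; the byte strings mirror $a1..$a9.
SHADE_STRINGS = {
    "a1": b"Client Server Runtime Subsystem",
    "a2": b"a4ad4ip2xzclh6fd.onion",
    "a3": b"reg.php",
    "a4": b"prog.php",
    "a5": b"err.php",
    "a6": b"cmd.php",
    "a7": b"sys.php",
    "a8": b"shd.php",
    "a9": b".no_more_ransom",
}


def match_indicators(data: bytes, strings=SHADE_STRINGS) -> dict:
    """Which of the rule's strings occur anywhere in `data`. A plain substring
    search is what an unmodified YARA text string does."""
    return {name: (needle in data) for name, needle in strings.items()}


def matches_rule(data: bytes) -> bool:
    """Equivalent of the rule's condition 'all of ($a*)': every string must be present."""
    return all(match_indicators(data).values())


def hit_count(data: bytes) -> int:
    """Number of indicator strings present. Useful for triage when a sample has
    been repacked and only some of the strings survive in clear text, in which
    case the strict 'all of' rule would miss it."""
    return sum(match_indicators(data).values())


def scan_file(path: str) -> bool:
    """Apply the rule to a file on disk (reads the whole file; fine for executables)."""
    with open(path, "rb") as f:
        return matches_rule(f.read())


# Constructed buffers (not real samples): one containing every indicator, and
# one containing only the service-name string, which is the case the 'all of'
# condition is meant to reject.
FULL_MATCH = b"\x90" * 32 + b"\x00".join(SHADE_STRINGS.values()) + b"\x90" * 32
NAME_ONLY = b"\x00" * 16 + b"Client Server Runtime Subsystem" + b"\x00" * 16


if __name__ == "__main__":
    for label, buf in (("full", FULL_MATCH), ("name only", NAME_ONLY)):
        print(label, "hits:", hit_count(buf), "rule fires:", matches_rule(buf))
```

When hunting with this on a fleet, `hit_count` is the more informative number: a process image with, say, seven of the nine strings deserves a look even though the rule as written would stay silent, while a single hit on $a1 is expected on any machine and should not page anyone.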