Ransom.Win64.RAWLD.THAAFBE
Trojan.WinGo.Agent (IKARUS)
Windows
Threat Type:
Ransomware
Destructiveness:
No
Encrypted:
No
In the wild::
Yes
OVERVIEW
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Se ejecuta y, a continuaci¨®n, se elimina.
TECHNICAL DETAILS
Detalles de entrada
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
±õ²Ô²õ³Ù²¹±ô²¹³¦¾±¨®²Ô
Infiltra los archivos siguientes:
- %Temp%\Ra_Lock.exe
- {Malware Path}\.Ra_Lock ¡ú lock file used as a marker before encrypting the system
(Nota: %Temp% es la carpeta de archivos temporales de Windows, que suele estar en C:\Windows\Temp o C:\WINNT\Temp).
)Agrega los procesos siguientes:
- Clears and terminates event logs:
- powershell -Command "Get-WmiObject -Class win32_service -Filter \"name = 'eventlog'\" | select -exp ProcessId"
- cmd -Command "/c start taskkill /f /pid {Event Log PID}
- cmd -Command "/c start wevtutil cl Application"
- cmd -Command "/c start wevtutil cl system"
- cmd -Command "/c start wevtutil cl security"
- cmd -Command "/c start wevtutil cl setup"
- Deletes shadow copies and other system backups:
- cmd -Command "/c start vssadmin delete shadows /all /quiet"
- cmd -Command "/c start wmic shadowcopy delete /nointeractive"
- cmd -Command "/c start wmic SHADOWCOPY /nointeractive"
- cmd -Command "/c start wbadmin delete catalog -quiet"
- cmd -Command "/c start wbadmin DELETE SYSTEMSTATEBACKUP"
- Disables recovery mode and safe mode after boot:
- cmd -Command "/c start bcdedit /set {default} bootstatuspolicy ignoreallfailures"
- cmd -Command "/c start bcdedit /set {default} recoveryenabled no"
- cmd -Command "/c start bcdedit /set {default} recoveryenabled No"
- cmd -Command "/c bcdedit /deletevalue {default} safeboot"
- Deletes traces of itself and reboots the system after 10 seconds:
- cmd -Command "/c del C:\Windows\Temp\Team_update.exe && cmd /c del C:\Windows\Temp\.Ra_Lock"
- cmd -Command "/c start shutdown -r -f -t 10"
- cmd /C timeout /T 3 & del {Malware Path}\{Malware Filename}
Se ejecuta y, a continuaci¨®n, se elimina.
Finalizaci¨®n del proceso
Finaliza los servicios siguientes si los detecta en el sistema afectado:
- AcronisAgent
- AcrSch2Svc
- BackExecRPCService
- backup
- BackupExecAgentAccelerator
- BackupExecAgentBrowser
- BackupExecDiveciMediaService
- BackupExecJobEngine
- BackupExecManagementService
- BackupExecRPCService
- BackupExecVSSProvider
- bedbg
- CAARCUpdateSvc
- CASAD2DWebSvc
- ccEvtMgr
- ccSetMgr
- Culserver
- dbeng8
- DefWatch
- GxBlr
- GxCIMgr
- GxCVD
- GxFWD
- GxVss
- Intuit.QuickBooks.FCS
- memtas
- mepocs
- MpsSvc
- MsDtsServer150
- MSExchange
- msftesql-Exchange
- msmdsrv
- MSSQL
- MSSQLFDLauncher
- MSSQLLaunchpad
- MSSQLSERVER
- MSSQLServerOLAPService
- PDVFSService
- QBCFMonitorService
- QBFCService
- QBIDPService
- RTVscan
- SavRoam
- sophos
- sql
- sqladhlp
- SQLADHLP
- sqlagent
- SQLAgent
- SQLAgent$SHAREPOINT
- SQLBrowser
- SQLPBDMS
- SQLPBENGINE
- SQLSERVERAGENT
- SQLServerDistributedReplayClient
- SQLServerDistributedReplayController
- SQLTELEMETRY
- SQLWriter
- SSASTELEMETRY
- SSISScaleOutMaster150
- SSISScaleOutWorker150
- SSISTELEMETRY150
- stc_raw_agent
- svc$
- tomcat6
- veeam
- VeeamDeploymentService
- VeeamNFSSvc
- VeeamTransportSvc
- vmware-converter
- vmware-usbarbitator64
- VSNAPVSS
- vss
- WSBExchange
- wuauserv
- YooBackup
- YooIT
- zhudongfangyu
Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:
- agntsvc.exe
- Culture.exe
- dbeng50.exe
- dbsnmp.exe
- dbsrv12.exe
- Defwatch.exe
- encsvc.exe
- excel.exe
- firefox.exe
- httpd.exe
- infopath.exe
- isqlplussvc.exe
- msaccess.exe
- mspub.exe
- mydesktopqos.exe
- mydesktopservice.exe
- notepad.exe
- ocautoupds.exe
- ocomm.exe
- ocssd.exe
- onenote.exe
- oracle.exe
- outlook.exe
- powerpnt.exe
- RAgui.exe
- sqbcoreservice.exe
- sql.exe
- sqlbrowser.exe
- sqlmangr.exe
- Sqlservr.exe
- steam.exe
- supervise.exe
- synctime.exe
- tbirdconfig.exe
- thebat.exe
- thunderbird.exe
- tomcat6.exe
- visio.exe
- vxmon.exe
- WinSAT.exe
- winword.exe
- wordpad.exe
- wrapper.exe
- wsa_service.exe
- wxServer.exe
- wxServerView.exe
- xfssvccon.exe
Otros detalles
Hace lo siguiente:
- It encrypts all available drives except for CD-ROMs.
- It logs its status of activity in the console:
SOLUTION
Step 2
Los usuarios de Windows ME y XP, antes de llevar a cabo cualquier exploraci¨®n, deben comprobar que tienen desactivada la opci¨®n Restaurar sistema para permitir la exploraci¨®n completa del equipo.
Step 3
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 4
Buscar y eliminar estos archivos
- {Malware Path}\.Ra_Lock
- {Encrypted Path}\README_Howtorecover.txt
- %Temp%\Ra_Lock.exe
- C:\Windows\Temp\Team_update.exe
- C:\Windows\Temp\.Ra_Lock
- {Malware Path}\.Ra_Lock
- {Encrypted Path}\README_Howtorecover.txt
- %Temp%\Ra_Lock.exe
- C:\Windows\Temp\Team_update.exe
- C:\Windows\Temp\.Ra_Lock
Step 5
Explorar el equipo con su producto de live casino online para eliminar los archivos detectados como Ransom.Win64.RAWLD.THAAFBE En caso de que el producto de live casino online ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no ser¨¢n necesarios m¨¢s pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta para obtener m¨¢s informaci¨®n.
Step 6
Restore encrypted files from backup.
Did this description help? Tell us how we did.