Once executed, the trojan has the same characteristics and functions as those identified in earlier versions:
» Determines the target file types (to be modified):
*.C, *.CLASS, *.CPP, *.CS, *.DTD, *.FLA, *.H, *.JAVA, *.LUA, *.M, *.PL, *.PY, *.SH, *.SLN, *.SWIFT, *.VB, *.VCXPROJ, *.XCODEPROJ, *.ASP, *.ASPX, *.CER, *.CFM, *.CSR, *.CSS, *.HTM, *.HTML, *.JS, *.JSP, *.PHP, *.RSS, *.XHTML, *.bak, *.7z, *.3fr, *.accdb, *.ai, *.apk, *.arch00, *.arw, *.asset, *.avi, *.bar, *.bay, *.bc6, *.bc7, *.big, *.bik, *.bkf, *.bkp, *.blob, *.bsa, *.cas, *.cdr, *.cer, *.cfr, *.cr2, *.crt, *.crw, *.css, *.csv, *.d3dbsp, *.das, *.DayZProfile, *.dazip, *.db0, *.dba, *.dbf, *.dbfv, *.dcr, *.der, *.desc, *.dmp, *.dng, *.doc, *.docm, *.docx, *.dwg, *.dxg, *.epk, *.eps, *.erf, *.esm, *.ff, *.flv, *.forge, *.fos, *.fpk, *.fsh, *.gdb, *.gho, *.hkdb, *.hkx, *.hplg, *.hvpl, *.ibank, *.icxs, *.indd, *.itdb, *.itl, *.itm, *.iwd, *.iwi, *.jpe, *.jpeg, *.jpg, *.js, *.kdb, *.kdc, *.kf, *.layout, *.lbf, *.litemod, *.lrf, *.ltx, *.lvl, *.m2, *.m3u, *.m4a, *.map, *.mcgame, *.mcmeta, *.mdb, *.mdbackup, *.mddata, *.mdf, *.mef, *.menu, *.mlx, *.mov, *.mp4, *.mpqge, *.mrwref, *.ncf, *.nrw, *.ntl, *.odb, *.odc, *.odm, *.odp, *.ods, *.odt, *.orf, *.p12, *.p7b, *.p7c, *.pak, *.pdd, *.pdf, *.pef, *.pem, *.pfx, *.pkpass, *.png, *.ppt, *.pptm, *.pptx, *.psd, *.psk, *.pst, *.ptx, *.py, *.qdf, *.qic, *.r3d, *.raf, *.rar, *.raw, *.rb, *.re4, *.rgss3a, *.rim, *.rofl, *.rtf, *.rw2, *.rwl, *.sav, *.sb, *.sc2save, *.sid, *.sidd, *.sidn, *.sie, *.sis, *.slm, *.snx, *.sql, *.sr2, *.srf, *.srw, *.sum, *.svg, *.syncdb, *.t12, *.t13, *.tax, *.tor, *.txt, *.unity3d, *.upk, *.vcf, *.vdf, *.vfs0, *.vpk, *.vpp_pc, *.vtf, *.w3x, *.wb2, *.wma, *.wmo, *.wmv, *.wotreplay, *.wpd, *.wps, *.x3f, *.xf, *.xlk, *.xls, *.xlsb, *.xlsm, *.xlsx, *.xxx, *.zip, *.ztmp, wallet, *.c, *.class, *.cpp, *.cs, *.dtd, *.fla, *.h, *.java, *.lua, *.m, *.pl, *.py, *.sh, *.sln, *.swift, *.vb, *.vcxproj, *.xcodeproj, *.asp, *.aspx, *.cer, *.cfm, *.csr, *.css, *.htm, *.html, *.js, *.jsp, *.php, *.rss, *.xhtml, *.BAK, *.7Z, *.3FR, *.ACCDB, *.AI, *.APK, *.ARCH00, *.ARW, *.ASSET, *.AVI, *.BAR, *.BAY, *.BC6, *.BC7, *.BIG, 
*.BIK, *.BKF, *.BKP, *.BLOB, *.BSA, *.CAS, *.CDR, *.CER, *.CFR, *.CR2, *.CRT, *.CRW, *.CSS, *.CSV, *.D3DBSP, *.DAS, *.dAYzpROFILE, *.DAZIP, *.DB0, *.DBA, *.DBF, *.DBFV, *.DCR, *.DER, *.DESC, *.DMP, *.DNG, *.DOC, *.DOCM, *.DOCX, *.DWG, *.DXG, *.EPK, *.EPS, *.ERF, *.ESM, *.FF, *.FLV, *.FORGE, *.FOS, *.FPK, *.FSH, *.GDB, *.GHO, *.HKDB, *.HKX, *.HPLG, *.HVPL, *.IBANK, *.ICXS, *.INDD, *.ITDB, *.ITL, *.ITM, *.IWD, *.IWI, *.JPE, *.JPEG, *.JPG, *.JS, *.KDB, *.KDC, *.KF, *.LAYOUT, *.LBF, *.LITEMOD, *.LRF, *.LTX, *.LVL, *.M2, *.M3U, *.M4A, *.MAP, *.MCGAME, *.MCMETA, *.MDB, *.MDBACKUP, *.MDDATA, *.MDF, *.MEF, *.MENU, *.MLX, *.MOV, *.MP4, *.MPQGE, *.MRWREF, *.NCF, *.NRW, *.NTL, *.ODB, *.ODC, *.ODM, *.ODP, *.ODS, *.ODT, *.ORF, *.P12, *.P7B, *.P7C, *.PAK, *.PDD, *.PDF, *.PEF, *.PEM, *.PFX, *.PKPASS, *.PNG, *.PPT, *.PPTM, *.PPTX, *.PSD, *.PSK, *.PST, *.PTX, *.PY, *.QDF, *.QIC, *.R3D, *.RAF, *.RAR, *.RAW, *.RB, *.RE4, *.RGSS3A, *.RIM, *.ROFL, *.RTF, *.RW2, *.RWL, *.SAV, *.SB, *.SC2SAVE, *.SID, *.SIDD, *.SIDN, *.SIE, *.SIS, *.SLM, *.SNX, *.SQL, *.SR2, *.SRF, *.SRW, *.SUM, *.SVG, *.SYNCDB, *.T12, *.T13, *.TAX, *.TOR, *.TXT, *.UNITY3D, *.UPK, *.VCF, *.VDF, *.VFS0, *.VPK, *.VPP_PC, *.VTF, *.W3X, *.WB2, *.WMA, *.WMO, *.WMV, *.WOTREPLAY, *.WPD, *.WPS, *.X3F, *.XF, *.XLK, *.XLS, *.XLSB, *.XLSM, *.XLSX, *.XXX, *.ZIP, *.ZTMP, WALLET
» Generates a random 15-character password.
» Reports to a command-and-control server (not currently available): http://hu-pe.pe.hu/ckvTrgIyWuXJkB0xgcqND1zUEyi2pb/gMGkwnn3OgnWtr1UtqOfsCIZpTrz2I/URTilo5HN3KYfjz49iTM/l.php
» Encrypts the contents of the files with the AES-256 algorithm and appends the .domino extension to each of them.
» Encrypts all files on the drives connected to the machine, except A:\\ and the CD-ROM.
» Uses the cmd.exe process to delete the backup (shadow) copies via the command: vssadmin delete shadows /all.
» Creates the file README_TO_RECURE_YOUR_FILES.txt, which informs the user of the modifications made.
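The behaviours listed above (shadow-copy deletion through cmd.exe, the .domino rename and the README_TO_RECURE_YOUR_FILES.txt ransom note) are the observables a defender would hunt for in endpoint telemetry. The following is an added detection example, not code from the original report; it assumes a simple constructed "event_type|process|detail" log format and sample lines that are invented for illustration.

```python
import re

# Constructed sample telemetry lines (not from the original report); the
# "event_type|process|detail" layout is an assumption made for this example.
SAMPLE_EVENTS = [
    "process_create|cmd.exe|vssadmin delete shadows /all",
    "file_rename|domino.exe|C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\budget.xlsx.domino",
    "file_create|domino.exe|C:\\Users\\alice\\Documents\\README_TO_RECURE_YOUR_FILES.txt",
    "process_create|explorer.exe|notepad.exe C:\\Users\\alice\\notes.txt",
    "file_rename|explorer.exe|C:\\Users\\alice\\a.txt -> C:\\Users\\alice\\b.txt",
]

# Shadow-copy deletion as described in the report (vssadmin delete shadows /all).
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Renames whose destination carries the .domino extension.
RANSOM_EXT = re.compile(r"\.domino$", re.IGNORECASE)
# Ransom note file name exactly as the malware writes it (typo included).
RANSOM_NOTE = "README_TO_RECURE_YOUR_FILES.txt".lower()


def classify_event(line):
    """Return a detection label for one telemetry line, or None if it looks benign."""
    try:
        event_type, process, detail = line.split("|", 2)
    except ValueError:
        return None  # malformed line: ignore rather than crash the pipeline
    if event_type == "process_create" and SHADOW_DELETE.search(detail):
        return "shadow_copy_deletion"
    if event_type == "file_rename" and " -> " in detail:
        new_path = detail.split(" -> ", 1)[1]
        if RANSOM_EXT.search(new_path):
            return "domino_extension_rename"
    if event_type == "file_create" and detail.lower().endswith(RANSOM_NOTE):
        return "domino_ransom_note"
    return None


def scan_events(lines):
    """Return every hit as a (label, line) pair, preserving input order."""
    return [(classify_event(l), l) for l in lines if classify_event(l)]


def is_likely_domino_infection(lines):
    """Alert only when at least two independent behaviours co-occur, to cut noise
    from a lone admin running vssadmin or a user renaming a file."""
    labels = {label for label, _ in scan_events(lines)}
    return len(labels) >= 2
```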