     .



-   
-     "   "
     DLL,       Cobalt Strike
-   (),      "-"
-     (ChaCha20  ),        .
       REvil/Sodinokibi https://blog.amossys.fr/sodinokibi-malware-analysis.html
(     ChaCha20    ;
       RSA4096      ;
  RSA4096   ,          ChaCha20)
-       
-          
-         .


 

-     
-     
-     
-     BaseThreadInitThunk
-     (  WOW64!)
-         (  WOW64!)
-      (  WOW64!)
-    (recovery mode) Windows



  
1. dev-id,    -     -   .
:  .
2.  ,    .
:   ,        .

:

1.   MD5/SHA-   "_%windir%._._%windir\system32%.___workgroup".
      , MAC-  ,    .
  dev-id 
- dev-id    
-            
-      
-    
-          .
2.      "-",          .
       (     ),      (fingerprint).



 -   , 
-      -   
-   ,    
-       
-       ,        ( )
-       ,     (..9  )
-       ,   .
            , :
locker_aabbccddeeff_01012020.ex_
-       .ex_,    !!!




1.   ,          + ,  .
       .
2.   dev-id
3.   
4.       ,     .
(   )
8.3.       :   .
       .  ,    .
     .
    :
-   
-       (     )
       .
   ,        (  1,  1 ,  1  ),
  -   (   ,        
    )
8.3.1.   ,    -    .
8.4.        Share violation (   ),
      ,    .
 ,         2 ,    .
       .
8.5.       ""  -  ,
   .
8.6.         - -  ,   .

      -  : (*)
8.6.1.       ,    -
8.6.2.   -  ,         ,    
8.6.3.  - ,      ;   .
* .  .12   

8.7.          ;  .
8.8.      ,    :
-    0
-    FF
-    
-     
8.9.      .
    .
8.9.1.   " "      Shares,    .

9.     :
9.1.   (/)
9.2.  
9.4.  
9.5. -
9.6.   
9.7.   
9.8.  -
       ,    .
       :
- wildcards ( *)
-  .
       (   ).
      (    ).


10.     .

11.       :
11.1.   ,  
11.2.   ,     , ,   -     .
      ,     .
    .

12.        / 
12.1. local -     +  
12.2. net -     +  .
     ,   ip\       .
12.3. all -   net + local (  )
12.4. scan -   net +      
12.5. scanext -      +  scan
     -m net    -m. 
     ip\       .

       ,     
     .
 ,                   .
       .
           /,
..          .


-

      .
 readme.<6    >.txt.

   :
%devid%        - dev-id 
%fingerprint%  -  
      2  3 .

    .

     WINDOWS

-     WOW64-  64- Windows 7/8/2009,
 CreateFile/OpenFile    TRUE     .
    /  .
             .
- WOW64-           64- Windows XP/2003
-    WOW64-   FILE_FLAG_OVERLAPPED,
         /.
         .
      !
      !
-         ,    Windows 10.
    .
-   /        
-          ( - .mp3, .mp4, .avi,  ) 

 

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
https://habr.com/ru/company/acronis/blog/522022/
https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/
https://www.carbonblack.com/blog/tau-threat-analysis-medusa-locker-ransomware/
https://blog.amossys.fr/sodinokibi-malware-analysis.html
  :      BlackMatter
https://habr.com/ru/company/group-ib/blog/571940/

 

1. 
    .
      .
:
1.1.    
1.2.    
1.3.      
1.4.           
1.5.    1.4,           
1.6.      
1.7.      
1.8.     
1.9.    
1.10.  / 

2. 
      Windows:
2.1. Windows 10
2.2. Windows Server 2012-2018
2.3. Windows 8.1
2.4. Windows 7
2.5. Windows Server 2008 R2
2.6. Windows Server 2008 ( R2)
2.7. Windows XP
2.8. Windows Server 2003

3. 
  .
         -    
3.1.    
3.2.     (..    )
    ,      ,           .

4. 
4.1. Windows Defender
4.2. ESET
4.3. Sophos
4.4. Avast
4.5. BitDefender
4.6. Norton
4.7. Kaspersky
  4.1-4.3 .
  ,      ,         .
