17.04.2013, 19:55
What a massacre with these encryptors. Interestingly, the new file-encrypting ransoms use PowerShell instead of cmd, which gives them more possibilities.
look:
Code:
Code injection in process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Created a mutex named: Local\!PrivacIE!SharedMemory!Mutex
Created a mutex named: Local\IESQMMUTEX_0_274
Created an event named: Global\CorDBIPCSetupSyncEvent_5304
Created process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $path=((get-content -Path ''C:\Users\tachion\Desktop\Ransom-NY\Ransom-NY\844fbf968e2b492394537bfe9bc8990849b7c50111a35ea9c887bff9a684439b.hta '' -totalcount 1) -split ''%'')[1];$bytes= [System.Convert]::FromBase64String($path);$decoded = [System.Text.Encoding]::UTF8.GetString($bytes);Invoke-Expression $decoded, C:\Users\tachion\Desktop\Ransom-NY\Ransom-NY
And here is an example of an operation on files:
Code:
[ Changes to filesystem ]
* Deletes file F:\.minecraft\bin\audiomod.zip
* Creates file F:\.minecraft\bin\audiomod.zip.BMCODE
File length: 46856 bytes
File type: Unknown
MD5 hash: 5546f446f95c2e50f1643ea6147f56c5
* Deletes file F:\.minecraft\bin\emibackup.jar
* Creates file F:\.minecraft\bin\emibackup.jar.BMCODE
File length: 4676340 bytes
File type: Unknown
MD5 hash: 65c1f13a213e8edda967a35050ef239e
* Deletes file F:\.minecraft\bin\jinput.jar
* Creates file F:\.minecraft\bin\jinput.jar.BMCODE
File length: 227833 bytes
File type: Unknown
MD5 hash: 07de9f3c198a4ea5482af93275871b04
* Deletes file F:\.minecraft\bin\lwjgl.jar
* Creates file F:\.minecraft\bin\lwjgl.jar.BMCODE
File length: 738345 bytes
File type: Unknown
MD5 hash: c672d74fc9b8a43ea2b6a1f9dd88b9d4
* Deletes file F:\.minecraft\bin\lwjgl_util.jar
* Creates file F:\.minecraft\bin\lwjgl_util.jar.BMCODE
File length: 138318 bytes
File type: Unknown
MD5 hash: cc067e5061fe3ebd5b14957f7ef58336
* Deletes file F:\.minecraft\bin\minecraft.jar
* Creates file F:\.minecraft\bin\minecraft.jar.BMCODE
File length: 4586019 bytes
File type: Unknown
MD5 hash: c0b949c06f61250967e7a9f2a32ab4cb
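The sandbox log above shows two things an analyst would want to reproduce without running the sample: the PowerShell stager reads the first line of the .hta, takes the field between two '%' characters, base64-decodes it and hands it to Invoke-Expression; and the file operations follow a delete-original / create-original-plus-extension pattern (.BMCODE). The script below is an added example, not code from the post or from the malware: it replicates the stager's decoding steps statically (no execution), flags the command line on the indicators visible in the log, and pairs delete/create lines from the filesystem log to recover the extension the ransom appends. The .hta layout and the stage-two text are constructed stand-ins (the real payload is not reproduced); the log lines and the command line are copied from the post.

```python
import base64
import re
from collections import Counter

# Constructed sample .hta: a harmless stand-in for the dropper's first line.
# Only the "%<base64>%" field on line 1 matters to the stager.
SAMPLE_PAYLOAD = 'Write-Host "stage two would run here"'
SAMPLE_HTA = (
    "<html><!--%"
    + base64.b64encode(SAMPLE_PAYLOAD.encode("utf-8")).decode("ascii")
    + "%--><head><title>x</title></head>\n"
    "<body>second line is never read (-totalcount 1)</body>\n"
)

# Command line as recorded by the sandbox in the post.
SAMPLE_CMDLINE = r"""powershell.exe -command $path=((get-content -Path ''C:\Users\tachion\Desktop\Ransom-NY\Ransom-NY\844fbf968e2b492394537bfe9bc8990849b7c50111a35ea9c887bff9a684439b.hta '' -totalcount 1) -split ''%'')[1];$bytes= [System.Convert]::FromBase64String($path);$decoded = [System.Text.Encoding]::UTF8.GetString($bytes);Invoke-Expression $decoded"""

# Filesystem lines copied from the sandbox log in the post.
SAMPLE_LOG = r"""
* Deletes file F:\.minecraft\bin\audiomod.zip
* Creates file F:\.minecraft\bin\audiomod.zip.BMCODE
* Deletes file F:\.minecraft\bin\emibackup.jar
* Creates file F:\.minecraft\bin\emibackup.jar.BMCODE
* Deletes file F:\.minecraft\bin\jinput.jar
* Creates file F:\.minecraft\bin\jinput.jar.BMCODE
""".strip().splitlines()


def extract_stager(hta_text: str) -> str:
    """Statically mirror the stager: first line -> split on '%' -> field [1]
    -> base64 -> UTF-8. Returns the decoded script instead of executing it."""
    lines = hta_text.splitlines()
    first_line = lines[0] if lines else ""
    parts = first_line.split("%")
    if len(parts) < 2:
        raise ValueError("no %-delimited field on the first line")
    # .NET FromBase64String ignores whitespace; do the same, then decode strictly.
    field = re.sub(r"\s+", "", parts[1])
    return base64.b64decode(field, validate=True).decode("utf-8")


# Indicators taken from the logged command line: a one-liner that reads a
# file, base64-decodes it and evaluates the result.
_INDICATORS = (
    r"frombase64string",
    r"invoke-expression|\biex\b",
    r"get-content|\bgc\b|\bcat\b",
)


def is_suspicious_powershell(cmdline: str) -> bool:
    """True when all three indicator groups appear (case-insensitive)."""
    low = cmdline.lower()
    return all(re.search(p, low) for p in _INDICATORS)


_DELETE = re.compile(r"^\* Deletes file (?P<path>.+)$")
_CREATE = re.compile(r"^\* Creates file (?P<path>.+)$")


def find_encrypted_renames(log_lines):
    """Pair 'Deletes file X' with a later 'Creates file X<suffix>'.
    Returns [(original_path, suffix), ...] in log order."""
    pending = set()
    hits = []
    for line in log_lines:
        line = line.strip()
        m = _DELETE.match(line)
        if m:
            pending.add(m.group("path"))
            continue
        m = _CREATE.match(line)
        if not m:
            continue
        created = m.group("path")
        for original in sorted(pending, key=len, reverse=True):
            if created != original and created.startswith(original):
                hits.append((original, created[len(original):]))
                pending.discard(original)
                break
    return hits


def suspicious_suffixes(hits, min_files=3):
    """Suffixes appended to at least min_files distinct originals; one
    extension recurring across many files is the ransom signature."""
    counts = Counter(suffix for _, suffix in hits)
    return {s: n for s, n in counts.items() if n >= min_files}


if __name__ == "__main__":
    print("stage two (not executed):", extract_stager(SAMPLE_HTA))
    print("cmdline suspicious:", is_suspicious_powershell(SAMPLE_CMDLINE))
    renames = find_encrypted_renames(SAMPLE_LOG)
    print("renames:", renames)
    print("appended extension(s):", suspicious_suffixes(renames))
```

On a real sample, feed the .hta text to extract_stager and read the returned script in an editor; the point of the static path is that nothing from the file is ever passed to an interpreter, which is exactly what the stager's Invoke-Expression does.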