
Ransom:Win32/Haknata.A!rsm


First posted on 11 February 2017.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/Haknata.A!rsm.

Explanation :

Installation

This ransomware is installed by attackers who gain interactive access to the machine over Remote Desktop (RDP) with compromised credentials, rather than by an exploit or a malicious attachment.

For persistence it adds the following registry value, which launches the malware at startup with the command-line argument supermetroidrules (writing under HKLM requires administrative rights, which the RDP session provides):

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    "Timon and Pumbaa" = "%malware% supermetroidrules"


Payload

Encrypts your files

This ransomware enumerates all available drives and encrypts the files it finds, skipping any file whose name or full path matches one of the following wildcard patterns (* matches any sequence of characters). The exclusions keep the system bootable and leave security and remote-access software running; the last entry stops it from encrypting its own ransom note, Recovers files yako.html.

*.bat
*.dll
*.exe
*.ini
*.lnk
*.msi
*.scf
*\AVAST Software\*
*\AVG\*
*\AVIRA\*
*\ESET\*
*\Internet Explorer\*
*\java\*
*\TeamViewer\*
*\windows\*
*\winrar\*
*AppData*
*Atheros*
*boot*
*bootmgr*
*chrome*
*CONFIG.SYS*
*firefox*
*HakunaMatata
*IO.SYS*
*MSDOS.SYS*
*NTDETECT.COM*
*ntldr*
*NTUSER.DAT*
*opera*
*pagefile.sys*
*Realtek*
*Recovers files yako.html
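The exclusion list above determines which files are hit, so for incident scoping it is useful to run a file listing through the same patterns. The following is an added example (not code from the page or from the malware): it applies the listed patterns with Python's fnmatch, assuming, as the page implies, that the check is made against the full path and that matching is case-insensitive as on a Windows filesystem. The sample listing is constructed; note that loose patterns such as *boot* and *opera* spare any path containing those substrings, not just boot files or the Opera browser.

```python
import fnmatch

# Exclusion patterns exactly as listed on this page. Matching is assumed to be
# case-insensitive and applied to the full path, as the page says the check
# covers "file name or file path".
HAKNATA_EXCLUSIONS = [
    "*.bat", "*.dll", "*.exe", "*.ini", "*.lnk", "*.msi", "*.scf",
    r"*\AVAST Software\*", r"*\AVG\*", r"*\AVIRA\*", r"*\ESET\*",
    r"*\Internet Explorer\*", r"*\java\*", r"*\TeamViewer\*",
    r"*\windows\*", r"*\winrar\*",
    "*AppData*", "*Atheros*", "*boot*", "*bootmgr*", "*chrome*",
    "*CONFIG.SYS*", "*firefox*", "*HakunaMatata", "*IO.SYS*",
    "*MSDOS.SYS*", "*NTDETECT.COM*", "*ntldr*", "*NTUSER.DAT*",
    "*opera*", "*pagefile.sys*", "*Realtek*",
    "*Recovers files yako.html",
]


def matching_exclusion(path):
    """Return the first exclusion pattern that matches `path`, or None.

    fnmatchcase treats backslashes literally, so the Windows path
    separators in the patterns need no escaping; both sides are
    lower-cased to get case-insensitive matching on any host OS.
    """
    lowered = path.lower()
    for pattern in HAKNATA_EXCLUSIONS:
        if fnmatch.fnmatchcase(lowered, pattern.lower()):
            return pattern
    return None


def would_be_encrypted(path):
    """True if the file would be a target, i.e. no exclusion matches it."""
    return matching_exclusion(path) is None


def triage(paths):
    """Split a file listing into targeted paths and spared paths.

    Returns (targeted, spared) where `spared` maps each skipped path to the
    pattern that spared it. Useful for scoping an incident from a directory
    listing taken before the encryption ran.
    """
    targeted, spared = [], {}
    for path in paths:
        pattern = matching_exclusion(path)
        if pattern is None:
            targeted.append(path)
        else:
            spared[path] = pattern
    return targeted, spared


# Constructed sample listing (not from the original page).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\AppData\Roaming\notes.docx",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"D:\Projects\bootstrap\app.js",        # spared only because the path contains "boot"
    r"E:\Shares\operations\payroll.csv",    # spared only because the path contains "opera"
    r"E:\Shares\Finance\report.docx.HakunaMatata",
    r"E:\Shares\Finance\Recovers files yako.html",
]

if __name__ == "__main__":
    targeted, spared = triage(SAMPLE_PATHS)
    for p in targeted:
        print("ENCRYPTED ", p)
    for p, pat in spared.items():
        print(f"SPARED     {p}  (matched {pat})")
```

Patterns are checked in the order listed, so `matching_exclusion` reports the first match; that ordering is only for explanation, since any match spares the file.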

Stops running services


This ransomware disables and stops the following services:
  • FirebirdServerDefaultInstance
  • MSExchangeAB
  • MSExchangeADTopology
  • MSExchangeAntispamUpdate
  • MSExchangeEdgeSync
  • MSExchangeFBA
  • MSExchangeFDS
  • MSExchangeImap4
  • MSExchangeIS
  • MSExchangeMailboxAssistants
  • MSExchangeMailboxReplication
  • MSExchangeMailSubmission
  • MSExchangeMonitoring
  • MSExchangePop3
  • MSExchangeProtectedServiceHost
  • MSExchangeRepl
  • MSExchangeRPC
  • MSExchangeSA
  • MSExchangeSearch
  • MSExchangeServiceHost
  • MSExchangeThrottling
  • MSExchangeTransport
  • MSExchangeTransportLogSearch
  • MSSQL$SQLEXPRESS
  • MSSQLSERVER
  • postgresql-9.0
  • wsbexchange


It also disables and stops any service whose caption matches one of the following patterns (% is the SQL/WQL LIKE wildcard, not a regular expression, so each pattern matches any caption containing the given substring):
  • %BACKP%
  • %Exchange%
  • %Firebird%
  • %MSSQL%
  • %postgresql%
  • %SBS%
  • %SharePoint%
  • %SQL%
  • %tomcat%
  • %wsbex%


It deletes all Volume Shadow Copies so that encrypted files cannot be restored from previous versions:
  • cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet


It terminates processes with the following file names (database engines, whose open file handles would otherwise prevent their data files from being encrypted):
  • fb_inet_server.exe
  • pg_ctl.exe
  • sqlservr.exe


It also clears the following Windows event logs:
  • Application
  • security
  • setup
  • system
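The persistence entry under Installation and the service, shadow-copy, process and event-log actions in this section are each observable in host telemetry. The following is an added detection example (not code from the page or from Microsoft): it classifies normalised endpoint events against the indicators the page lists and reports hosts on which several different indicators occur, since a single stopped SQL service or a single cleared log is routine administration. The event schema (the "host" and "kind" fields and the suggested Sysmon and System-log event IDs in the comments) and the sample events are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Indicators taken from this page.
RUN_VALUE_NAME = "Timon and Pumbaa"
RUN_ARGUMENT = "supermetroidrules"
RANSOM_NOTE = "Recovers files yako.html"
KILLED_PROCESSES = {"fb_inet_server.exe", "pg_ctl.exe", "sqlservr.exe"}
# Service caption patterns from the page with the LIKE wildcards stripped:
# the malware stops any service whose caption contains one of these.
SERVICE_SUBSTRINGS = ["BACKP", "Exchange", "Firebird", "MSSQL", "postgresql",
                      "SBS", "SharePoint", "SQL", "tomcat", "wsbex"]
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Assumed normalised event schema (not from the page): every event has
# "host" and "kind"; the other fields depend on "kind".
#   process_create     cmdline          e.g. Sysmon event 1
#   process_terminated image            e.g. Sysmon event 5
#   registry_set       key, value_name  e.g. Sysmon event 13
#   file_create        path             e.g. Sysmon event 11
#   service_stopped    service          System log 7036 "entered the stopped state"
#   log_cleared        channel          Security 1102 / System 104


def classify(event):
    """Map one event to a Haknata indicator label, or None if it is not one."""
    kind = event["kind"]
    if kind == "process_create":
        cmdline = event["cmdline"]
        if VSSADMIN_RE.search(cmdline):
            return "shadow_copy_deletion"
        if RUN_ARGUMENT in cmdline.split():
            return "run_argument"
    elif kind == "process_terminated":
        if event["image"].rsplit("\\", 1)[-1].lower() in KILLED_PROCESSES:
            return "db_process_killed"
    elif kind == "registry_set":
        if (event["key"].lower().endswith(r"\currentversion\run")
                and event["value_name"] == RUN_VALUE_NAME):
            return "run_key_persistence"
    elif kind == "file_create":
        if event["path"].lower().endswith(RANSOM_NOTE.lower()):
            return "ransom_note_dropped"
    elif kind == "service_stopped":
        caption = event["service"].lower()
        if any(s.lower() in caption for s in SERVICE_SUBSTRINGS):
            return "db_mail_service_stopped"
    elif kind == "log_cleared":
        return "eventlog_cleared"
    return None


def hunt(events, min_distinct=2):
    """Count indicators per host; report hosts with >= min_distinct kinds.

    One indicator on its own is often legitimate admin work; several
    different ones on the same host are what distinguish this ransomware.
    """
    per_host = defaultdict(lambda: defaultdict(int))
    for ev in events:
        label = classify(ev)
        if label:
            per_host[ev["host"]][label] += 1
    return {h: dict(c) for h, c in per_host.items() if len(c) >= min_distinct}


# Constructed sample events (not from the page): SRV01 shows the full
# sequence, WS07 only a routine service stop during patching.
SAMPLE_EVENTS = [
    {"host": "SRV01", "kind": "process_create",
     "cmdline": r'"C:\Users\admin\Downloads\svc.exe" supermetroidrules'},
    {"host": "SRV01", "kind": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Timon and Pumbaa"},
    {"host": "SRV01", "kind": "service_stopped", "service": "Microsoft Exchange Information Store"},
    {"host": "SRV01", "kind": "service_stopped", "service": "SQL Server (SQLEXPRESS)"},
    {"host": "SRV01", "kind": "process_terminated",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"host": "SRV01", "kind": "process_create", "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "SRV01", "kind": "log_cleared", "channel": "Security"},
    {"host": "SRV01", "kind": "file_create", "path": r"E:\Shares\Finance\Recovers files yako.html"},
    {"host": "WS07", "kind": "service_stopped", "service": "SQL Server (MSSQLSERVER)"},
    {"host": "WS07", "kind": "process_create", "cmdline": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for host, counts in hunt(SAMPLE_EVENTS).items():
        print(host, counts)
```

The shadow-copy deletion and the Run value are the two earliest signals in the sequence and are worth alerting on individually in environments where administrators do not run vssadmin by hand; the threshold in `hunt` is for the noisier service-stop and log-clear events.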


Asks for ransom

This threat drops a ransom note named Recovers files yako.html in each folder in which it has encrypted files.

SHA1s used in this analysis:
  • 0124490eab9422889d0a464e5ecaac00c9ae15a4
  • 0eafa185fb574198198558042158aed23797d30c
  • 13a549b9b50304b1074eb983976d6e7c392c145b
  • 21f94cc641fccc9c2281148064a586168a0a593b
  • 2443dcf645c02ff0ca16d6f8c67333a37b31c845
  • 37ca888138bb26cb67f23ab10fa9e6c5f870498f
  • 6be941c53db47ee74855f97fee780d29b8a40180
  • 79f44b49f1d64ff7efdd3f4a0814098a39629e0d
  • 7bd78aafd11203af3479f84d736c2b76e00dd157
  • 8e4add0fdd9c4656f754e929d61e96a10e9343b5
  • 9fe2d70d90fa6b870dfd670bfd9f38829f5a93f5
  • aaad8d98edee94f59416f35da3c7d323746fd13a
  • ad6823809b08990591d87e21b9e7c5ea7624b8c5
  • b98986e32f9deb19ff563b47d7e9c11917c8c06b
  • c401afa876e88b29b5ea4280f1349816c79f0411
  • d5e1e86e1561e14aa167c36f77fc9e5d6c6cbe2b
  • e89df94c96edf5c210727d50ed4463059c5c195b
  • f59f26cbed8abfc54985403a60f1d5925269b389




Analysis by Jireh Sanico

Last update 11 February 2017