
Ransom:Win32/Haknata


First posted on 03 March 2017.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Haknata.

Explanation:

Installation

This ransomware is installed by an attacker who has gained access to the machine through Remote Desktop.

It adds the following registry entry so that its executable runs at startup:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    "Timon and Pumbaa" = "%malware% supermetroidrules"


Payload

Encrypts your files

This ransomware searches all available drives and encrypts files, but skips any file whose name or path matches one of the following patterns:

*.bat
*.dll
*.exe
*.ini
*.lnk
*.msi
*.scf
*\AVAST Software\*
*\AVG\*
*\AVIRA\*
*\ESET\*
*\Internet Explorer\*
*\java\*
*\TeamViewer\*
*\windows\*
*\winrar\*
*AppData*
*Atheros*
*boot*
*bootmgr*
*chrome*
*CONFIG.SYS*
*firefox*
*HakunaMatata
*IO.SYS*
*MSDOS.SYS*
*NTDETECT.COM*
*ntldr*
*NTUSER.DAT*
*opera*
*pagefile.sys*
*Realtek*
*Recovers files yako.html
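The exclusion list above is a set of wildcard patterns, and the practical question during triage is which files on a host were in scope for encryption and which were skipped. The following matcher is an added example (not code from the write-up) that applies the listed patterns to a constructed set of paths. It assumes glob semantics (`*` matches any run of characters) and case-insensitive comparison, as Windows paths are, which is why a document named "reboot-procedure.docx" is skipped by `*boot*` while a backup file under D:\backups is not protected by anything on the list.

```python
import fnmatch
from typing import Dict, Iterable, List, Optional

# Exclusion patterns exactly as listed in the Ransom:Win32/Haknata write-up.
EXCLUDED_PATTERNS = [
    "*.bat", "*.dll", "*.exe", "*.ini", "*.lnk", "*.msi", "*.scf",
    r"*\AVAST Software\*", r"*\AVG\*", r"*\AVIRA\*", r"*\ESET\*",
    r"*\Internet Explorer\*", r"*\java\*", r"*\TeamViewer\*",
    r"*\windows\*", r"*\winrar\*",
    "*AppData*", "*Atheros*", "*boot*", "*bootmgr*", "*chrome*",
    "*CONFIG.SYS*", "*firefox*", "*HakunaMatata", "*IO.SYS*", "*MSDOS.SYS*",
    "*NTDETECT.COM*", "*ntldr*", "*NTUSER.DAT*", "*opera*", "*pagefile.sys*",
    "*Realtek*", "*Recovers files yako.html",
]

# Constructed sample paths for the demonstration (not from the write-up).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\reboot-procedure.docx",
    r"C:\Users\alice\AppData\Roaming\notes.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files\AVAST Software\config.json",
    r"C:\tools\setup.exe",
    r"C:\Users\alice\Desktop\Recovers files yako.html",
    r"D:\backups\db.bak",
]


def matching_exclusion(path: str) -> Optional[str]:
    """Return the first listed pattern that matches `path`, or None if no pattern matches.

    Assumption: matching is case-insensitive, so both sides are lower-cased before
    comparing. fnmatchcase is used (rather than fnmatch) so the result does not depend
    on the host OS the triage script happens to run on; backslashes are matched literally.
    """
    lowered = path.lower()
    for pattern in EXCLUDED_PATTERNS:
        if fnmatch.fnmatchcase(lowered, pattern.lower()):
            return pattern
    return None


def in_scope_for_encryption(path: str) -> bool:
    """True when none of the exclusion patterns protects the path."""
    return matching_exclusion(path) is None


def triage(paths: Iterable[str]) -> Dict[str, object]:
    """Split paths into those the ransomware would encrypt and those it would skip.

    Returns {"encrypted": [paths...], "skipped": {path: matching_pattern}}.
    """
    encrypted: List[str] = []
    skipped: Dict[str, str] = {}
    for path in paths:
        pattern = matching_exclusion(path)
        if pattern is None:
            encrypted.append(path)
        else:
            skipped[path] = pattern
    return {"encrypted": encrypted, "skipped": skipped}


if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for path in result["encrypted"]:
        print(f"ENCRYPT  {path}")
    for path, pattern in result["skipped"].items():
        print(f"SKIP     {path}  (matched {pattern})")
```

Two points worth noticing in the output: the patterns are pure substring globs, so a user document whose name happens to contain "boot", "opera" or "chrome" is left alone, and the ransom note itself ("Recovers files yako.html") is excluded so the malware does not encrypt its own note on a second pass.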

Stops running services


This ransomware disables and stops the following services:
  • FirebirdServerDefaultInstance
  • MSExchangeAB
  • MSExchangeADTopology
  • MSExchangeAntispamUpdate
  • MSExchangeEdgeSync
  • MSExchangeFBA
  • MSExchangeFDS
  • MSExchangeImap4
  • MSExchangeIS
  • MSExchangeMailboxAssistants
  • MSExchangeMailboxReplication
  • MSExchangeMailSubmission
  • MSExchangeMonitoring
  • MSExchangePop3
  • MSExchangeProtectedServiceHost
  • MSExchangeRepl
  • MSExchangeRPC
  • MSExchangeSA
  • MSExchangeSearch
  • MSExchangeServiceHost
  • MSExchangeThrottling
  • MSExchangeTransport
  • MSExchangeTransportLogSearch
  • MSSQL$SQLEXPRESS
  • MSSQLSERVER
  • postgresql-9.0
  • wsbexchange


It also disables and stops services whose captions match the following patterns (`%` matches any substring):
  • %BACKP%
  • %Exchange%
  • %Firebird%
  • %MSSQL%
  • %postgresql%
  • %SBS%
  • %SharePoint%
  • %SQL%
  • %tomcat%
  • %wsbex%


It deletes all volume shadow copies, removing the built-in backup that could otherwise restore encrypted files:
  • cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet


It stops processes with the following file names:
  • fb_inet_server.exe
  • pg_ctl.exe
  • sqlservr.exe


It also clears the following Windows event logs:
  • Application
  • security
  • setup
  • system
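The service stops, shadow-copy deletion, database process termination and log clearing described in the preceding sections each leave a trace in the Windows event logs before the logs are wiped, and on a forwarded-log collector they survive the wipe. The following detector is an added example (not part of the write-up) that runs over a constructed, simplified one-line-per-event export and flags a host when two or more of these behaviours occur on it. It assumes the standard event IDs 7036 (service state change), 4688 (process creation), 4689 (process exit), 1102 (audit log cleared) and 104 (System log cleared); the `%...%` caption patterns from the write-up are treated as SQL-LIKE style wildcards and translated to regular expressions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Service names, caption patterns and killed process names from the Haknata write-up
# (a representative subset of the service names is enough for the demonstration).
TARGETED_SERVICE_NAMES = {
    "FirebirdServerDefaultInstance", "MSExchangeIS", "MSExchangeTransport",
    "MSSQL$SQLEXPRESS", "MSSQLSERVER", "postgresql-9.0", "wsbexchange",
}
CAPTION_PATTERNS = ["%BACKP%", "%Exchange%", "%Firebird%", "%MSSQL%", "%postgresql%",
                    "%SBS%", "%SharePoint%", "%SQL%", "%tomcat%", "%wsbex%"]
# '%' matches any substring, so each pattern becomes an escaped regex joined by '.*'.
CAPTION_REGEXES = [(p, re.compile(".*".join(re.escape(s) for s in p.split("%")), re.I))
                   for p in CAPTION_PATTERNS]
KILLED_PROCESSES = {"fb_inet_server.exe", "pg_ctl.exe", "sqlservr.exe"}

# Constructed sample export: one event per line (this is an assumed layout, not a real evtx dump).
SAMPLE_LOG = r"""
2017-03-01T02:14:07Z host1 EventID=7036 Log=System Message="The Microsoft Exchange Information Store service entered the stopped state."
2017-03-01T02:14:08Z host1 EventID=7036 Log=System Message="The SQL Server (MSSQLSERVER) service entered the stopped state."
2017-03-01T02:14:09Z host1 EventID=4689 Log=Security Message="A process has exited. Process Name: C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
2017-03-01T02:14:11Z host1 EventID=4688 Log=Security Message="A new process has been created. Process Command Line: cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"
2017-03-01T02:14:30Z host1 EventID=1102 Log=Security Message="The audit log was cleared."
2017-03-01T03:00:00Z host2 EventID=7036 Log=System Message="The Apache Tomcat 8.0 service entered the stopped state."
2017-03-01T03:00:05Z host2 EventID=4688 Log=Security Message="A new process has been created. Process Command Line: notepad.exe C:\notes.txt"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) Log=(?P<log>\S+) Message="(?P<msg>.*)"$')
STOP_RE = re.compile(r"^The (?P<caption>.+) service entered the stopped state\.$")
VSS_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)


def match_caption(caption: str) -> Optional[str]:
    """Return the first %-pattern from the write-up that the service caption matches."""
    for pattern, regex in CAPTION_REGEXES:
        if regex.fullmatch(caption):
            return pattern
    return None


def classify(eid: int, msg: str) -> Optional[str]:
    """Map one event to a Haknata-style behaviour category, or None if it looks benign."""
    if eid == 7036:
        m = STOP_RE.match(msg)
        if m and (m["caption"] in TARGETED_SERVICE_NAMES or match_caption(m["caption"])):
            return "service_stopped"
    elif eid == 4688 and VSS_RE.search(msg):
        return "shadow_copies_deleted"
    elif eid == 4689:
        # Process Name is a full path; compare only the final component.
        exe = msg.rsplit("\\", 1)[-1].lower()
        if exe in KILLED_PROCESSES:
            return "db_process_terminated"
    elif eid in (1102, 104):
        return "event_log_cleared"
    return None


def analyse(log_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Group matching events per host: {host: {category: [messages...]}}."""
    findings: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unparseable lines
        category = classify(int(m["eid"]), m["msg"])
        if category:
            findings[m["host"]][category].append(m["msg"])
    return {host: dict(cats) for host, cats in findings.items()}


def flagged_hosts(findings: Dict[str, Dict[str, List[str]]], min_categories: int = 2) -> List[str]:
    """Hosts showing at least `min_categories` distinct behaviours; one alone is often maintenance."""
    return sorted(host for host, cats in findings.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for host, cats in found.items():
        print(host, {cat: len(msgs) for cat, msgs in cats.items()})
    print("flagged:", flagged_hosts(found))
```

The threshold is the important design choice: a single stopped SQL or Tomcat service is routine on a patch night, but a stopped database service followed within minutes by `vssadmin Delete Shadows` and a cleared audit log on the same host is the sequence this family produces, and the combination is what should page someone.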


Asks for ransom

This threat also drops a ransom note named Recovers files yako.html in each folder that contains encrypted files.



SHA1 used in this analysis:
  • 0bd96303b4f2df961e9d19b94cd686c8816875af




Analysis by Jireh Sanico

Last update 03 March 2017
