Jump to content


  • Posts

  • Joined

  • Days Won


safety last won the day on July 9 2023

safety had the most liked content!

About safety

  • Rank

Profile Information

  • Gender
  • Location
  • Interests

Recent Profile Visitors

1,276 profile views
  1. 1.5 years after the leak, the builder began to work smarter, but at first the folder with the builder files remained on the disk. Some of the attackers do not change the private key for a long time (decrutor), and after redeeming the key there is a chance to help other victims. >>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9 >>>> Your personal DECRYPTION ID: 0D4726C60545E66F4343434343434343 >>>> Your personal DECRYPTION ID: 0D4726C60545E66FEFE02D17117DDA22 >>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
  2. If the builder was launched on the victim’s device, you need to look for these files on the disk, possibly among deleted files. As a result, all the necessary tools for encryption and decryption are automatically created in the *\Build folder. DECRYPTION_ID.txt LB3.exe LB3Decryptor.exe LB3_pass.exe LB3_ReflectiveDll_DllMain.dll LB3_Rundll32.dll LB3_Rundll32_pass.dll Password_dll.txt Password_exe.txt priv.key pub.key here the LB3.exe file is enough for encryption, and LB3Decryptor.exe or priv.key for decryption
  3. Dear Marcos, The fact of the matter is that nothing is detected. However, through this service, a malicious thread is injected into syswow64\svchost.exe and the folder with the miner is restored. If it was deleted, restoration occurs with a different name. Okay, I'll send the files to Virlab.
  4. Dear Colleagues! Is it possible to decrypt a *.dat file paired with mobsync.dll/evntagnt.dll? Presumably this file may contain a config for the task, with the help of which the miner is launched from a folder with an arbitrary name For example: RescueSwift-fc4b811c-e35f-4a8d-a903-db85344b9d7f PicturePerfect-d2f4adbc-5e35-42fd-bfe5-bbdf187ada08 ExpressEditor-22b9dab3-7036-45b3-9fda-b264e8491726 BoltDownloader-e1648eb4-dcd2-4e6d-b19a-7fc96278e3b5 and others. The miner launch chain looks like this: (filmed via Universal Virus Sniffer) Полное имя C:\WINDOWS\SYSWOW64\SVCHOST.EXE Имя файла SVCHOST.EXE Тек. статус АКТИВНЫЙ ПРОВЕРЕННЫЙ сервис в автозапуске Фильтр Удовлетворяет критериям THREADS IN PROCESSES (ПРЕДУПРЕЖДЕНИЕ ~ ОБНАРУЖЕН ВНЕДРЕННЫЙ ПОТОК В ПРОЦЕССЕ)(1) [filtered (0)] Сохраненная информация на момент создания образа Статус АКТИВНЫЙ ПРОВЕРЕННЫЙ сервис в автозапуске Процесс 32-х битный File_Id 768582FAD000 Linker 14.20 Размер 46544 байт Создан 27.11.2023 в 13:19:16 Изменен 27.11.2023 в 13:19:16 TimeStamp 04.01.2033 в 14:21:46 EntryPoint + OS Version 10.0 Subsystem Windows graphical user interface (GUI) subsystem IMAGE_FILE_DLL - IMAGE_FILE_EXECUTABLE_IMAGE + Тип файла 32-х битный ИСПОЛНЯЕМЫЙ Цифр. подпись Действительна, подписано Microsoft Windows Publisher Оригинальное имя svchost.exe.mui Версия файла 10.0.19041.1 (WinBuild.160101.0800) Описание Хост-процесс для служб Windows Производитель Microsoft Corporation Доп. информация на момент обновления списка pid = 4092 NT AUTHORITY\СИСТЕМА CmdLine C:\Windows\SysWOW64\svchost.exe -k DcomLaunch -s EvntAgntSvc_daa0aa Процесс создан 13:01:43 [2023.12.03] С момента создания 00:01:21 CPU 0,09% CPU (1 core) 1,10% parentid = 948 C:\WINDOWS\SYSTEM32\SERVICES.EXE Предупреждение (!) ПРЕДУПРЕЖДЕНИЕ: Обнаружен внедренный поток в процессе C:\WINDOWS\SYSWOW64\SVCHOST.EXE [4092], tid=5376 Создание задачи \Task-b4045877-4506-4217-974f-7ca9dc3da345_Vl pid = 4092 NT AUTHORITY\СИСТЕМА TaskXML <?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="hxxp://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <URI>\Task-b4045877-4506-4217-974f-7ca9dc3da345_Vl</URI> </RegistrationInfo> <Triggers> <RegistrationTrigger id="Trigger1"> <EndBoundary>2023-12-03T13:02:54</EndBoundary> <Enabled>true</Enabled> <Delay>PT25S</Delay> </RegistrationTrigger> </Triggers> <Principals> <Principal id="Author"> <UserId>S-1-5-21-3326377353-2303841640-77764357-1003</UserId> <RunLevel>HighestAvailable</RunLevel> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a\TileDataNetwork.exe</Command> <Arguments>--create --algo 144_5 --pers BgoldPoW -i 99 --server --user ARRLXmqTUQrpjcN7P7xnnx1K1gfHQbCTiJ.Zephyr -w 0</Arguments> </Exec> </Actions> </Task> Время 13:01:49 [2023.12.03] parentid = 948 C:\WINDOWS\SYSTEM32\SERVICES.EXE SHA1 53C010F3CC328D4764359DA02D209750E4616BB4 MD5 BBFF42F3C7E8FC0E3049F6F88FBB88E2 Ссылки на объект Ссылка HKLM\System\CurrentControlSet\Services\EvntAgntSvc_daa0aa\ImagePath ImagePath %SystemRoot%\SysWOW64\svchost.exe -k DcomLaunch DisplayName EvntAgnt_999b80 Description Event Translator SNMP subagent EvntAgntSvc_daa0aa тип запуска: Авто (2) Изменен 27.11.2023 в 12:21:35 Образы EXE и DLL SVCHOST.EXE C:\WINDOWS\SYSWOW64 Загруженные DLL НЕИЗВЕСТНЫЕ EVNTAGNT.DLL C:\WINDOWS\SYSWOW64 -------------------- Here is the task TaskXML <?xml version="1.0" encoding="UTF-16"?> created after service starts C:\Windows\SysWOW64\svchost.exe -k DcomLaunch -s EvntAgntSvc_daa0aa Presumably, this is the task that is extracted from the *.dat file After creating the task, the miner is launched from the preinstalled folder, in this case from C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a execution block: <Exec> <Command>C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a\TileDataNetwork.exe</Command> <Arguments>--create --algo 144_5 --pers BgoldPoW -i 99 --server --user ARRLXmqTUQrpjcN7P7xnnx1K1gfHQbCTiJ.Zephyr -w 0</Arguments> </Exec> There are three different pairs in the archives, collected from different cases. archive password - "infected" (without quotes) Samples.rar
  5. I assume that he opened (or launched) a malicious file from the archive using legal Winrar. A ransom note and a couple of encrypted files, if any, are needed to at least determine the type of encryption.
  6. With a high probability, this was a STOP (DJVU) ransomware ransomware attack. If the files on your device did not change the extension to *.miqe, then the attack was successfully repulsed. Most likely, ESET reacted to the ransom note.  Time;Scan Engine;Object Type;Object;Detection;Action;User;Info;Hash;First Detection Here 2023/07/26 15:08:15;Real-time file system protection;file;E:\files\_readme.txt;MSIL/Filecoder.ANG trojan;removed;**\safety;Event occurred in a file modified by an application : C:\Program Files (x86)\Total Commander\TOTALCMD64.EXE (05BF026F5834567EEF2711B0E9F980E36C9C8C13).;6FFE53DAFEA78BF7D01D23B2B5F75B226AB84797;12.06.2023 20: 09:37
  7. In general, the topic with this miner ("REALTEKD / TASKHOSTW") on technical forums in Russia and apparently in Ukraine over the past few years in popularity can only be compared with the Stop Djvu encryptor (but there at least the file extension changes stably, but here there is practically nothing does not change). Many antiviruses are taken out and blocked, not only ESET. In both cases, the infection occurs as a result of the use of hacked programs. The installer with this miner, as a rule, is several Gb, and there is no way to check it for viruses. In addition to blocking the launch of installers and utilities, blocking standard installation paths for anti-virus programs, access to the sites of technical forums and anti-virus companies is also blocked.
  8. @itman, Is it possible to block such scripts from running through HIPS rules?
  9. Dear colleagues, is it possible In ESET products to detect malicious scripts *.py in the .unitypackage files (a compressed package created by Unity-a 3D-game development program contains access to the project and library files used to build a game)? To create scripts, for example, Hawkish-Grabber builder can be used, then the script can be added to the .unitypackage file and when the Unity application is opened automatically when opening this file.
  10. Reinstalling the system may affect the investigation of the incident, but in order to analyze "whether or not decryption of files is possible", the user transferred everything that was needed: encrypted files, the body of the encryptor, a ransom note, additional files, from which it was previously possible to restore the key. DrWeb requirements are quite strict: free decryption is possible if the user has a license for the DrWeb product, if the product has been installed, updated and skipped the encryptor file. Nothing is known about the presence of FONIX decryption in DrWeb, Bitdef used cpriv.key (i.e. key file) previously, Gillespie (Emsisoft) also wrote about the need for a key file to decrypt FONIX, Avast uses a key file (cpriv.key, hrmlog1 ) to restore the session private key and then decrypt the files, Kaspersky receives the session key and adds it to the Rakhni public decryptor.
  11. This user is not under sanctions: WebClientComputerName, *.almaty.*.kz LicensePartnerCountry, KZ -------- I don't think it would be convenient to say in this thread why Kaspersky is stronger than DrWeb or vice versa.
  12. This is a fresh wave of FONIX, somewhere from the beginning of June. The previous wave was in January-March of this year. Most likely hacked by RDP The antivirus was installed after encryption.
  13. @itman, The key file cpriv.key was in Fonix/XINOF variants, for Fonix/RYUK this file is called hrmlog1. Unfortunately, according to the current version of FONIX / RYK, the previous known decoders do not work. Alas.
  14. @itman, My guess is that Bitdefender hasn't updated the decryptor since April 2021 when the FONIX/XINOF master key was released. (date of signing the decoder 27 April 2021 16:09:21). After repter/FONIX/XINOF, new variants of FONIX were released disguised as Crysis, Phobos, RYUK. Avast, LK, possibly Emsisoft have a decoder for them. The current version of FONIX/RYUK is different from the previous version RYK.
  15. Thanks for the answer! but judging by the detection of ESET, it is still FONIX (modified for RYUK), A Variant Of Win64/Filecoder.FONIX.A the previous versions of FONIX were deciphered. Is it possible to transfer these files to the laboratory for research?
  • Create New...