
Beware: the "BlackHeart" Ransomware Strikes Again

Source: compiled by this site   Author: anonymous   Date: 2018-11-07

I. Sample overview
The BlackHeart ransomware family is written in .NET. The Sangfor EDR security team previously reported a variant of this family that was bundled with the well-known remote-access tool AnyDesk for distribution. The sample the Sangfor EDR security team has now found is the latest variant of the family: the encryption scheme is still AES+RSA, encrypted files cannot be restored, and encrypted files receive the extension mariacbc.
BlackHeart is also a member of the SF ransomware family, which consists of the following:
· Spartacus (Spartacus ransomware)
· Satyr (Satyr ransomware)
· BlackRouter (BlackRouter ransomware)
· BlackHeart (BlackHeart ransomware)
All of them are written in .NET and share similar core encryption code, which is why they are grouped together as the SF ransomware family.
II. Detailed analysis
1. The sample still uses the earlier "B" icon and is again written in .NET, as shown below:

2. The program's entry function, as shown below:

3. It generates a unique AES key, as shown below:

4. It then encrypts the generated AES key with an RSA-2048 public key and Base64-encodes the result, as shown below:

The resulting encrypted key is as follows:
"mox1nR9OkprIdiwITblhpiD0XclNiMcMMNaP18mqVN1bkmsALjPThj9ckRNKC1uriLkOzc9BqAsgdLcNpmAJ/OPZDzKZhLsNv5GZAZotlMPX/gZzXvNvXqzKIxTxBv5NLzawTeyQuOuZMeU6gcuZdPThNItes0oFGsozxzsZCWuJoQuoXlfVDHnJC8dNGJ1+/EswCIB9jl5Hov0j9BNnwqOaKaTDJWYqayvKY4dnt14moA2ZzODVarydgHOit7CcJLGjCEijXV4Shrz8LkiBfKcH+haDcNWtT4EXT+zGae4DiAUIrAm+FPwLOuodHdrJwflJgkfawnXZA/6Emv/Vbw=="
5. It traverses the relevant directories on the host and encrypts their contents, as shown below:

The traversed directories, as shown below:

The corresponding directory list is as follows:
· %Desktop%
· %Documents% 
· %Music%
· %History%
· %Downloads%
· %Pictures%
· %Videos%
· %Favorites%
· %User Profile%
· %Program Data%
· %System Root%\Users
6. It iterates over the files in each directory, as shown below:

It checks whether each file's extension is in the list of extensions to be encrypted, as shown below:

The list of file extensions the ransomware encrypts is as follows:
".exe",".der",".pfx",".key",".crt",".csr",".p12",".pem",".odt",".sxw",".stw",".3ds",".max",".3dm",".ods",".sxc",".stc",".dif",".slk",".wb2",".odp",".sxd",".std",".sxm",".sqlite3",".sqlitedb",".sql",".accdb",".mdb",".dbf",".odb",".mdf",".ldf",".cpp",".pas",".asm",".cmd",".bat",".vbs",".sch",".jsp",".php",".asp",".java",".jar",".class",".mp3",".wav",".swf",".fla",".wmv",".mpg",".vob",".mpeg",".asf",".avi",".mov",".mp4",".mkv",".flv",".wma",".mid",".m3u",".m4u",".svg",".psd",".tiff",".tif",".raw",".gif",".png",".bmp",".jpg",".jpeg",".iso",".backup",".zip",".rar",".tgz",".tar",".bak",".ARC",".vmdk",".vdi",".sldm",".sldx",".sti",".sxi",".dwg",".pdf",".wk1",".wks",".rtf",".csv",".txt",".msg",".pst",".ppsx",".ppsm",".pps",".pot",".pptm",".pptx",".ppt",".xltm",".xltx",".xlc",".xlm",".xlt",".xlw",".xlsb",".xlsm",".xlsx",".xls",".dotm",".dot",".docm",".docx",".doc",".ndf",".pdf",".ib",".ibk"
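As an added example that is not part of the Sangfor analysis or of the malware's own code, the following Python helper applies two facts from the analysis above from the defender's side: it decodes the quoted Base64 key blob to confirm it has the 256-byte size of an RSA-2048 ciphertext, and it triages a Windows file listing for the mariacbc suffix. The target-extension shortlist and the sample paths are constructed for the demo.

```python
import base64
import ntpath  # paths come from a Windows victim, whatever the analysis box runs
from collections import Counter

# Suffix this variant appends to encrypted files (from the analysis above).
ENCRYPTED_SUFFIX = ".mariacbc"

# Constructed subset of the targeted-extension list quoted above; that list
# mixes cases (".ARC"), so all comparisons here are done in lower case.
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".pfx", ".key", ".txt"}

# Base64 blob of the RSA-encrypted AES key, copied from the analysis above.
WRAPPED_KEY_B64 = "mox1nR9OkprIdiwITblhpiD0XclNiMcMMNaP18mqVN1bkmsALjPThj9ckRNKC1uriLkOzc9BqAsgdLcNpmAJ/OPZDzKZhLsNv5GZAZotlMPX/gZzXvNvXqzKIxTxBv5NLzawTeyQuOuZMeU6gcuZdPThNItes0oFGsozxzsZCWuJoQuoXlfVDHnJC8dNGJ1+/EswCIB9jl5Hov0j9BNnwqOaKaTDJWYqayvKY4dnt14moA2ZzODVarydgHOit7CcJLGjCEijXV4Shrz8LkiBfKcH+haDcNWtT4EXT+zGae4DiAUIrAm+FPwLOuodHdrJwflJgkfawnXZA/6Emv/Vbw=="

def wrapped_key_size(b64_blob):
    """Length in bytes of a decoded Base64 blob, or -1 if it is not valid Base64.
    A 2048-bit RSA ciphertext is exactly 256 bytes, which cross-checks the
    RSA-2048 claim: the AES key is unrecoverable without the private key."""
    try:
        return len(base64.b64decode(b64_blob, validate=True))
    except ValueError:  # binascii.Error is a subclass of ValueError
        return -1

def original_name(path):
    """Return the pre-encryption filename, or None if the path was not hit."""
    if path.lower().endswith(ENCRYPTED_SUFFIX):
        return path[: -len(ENCRYPTED_SUFFIX)]
    return None

def triage(paths):
    """Group encrypted files by original extension. Returns (originals, counts,
    unexpected); `unexpected` lists extensions that were hit but are absent from
    the known target list, a sign the sample's list differs from the one above."""
    originals, counts = [], Counter()
    for p in paths:
        orig = original_name(p)
        if orig is None:
            continue
        originals.append(orig)
        counts[ntpath.splitext(orig)[1].lower()] += 1
    unexpected = sorted(e for e in counts if e not in TARGET_EXTENSIONS)
    return originals, dict(counts), unexpected

if __name__ == "__main__":
    # Constructed listing standing in for a directory walk over a mounted image.
    sample = [r"C:\Users\alice\Desktop\budget.xlsx.mariacbc",
              r"C:\Users\alice\Documents\Report.DOCX.mariacbc",
              r"C:\Users\alice\Pictures\cat.jpg", r"C:\ProgramData\tool.cfg.mariacbc"]
    print(wrapped_key_size(WRAPPED_KEY_B64), triage(sample))
```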
