MSIL/APT.677A!tr.ransom
Analysis
MSIL/APT.677A!tr.ransom is a detection for the APT Ransomware trojan.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
  - %CurrentPath%\2.exe : This file is detected as MSIL/Agent.B486!tr.
  - %CurrentPath%\delete.bat : This batch file is intended to delete the dropped file 2.exe.
  - %CurrentPath%\log.txt : This file is a plain text file.
  - %AppData%\godmode.{ed7ba470-8e54-465e-825c-99712043e01c}\denve.exe : This file is detected as MSIL/Agent.B486!tr.
  - %AppData%\delback.bat : This batch file is intended to delete backups in the form of shadow volume copies.
  - decrypt_your_files.html : This file is dropped in every infected folder and serves as the ransom note.
- Files affected by this ransomware are renamed using the format {Original_Filename}.Ext.dll.
- It assigns a unique identifier to each infection.
- This malware was also observed to affect/encrypt files located on shared drives within the same subnet.
- This malware was also observed to affect/encrypt files located on USB or external drives.
- This malware may apply any of the following registry modification(s):
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    - Audio HD Driver = %AppData%\Roaming\GodMode.{ed7ba470-8e54-465e-825c-99712043e01c}\\denve.exe
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
    - Audio Hd Driver = %AppData%\GodMode.{ed7ba470-8e54-465e-825c-99712043e01c}\\denve.exe
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\Explorer\Run
    - Audio Hd Driver = %AppData%\GodMode.{ed7ba470-8e54-465e-825c-99712043e01c}\\denve.exe
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
- Below is an illustration of this malware:
  - Figure 1: Ransom note.
- Below is an illustration of the dropped log file:
  - Figure 2: Text file.
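The dropped-file names, the Run-key persistence value and the {Original_Filename}.Ext.dll renaming listed above are the indicators an analyst would sweep a host or file share for. The following Python triage helper is an added example, not Fortinet's code: it scans a file listing for ransom notes and double-extension files, and parses a `reg export` style text dump for the Run-key entries. The indicator strings come from the write-up; the file listing and registry export it runs on are constructed sample inputs, and the thresholds (two double-extension files per folder before a folder is reported) are the example's own choice.

```python
"""Host-triage helpers for the indicators in the write-up above.

Added example, not Fortinet's code. Indicator strings are taken from the
write-up; the sample inputs at the bottom are constructed for this demo.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Indicators from the write-up (all compared case-insensitively).
PERSISTENCE_VALUE_NAME = "audio hd driver"
PERSISTENCE_FOLDER = "godmode.{ed7ba470-8e54-465e-825c-99712043e01c}"
DROPPED_BINARY = "denve.exe"
RANSOM_NOTE = "decrypt_your_files.html"
RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
)

# Encrypted files keep their original name and extension and gain ".dll":
#   report.docx -> report.docx.dll
ENCRYPTED_NAME_RE = re.compile(r"^.+\.[A-Za-z0-9]{1,10}\.dll$", re.IGNORECASE)

# Subset of .reg syntax: "[HKEY_...]" opens a key, "name"="data" sets a value.
_REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def looks_encrypted(filename: str) -> bool:
    """True if the basename matches {Original_Filename}.Ext.dll."""
    name = filename.replace("/", "\\").rsplit("\\", 1)[-1]
    return bool(ENCRYPTED_NAME_RE.match(name))


def scan_file_listing(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group suspicious paths by folder.

    A folder is reported when it holds the ransom note, or at least two
    double-extension files. One such name alone is not reported because
    legitimate *.resources.dll-style names are common on Windows.
    """
    notes: Dict[str, List[str]] = defaultdict(list)
    doubles: Dict[str, List[str]] = defaultdict(list)
    for path in paths:
        norm = path.replace("/", "\\")
        folder, _, name = norm.rpartition("\\")
        if name.lower() == RANSOM_NOTE:
            notes[folder].append(norm)
        elif looks_encrypted(name):
            doubles[folder].append(norm)
    findings: Dict[str, List[str]] = {}
    for folder in set(notes) | set(doubles):
        if notes[folder] or len(doubles[folder]) >= 2:
            findings[folder] = sorted(notes[folder] + doubles[folder])
    return findings


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse a .reg text export into (key, value_name, data) triples."""
    entries: List[Tuple[str, str, str]] = []
    key = ""
    for line in text.splitlines():
        m = _REG_KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _REG_VALUE_RE.match(line)
        if m and key:
            # .reg exports escape backslashes as "\\"; undo that for matching.
            data = m.group("data").replace("\\\\", "\\")
            entries.append((key, m.group("name"), data))
    return entries


def find_persistence(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return Run-key values that match any persistence indicator above."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        in_run_key = key.lower().endswith(RUN_KEY_SUFFIXES)
        data_l = data.lower()
        if in_run_key and (
            name.lower() == PERSISTENCE_VALUE_NAME
            or PERSISTENCE_FOLDER in data_l
            or data_l.endswith("\\" + DROPPED_BINARY)
        ):
            hits.append((key, name, data))
    return hits


# Constructed sample inputs (not captured from a real host).
SAMPLE_LISTING = [
    r"D:\shares\finance\decrypt_your_files.html",
    r"D:\shares\finance\budget.xlsx.dll",
    r"D:\shares\finance\q3_report.docx.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\App\App.resources.dll",
    r"E:\photos\IMG_0001.jpg.dll",
    r"E:\photos\IMG_0002.jpg.dll",
]
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Audio HD Driver"="C:\\Users\\alice\\AppData\\Roaming\\GodMode.{ed7ba470-8e54-465e-825c-99712043e01c}\\denve.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Audio Hd Driver"="C:\\Users\\alice\\AppData\\Roaming\\GodMode.{ed7ba470-8e54-465e-825c-99712043e01c}\\denve.exe"
'''

if __name__ == "__main__":
    for folder, files in sorted(scan_file_listing(SAMPLE_LISTING).items()):
        print(f"[files] {folder}: {len(files)} indicator(s)")
    for key, name, data in find_persistence(SAMPLE_REG_EXPORT):
        print(f"[reg] {key} -> {name} = {data}")
```

On the sample data the finance share and the photos folder are reported, the lone App.resources.dll is not, and both Run-key entries are surfaced. In practice the registry text would come from `reg export` of the three keys listed above and the file listing from a recursive directory walk of the share; the double-extension rule is a heuristic, so a reported folder still needs a look at the ransom note or file headers before it is treated as confirmed.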
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |