MSIL/APT.677A!tr.ransom

description-logoAnalysis

MSIL/APT.677A!tr.ransom is a detection for the APT Ransomware trojan.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • %CurrentPath%\2.exe : This file is detected as MSIL/Agent.B486!tr.
    • %CurrentPath%\delete.bat: This bat file intends to delete the dropped file 2.exe.
    • %CurrentPath%\log.txt: This file is a text file.
    • %AppData%\godmode.{ed7ba470-8e54-465e-825c-99712043e01c}\denve.exe : This file is detected as MSIL/Agent.B486!tr.
    • %AppData%\delback.bat : This bat file intends to delete the backup in the form of shadow volume copies.
    • decrypt_your_files.html : This file is dropped in every infected folder and will serve as ransom notes.

  • Affected files of this Ransomware will use the filenaming format {Original_Filename}.Ext.dll.

  • It assigns an unique identifier to identify each infection.

  • This malware was also observed to affect/encrypt files located on shared drived within the same subnet.

  • This malware was also observed to affect/encrypt files located on USB or external drives.

  • This malware may apply any of the following registry modification(s):
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
      • Audio HD Driver = %AppData%\Roaming\GodMode.{ed7ba470-8e54-465e-825c-99712043e01c}\\denve.exe
      This automatically executes the dropped file every time the infected user logs on.
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
      • Audio Hd Driver = %AppData%\GodMode.{ed7ba470-8e54-465e-825c-99712043e01c}\\denve.exe
      This registry corresponds to an autostart pointed out by windows for every restart of the host machine.
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\Explorer\Run
      • Audio Hd Driver = %AppData%\GodMode.{ed7ba470-8e54-465e-825c-99712043e01c}\\denve.exe

  • Below is an illustration of the this malware:

    • Figure 1: Ransom notes.

  • Below is an illustration of the dropped log file:

    • Figure 2: Text File.


recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR

Version Updates

Date Version Detail
2019-01-22 65.82800 Sig Updated
2018-11-06 63.98100 Sig Updated
2018-10-26 63.72000 Sig Updated