Manuel Statik Analiz (LLM Okumali) — Cl0p Ransomware | Tehdit: KRITIK

文件 Kimligi

SHA256ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
大小102.400 byte

Anti-Kurtarma — 50+ Servis ve Proses Kill Komutu

Cl0p, sifrelemeden once kurtarma mekanizmalarini etkisiz kilmak icin 50+ servis ve proses kill komutu icermektedir. Bunlar binary icerisinde cleartext olarak bulunmaktadir.

Yedekleme Yazilimi Kill

UrunKill Edilen Servisler
VeeamVeeamDeploymentService, VeeamDeploySvc, VeeamCatalogSvc, VeeamBackupSvc, VeeamRESTSvc, VeeamCloudSvc, VeeamHvIntegrationSvc, VeeamMountSvc, MSSQL$VEEAMSQL2008R2, SQLAgent$VEEAMSQL2008R2
AcronisAcronisAgent, ARSM, Acronis VSS Provider, SDRSVC
BackupExecBackupExecAgentBrowser, MSSQL$BKUPEXEC, SQLAgent$BKUPEXEC, SQL Backups
ZoolzZoolz 2 Service

Antiviirus Kill

AVKill Edilen Servisler
Sophosswi_update, swi_filter, swi_update_64, SAVService, Sophos Message Router, Sophos MCS Client, Sophos MCS Agent, Sophos Device Control Service, sophossps
McAfeeMcAfeeFramework, McAfeeFrameworkMcAfeeFramework, masvc
SymantecSymantec System Recovery
KasperskyKAVFS, kavfsslp
Trend Microntrtscan, TmCCSF

Veritabani Kill

MySQL80, mysqld.exe, MSSQLFDLauncher, SQLBrowser, SQLAgent$TPS, SQLTELEMETRY, MSSQL$SHAREPOINT,
MsDtsServer100, msftesql$PROD, ReportServer$TPS, MSOLAP$TPS, MSSQLServerADHelper100, SQLTELEMETRY$ECWDB2

Uygulama Kill

outlook.exe, powerpnt.exe, mspub.exe, wordpad.exe (belge kilitlenme onleme)
steam.exe, mysqld.exe, sqlagent.exe, sqlwriter.exe, msftesql.exe, dbeng50.exe

Shadow Copy Silme

/C vssadmin Delete Shadows /all /quiet
/C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
/C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
/C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

Cl0p Hakkinda

Cl0p (TA505 ile iliskilendirilir), 2019 yilinda kuresel kuruluslari hedef alan bir fidye yazilimi ailesisidir. GoAnywhere MFT ve MOVEit Transfer gibi kurumsal dosya transfer sistemlerindeki sifir gun (0-day) aciklari ile buyuk kampanyalar gerceklestirmistir.

IOC

SHA256ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
Kill Listesi50+ servis (Veeam, Acronis, Sophos, McAfee, Kaspersky, Symantec, SQL)
Anti-Kurtarmavssadmin delete shadows, shadow storage resize

Clop — 恶意软件档案

Cl0p (Clop), 2019 dan beri aktif FIN11 ransomware ailesidir. GOZi kaynaklı. MOVEit/GoAnywhere zaafiyetleri ile kitlesel veri hirsizligi. RSA-1024 + AES + IOCP hizli sifreleme.

恶意软件类型
Ransomware
编程语言
C/C++
C2协议
Email
目标系统
Kuresel — Kurumsal, Saglik, Finans

能力与行为

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

IOC列表 (1 个指标)

IOC — Clop
# SHA256 ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
类型备注
sha256 ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
标签
clopcl0pransomwareservis-killveeamacronissophosmcafeemssqlvssadminenterprise