Am I right that if something is auto-sandboxed at a level other than “Fully Virtualized” then it’s really just restricted (according to the set level, from “Partially Limited” to “Blocked”) but not sandboxed? So “Reset Sandbox” won’t clean the system of the activity of the auto-sandboxed app.
There is a new Ransomlock strain that is making its way to the rest of the world from China. It is basically just a script trojan that is backdoored to legitimate programs resulting in the Windows password being changed. One can read about it here:
Upon analysis of the sample I was able to reproduce the malware and run it against CIS. The default CIS settings will allow the malicious behavior, as well as the Full V auto-sandbox setting. Limited, Restricted, and Untrusted settings will protect the user.
Please note that this trojan strain is FUD, so will only be stopped by the most annoying HIPS settings or tightly restricted sandboxes.
CIS set at default. Auto-Sandbox changed to Full V:
1) Sample run (application installer + backdoor).
2) CIS alerts that the file is Unknown; default “Run Isolated” selected.
3) Application finishes installing.
4) Script then runs.
5) Shutdown.exe is called by the script.
6) On startup, Windows passwords are changed.
I will not be able to test this on my computer, as I do not have a VM set up at the moment.
In order to get this looked at as quickly as possible, can you please create a properly formatted bug report for this in this section of the forum? The format can be found in this post. The fact that it’s able to change the password when sandboxed as FV definitely constitutes a bug.
Once you have done that I can forward this directly to the devs and hopefully have it fixed quickly. Can you also PM me a download link for the sample?