About a ransomware

This one. ;D


Here is another break down from CWsandbox. https://mwanalysis.org/?site=1&page=details&id=1012118&password=ggokihwnvc

Thx. Is the malware from cruelsister the same one as yours? The passwords are different. If so I will merge this topic with yours.

I looked up the malware on VT by its hash. It gets detected by Comodo as a trojan.

It is not clear by your description what happens when the malware gets run with CIS running and with what setting(s) it gets past CIS.

Please be more descriptive and start a separate topic with a proper topic start. That way this topic will not go astray and your topic will get proper exposure.

Eric- You can merge the topics if you wish- I was unaware of the previous thread. My sample is different only to the extent that I wrote the script and backdoored it to a valid installer; done more as a proof of concept (that any malware of this type is FUD) than to present a different malware class. But note that this is not the same malware that KJ has presented above.

But as I wasn’t initially clear about what exactly occurs, I’ll do so now. My sample is a simple script (can be done either as a batch file or a vbs script) that is backdoored to a legitimate installer. When the installer exe is run it will trigger the script. The script will wait until either the legitimate application is installed or until the user exits the install routine prior to its completion. With a little more effort the malicious commands can be incorporated into a valid application’s Restart routine. A colleague of mine has done just this with the Symantec Endpoint Protection installer.

The script does 2 things- it will change the User, Admin Windows logon password to whatever is specified in the script, then call up shutdown.exe to shut the computer down. When the computer is restarted one is presented with the logon screen. It makes no system changes other than what is stated (no registry changes, no dll or dat files dropped). CIS at default will fail. CIS at default with auto-sandbox at the Full V setting Fails. CIS at default with either Limited, Restricted or Untrusted auto-sandbox settings will stop it,

Merged as per request.

Sadly the 6.3 version is still susceptible to this trojan. Under Full V and Partially Limited Sandbox levels with HIPS at Safe Mode the malicious changes go undetected.

Is it still undetected if in HIPS settings “Set popup alerts to verbose mode” is checked?

Please create a bug report for this so I can bring it to the devs attention as quickly as possible.

This really help against rasomware?

I wish I knew.

It look like this one:

If this is still not fixed with CIS version 7.0.313494.4115 please create a bug report for it.