Manuel Statik Analiz (LLM Okumali) — Cl0p Ransomware | Tehdit: KRITIK

Fichier Kimligi

SHA256ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
Taille102.400 byte

Anti-Kurtarma — 50+ Servis ve Proses Kill Komutu

Cl0p, sifrelemeden once kurtarma mekanizmalarini etkisiz kilmak icin 50+ servis ve proses kill komutu icermektedir. Bunlar binary icerisinde cleartext olarak bulunmaktadir.

Yedekleme Yazilimi Kill

UrunKill Edilen Servisler
VeeamVeeamDeploymentService, VeeamDeploySvc, VeeamCatalogSvc, VeeamBackupSvc, VeeamRESTSvc, VeeamCloudSvc, VeeamHvIntegrationSvc, VeeamMountSvc, MSSQL$VEEAMSQL2008R2, SQLAgent$VEEAMSQL2008R2
AcronisAcronisAgent, ARSM, Acronis VSS Provider, SDRSVC
BackupExecBackupExecAgentBrowser, MSSQL$BKUPEXEC, SQLAgent$BKUPEXEC, SQL Backups
ZoolzZoolz 2 Service

Antiviirus Kill

AVKill Edilen Servisler
Sophosswi_update, swi_filter, swi_update_64, SAVService, Sophos Message Router, Sophos MCS Client, Sophos MCS Agent, Sophos Device Control Service, sophossps
McAfeeMcAfeeFramework, McAfeeFrameworkMcAfeeFramework, masvc
SymantecSymantec System Recovery
KasperskyKAVFS, kavfsslp
Trend Microntrtscan, TmCCSF

Veritabani Kill

MySQL80, mysqld.exe, MSSQLFDLauncher, SQLBrowser, SQLAgent$TPS, SQLTELEMETRY, MSSQL$SHAREPOINT,
MsDtsServer100, msftesql$PROD, ReportServer$TPS, MSOLAP$TPS, MSSQLServerADHelper100, SQLTELEMETRY$ECWDB2

Uygulama Kill

outlook.exe, powerpnt.exe, mspub.exe, wordpad.exe (belge kilitlenme onleme)
steam.exe, mysqld.exe, sqlagent.exe, sqlwriter.exe, msftesql.exe, dbeng50.exe

Shadow Copy Silme

/C vssadmin Delete Shadows /all /quiet
/C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
/C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
/C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

Cl0p Hakkinda

Cl0p (TA505 ile iliskilendirilir), 2019 yilinda kuresel kuruluslari hedef alan bir fidye yazilimi ailesisidir. GoAnywhere MFT ve MOVEit Transfer gibi kurumsal dosya transfer sistemlerindeki sifir gun (0-day) aciklari ile buyuk kampanyalar gerceklestirmistir.

IOC

SHA256ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
Kill Listesi50+ servis (Veeam, Acronis, Sophos, McAfee, Kaspersky, Symantec, SQL)
Anti-Kurtarmavssadmin delete shadows, shadow storage resize

Clop — Profil du malware

Cl0p (Clop), 2019 dan beri aktif FIN11 ransomware ailesidir. GOZi kaynaklı. MOVEit/GoAnywhere zaafiyetleri ile kitlesel veri hirsizligi. RSA-1024 + AES + IOCP hizli sifreleme.

Type de malware
Ransomware
Langage de programmation
C/C++
Protocole C2
Email
Systèmes ciblés
Kuresel — Kurumsal, Saglik, Finans

Capacités et comportement

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

Liste IOC (1 indicateurs)

IOC — Clop
# SHA256 ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
TypeValeurNote
sha256 ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
Tags
clopcl0pransomwareservis-killveeamacronissophosmcafeemssqlvssadminenterprise