olzprofiles.blogg.se

Convert .vmdk to iso








The malware also terminates the following processes:

"taskmgr", "sqlagent", "winword", "sqlbrowser", "sqlservr", "sqlwriter", "oracle", "ocssd", "dbsnmp", "synctime", "mydesktopqos", "agntsvc.exeisqlplussvc", "xfssvccon", "mydesktopservice", "ocautoupds", "agntsvc.exeagntsvc", "agntsvc.exeencsvc", "firefoxconfig", "tbirdconfig", "ocomm", "mysqld", "sql", "mysqld-nt", "mysqld-opt", "dbeng50", "sqbcoreservice"

The following are the extensions that the Big Head ransomware encrypts:


The malware avoids the directories that contain the following substrings:

By excluding these directories from its malicious activities, the malware reduces the likelihood of being detected by security solutions installed in the system and increases its chances of remaining undetected and operational for a longer duration.

These binaries are encrypted, rendering their contents inaccessible without the appropriate decryption mechanism. It also displays a fake Windows update to deceive the victim into thinking that the malicious activity is a legitimate process.

Xarch.exe drops a file named BXIuSsB.exe, a piece of ransomware that encrypts files and encodes file names to Base64.

Archive.exe drops a file named teleratserver.exe, a Telegram bot responsible for establishing communication with the threat actor’s chatbot ID.

This is a piece of ransomware that checks for the extension “.r3d” before encrypting and appending the “.poop” extension. 1.exe drops a copy of itself for propagation.

Additionally, we noted the presence of three resources that contained data resembling executable files with the “*.exe” extension:

The format that the malware adheres to in terms of its behavior upon installation is as follows:








