YourCyanide: A CMD-based Ransomware With Multiple Layers of Obfuscation

Trend Micro

GONNACOPE

| File | SHA256 | Detection |
| --- | --- | --- |
| GonnaCope.Bat | ab71472e5a66740369c70715245a948d452a59ea7281233d6ad4c53dfa36b968 | Trojan.BAT.GONNACOPE.A |
| GonnaCope.Bat | 0dff760288b3dfebc812761a2596563e5f0aea8ffc9ca4a4c26fa46e74311122 | Ransom.BAT.GONNACOPE.THEOEBB |
| GonnaCopeDL | f9fdfb0d4e2d2ea06ce9222280cd03d25c9768dfa502b871846153be30816fd3 | Trojan.MSIL.GONNACOPE.A |
| GonnaCopeCryptor | 2987b5cacc9de6c3a477bd1fc21b960db3ea8742e3b46906d134aa8b73f17280 | Ransom.MSIL.GONNACOPE.YXCEE |
| GonnaCope | 7388722c3a19854c1ccf19a92798a7cef0efae538e8e8ecf5e79620e6a49cea7 | TrojanSpy.MSIL.GONNACOPE.A |
| GonnaCopeRansNote | 7edb2d152d8744343222b1b93ff846616fc3ca702e96c7e7a3663d2d938d8374 | Ransom.MSIL.GONNACOPE.A.note |
| mail.vbs | 26bde18048c32f6612d8d76b8696b2ce59db227913dccd51f696b51640ee11e9 | Worm.VBS.GONNACOPE.A |
| msg.vbs | ca84abd94b65d69ee8d26ffc3cc63a5a0886136e63d405ac293fefecc1d2ff3a | PUA.VBS.GonnaLoop.A |
| msgbox.vbs | d12e08e5dd94021dfa59d36d3adfe7f47df180023a04be781fa7695adc5ccc54 | PUA.VBS.GonnaLoop.A |
| nokeyboard.reg | a029ae77eced03e515a2acb0ee8ebecf3aebea402e441beef1615e3488234f8e | PUA.Win32.Disabler.A |
| Readme.txt | 9c39b7535b527df3b70800562bad98dc2e046de321fe3914dab896eda753cf38 | Ransom.Win32.GONNACOPE.YXCEW.note |
| downloader.vbs | 45189864b6ff6d844d27b59123d2cd461f539d42b362e60e49da50119f0b7083 | Trojan.VBS.GONNACOPE.A |

KEKPOP

| File | SHA256 | Detection |
| --- | --- | --- |
| Arrival | c8d6298f5ef09a324bb6afc7bb4550857fbd0fcbaea2b315b4f00d78bcc6a262, 296ba1469d072c37c6361fe80ba396a92f6461b9562103a3b5a20841d0757722 | Trojan.BAT.KEKPOP.THEACBB |
| Main File | bfd9336deeb399f412c51f8f6797e6b5dc81afa1f1638ab937a28df733a78c0f, f8a0d9ea41c2b9082f9aebbc7e337b22d1092dd307ccd34d71fdbd56fd94a41d, 1e791e8511ac29bf4fd2a289ed35bb24151a7b0bfa3ab9854b2a586ede050a54, d2d25dee61b17133415b4856412f20134823177effccd53a1f14677d372a4b56 | Ransom.BAT.KEKPOP.THEAABB |
| Dropped BAT File 1 | | Trojan.BAT.KEKPOP.THEACBB |
| Dropped BAT File 2 | 9b087a352fcb0a61545dbd68f7dfa32e0e15f98ca1547207d9ff918881ff5c75 | TrojanSpy.BAT.KEKPOP.THEACBB |
| Dropped BAT File 3 | 7fed00a9456b6945813f46294d2f587e7486b38917a8818a77774a2a8e2cfe9b | Trojan.BAT.KEKPOP.THEACBB |
| Dropped Text File | | Ransom.BAT.KEKPOP.THEACBB.note |
| Dropped HTML File | | Ransom.HTML.KEKPOP.THEACBB.note |
| Passwords.exe | 53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56 | HackTool.Win32.NirsoftPT.SM |
| GetToken.exe | 6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983 | Trojan.MSIL.TOKENSTEALER.YXCES |
| kekpopdicord.exe | e5f589027e859e8bedb2d5fbecff37dcf7bcf7e4af6671c1c0c9aac9b6712913 | Trojan.Win64.KEKPOP.YXCET, Trojan.BAT.KEKPOP.YXCEZ |

KEKWARE

| File | SHA256 | Detection |
| --- | --- | --- |
| Arrival | 3262ece43e7135c9ed6788588bae269ed75db800964d48cfb762542e0d003259 | |

Read More: https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html