Manual Static Analysis (LLM-Assisted Reading) — Cl0p Ransomware | Threat: CRITICAL
File Identity
| Field | Value |
|---|---|
| SHA256 | ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a |
| Size | 102,400 bytes |
Anti-Recovery — 50+ Service and Process Kill Commands
Before it starts encrypting, Cl0p issues more than 50 service and process kill commands to disable backup, antivirus and database components that would otherwise allow recovery or hold files locked. The target names are stored in the binary as cleartext strings, so they can be recovered with a plain string scan of the unpacked sample.
Backup Software Kill
| Product | Services Killed |
|---|---|
| Veeam | VeeamDeploymentService, VeeamDeploySvc, VeeamCatalogSvc, VeeamBackupSvc, VeeamRESTSvc, VeeamCloudSvc, VeeamHvIntegrationSvc, VeeamMountSvc, MSSQL$VEEAMSQL2008R2, SQLAgent$VEEAMSQL2008R2 |
| Acronis | AcronisAgent, ARSM, Acronis VSS Provider, SDRSVC |
| BackupExec | BackupExecAgentBrowser, MSSQL$BKUPEXEC, SQLAgent$BKUPEXEC, SQL Backups |
| Zoolz | Zoolz 2 Service |
Antivirus Kill
| AV | Services Killed |
|---|---|
| Sophos | swi_update, swi_filter, swi_update_64, SAVService, Sophos Message Router, Sophos MCS Client, Sophos MCS Agent, Sophos Device Control Service, sophossps |
| McAfee | McAfeeFramework, McAfeeFrameworkMcAfeeFramework, masvc |
| Symantec | Symantec System Recovery |
| Kaspersky | KAVFS, kavfsslp |
| Trend Micro | ntrtscan, TmCCSF |
Database Kill
MySQL80, mysqld.exe, MSSQLFDLauncher, SQLBrowser, SQLAgent$TPS, SQLTELEMETRY, MSSQL$SHAREPOINT, MsDtsServer100, msftesql$PROD, ReportServer$TPS, MSOLAP$TPS, MSSQLServerADHelper100, SQLTELEMETRY$ECWDB2
Application Kill
outlook.exe, powerpnt.exe, mspub.exe, wordpad.exe (killed so that open documents do not hold file locks during encryption); steam.exe, mysqld.exe, sqlagent.exe, sqlwriter.exe, msftesql.exe, dbeng50.exe
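The kill list above is cleartext in the binary, which makes it a cheap static triage signal. The following is an added example (not code from the original page and not taken from any Cl0p sample) that extracts ASCII and UTF-16LE strings from a file, matches them as whole tokens against the service and process names in the tables above, and reports which product families the sample targets. The bytes produced by build_constructed_sample() are constructed to exercise the scanner and are not the real binary; the verdict thresholds are an illustrative assumption, not a published rule.

```python
"""Static triage of a binary against Cl0p's cleartext kill list (added example)."""
import hashlib
import re
from collections import defaultdict

# Kill-list entries grouped by product family, copied from the tables above.
KILL_LIST = {
    "Veeam": ["VeeamDeploymentService", "VeeamDeploySvc", "VeeamCatalogSvc",
              "VeeamBackupSvc", "VeeamRESTSvc", "VeeamCloudSvc",
              "VeeamHvIntegrationSvc", "VeeamMountSvc",
              "MSSQL$VEEAMSQL2008R2", "SQLAgent$VEEAMSQL2008R2"],
    "Acronis": ["AcronisAgent", "ARSM", "Acronis VSS Provider", "SDRSVC"],
    "BackupExec": ["BackupExecAgentBrowser", "MSSQL$BKUPEXEC",
                   "SQLAgent$BKUPEXEC", "SQL Backups"],
    "Zoolz": ["Zoolz 2 Service"],
    "Sophos": ["swi_update", "swi_filter", "swi_update_64", "SAVService",
               "Sophos Message Router", "Sophos MCS Client", "Sophos MCS Agent",
               "Sophos Device Control Service", "sophossps"],
    "McAfee": ["McAfeeFramework", "McAfeeFrameworkMcAfeeFramework", "masvc"],
    "Symantec": ["Symantec System Recovery"],
    "Kaspersky": ["KAVFS", "kavfsslp"],
    "Trend Micro": ["ntrtscan", "TmCCSF"],
    "SQL": ["MySQL80", "MSSQLFDLauncher", "SQLBrowser", "SQLAgent$TPS",
            "SQLTELEMETRY", "MSSQL$SHAREPOINT", "MsDtsServer100", "msftesql$PROD",
            "ReportServer$TPS", "MSOLAP$TPS", "MSSQLServerADHelper100",
            "SQLTELEMETRY$ECWDB2"],
    "Processes": ["outlook.exe", "powerpnt.exe", "mspub.exe", "wordpad.exe",
                  "steam.exe", "mysqld.exe", "sqlagent.exe", "sqlwriter.exe",
                  "msftesql.exe", "dbeng50.exe"],
}
VSSADMIN_MARKERS = ["vssadmin Delete Shadows /all /quiet",
                    "vssadmin resize shadowstorage"]

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes):
    """Yield printable ASCII and UTF-16LE strings of length >= 4 (like strings -a -e l)."""
    for m in ASCII_RE.finditer(data):
        yield m.group().decode("ascii")
    for m in WIDE_RE.finditer(data):
        yield m.group().decode("utf-16le")


def _token_pattern(name: str) -> re.Pattern:
    # Whole-token, case-insensitive match so short names such as ARSM do not
    # fire on unrelated substrings; '$' and spaces in service names are escaped.
    return re.compile(r"(?<![A-Za-z0-9_])" + re.escape(name) + r"(?![A-Za-z0-9_])", re.I)


def triage(data: bytes) -> dict:
    strings = list(extract_strings(data))
    hits = defaultdict(list)
    for family, names in KILL_LIST.items():
        for name in names:
            pat = _token_pattern(name)
            if any(pat.search(s) for s in strings):
                hits[family].append(name)
    vss = [m for m in VSSADMIN_MARKERS if any(m.lower() in s.lower() for s in strings)]
    total = sum(len(v) for v in hits.values())
    # Assumption (illustrative threshold): several product families plus
    # shadow-copy tampering is the ransomware anti-recovery pattern.
    if len(hits) >= 3 and vss:
        verdict = "anti-recovery ransomware"
    elif total or vss:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"sha256": hashlib.sha256(data).hexdigest(), "families": dict(hits),
            "kill_list_hits": total, "vssadmin": vss, "verdict": verdict}


def build_constructed_sample() -> bytes:
    """CONSTRUCTED blob standing in for an unpacked binary; not the real sample."""
    return b"".join([
        b"MZ\x90\x00" + b"\x00" * 60,
        "VeeamDeploySvc".encode("utf-16le") + b"\x00\x00",   # wide string
        b"net stop VeeamBackupSvc /y\x00",
        b"ARSM\x00",                                         # short token
        b"Sophos MCS Agent\x00",
        b"masvc\x00",
        b"/C vssadmin Delete Shadows /all /quiet\x00",
        b"/C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB\x00",
        b"\xde\xad\xbe\xef" * 16,
    ])


if __name__ == "__main__":
    for key, value in triage(build_constructed_sample()).items():
        print(f"{key}: {value}")
```

Run it against a real file with triage(open(path, "rb").read()). The scan only works on an unpacked image; a packed or string-obfuscated build will return "clean" until it is dumped from memory, so treat a clean result as "nothing found", not "benign".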
Shadow Copy Deletion
The following command lines are embedded in the binary; the leading /C shows they are passed to cmd.exe:
/C vssadmin Delete Shadows /all /quiet
/C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
/C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
/C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
The resize commands are part of the anti-recovery step, not housekeeping: shrinking the shadow storage area below its current usage (here to 401MB on g:) forces Windows to evict existing shadow copies, which catches snapshots that the delete command could not remove.
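The command lines above are the behavioral counterpart of the string scan: they appear in process-creation telemetry (Sysmon Event ID 1 or Security 4688 style) regardless of packing. The following is an added example, not code from the original page, that scores each vssadmin command line and then correlates "delete shadows" with "resize shadowstorage" from the same parent process, which is the chain shown above. The EVENTS list is constructed telemetry, not real logs, and EXPECTED_VSS_PARENTS is an environment-specific allowlist assumption.

```python
"""Behavioral detection for Cl0p-style shadow-copy tampering (added example)."""
import re

DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
RESIZE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)
MAXSIZE_RE = re.compile(r"/maxsize=(\S+)", re.I)

# Assumption: parent image paths that legitimately manage shadow storage here.
EXPECTED_VSS_PARENTS = ("\\veeam\\", "\\backup exec\\", "\\acronis\\")

# CONSTRUCTED process-creation events: (pid, parent_image, command_line).
EVENTS = [
    (4120, r"C:\Users\svc\AppData\Local\Temp\update.exe",
     r"cmd.exe /C vssadmin Delete Shadows /all /quiet"),
    (4121, r"C:\Users\svc\AppData\Local\Temp\update.exe",
     r"cmd.exe /C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded"),
    (4122, r"C:\Users\svc\AppData\Local\Temp\update.exe",
     r"cmd.exe /C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB"),
    (5300, r"C:\Windows\explorer.exe", r"cmd.exe /C vssadmin list shadows"),
    (5310, r"C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe",
     r"vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded"),
]


def classify(cmdline: str, parent_image: str):
    """Return (kind, severity, reason) for one command line, or None if benign."""
    if DELETE_RE.search(cmdline):
        sev = "critical" if re.search(r"/all\b", cmdline, re.I) else "high"
        return "delete", sev, "vssadmin delete shadows"
    if RESIZE_RE.search(cmdline):
        m = MAXSIZE_RE.search(cmdline)
        size = m.group(1).lower() if m else ""
        if any(p in parent_image.lower() for p in EXPECTED_VSS_PARENTS):
            return "resize", "info", "shadow storage resize by expected backup tooling"
        if size and size != "unbounded":
            # A bounded /maxsize below current usage evicts existing shadow copies.
            return "resize", "high", f"shadow storage shrunk to {size} (evicts snapshots)"
        return "resize", "medium", "shadow storage resize outside backup tooling"
    return None


def detect(events):
    """Per-event alerts plus parents that issued both a delete and a resize."""
    alerts, kinds_by_parent = [], {}
    for pid, parent, cmd in events:
        hit = classify(cmd, parent)
        if hit is None:
            continue
        kind, sev, reason = hit
        alerts.append((pid, sev, reason))
        if sev != "info":
            kinds_by_parent.setdefault(parent, set()).add(kind)
    chains = [p for p, k in kinds_by_parent.items() if {"delete", "resize"} <= k]
    return {"alerts": alerts, "chains": chains}


if __name__ == "__main__":
    result = detect(EVENTS)
    for pid, sev, reason in result["alerts"]:
        print(f"pid={pid} {sev}: {reason}")
    for parent in result["chains"]:
        print(f"CRITICAL chain (delete + resize) from {parent}")
```

The per-event severity is what a SIEM rule would emit; the chain list is the escalation an analyst wants, because a lone /maxsize=unbounded resize is easy to dismiss while the same parent also deleting shadows is not. Keep the allowlist narrow: Cl0p's own cmd.exe children are launched from the dropped binary, not from a backup vendor's install directory.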
About Cl0p
Cl0p (associated with TA505) is a ransomware family that has targeted organizations worldwide since its appearance in 2019. It has run large-scale campaigns by exploiting zero-day vulnerabilities in enterprise managed file transfer products such as GoAnywhere MFT and MOVEit Transfer.
IOC
| Indicator | Value |
|---|---|
| SHA256 | ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a |
| Kill List | 50+ services (Veeam, Acronis, Sophos, McAfee, Kaspersky, Symantec, SQL) |
| Anti-Recovery | vssadmin delete shadows, shadow storage resize |
Clop — Malware Profile
Cl0p (Clop) is a ransomware family active since 2019 and operated by FIN11. It is a CryptoMix variant. Mass data theft through the MOVEit Transfer and GoAnywhere MFT vulnerabilities. Fast encryption using RSA-1024 + AES, parallelised with I/O completion ports (IOCP).
Malware Type
Ransomware
Programming Language
C/C++
C2 Protocol
Email
Target Systems
Global — Enterprise, Healthcare, Finance
Capabilities & Behavior
File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)
IOC List (1 indicator)
IOC — Clop
| Type | Value | Note |
|---|---|---|
| sha256 | ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a | analyzed sample |