Manual Static Analysis (LLM-Assisted) — Cl0p Ransomware | Threat: CRITICAL

File Identity

SHA256: ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
Size: 102,400 bytes

Anti-Recovery — 50+ Service and Process Kill Commands

Before encrypting, Cl0p neutralizes recovery mechanisms with more than 50 service and process kill commands. The target names are stored in the binary as cleartext strings, so they show up in a plain string dump of the sample.

Backup Software Kill

Product: Killed Services
Veeam: VeeamDeploymentService, VeeamDeploySvc, VeeamCatalogSvc, VeeamBackupSvc, VeeamRESTSvc, VeeamCloudSvc, VeeamHvIntegrationSvc, VeeamMountSvc, MSSQL$VEEAMSQL2008R2, SQLAgent$VEEAMSQL2008R2
Acronis: AcronisAgent, ARSM, Acronis VSS Provider, SDRSVC
BackupExec: BackupExecAgentBrowser, MSSQL$BKUPEXEC, SQLAgent$BKUPEXEC, SQL Backups
Zoolz: Zoolz 2 Service

Antivirus Kill

AV: Killed Services
Sophos: swi_update, swi_filter, swi_update_64, SAVService, Sophos Message Router, Sophos MCS Client, Sophos MCS Agent, Sophos Device Control Service, sophossps
McAfee: McAfeeFramework, McAfeeFrameworkMcAfeeFramework, masvc
Symantec: Symantec System Recovery (a backup/recovery product rather than an AV engine, listed here as the page groups it)
Kaspersky: KAVFS, kavfsslp
Trend Micro: ntrtscan, TmCCSF

Database Kill

MySQL80, mysqld.exe, MSSQLFDLauncher, SQLBrowser, SQLAgent$TPS, SQLTELEMETRY, MSSQL$SHAREPOINT,
MsDtsServer100, msftesql$PROD, ReportServer$TPS, MSOLAP$TPS, MSSQLServerADHelper100, SQLTELEMETRY$ECWDB2

Application Kill

outlook.exe, powerpnt.exe, mspub.exe, wordpad.exe (killed so that open documents are not locked during encryption)
steam.exe, mysqld.exe, sqlagent.exe, sqlwriter.exe, msftesql.exe, dbeng50.exe
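The kill-list names above are cleartext, which is what makes a string-based triage of a sample practical. The script below is an added example (not code from the page or from any Cl0p tooling): it dumps ASCII and UTF-16LE strings from a byte blob, the way `strings -a` and `strings -el` would, matches them against a subset of the service and process names listed above, and looks for vssadmin shadow-copy commands. The sample bytes are constructed, the chosen subset of names and the flagging threshold are assumptions.

```python
"""Static triage of a sample for Cl0p-style cleartext kill lists.

Added example, not code from the page or from any Cl0p analysis tooling.
The sample bytes are constructed; the flagging threshold is an assumption.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Subset of the kill-list names from the page; every entry is at least
# 5 characters so the string extractor below can see it.
KILL_LIST = (
    "VeeamDeploymentService", "VeeamBackupSvc", "MSSQL$VEEAMSQL2008R2",
    "AcronisAgent", "SDRSVC", "BackupExecAgentBrowser", "MSSQL$BKUPEXEC",
    "SAVService", "Sophos MCS Agent", "McAfeeFramework", "masvc",
    "KAVFS", "kavfsslp", "ntrtscan", "TmCCSF",
    "MySQL80", "mysqld.exe", "SQLBrowser", "MSSQLFDLauncher",
    "outlook.exe", "powerpnt.exe", "sqlwriter.exe", "dbeng50.exe",
)

VSSADMIN_PATTERNS = (
    re.compile(r"vssadmin\s+delete\s+shadows\s+/all\b", re.I),
    re.compile(r"vssadmin\s+resize\s+shadowstorage\s+/for=\w:\s+/on=\w:"
               r"\s+/maxsize=(?:unbounded|\d+%|\d+[KMG]B)", re.I),
)

# Printable runs of at least 5 characters, narrow (ASCII) and wide (UTF-16LE).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")


def extract_strings(data: bytes) -> list[str]:
    """Return every printable ASCII or UTF-16LE run in `data`, decoded."""
    narrow = [m.group(0).decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide = [m.group(0).decode("utf-16-le") for m in WIDE_RUN.finditer(data)]
    return narrow + wide


@dataclass
class Triage:
    kill_list_hits: set[str]
    vssadmin_commands: list[str]

    @property
    def flagged(self) -> bool:
        # Assumed threshold: several backup/AV targets plus a shadow-copy command.
        return len(self.kill_list_hits) >= 5 and bool(self.vssadmin_commands)


def triage(data: bytes) -> Triage:
    hits: set[str] = set()
    commands: list[str] = []
    for text in extract_strings(data):
        # Substring match: service names usually sit inside a longer command string.
        hits.update(name for name in KILL_LIST if name in text)
        for pattern in VSSADMIN_PATTERNS:
            commands.extend(m.group(0) for m in pattern.finditer(text))
    return Triage(hits, commands)


def build_sample() -> bytes:
    """Constructed stand-in for a binary (not real Cl0p bytes): a few kill-list
    names and two vssadmin commands between junk, some narrow and some wide."""
    junk = bytes(range(256)) * 4
    narrow = b"\x00".join([
        b"VeeamBackupSvc", b"AcronisAgent", b"SAVService", b"McAfeeFramework",
        b"/C vssadmin Delete Shadows /all /quiet",
    ])
    wide = b"\x00\x00".join(s.encode("utf-16-le") for s in [
        "KAVFS", "sqlwriter.exe", "outlook.exe",
        "/C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB",
    ])
    return junk + narrow + junk + wide + junk


if __name__ == "__main__":
    # Usage: python triage.py <file>; with no argument it scans the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    result = triage(blob)
    print("kill-list hits:", sorted(result.kill_list_hits))
    print("vssadmin commands:", result.vssadmin_commands)
    print("flagged:", result.flagged)
```

Run it against a real sample with the file path as the argument. Scanning both narrow and wide runs matters because Windows malware frequently keeps service names as UTF-16LE strings for the service control APIs and the command lines as ASCII, or the other way round; a narrow-only dump misses half the evidence.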

Shadow Copy Deletion

The following are passed to cmd.exe (the leading /C is cmd's run-and-exit switch). Beyond the direct delete, the binary resizes the shadow storage: shrinking the maximum size to a small value such as 401MB forces Windows to discard shadow copies that no longer fit, which removes them even where a direct delete fails, and resizing to unbounded afterwards restores the default limit.

/C vssadmin Delete Shadows /all /quiet
/C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
/C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
/C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
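On the detection side, the delete command is an alert on its own, but a single `resize shadowstorage` is also routine administration; what distinguishes the sequence above is one parent process driving resizes across several drives and mixing a small bound with `unbounded` within seconds. The script below is an added example (not the page's own content) that runs those two rules over process-creation events whose fields mirror what Sysmon Event ID 1 or Windows 4688 provide. The events, hostnames and the parent image path are constructed, and the 60-second correlation window is an assumption.

```python
"""Process-creation detection for Cl0p-style shadow-copy tampering.

Added example, not the page's own detection content. Events, hosts and the
parent image path are constructed; the correlation window is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
RESIZE_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage\s+/for=(\w:)\s+/on=\w:"
    r"\s+/maxsize=(unbounded|\d+%|\d+[KMG]B)", re.I)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    parent_pid: int
    parent_image: str
    command_line: str


@dataclass
class Alert:
    host: str
    severity: str
    reason: str
    command_lines: list[str]


def detect(events: list[Event], window: timedelta = timedelta(seconds=60)) -> list[Alert]:
    alerts: list[Alert] = []
    # Resize events grouped by the process that spawned the cmd.exe instances.
    resizes: dict[tuple[str, int], list[tuple[datetime, str, str, str]]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if DELETE_RE.search(e.command_line):
            alerts.append(Alert(e.host, "high", "shadow copies deleted via vssadmin",
                                [e.command_line]))
        m = RESIZE_RE.search(e.command_line)
        if m:
            key = (e.host, e.parent_pid)
            resizes.setdefault(key, []).append(
                (e.ts, m.group(1).lower(), m.group(2).lower(), e.command_line))
    for (host, _), items in resizes.items():
        # Only the resizes within `window` of the first one count as a burst.
        start = items[0][0]
        burst = [i for i in items if i[0] - start <= window]
        drives = {drive for _, drive, _, _ in burst}
        sizes = {size for _, _, size, _ in burst}
        shrink_and_restore = any(s != "unbounded" for s in sizes) and "unbounded" in sizes
        if len(drives) >= 2 or shrink_and_restore:
            severity = "high" if shrink_and_restore or len(drives) >= 3 else "medium"
            alerts.append(Alert(host, severity,
                                f"shadow storage resized on {len(drives)} drive(s) by one parent process",
                                [cmd for _, _, _, cmd in burst]))
    return alerts


def sample_events() -> list[Event]:
    """Constructed events (not real telemetry); the parent image path is a placeholder."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    dropper = r"C:\Users\Public\sample.exe"  # hypothetical path
    cl0p_cmds = [
        "cmd.exe /C vssadmin Delete Shadows /all /quiet",
        "cmd.exe /C vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded",
        "cmd.exe /C vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB",
        "cmd.exe /C vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded",
    ]
    events = [Event(t0 + timedelta(seconds=i), "WS01", 4120, dropper, c)
              for i, c in enumerate(cl0p_cmds)]
    # Benign admin activity on another host: a listing and a single one-drive resize.
    events += [
        Event(t0 + timedelta(minutes=5), "SRV02", 880, r"C:\Windows\explorer.exe",
              "cmd.exe /C vssadmin list shadows"),
        Event(t0 + timedelta(minutes=6), "SRV02", 880, r"C:\Windows\explorer.exe",
              "cmd.exe /C vssadmin resize shadowstorage /for=c: /on=c: /maxsize=10%"),
    ]
    return events


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(f"[{a.severity}] {a.host}: {a.reason}")
        for cmd in a.command_lines:
            print("    ", cmd)
```

The benign SRV02 resize produces no alert because it touches one drive and never pairs a bound with `unbounded`; the WS01 sequence yields one high alert for the delete and one for the three-drive shrink-and-restore burst. Keying the burst on the parent PID rather than on cmd.exe itself is deliberate: each `/C` invocation is a fresh cmd.exe, and the ransomware process is the only thing they share.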

About Cl0p

Cl0p (associated with TA505) is a ransomware family that has targeted organizations worldwide since 2019. It has run large campaigns by exploiting zero-day vulnerabilities in enterprise managed file transfer products such as GoAnywhere MFT and MOVEit Transfer.

IOC

SHA256: ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
Kill list: 50+ services (Veeam, Acronis, Sophos, McAfee, Kaspersky, Symantec, SQL)
Anti-recovery: vssadmin delete shadows, shadow storage resize

Clop — Malware Profile

Cl0p (Clop) is a ransomware family attributed to FIN11 and active since 2019; it is a variant of the CryptoMix family. Known for mass data theft through the MOVEit and GoAnywhere vulnerabilities. Encryption: RSA-1024 + AES, with fast encryption built on IOCP.

Malware Type
Ransomware
Programming Language
C/C++
C2 Protocol
Email
Target Systems
Global — Enterprise, Healthcare, Finance

Capabilities & Behavior

File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)

IOC List (1 indicator)

IOC — Clop
Type: sha256
Value: ae355c321f1fe36c9539457301a3cf5d8babc58c72a3f6a5ef160253b4002b1a
Tags
clop, cl0p, ransomware, service-kill, veeam, acronis, sophos, mcafee, mssql, vssadmin, enterprise