Deep Analysis — yan1 AV-Killer + Ransomware Component | Threat: CRITICAL

File Identity

SHA256: d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c
Size: 408,040 bytes (PE32 console x86, 5 sections)
Entropy: 6.705 (normal)
TLS: found (no functions)

net stop WinDefend + taskkill wrsa: AV Killer

AV KILLER: commands that disable Windows Defender and Webroot antivirus were found!

net stop WinDefend
taskkill /f /im wrsa*
taskkill /f /im wrsa.exe

-- WinDefend: the Windows Defender service
-- wrsa.exe = Webroot SecureAnywhere (WRSA) antivirus
-- wrsa* wildcard: terminates every Webroot process name
-- Purpose: remove AV protection before encryption starts
-- Ransomware vector: file encryption starts once the AV has been removed
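As an added detection example (not part of the report and not the sample's own code), the Python below flags the two AV-killer command lines above when they appear in process-creation telemetry. The events are constructed Sysmon-style records, not real telemetry; the Defender rule also accepts net1.exe (which net.exe spawns) and an equivalent "sc stop WinDefend", which goes beyond the exact strings on the page and is an assumed generalization.

```python
import re

# Detection rules for the AV-killer command lines seen in the report.
# Each entry: (rule name, regex applied to a whitespace-normalized command line).
AV_KILL_RULES = [
    # "net stop WinDefend"; also covers net1.exe and "sc stop WinDefend"
    # (assumed generalization, not on the page).
    ("defender_service_stop",
     re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+\"?windefend\b", re.IGNORECASE)),
    # "taskkill /f /im wrsa*" or "taskkill /f /im wrsa.exe", switches in any order.
    ("webroot_process_kill",
     re.compile(r"\btaskkill(?:\.exe)?\b(?=.*\s/im\s+\"?wrsa)", re.IGNORECASE)),
]

# Constructed Sysmon-style process-creation events (Event ID 1); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "yan1.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net stop WinDefend"},
    {"pid": 4131, "parent": "cmd.exe", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im wrsa*"},
    {"pid": 4140, "parent": "cmd.exe", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill  /F  /IM  wrsa.exe"},
    {"pid": 5002, "parent": "explorer.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop Spooler"},
    {"pid": 5010, "parent": "svchost.exe", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im notepad.exe"},
]


def detect_av_kill(cmdline: str) -> list[str]:
    """Return the names of every rule that matches one command line."""
    normalized = " ".join(cmdline.split())  # collapse doubled/odd whitespace
    return [name for name, rx in AV_KILL_RULES if rx.search(normalized)]


def scan_events(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, rule) pairs for every event whose command line matches a rule."""
    return [(ev["pid"], rule) for ev in events for rule in detect_av_kill(ev["cmdline"])]


def assess(events: list[dict]) -> str:
    """'high' when both the Defender stop and the Webroot kill occur (the pairing the
    report describes), 'medium' for either alone, 'none' otherwise."""
    seen = {rule for _, rule in scan_events(events)}
    if {"defender_service_stop", "webroot_process_kill"} <= seen:
        return "high"
    return "medium" if seen else "none"


if __name__ == "__main__":
    for pid, rule in scan_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print("severity:", assess(SAMPLE_EVENTS))
```

The two rules are scored together because a legitimate administrator rarely stops Defender and kills a second AV product within the same process tree; in a real deployment the parent-image field in the events would be used to tie both commands back to the same ancestor.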

Developer Information from PDB Paths

C:\Users\111\Desktop\wifi\project\ConsoleApplication2\Release\ConsoleApplication2.pdb
C:\Users\cake\Desktop\project-main\project-main\ConsoleApplication2\cryptopp-master\rijndael_simd.cpp
C:\Users\cake\Desktop\project-main\project-main\ConsoleApplication2\cryptopp-master\sha_simd.cpp
C:\Users\cake\Desktop\project-main\project-main\ConsoleApplication2\cryptopp-master\gf2n_simd.cpp

-- User "111": developer of the main binary
-- User "cake": integrator of the Crypto++ library
-- Two different developers = an organized development team
-- cryptopp-master: Crypto++ library (AES, SHA, GF) research records
-- ConsoleApplication2: rapid-prototyping name (novice or generic naming)
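As an added example (not part of the report and not the sample's own code), the Python below recovers the two kinds of path evidence above from a binary's raw bytes: the PDB path from the CodeView RSDS debug record (magic "RSDS", 16-byte GUID, 4-byte age, NUL-terminated path) and any other C:\Users\... source paths embedded as plain strings, then groups them by Windows user name. The byte blob is constructed here to carry the report's paths; its GUID and the "Assertion failed:" prefix are placeholders, not values taken from the sample.

```python
import re
import struct
import uuid

# CodeView 7.0 debug record: "RSDS" + GUID (16 bytes) + age (uint32 LE) + NUL-terminated PDB path.
RSDS_MAGIC = b"RSDS"

# Any printable path under a Users profile ending in .pdb/.cpp/.h; source paths often survive
# as ordinary embedded strings even outside the debug record.
USER_PATH_RE = re.compile(rb"[A-Za-z]:\\Users\\[\x20-\x7e]+?\.(?:pdb|cpp|h)\b")
USERNAME_RE = re.compile(r"[A-Za-z]:\\Users\\([^\\]+)\\")


def _rsds_record(guid: uuid.UUID, age: int, pdb_path: str) -> bytes:
    """Build an RSDS record; used only to construct the sample blob below."""
    return RSDS_MAGIC + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("ascii") + b"\x00"


# Constructed stand-in for a PE's raw bytes (not the real file): one debug record carrying the
# user-111 PDB path, then two of the user-cake source paths as plain strings. Placeholder GUID.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62
    + _rsds_record(uuid.UUID(int=0x1234), 1,
                   r"C:\Users\111\Desktop\wifi\project\ConsoleApplication2\Release\ConsoleApplication2.pdb")
    + b"\x00" * 16
    + b"Assertion failed: "
    + rb"C:\Users\cake\Desktop\project-main\project-main\ConsoleApplication2\cryptopp-master\rijndael_simd.cpp"
    + b"\x00"
    + rb"C:\Users\cake\Desktop\project-main\project-main\ConsoleApplication2\cryptopp-master\sha_simd.cpp"
    + b"\x00"
)


def extract_pdb_paths(data: bytes) -> list[dict]:
    """Find every RSDS record and return its GUID, age and PDB path."""
    records = []
    pos = data.find(RSDS_MAGIC)
    while pos != -1:
        if pos + 24 > len(data):      # header (4 + 16 + 4 bytes) would run past the end
            break
        path_start = pos + 24
        path_end = data.find(b"\x00", path_start)
        if path_end != -1 and path_end - path_start < 1024:
            raw = data[path_start:path_end]
            # A stray "RSDS" in other data is rejected unless it is followed by a real .pdb path.
            if raw.isascii() and raw.lower().endswith(b".pdb"):
                records.append({
                    "guid": str(uuid.UUID(bytes_le=data[pos + 4:pos + 20])),
                    "age": struct.unpack_from("<I", data, pos + 20)[0],
                    "path": raw.decode("ascii"),
                })
        pos = data.find(RSDS_MAGIC, pos + 4)
    return records


def extract_source_paths(data: bytes) -> list[str]:
    """Return every embedded Users-profile path string, in file order, without duplicates."""
    found: list[str] = []
    for m in USER_PATH_RE.finditer(data):
        path = m.group(0).decode("ascii")
        if path not in found:
            found.append(path)
    return found


def developer_hints(paths: list[str]) -> dict[str, int]:
    """Count paths per Windows user name; more than one name points at more than one build host."""
    counts: dict[str, int] = {}
    for path in paths:
        m = USERNAME_RE.match(path)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    for rec in extract_pdb_paths(SAMPLE_BLOB):
        print(f"RSDS guid={rec['guid']} age={rec['age']} path={rec['path']}")
    sources = extract_source_paths(SAMPLE_BLOB)
    print("users:", developer_hints(sources))
```

The RSDS GUID and age together identify the exact build, so they are worth recording alongside the path as an indicator: two samples sharing the same GUID and age were produced by the same compilation, regardless of how the file was later packed or renamed.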

AES Encryption Capability via Crypto++

CryptAcquireContext
CryptGenRandom
rijndael_simd.cpp (AES/Rijndael)
sha_simd.cpp (SHA hash)
gf2n_simd.cpp (Galois field)
sse_simd.cpp (SIMD optimization)

-- Crypto++ library: open-source C++ cryptography library
-- rijndael = AES encryption (128/256-bit)
-- sha = SHA-256 for file signing and verification
-- gf2n = Galois field polynomials (advanced cryptography)
-- Purpose: encrypt files with AES-256, protect the key with SHA

Drive Enumeration + File Timestamp Manipulation

GetLogicalDriveStringsA
GetDriveTypeW
GetSystemTime
SystemTimeToFileTime
SetFileTime

-- GetLogicalDriveStringsA: all drives (A:, C:, D:, F:, ...)
-- GetDriveTypeW: detection of network drives and removable disks
-- SetFileTime: change file dates (timestomping/anti-forensics)
-- Purpose: hide file dates after encryption, or conceal its own date
-- Process32FirstW: process list scanning (AV check?)

IOC

SHA256: d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c
File: yan1.exe (console PE32 x86)
PDB-1: C:\Users\111\Desktop\wifi\project\ConsoleApplication2\
PDB-2: C:\Users\cake\Desktop\project-main\cryptopp-master\
AV Kill: net stop WinDefend; taskkill /f /im wrsa*
Encryption: Crypto++ AES (Rijndael) + SHA

yan1AVKiller — Malware Profile

Ransomware component with AV-killing capability. net stop WinDefend + taskkill /f /im wrsa* disables Windows Defender and Webroot. Crypto++ library AES/Rijndael + SHA encryption. Drive enumeration (GetLogicalDriveStringsA). File timestomping (SetFileTime). Two developer PDB paths: user 111 (wifi/project) and user cake (project-main/cryptopp-master).

Malware Type: Ransomware
Programming Language: C++/Crypto++
C2 Protocol: N/A
Target Systems: Global/Enterprise

Capabilities & Behavior

File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)

IOC List (1 indicator)

IOC — yan1AVKiller
SHA256: d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c

Type | Value | Note
sha256 | d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c |
Tags: yan1-avkiller, ransomware-component, net-stop-windefend-windows-defender-disable, taskkill-wrsa-webroot-antivirus-kill, cryptopp-aes-rijndael-encryption-capability, sha-simd-gf2n-simd-advanced-crypto, getlogicaldrivestringsa-drive-enumeration-ransomware, setfiletime-timestomping-anti-forensics, pdb-user111-desktop-wifi-project-ioc, pdb-user-cake-project-main-cryptopp-master-ioc, consolapplication2-rapid-prototype-developer