


Everything posted by none

  1. Each folder has it. Also it runs on startup; as mentioned above, it's an encrypted file, so I guess it will execute on boot from the registry. If you want it, just ask.
  2. Gotcha, here it is: https://id-ransomware.malwarehunterteam.com/identify.php?case=903544e15a3e26b6351e6b62bde07e2a3098f386
  3. I did upload a file or two, however no link was given. There is AnyDesk; not sure if it runs the same thing. I don't remember if I've installed pcAnywhere. Process Hacker was never installed by me, it was purely the ransom. Unfortunately I don't have ares666.exe, I just have the .pf file. No, that wasn't me.
  4. Funny story: ESET Endpoint (NOD) was installed, and yeah, it did not catch it. Module versions at the time:
     Virus signature database: 19658 (20190709)
     Rapid Response module: 14516 (20190709)
     Update module: 1072.1 (20190626)
     Antivirus and antispyware scanner module: 1553 (20190617)
     Advanced heuristics module: 1193 (20190626)
     Archive support module: 1288 (20190606)
     Cleaner module: 1195 (20190610)
     Anti-Stealth support module: 1151 (20190326)
     ESET SysInspector module: 1275 (20181220)
     Self-defense support module: 1018 (20100812)
     Real-time file system protection module: 1014 (20160223)
     Translation support module: 1746 (20190530)
     HIPS support module: 1362.3 (20190628)
     Internet protection module: 1355.1 (20181204)
     Database module: 1107 (20190613)
     Rootkit detection and cleaning module: 1019 (20170825)
     Cryptographic protocol support module: 1028.1 (20190327)
  5. So after a bit of research, here's my conclusion. The above 4 PCs (the DC server as well) were infected; some of them are Windows 7 and some are Windows 10. The server itself is a Windows Server 2012 R2. All PCs had their sys version above the EternalBlue version, meaning they did not transfer this way. I thought about BlueKeep (since the Windows 7 didn't have the patch), however that does not answer why the Win 10s and the server itself got infected. You could say it infected the Active Directory files and someone clicked it, however no one was at work at 02:20 AM to click on a file. When searching on the infected PCs, I saw the first files that showed up with ares666 were at 02:01 AM (8 Jul 19) (reception PC). On the PC I did the investigation on, the first file showed up at 02:20, BUT right before the first file, aka ".DF7ADA61E0284DDD4F1E", showed up, awhost32 was open. The most important information: right after this file ".DF7ADA61E0284DDD4F1E" showed up, processhacker.exe was run. Apparently the ransomware downloaded it and ran it, since I don't have it. Now I've noticed something really interesting: none of the files were encrypted right away. FIRST it went into all directories and began to infect every directory with .DF7ADA61E0284DDD4F1E and the HOW TO text file; after 1 min +- it began to encrypt the files. Now you are asking yourself how? Another process was run, named ares666.exe, which my guess is the file that encrypted the files. Note that this .DF7ADA61E0284DDD4F1E is an executable file but encrypted; I can tell that because it runs on startup. My thought was, if it runs on startup and the file is encrypted, then it must have something in the registry, however I could not find anything (perhaps I'm lacking experience), but I did manage to find something interesting when searching for ares666.

     In PendingFileRenameOperations (just to mention, it is just an imported hive; "system inf" = system reg file) at HKEY_LOCAL_MACHINE\system inf\ControlSet001\Control\Session Manager, this is what was found there: C:\Users\administrator\Downloads\build\PH 2.39\Ares666.exe. That's it about ares666, but when searching PROCESSHACKER in the registry, I found multiple registry entries: LEGACY_KPROCESSHACKER3 at HKEY_LOCAL_MACHINE\system inf\ControlSet001\Enum\Root\LEGACY_KPROCESSHACKER3; next was HKEY_LOCAL_MACHINE\system inf\ControlSet001\services\KProcessHacker3, and in this reg directory ImagePath = C:\Users\administrator\Downloads\build\PH 2.39\x86\kprocesshacker.sys. This was found inside the build folder; those files were not there (unfortunately). I tried to use EaseUS recovery to maybe recover the file but I could not; instead I found out that a file named ids.txt was there. Inside of that file, you can find all encrypted files (the path of them) and your "id", probably the pub key. I'd like to mention that the user administrator was not in use by anyone. Inside %appdata% I could find a "Process Hacker 2" folder; funny thing is its files were encrypted as well (extension ares666). Inside %temp% in appdata (of the administrator user), a file named ArmUI.ini was there. It can be found here > https://pastebin.com/6aW64w2v. That's about it, I think. Hope I helped the community with all of this. I gathered some of the files (encrypted ones), the ones that I showed here (registry directories and pf files) and the HOW TO (from a different PC); if you'd like the files to investigate or w/e, drop your email here. I have yet to find how it got transferred and infected other PCs on the network, and how it's possible it reached so many PCs on the network, which were pretty updated (against EternalBlue and BlueKeep). If you could help me find how and where to look for that, it would be great. Thanks.
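The registry and file-system artifacts listed in the post above (a PendingFileRenameOperations entry, a kernel-driver service whose ImagePath points into a user's Downloads folder, marker files dropped into every directory, and prefetch files for the binaries involved) are the kind of thing a responder would want to pull from every machine in one pass rather than by hand. The script below is an added triage example written for this thread, not code from the original poster; it assumes the SYSTEM hive is either the live one or was mounted with `reg load HKLM\offline C:\evidence\SYSTEM` (in which case pass `-HiveRoot 'HKLM:\offline' -ControlSet 'ControlSet001'`), and the marker names and the "user-writable path" heuristic are taken from the post and from common practice respectively, not from any known documentation of this ransomware.

```powershell
# Added triage example (not from the original thread). Assumes the SYSTEM hive is live
# or loaded under HKLM:\offline; marker names are the ones reported in the post.
param(
    [string]$HiveRoot   = 'HKLM:\SYSTEM',       # 'HKLM:\offline' for a mounted evidence hive
    [string]$ControlSet = 'CurrentControlSet',  # 'ControlSet001' for a mounted hive
    [string]$ScanRoot   = 'C:\',                # tree to search for marker files
    [string[]]$Markers  = @('.DF7ADA61E0284DDD4F1E', 'HOW TO BACK YOUR FILES.txt')
)

# Heuristic: a driver or autostart binary living under a user profile, Temp, AppData,
# ProgramData or Downloads is unusual enough to deserve a look.
function Test-SuspiciousPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    return ($expanded -match '(?i)\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Downloads\\')
}

# 1. Files queued for rename/delete at next boot (REG_MULTI_SZ of source/destination pairs;
#    an empty destination means "delete on reboot").
$sm = Join-Path $HiveRoot "$ControlSet\Control\Session Manager"
$pending = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
Write-Host "== PendingFileRenameOperations ($sm) =="
for ($i = 0; $i -lt $pending.Count; $i += 2) {
    $src = $pending[$i]
    $dst = if ($i + 1 -lt $pending.Count -and $pending[$i + 1]) { $pending[$i + 1] } else { '<delete on reboot>' }
    $flag = if (Test-SuspiciousPath $src) { ' [user-writable path]' } else { '' }
    Write-Host ("  {0} -> {1}{2}" -f $src, $dst, $flag)
}

# 2. Services and drivers whose ImagePath sits in a user-writable location
#    (Type 1 = kernel driver, Start 3 = on demand).
$svcRoot = Join-Path $HiveRoot "$ControlSet\Services"
Write-Host "== Services/drivers with ImagePath in user-writable locations ($svcRoot) =="
Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($p -and (Test-SuspiciousPath $p.ImagePath)) {
        [pscustomobject]@{ Service = $_.PSChildName; Type = $p.Type; Start = $p.Start; ImagePath = $p.ImagePath }
    }
} | Format-Table -AutoSize

# 3. Run/RunOnce autostart entries. These live in the SOFTWARE and NTUSER hives, so this
#    section is only meaningful on a live system (or after loading those hives as well).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Write-Host "== Run/RunOnce autostart entries =="
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
        $flag = if (Test-SuspiciousPath $_.Value) { ' [user-writable path]' } else { '' }
        Write-Host ("  {0}\{1} = {2}{3}" -f $k, $_.Name, $_.Value, $flag)
    }
}

# 4. Earliest marker/note files: their creation times give a per-folder timeline of when
#    the pre-encryption sweep reached each directory.
Write-Host "== Earliest marker files under $ScanRoot =="
Get-ChildItem -Path $ScanRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $Markers -contains $_.Name } |
    Sort-Object CreationTime |
    Select-Object -First 20 CreationTime, LastWriteTime, FullName |
    Format-Table -AutoSize

# 5. Prefetch entries for the binaries named in the post. A .pf file's last-write time is
#    approximately the last time that executable ran.
Write-Host "== Prefetch entries for binaries named in the thread =="
Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '(?i)ares666|processhacker|kprocesshacker|awhost32' } |
    Select-Object Name, CreationTime, LastWriteTime |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell as `.\triage.ps1` on a live machine, or against a mounted evidence hive as `.\triage.ps1 -HiveRoot 'HKLM:\offline' -ControlSet 'ControlSet001' -ScanRoot 'E:\'`. Sections 1 and 2 answer the two registry questions in the post directly (what is queued for deletion on reboot, and which driver is being loaded from a Downloads folder); sections 4 and 5 give the timeline the poster reconstructed by hand, and running them on every host lets you compare first-marker times across machines to see which one was touched first.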
  6. So, it seems a new ransom is hitting. Extension: .ares666. Mail to contact: [email protected]. Note file: "HOW TO BACK YOUR FILES.txt". NOTE: all files were encrypted; a file .DF7ADA61E0284DDD4F1E was created as well in each directory. I think it's an encrypted executable. NOTE: multiple PCs on the same network got hit; I'm not sure how the contamination went. The files began to be modified (encrypted) at night around 2 am. I'm checking how the contamination started; since it was around 2 am, no one could have clicked a file to infect their own files. Files in the Active Directory also got encrypted, and the owner seems to be Administrator (built-in), the same for all stations on the network. I have yet to find the file that infected everything. Some PCs in the network seem to have the sys version above "6.1.7601.23689", meaning they couldn't be infected via EternalBlue, right?