import os
import regquery
import logger
import tomb
import winver
from modules.module import Module
from mount import mount,umount
from runcmd import runProcess
import time
import findfile
def getInstance():
    """Return a new RegistryModule instance."""
    module = RegistryModule()
    return module
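class RegistryModule(Module):
    """Forensic module that looks for traces of a Globeimposter 2.0 infection.

    Two kinds of evidence are checked on the mounted volumes:

    - on each Windows volume, every user profile's ``NTUSER.DAT`` hive is
      queried for a ``RunOnce`` value named ``CertificatesCheck``;
    - on each NTFS volume, the file system is searched for files with the
      ``.725`` extension and for the ``RECOVER-FILES.html`` ransom note.

    Findings are reported through ``logger.msgLog`` as warnings. The module
    only reads from the examined volumes; its sole write is the creation of
    its own output directory under ``tomb.getPath()``.
    """

    # Registry key (relative to the user hive) holding the persistence value.
    _RUNONCE_KEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
    _RUNONCE_VALUE = "CertificatesCheck"
    # File-system indicators: extension of encrypted files and ransom note name.
    _ENCRYPTED_EXT_PATTERN = "*.725"
    _RANSOM_NOTE = "RECOVER-FILES.html"

    def __init__(self):
        # NOTE(review): Module.__init__ is not called here; confirm the base
        # class needs no initialisation of its own.
        self.name = "globeimposter2"
        self.description = "Detects a Globeimposter 2.0 infection"
        # Variables the caller must supply in self.vars before execute().
        # Each entry is expected to expose a .value that iterates over device
        # names without the "/dev/" prefix (e.g. "sda2") — confirm with caller.
        self.requiredVars = ["ntfsvol", "winvol"]
        self.vars = {}

    def execute(self):
        """Run the scan over every configured Windows and NTFS volume.

        Creates the module's output directory under ``tomb.getPath()`` when it
        is missing, then mounts and inspects each volume. A failed mount
        propagates to the caller unchanged.
        """
        path = tomb.getPath() + self.name + "/"
        # exist_ok removes the check-then-create race of the original
        # os.path.exists() / os.mkdir() pair.
        os.makedirs(path, exist_ok=True)
        winvols = self.vars['winvol'].value
        ntfsvols = self.vars['ntfsvol'].value
        self._log(
            "Scanning volumes " + repr(winvols) + " " + repr(ntfsvols)
            + " for Globeimposter 2.0 infection",
            logger.TYPE_INFO,
        )
        for vol in winvols:
            self._scan_registry(self._mount_volume(vol))
        for vol in ntfsvols:
            self._scan_filesystem(self._mount_volume(vol))

    def _log(self, message, level):
        """Forward *message* to the shared logger tagged with this module's name."""
        logger.msgLog(message, self.name, level)

    @staticmethod
    def _mount_volume(vol):
        """Mount ``/dev/<vol>`` and return its mount point below ``/mnt/``.

        NOTE(review): the volume is never unmounted afterwards. ``umount`` is
        imported by this file but unused — confirm its signature and release
        each mount once the scan of that volume is finished.
        """
        mntid = mount("/dev/" + vol)
        return "/mnt/" + mntid

    def _scan_registry(self, mntpoint):
        """Query every user hive on a mounted Windows volume for the RunOnce value."""
        for profile in winver.getUserProfiles(mntpoint):
            hkcu = profile + "/NTUSER.DAT"
            value = regquery.queryValue(hkcu, self._RUNONCE_KEY, self._RUNONCE_VALUE)
            if value is not None:
                # str() so a non-string registry value is reported instead of
                # raising TypeError on concatenation.
                self._log(
                    "FOUND Globeimposter 2.0 value in RunOnce: " + str(value),
                    logger.TYPE_WARNING,
                )

    def _scan_filesystem(self, mntpoint):
        """Search a mounted NTFS volume for encrypted files and the ransom note."""
        # The original called find_pattern()/find() unqualified, which is a
        # NameError at runtime; they are assumed to live in the imported
        # ``findfile`` module, which was otherwise unused — confirm.
        result = findfile.find_pattern(self._ENCRYPTED_EXT_PATTERN, mntpoint, False)
        if result is not None:
            self._log(
                "FOUND at least one file with 725 extension: " + str(result),
                logger.TYPE_WARNING,
            )
        result = findfile.find(self._RANSOM_NOTE, mntpoint)
        if result is not None:
            self._log("FOUND ransom letter: " + str(result), logger.TYPE_WARNING)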