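import os
import regquery
import logger
import tomb
import winver
from modules.module import Module
from mount import mount, umount
from runcmd import runProcess
import time
import findfile

# Module identifier: used as the log source and as the output sub-directory name.
MODULE_NAME = "globeimposter2"

# Indicators this module looks for (all taken from the original detection logic):
#   - per-user RunOnce value "CertificatesCheck" in NTUSER.DAT
#   - files carrying the ".725" extension
#   - the ransom note "RECOVER-FILES.html"
# Raw string: the original triple-quoted literal relied on "\M", "\W", "\C", "\R"
# being left alone as unrecognised escapes; r"" yields the same bytes without
# the SyntaxWarning.
RUNONCE_KEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_VALUE = "CertificatesCheck"
ENCRYPTED_FILE_PATTERN = "*.725"
RANSOM_NOTE_NAME = "RECOVER-FILES.html"


def getInstance():
    """Return a fresh module instance (factory entry point for the module loader)."""
    return RegistryModule()


class RegistryModule(Module):
    """Scan mounted Windows/NTFS volumes for Globeimposter 2.0 indicators.

    Registry indicators are read from each user profile's NTUSER.DAT on the
    ``winvol`` volumes; file-system indicators are searched on the ``ntfsvol``
    volumes.  Every hit is reported through ``logger.msgLog`` as a warning.
    """

    def __init__(self):
        self.name = MODULE_NAME
        self.description = "Detects a Globeimposter 2.0 infection"
        # Variables the framework must populate in self.vars before execute().
        self.requiredVars = ["ntfsvol", "winvol"]
        self.vars = {}

    def execute(self):
        """Run the scan over the configured ``winvol`` and ``ntfsvol`` volumes.

        Creates the module's output directory under ``tomb.getPath()`` when it
        is missing, logs the volume list, then logs each indicator found.
        Any exception raised by mount() propagates unchanged (the original
        ``except: raise`` was a no-op).
        """
        self._ensure_output_dir()
        winvols = self.vars['winvol'].value
        ntfsvols = self.vars['ntfsvol'].value
        logger.msgLog("Scanning volumes " + repr(winvols) + " " + repr(ntfsvols)
                      + " for Globeimposter 2.0 infection",
                      self.name, logger.TYPE_INFO)
        for vol in winvols:
            self._scan_registry(self._mount(vol))
        # VSS
        for vol in ntfsvols:
            self._scan_filesystem(self._mount(vol))

    def _ensure_output_dir(self):
        """Create ``<tomb path><module name>/`` if it does not already exist."""
        # Plain concatenation is kept on purpose: whether tomb.getPath() ends
        # with a separator is not visible here, and os.path.join would change
        # the result when it does not.
        path = tomb.getPath() + self.name + "/"
        if not os.path.exists(path):
            os.mkdir(path)

    def _mount(self, vol):
        """Mount ``/dev/<vol>`` and return its mount point under ``/mnt/``.

        ``vol`` comes from the module's configured variables and is passed to
        mount() unvalidated, as in the original; if those variables can be
        supplied by an untrusted party, reject values containing ".." or a
        leading "/" before this call.
        """
        # NOTE(review): nothing ever unmounts these volumes (umount is imported
        # but unused).  Confirm whether the framework cleans mounts up after the
        # module, or whether a try/finally around the scan belongs here.
        mntid = mount("/dev/" + vol)
        return "/mnt/" + mntid

    def _scan_registry(self, mntpoint):
        """Check each user profile's NTUSER.DAT on ``mntpoint`` for the RunOnce indicator.

        Args:
            mntpoint: mount point of a Windows system volume.
        """
        for profile in winver.getUserProfiles(mntpoint):
            hive = profile + "/NTUSER.DAT"
            value = regquery.queryValue(hive, RUNONCE_KEY, RUNONCE_VALUE)
            if value is not None:
                # str() so a non-string registry value cannot turn the report
                # itself into a TypeError.
                logger.msgLog("FOUND Globeimposter 2.0 value in RunOnce: " + str(value),
                              self.name, logger.TYPE_WARNING)

    def _scan_filesystem(self, mntpoint):
        """Search ``mntpoint`` for the encrypted-file extension and the ransom note.

        Args:
            mntpoint: mount point of an NTFS data volume.
        """
        # NOTE(review): the original called bare find_pattern() / find(), which
        # are not defined in this file and would raise NameError; they are
        # assumed to be the functions of the imported findfile module — confirm
        # against findfile's API.
        hit = findfile.find_pattern(ENCRYPTED_FILE_PATTERN, mntpoint, False)
        if hit is not None:
            logger.msgLog("FOUND at least one file with 725 extension: " + str(hit),
                          self.name, logger.TYPE_WARNING)
        note = findfile.find(RANSOM_NOTE_NAME, mntpoint)
        if note is not None:
            logger.msgLog("FOUND ransom letter: " + str(note),
                          self.name, logger.TYPE_WARNING)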