Deep Analysis — yan1 AV-Killer + Ransomware Component | Threat: CRITICAL
File Identity
| SHA256 | d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c |
|---|---|
| Size | 408,040 bytes (PE32 console x86, 5 sections) |
| Entropy | 6.705 (normal) |
| TLS | found (no functions) |
net stop WinDefend + taskkill wrsa: AV Killer
AV KILLER: a command that disables Windows Defender + Webroot antivirus was found!

```text
net stop WinDefend
taskkill /f /im wrsa*
taskkill /f /im wrsa.exe
```

-- WinDefend: the Windows Defender service
-- wrsa.exe = Webroot SecureAnywhere (WRSA) antivirus
-- wrsa* wildcard: terminates every Webroot process name
-- Purpose: remove AV protection before encryption starts
-- Ransomware vector: file encryption begins once the AV has been removed
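The stop-then-kill sequence above is a useful detection signal on its own. The following is an added example (not part of the original report) that tags process-creation command lines matching this pattern and raises a combined alert when both the service stop and the forced process kill appear; the log events are constructed, and the service and image name sets are the ones observed in this sample.

```python
import re

# Constructed process-creation events (as a Sysmon Event ID 1 / 4688 collector
# might emit them); not real telemetry. Command lines mirror the yan1 strings.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "net stop WinDefend"},
    {"pid": 4124, "cmdline": "taskkill /f /im wrsa*"},
    {"pid": 4130, "cmdline": r"C:\Windows\System32\taskkill.exe /f /im wrsa.exe"},
    {"pid": 5000, "cmdline": r"net use Z: \\fileserver\share"},      # benign
    {"pid": 5100, "cmdline": "taskkill /f /im notepad.exe"},        # benign
]

AV_SERVICES = {"windefend"}   # service names the sample stops
AV_IMAGES = {"wrsa"}          # image base names the sample kills (wrsa*, wrsa.exe)


def classify(cmdline):
    """Return a tag if the command line matches the AV-kill pattern, else None."""
    tokens = cmdline.strip().split()
    if len(tokens) < 3:
        return None
    exe = tokens[0].lower().rsplit("\\", 1)[-1]        # strip any directory prefix
    if exe in ("net", "net.exe", "net1", "net1.exe") and tokens[1].lower() == "stop":
        svc = tokens[2].strip('"').lower()
        if svc in AV_SERVICES:
            return f"av_service_stop:{svc}"
    if exe in ("taskkill", "taskkill.exe"):
        args = [t.lower() for t in tokens[1:]]
        forced = "/f" in args
        # /im takes the image name as the next token; taskkill accepts wildcards
        for i, arg in enumerate(args[:-1]):
            if arg == "/im":
                image = args[i + 1].strip('"')
                base = re.sub(r"\*+$", "", image)       # wrsa* -> wrsa
                base = base[:-4] if base.endswith(".exe") else base
                if forced and base in AV_IMAGES:
                    return f"av_process_kill:{image}"
    return None


def detect_av_kill(events):
    """Tag matching events; the alert fires only when stop AND kill both occur."""
    hits = [(e["pid"], tag) for e in events if (tag := classify(e["cmdline"]))]
    kinds = {tag.split(":")[0] for _, tag in hits}
    alert = {"av_service_stop", "av_process_kill"} <= kinds
    return hits, alert


if __name__ == "__main__":
    print(detect_av_kill(SAMPLE_EVENTS))
```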
PDB Yollarinden Gelistirici Bilgisi
C:\Users\111\Desktop\wifi\project\ConsoleApplication2\Release\ConsoleApplication2.pdb\nC:\Users\cake\Desktop\project-main\project-main\ConsoleApplication2\cryptopp-master\rijndael_simd.cpp\nC:\Users\cake\Desktop\project-main\project-main\ConsoleApplication2\cryptopp-master\sha_simd.cpp\nC:\Users\cake\Desktop\project-main\project-main\ConsoleApplication2\cryptopp-master\gf2n_simd.cpp\n\n-- Kullanici "111": ana binary gelistiricisi\n-- Kullanici "cake": Crypto++ kutuphanesi entegratoru\n-- Iki farkli gelistirici = organize gelistirme takimi\n-- cryptopp-master: Crypto++ kutuphanesi (AES, SHA, GF) arastirma kayitlari\n-- ConsoleApplication2: hizli prototipleme ismi (acemi veya jenerik isimlendirme)
AES Encryption Capability via Crypto++

```text
CryptAcquireContext
CryptGenRandom
rijndael_simd.cpp (AES/Rijndael)
sha_simd.cpp (SHA hash)
gf2n_simd.cpp (Galois field)
sse_simd.cpp (SIMD optimization)
```

-- Crypto++ library: open-source C++ cryptography library
-- rijndael = AES encryption (128/256-bit)
-- sha = SHA-256 for file signing and verification
-- gf2n = Galois field polynomials (advanced cryptography)
-- Purpose: encrypt files with AES-256, protect the key with SHA
Drive Enumeration + File Timestamp Manipulation

```text
GetLogicalDriveStringsA
GetDriveTypeW
GetSystemTime
SystemTimeToFileTime
SetFileTime
```

-- GetLogicalDriveStringsA: all drives (A:, C:, D:, F:, ...)
-- GetDriveTypeW: detection of network drives and removable disks
-- SetFileTime: change file dates (timestomping / anti-forensics)
-- Purpose: hide file dates after encryption or conceal its own timestamps
-- Process32FirstW: scanning the process list (AV check?)
IOC
| SHA256 | d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c |
|---|---|
| File | yan1.exe (console PE32 x86) |
| PDB-1 | C:\Users\111\Desktop\wifi\project\ConsoleApplication2\ |
| PDB-2 | C:\Users\cake\Desktop\project-main\cryptopp-master\ |
| AV Kill | net stop WinDefend; taskkill /f /im wrsa* |
| Encryption | Crypto++ AES (Rijndael) + SHA |
yan1AVKiller — Malware Profile
Ransomware component with AV-killing capability. net stop WinDefend + taskkill /f /im wrsa* disables Windows Defender and Webroot. Crypto++ library AES/Rijndael + SHA encryption. Drive enumeration (GetLogicalDriveStringsA). File timestomping (SetFileTime). Two developer PDB paths: user 111 (wifi/project) and user cake (project-main/cryptopp-master).
Malware Type
Ransomware
Programming Language
C++/Crypto++
C2 Protocol
N/A
Target Systems
Global/Enterprise
Capabilities & Behavior
File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)
IOC List (1 indicator)
IOC — yan1AVKiller
# SHA256
d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c
| Type | Value | Note |
|---|---|---|
| sha256 | d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c | yan1.exe |