'HavanaCrypt' ransomware impersonates Google Software Update to spread infection

Published 2022-07-11 at https://dt-corp.com.vn/?p=1533 (category: blog)

This new ransomware family is being distributed as a fake Google Software Update application.

HavanaCrypt performs multiple anti-virtualization checks and uses an IP address belonging to Microsoft's web hosting service for its C&C server in order to avoid detection. The malware also uses modules from an open-source password manager during encryption.

[Image: ransomware.jpg]

Compiled in .NET and protected with the open-source obfuscator Obfuscar, HavanaCrypt hides its window after execution, checks the AutoRun registry key for a "GoogleUpdate" entry, and continues its routine only if that entry is not found.

The malware performs its anti-virtualization checks by looking for services associated with virtual machines, files related to VM applications, file names used for VM executables, and the machine's MAC address.

If all four checks pass, the malware downloads a file named "2.txt" from the Microsoft web hosting IP address, saves it as a .bat file and executes it. The batch file contains commands that make Windows Defender ignore detections in the "Windows" and "User" directories.

Next, the ransomware terminates a series of running processes, including those of database applications (Microsoft SQL Server and MySQL) as well as Microsoft Office and Steam.

HavanaCrypt then queries all disk drives and deletes all shadow copies, and uses Windows Management Instrumentation (WMI) to identify system restore instances and delete them.

It then drops executable copies of itself into the "ProgramData" and "StartUp" folders, marks them as hidden system files, and drops into the "User Startup" folder a .bat file that disables Task Manager.

HavanaCrypt generates a unique identifier (UID) from system information such as the number of processor cores and the processor ID, processor name, socket, motherboard manufacturer and name, BIOS version and product number.

During encryption, the malware uses the CryptoRandom function of KeePass Password Safe to generate encryption keys, appends the ".Havana" extension to encrypted files, and skips files with certain extensions or located in specific directories, including those of the Tor browser. This suggests the operators may plan to communicate over the Tor network.

The malware also creates a text file listing all directories containing encrypted files, and encrypts that file as well. No ransom note is left for the victim, which may indicate that HavanaCrypt is still under development, Trend Micro said.

Source: Security Week, https://www.securityweek.com/new-havanacrypt-ransomware-distributed-fake-google-software-update