Ransomware DearCry

 

Technical details of Ransomware DearCry


Identification

Vendor          Detection
TrendMicro      Ransom.Win32.DEARCRY.THCABBA
McAfee          Ransom-DearCry!CDDA3913408C
Malwarebytes    Ransom.DearCry


The following table lists the artifacts analyzed in this document.


Summary

DearCry is ransomware that encrypts files on a device and demands a ransom in exchange for decryption.


Technical details

 

Anti-Analysis

It gets the current system date and time, as shown in the figure below.




 

It starts a new service called msupdate, as shown in the figure below.




It generates a key called "d37fc1eabc6783a418d23a8d2ba5db5a", as shown in the figure below. This hash is written into the ransom note once the ransomware has finished encrypting files.




It pushes two strings related to communication with the attacker, as shown in the figure below.




Email address    konedieyp@airmail.cc or uenwonken@memail.com
Message          Your file has been encrypted!

 

It gets the Windows directory path (C:\Windows), as shown in the figure below.



It gets the paths of Temp, APPDATA and PROGRAMFILES and stores them in an array, as shown in the figure below.



It inserts a hardcoded public key, as shown in the figure below.



Public key

MIIBCAKCAQEA5+mVBe75OvCzCW4oZHl7vqPwV2O4kgzgfp9odcL9LZc8Gy2+NJPDwrHbttKI3z4Yt3G04lX7bEp1RZjxUYfzX8qvaPC2EBduOjSN1WMSbJJrINs1IzkqXRrggJhSbp881Jr6NmpE6pns0Vfv//Hk1idHhxsXg6QKtfXlzAnRbgA1WepSDJq5H08WGFBZrgUVM0zBYI3JJH3b9jIRMVQMJUQ57w3jZpOnpFXSZoUy1YD7Y3Cu+n/Q6cEft6t29/FQgacXmeA2ajb7ssSbSntBpTpoyGc/kKoaihYPrHtNRhkMcZQayy5aXTgYtEjhzJAC+esXiTYqklWMXJS1EmUpoQIBAw==
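To recover the key's parameters from the base64 string above, here is an added Python example (written for this page, not part of the original analysis). It decodes the DER by hand, so it needs no crypto library, and reports the modulus size, the public exponent and a SHA-256 fingerprint of the key bytes that can be used to hunt for the same embedded key in other samples. It assumes PKCS#1 RSAPublicKey framing, which matches the "RSA PUBLIC KEY" PEM label seen among the OpenSSL strings, but it also accepts the X.509 SubjectPublicKeyInfo form; the wrapper helper and the rsaEncryption AlgorithmIdentifier bytes are there only to exercise that second path.

```python
import base64
import hashlib

# Public key exactly as printed in the analysis above (base64-encoded DER, 360 characters).
DEARCRY_PUBLIC_KEY_B64 = (
    "MIIBCAKCAQEA5+mVBe75OvCzCW4oZHl7vqPwV2O4kgzgfp9odcL9LZc8Gy2+"
    "NJPDwrHbttKI3z4Yt3G04lX7bEp1RZjxUYfzX8qvaPC2EBduOjSN1WMSbJJr"
    "INs1IzkqXRrggJhSbp881Jr6NmpE6pns0Vfv//Hk1idHhxsXg6QKtfXlzAnR"
    "bgA1WepSDJq5H08WGFBZrgUVM0zBYI3JJH3b9jIRMVQMJUQ57w3jZpOnpFXS"
    "ZoUy1YD7Y3Cu+n/Q6cEft6t29/FQgacXmeA2ajb7ssSbSntBpTpoyGc/kKoa"
    "ihYPrHtNRhkMcZQayy5aXTgYtEjhzJAC+esXiTYqklWMXJS1EmUpoQIBAw=="
)
DEARCRY_PUBLIC_KEY_DER = base64.b64decode(DEARCRY_PUBLIC_KEY_B64, validate=True)

# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL parameters).
# Used only to build a SubjectPublicKeyInfo wrapper so the parser's second path can be exercised.
RSA_ENCRYPTION_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after the value)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets that follow
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def _der_tlv(tag, value):
    """Encode one DER tag-length-value (the inverse of _read_tlv)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def wrap_pkcs1_as_spki(pkcs1_der):
    """Wrap a PKCS#1 RSAPublicKey in an X.509 SubjectPublicKeyInfo structure."""
    return _der_tlv(0x30, RSA_ENCRYPTION_ALGID + _der_tlv(0x03, b"\x00" + pkcs1_der))


def parse_rsa_public_key(key):
    """Parse an RSA public key given as base64 text or raw DER bytes.

    Accepts PKCS#1 RSAPublicKey (SEQUENCE { n INTEGER, e INTEGER }) or
    SubjectPublicKeyInfo (SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }).
    """
    der = base64.b64decode(key, validate=True) if isinstance(key, str) else bytes(key)
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    form = "PKCS#1 RSAPublicKey"
    n_tag, n_val, pos = _read_tlv(body, 0)
    if n_tag == 0x30:  # first element is an AlgorithmIdentifier, so this is SubjectPublicKeyInfo
        form = "SubjectPublicKeyInfo"
        bs_tag, bs_val, pos = _read_tlv(body, pos)
        if bs_tag != 0x03 or pos != len(body) or bs_val[:1] != b"\x00":
            raise ValueError("malformed SubjectPublicKeyInfo")
        tag, body, end = _read_tlv(bs_val, 1)  # skip the unused-bits octet of the BIT STRING
        if tag != 0x30 or end != len(bs_val):
            raise ValueError("malformed RSAPublicKey inside BIT STRING")
        n_tag, n_val, pos = _read_tlv(body, 0)
    e_tag, e_val, pos = _read_tlv(body, pos)
    if n_tag != 0x02 or e_tag != 0x02 or not n_val or not e_val or pos != len(body):
        raise ValueError("expected SEQUENCE { modulus INTEGER, publicExponent INTEGER }")
    n = int.from_bytes(n_val, "big")
    e = int.from_bytes(e_val, "big")
    return {
        "form": form,
        "modulus_bits": n.bit_length(),
        "public_exponent": e,
        "modulus": n,
        "der_sha256": hashlib.sha256(der).hexdigest(),  # fingerprint of the key bytes as given
    }


if __name__ == "__main__":
    info = parse_rsa_public_key(DEARCRY_PUBLIC_KEY_B64)
    print(f"{info['form']}: {info['modulus_bits']}-bit modulus, e={info['public_exponent']}")
    print("DER SHA-256:", info["der_sha256"])
```

Run against the key above, the parser reports a PKCS#1 key with a 2048-bit modulus and public exponent 3. The SHA-256 of the DER is a more reliable hunting indicator than the base64 text, since the same key may appear in other samples with different line wrapping or PEM framing.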


It resolves interesting strings indicating that encryption of the target system's user files is implemented using the OpenSSL library, as shown in the figure below.



Interesting strings

crypto\evp\e_aes.c

crypto\bio\bio_lib.c

crypto\rsa\rsa_lib.c

crypto\evp\evp_enc.c

assertion failed: bl <= (int)sizeof(ctx->buf)

assertion failed: b <= sizeof ctx->buf

assertion failed: b <= sizeof ctx->final

assertion failed: EVP_CIPHER_CTX_iv_length(ctx) <= (int)sizeof(ctx->iv)

assertion failed: ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || ctx->cipher->block_size == 16

%lu:%s:%s:%d:%s

secure memory buffer

memory buffer

crypto\bio\bss_mem.c

CERTIFICATE REQUEST

NEW CERTIFICATE REQUEST

PKCS7

CERTIFICATE

RSA PUBLIC KEY

DH PARAMETERS

X9.42 DH PARAMETERS

crypto\rsa\rsa_crpt.c

crypto\evp\evp_lib.c

assertion failed: l <= sizeof(c->iv)

assertion failed: j <= sizeof(c->iv)

init fail

called a function that was disabled at compile-time

internal error

passed a null parameter

called a function you should not call

malloc failure

It gets the logical drives, as shown in the figure below.


It gets the drive type, as shown in the figure below.


It searches for files on the machine and then starts encrypting them using RSA, as shown in the figure below.





Target files

It targets certain file extensions for encryption, as shown in the figure below.



After encryption ends, it deletes the malware service "msupdate", as shown in the figure below.




It adds the extension CRYPT to encrypted files, as shown in the figure below.




Encrypted data




It writes the ransom note "readme.txt" to every folder, as shown in the figure below.


Readme.txt
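The host artifacts described above (the msupdate service, the CRYPT extension and the readme.txt note in every folder) can be turned into a simple detection. The following Python example is added for this page and is not part of the original analysis. The log lines are constructed for the example in a simplified key=value rendering, not real telemetry: Event ID 7045 (System log, "a service was installed") and Sysmon Event ID 11 (FileCreate) are real event types, but the image names and paths are made up. Real Windows event XML or Sysmon output would need a proper parser in place of `parse_line`.

```python
import re
from collections import Counter

# Indicators taken from the analysis above.
SERVICE_NAME = "msupdate"
ENCRYPTED_EXT = ".CRYPT"
RANSOM_NOTE = "readme.txt"

# Constructed sample log lines (not real telemetry): a simplified key=value rendering of a
# System log 7045 service-install event and several Sysmon Event ID 11 (FileCreate) events.
SAMPLE_LOG = """\
EventID=7045 ServiceName=msupdate ImagePath=C:\\Users\\Public\\svc.exe StartType=auto
EventID=11 Image=C:\\Users\\Public\\svc.exe TargetFilename=C:\\Users\\bob\\Documents\\report.docx.CRYPT
EventID=11 Image=C:\\Users\\Public\\svc.exe TargetFilename=C:\\Users\\bob\\Documents\\readme.txt
EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\bob\\Downloads\\notes.txt
EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe StartType=auto
EventID=11 Image=C:\\Users\\Public\\svc.exe TargetFilename=C:\\Users\\bob\\Pictures\\cat.jpg.CRYPT
"""


def parse_line(line):
    """Turn one 'key=value key=value' line into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def classify(event):
    """Return the names of the indicators this single event matches (empty if none)."""
    hits = []
    if event.get("EventID") == "7045" and event.get("ServiceName", "").lower() == SERVICE_NAME:
        hits.append("service_install_msupdate")
    if event.get("EventID") == "11":
        target = event.get("TargetFilename", "")
        if target.upper().endswith(ENCRYPTED_EXT):
            hits.append("crypt_extension_write")
        if target.rsplit("\\", 1)[-1].lower() == RANSOM_NOTE:
            hits.append("ransom_note_write")
    return hits


def scan(log_text, min_crypt_writes=2):
    """Scan log lines and return indicator counts, the processes that wrote .CRYPT files,
    and an alert flag. The service install alone is enough to alert; .CRYPT writes alert
    once they reach min_crypt_writes, so a single odd filename does not fire by itself."""
    counts = Counter()
    writers = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        for hit in classify(event):
            counts[hit] += 1
            if hit == "crypt_extension_write":
                writers[event.get("Image", "?")] += 1
    alert = counts["service_install_msupdate"] > 0 or counts["crypt_extension_write"] >= min_crypt_writes
    return {"counts": dict(counts), "crypt_writers": dict(writers), "alert": alert}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    print("alert:", result["alert"])
    for name, count in sorted(result["counts"].items()):
        print(f"  {name}: {count}")
    print("processes writing .CRYPT files:", result["crypt_writers"])
```

The process that writes the .CRYPT files is reported alongside the counts because that is what an incident responder needs first: the ransom note name and extension identify the family, but the writing image is what has to be contained.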

If you want to learn malware analysis, you can check my YouTube channel. I'm trying to publish analyses of malware and some methods for analyzing malware.
Please don't forget to subscribe to my channel. Thank you ♥

YouTube channel 
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA

Malware Analyst : Mahmoud El Menshawy
Contact me : mahmoudmorsy372@gmail.com
Linkedin:
https://www.linkedin.com/in/mahmoudmorsy1/
