Ransomware DearCry

 

Technical details of Ransomware DearCry


Identification

 

Vendor

Detection

TrendMicro

Ransom.Win32.DEARCRY.THCABBA

McAfee

Ransom-DearCry!CDDA3913408C

Malwarebytes

Ransom.DearCry

 

The following table contains list of artifacts that had been analyzed within this document.


Summary

DearCry is ransomware which encrypts files on a device and demands ransom in exchange for decryption.


Technical details

 

Anti-Analysis

It gets current system date and time as shown in figure below.




 

It starts new service called msupdate as shown in figure below.




It generates key called “d37fc1eabc6783a418d23a8d2ba5db5a" as shown in figure below. This hash will be note when ransoamware finished encryption files.




It pushes two strings which related to communication with attack as shown in figure below.




Email address

konedieyp@airmail.cc or uenwonken@memail.com

Message

Your file has been encrypted!

 

It gets windows directory path (C:\Windows) as shown in figure below.



It will get paths of “Temp, APPDATA and  PROGRAMFILES” then put paths in array as shown in figure below.



It inserts hardcoded public key as shown in figure below.



Public key

MIIBCAKCAQEA5+mVBe75OvCzCW4oZHl7vqPwV2O4kgzgfp9odcL9LZc8Gy2+NJPDwrHbttKI3z4Yt3G04lX7bEp1RZjxUYfzX8qvaPC2EBduOjSN1WMSbJJrINs1IzkqXRrggJhSbp881Jr6NmpE6pns0Vfv//Hk1idHhxsXg6QKtfXlzAnRbgA1WepSDJq5H08WGFBZrgUVM0zBYI3JJH3b9jIRMVQMJUQ57w3jZpOnpFXSZoUy1YD7Y3Cu+n/Q6cEft6t29/FQgacXmeA2ajb7ssSbSntBpTpoyGc/kKoaihYPrHtNRhkMcZQayy5aXTgYtEjhzJAC+esXiTYqklWMXJS1EmUpoQIBAw==.


It resolves interesting strings which indicate the encryption process of the target system's user files is implemented utilizing the OPENSSL library as shown in figure below.



Interesting strings

crypto\evp\e_aes.c

crypto\bio\bio_lib.c

crypto\rsa\rsa_lib.c

crypto\evp\evp_enc.c

assertion failed: bl <= (int)sizeof(ctx->buf)

assertion failed: b <= sizeof ctx->buf

assertion failed: b <= sizeof ctx->final

assertion failed: EVP_CIPHER_CTX_iv_length(ctx) <= (int)sizeof(ctx->iv)

assertion failed: ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || ctx->cipher->block_size == 16

%lu:%s:%s:%d:%s

secure memory buffer

memory buffer

crypto\bio\bss_mem.c

CERTIFICATE REQUEST

NEW CERTIFICATE REQUEST

PKCS7

CERTIFICATE

RSA PUBLIC KEY

DH PARAMETERS

X9.42 DH PARAMETERS

crypto\rsa\rsa_crpt.c

crypto\evp\evp_lib.c

assertion failed: l <= sizeof(c->iv)

assertion failed: j <= sizeof(c->iv)

init fail

called a function that was disabled at compile-time

internal error

passed a null parameter

called a function you should not call

malloc failure

It gets logical drives as shown in figure below.


It gets drive type as shown in figure below.


It searches for files in machine then start encryption using RSA as shown in figure below.





Target files

It targets some extensions of files to encrypt them as shown in figure below.



After encryption end it delete malware service “msupdate” as shown in figure below.




It adds extension called CRYPT as shown in figure2 below.




Encrypted data




It writes the ransom note "readme.txt" to every folder as shown in figure below.


Readme.txt

If you wanna learn malware analysis you can check my YouTube channel I'm trying publish analysis of malware and some methods to analysis malwares.
Please don't forgot subscribe my channel Than you ♥  

YouTube channel 
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA

Malware Analyst : Mahmoud El Menshawy
Contact me : mahmoudmorsy372@gmail.com
Linkedin:https://www.linkedin.com/in/mahmoudmorsy1/

Comments

Post a Comment

Popular posts from this blog

IOCs 7_8_2021

Image
  (1) File Name Netflix Checker AutoProxy.rar Created process Qsbb.exe Connected (Ip/Dns) Fhruhceio[.]eu5[.]org MD5 54407258f1e20055897fe7dad504a5dc SHA256 4c54592475d4636eb0fe0555dbe44813332059d787c755571797484b87983a50 Family njRAT   (2) File Name Start.exe Created process yGYkD7gHOX.exe Connected (Ip/Dns) Telete[.]in MD5 e123bd2a5d074027510e792b92bce913 SHA256 245c87b29983815f1bad519d8490e4fae064ec3f4788781f3944cbe4ad7e8e8b Family Raccoon   (3) File Name Banco do Brasil_eDeclaração_SMX_046_6-08-2021_SWIFT.COPY.exe Created process Banco do Brasil_eDeclaração_SMX_046_6-08-2021_SWIFT.COPY.exe Connected (Ip/Dns) www[.]transinta[.]com MD5 c5
Read more

Phishing Attacks 23_4_2022

Image
  If you wanna learn how to detect phishing emails  only by your eye , you can check my udemy course here  . My udemy course   (1) Sender ip 180.214.238.82 From "Dang Thi Thu Hien<hiendang@panpacific.co.kr>" Subject "RE: [SSC CS] F22 03/09 Buy Shipping request_04062022" Attachment "SEALOGISTICS DEBIT NOTE.zip" MD5 add8e964a595d7af30f02783943c3a00 SHA256 24f6485539bc5d700d17ec8d629827ea80dfae2eb2189e872f4b8ae0e7f1d66f Family AgentTesla   If you wanna know how to analysis AgentTesla Malware you can      check my analysis in YouTube   AgentTesla .         (2) Sender ip 138.197.200.182 From "Nguyen Thi Quy <nguyen@47.fximnii.sbs>" Subject "RE: Purchase Inquiry: KPC/PU-231(MECH)NBI/20-22"
Read more

Phishing Attacks 15_2_2021

Image
  If you wanna learn how to detect phishing emails  only by your eye , you can check my udemy course here  . My udemy course (1) Sender ip 137.184.90.200 From "<zita@anthonybirch.ml>" Subject "Attached our formal P/O : 4501226854." Attachment "PO - 4501226854,pdf (1).iso" MD5 9addd85060db79af3b0ac0e3011c69c1 SHA256 b0b0135c292340ab5993a9f2bea6f3f6e6478fb5883fe2e1ef67c60cf3dd0944 Family Formbook   (2) Sender ip 143.198.41.151 From "Gilbert Anderson <info@digimaincheckshower.com>" Subject "Please accept my applicant " Attachment "Approvald-32134.doc" MD5 40582aacc0f7f8a0946a64249dae4767 SHA256 1b97ac97a845c9f63cf7308e3f6f983
Read more