Technical details of Ransomware DearCry
Identification
Vendor | Detection |
TrendMicro | Ransom.Win32.DEARCRY.THCABBA |
McAfee | Ransom-DearCry!CDDA3913408C |
Malwarebytes | Ransom.DearCry |
The following table contains list of artifacts that had been analyzed within this document.
Summary
DearCry is ransomware which encrypts files on a device and demands ransom in exchange for decryption.
Technical details
Anti-Analysis
It gets current system date and time as shown in figure below.
It starts new service called msupdate as shown in figure below.
It generates key called “d37fc1eabc6783a418d23a8d2ba5db5a" as shown in figure below. This hash will be note when ransoamware finished encryption files.
It pushes two strings which related to communication with attack as shown in figure below.
Email address | |
Message | Your file has been encrypted! |
It gets windows directory path (C:\Windows) as shown in figure below.
It will get paths of “Temp, APPDATA and PROGRAMFILES” then put paths in array as shown in figure below.
It inserts hardcoded public key as shown in figure below.
Public key
MIIBCAKCAQEA5+mVBe75OvCzCW4oZHl7vqPwV2O4kgzgfp9odcL9LZc8Gy2+NJPDwrHbttKI3z4Yt3G04lX7bEp1RZjxUYfzX8qvaPC2EBduOjSN1WMSbJJrINs1IzkqXRrggJhSbp881Jr6NmpE6pns0Vfv//Hk1idHhxsXg6QKtfXlzAnRbgA1WepSDJq5H08WGFBZrgUVM0zBYI3JJH3b9jIRMVQMJUQ57w3jZpOnpFXSZoUy1YD7Y3Cu+n/Q6cEft6t29/FQgacXmeA2ajb7ssSbSntBpTpoyGc/kKoaihYPrHtNRhkMcZQayy5aXTgYtEjhzJAC+esXiTYqklWMXJS1EmUpoQIBAw==.
It resolves interesting strings which indicate the encryption process of the target system's user files is implemented utilizing the OPENSSL library as shown in figure below.
Interesting strings
crypto\evp\e_aes.c
crypto\bio\bio_lib.c
crypto\rsa\rsa_lib.c
crypto\evp\evp_enc.c
assertion failed: bl <= (int)sizeof(ctx->buf)
assertion failed: b <= sizeof ctx->buf
assertion failed: b <= sizeof ctx->final
assertion failed: EVP_CIPHER_CTX_iv_length(ctx) <= (int)sizeof(ctx->iv)
assertion failed: ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || ctx->cipher->block_size == 16
%lu:%s:%s:%d:%s
secure memory buffer
memory buffer
crypto\bio\bss_mem.c
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
PKCS7
CERTIFICATE
RSA PUBLIC KEY
DH PARAMETERS
X9.42 DH PARAMETERS
crypto\rsa\rsa_crpt.c
crypto\evp\evp_lib.c
assertion failed: l <= sizeof(c->iv)
assertion failed: j <= sizeof(c->iv)
init fail
called a function that was disabled at compile-time
internal error
passed a null parameter
called a function you should not call
malloc failure
It gets logical drives as shown in figure below.
It gets drive type as shown in figure below.
It searches for files in machine then start encryption using RSA as shown in figure below.
Target files
It targets some extensions of files to encrypt them as shown in figure below.
After encryption end it delete malware service “msupdate” as shown in figure below.
It adds extension called CRYPT as shown in figure2 below.
Encrypted data
It writes the ransom note "readme.txt" to every folder as shown in figure below.
Readme.txt
Malware Analyst : Mahmoud El Menshawy
Contact me : [email protected]
Linkedin:https://www.linkedin.com/in/mahmoudmorsy1/
Article Link: https://menshaway.blogspot.com/2021/04/ransomware-dearcry.html