Technical details of Ransomware DearCry
The following table lists the artifacts analyzed in this document.
DearCry is ransomware that encrypts files on a device and demands a ransom in exchange for decryption.
It gets the current system date and time, as shown in the figure below.
It creates and starts a new service called msupdate, as shown in the figure below.
It generates a key identifier, “d37fc1eabc6783a418d23a8d2ba5db5a”, as shown in the figure below. This hash is placed in the ransom note once the ransomware has finished encrypting files.
It pushes two strings used for contacting the attacker, as shown in the figure below, together with the opening line of the ransom note:
Your file has been encrypted!
It gets the Windows directory path (C:\Windows), as shown in the figure below.
It gets the paths of the Temp, APPDATA and PROGRAMFILES directories and stores them in an array, as shown in the figure below.
It loads a hardcoded public key, as shown in the figure below.
It references strings showing that the encryption of the target system's user files is implemented with the OpenSSL library, as shown in the figure below:
assertion failed: bl <= (int)sizeof(ctx->buf)
assertion failed: b <= sizeof ctx->buf
assertion failed: b <= sizeof ctx->final
assertion failed: EVP_CIPHER_CTX_iv_length(ctx) <= (int)sizeof(ctx->iv)
assertion failed: ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || ctx->cipher->block_size == 16
secure memory buffer
NEW CERTIFICATE REQUEST
RSA PUBLIC KEY
X9.42 DH PARAMETERS
assertion failed: l <= sizeof(c->iv)
assertion failed: j <= sizeof(c->iv)
called a function that was disabled at compile-time
passed a null parameter
called a function you should not call
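The strings above are a useful static triage signal: OpenSSL's EVP assertion messages and PEM type names normally appear inside a sample only when OpenSSL was compiled and linked into the binary rather than loaded from a separate DLL. The following Python script is an added example, not code from the original analysis. It checks a sample for those strings, for the key identifier d37fc1eabc6783a418d23a8d2ba5db5a, and for a PEM-encoded RSA public key. That the hardcoded key is stored as a PEM block with the "RSA PUBLIC KEY" type name, and the three-hit threshold for reporting OpenSSL as linked, are assumptions of the example; the sample bytes are constructed and the key body in them is a placeholder, not the real key.

```python
import re

# OpenSSL strings listed in the analysis above. The assertion messages come
# from OpenSSL's EVP cipher code; the rest are PEM type names and error
# strings. Their presence points at OpenSSL being built into the binary.
OPENSSL_INDICATORS = [
    b"assertion failed: bl <= (int)sizeof(ctx->buf)",
    b"assertion failed: b <= sizeof ctx->buf",
    b"assertion failed: b <= sizeof ctx->final",
    b"assertion failed: EVP_CIPHER_CTX_iv_length(ctx) <= (int)sizeof(ctx->iv)",
    b"assertion failed: l <= sizeof(c->iv)",
    b"secure memory buffer",
    b"NEW CERTIFICATE REQUEST",
    b"RSA PUBLIC KEY",
    b"X9.42 DH PARAMETERS",
    b"called a function that was disabled at compile-time",
    b"called a function you should not call",
]

# Key identifier reported in the analysis above.
KEY_ID = b"d37fc1eabc6783a418d23a8d2ba5db5a"

# "RSA PUBLIC KEY" is the PEM type name OpenSSL uses for PKCS#1 public keys.
# Assumption of this example: the hardcoded key is stored as a PEM block.
PEM_RE = re.compile(
    rb"-----BEGIN RSA PUBLIC KEY-----\s*(.*?)\s*-----END RSA PUBLIC KEY-----",
    re.S,
)


def scan_sample(data: bytes, min_hits: int = 3) -> dict:
    """Report which OpenSSL indicator strings a binary contains, whether the
    key identifier is embedded, and the base64 body of any PEM RSA public key.
    min_hits is a heuristic threshold for calling OpenSSL linked in."""
    hits = [s.decode() for s in OPENSSL_INDICATORS if s in data]
    pem = PEM_RE.search(data)
    return {
        "openssl_hits": hits,
        "openssl_linked": len(hits) >= min_hits,
        "key_id_present": KEY_ID in data,
        "rsa_public_key_b64": pem.group(1).decode() if pem else None,
    }


# Constructed stand-in for a sample's data section (not real sample bytes).
# The key body is a placeholder, not the sample's real key.
CONSTRUCTED_SAMPLE = (
    b"\x00" * 32
    + b"assertion failed: bl <= (int)sizeof(ctx->buf)\x00"
    + b"RSA PUBLIC KEY\x00"
    + b"X9.42 DH PARAMETERS\x00"
    + b"-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAplaceholder==\n-----END RSA PUBLIC KEY-----\n"
    + b"\x00" * 8
    + KEY_ID
    + b"\x00" * 32
)

if __name__ == "__main__":
    for key, value in scan_sample(CONSTRUCTED_SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a real sample with `scan_sample(open(path, "rb").read())`. The string check is deliberately exact-match: if a build strips or changes these messages the hit count drops, so treat a low count as "unknown" rather than "no OpenSSL".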
It enumerates the logical drives, as shown in the figure below.
It gets the type of each drive, as shown in the figure below.
It searches the machine for files and then starts encrypting them using RSA, as shown in the figure below.
It targets specific file extensions for encryption, as shown in the figure below.
After encryption finishes, it deletes its own service, “msupdate”, as shown in the figure below.
It appends the extension .CRYPT to each encrypted file, as shown in figure 2 below.
It writes the ransom note "readme.txt" to every folder, as shown in the figure below.
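The sequence above (enumerate drives, encrypt matching files, append .CRYPT, drop readme.txt in every folder, delete the msupdate service) leaves artifacts a responder can hunt for. The following Python script is an added example, not code from the original analysis. It walks a directory tree for .CRYPT files and readme.txt notes containing the string "Your file has been encrypted!", pulls any 32-hex-character hash out of those notes, and on Windows checks whether the msupdate service is still installed. The directory tree it scans is constructed for the demo; the file names and the note wording beyond the marker string and the hash are made up. Because the sample removes its service once encryption is done, the service check only helps early in an incident, while the file-system artifacts persist.

```python
import os
import platform
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Artifacts described in the analysis above.
ENCRYPTED_EXT = ".CRYPT"
NOTE_NAME = "readme.txt"
NOTE_MARKER = "Your file has been encrypted!"
SERVICE_NAME = "msupdate"
# The key identifier is 32 hex characters; this pattern pulls it out of a note.
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b")


def triage_tree(root: str) -> dict:
    """Walk root and collect encrypted files (.CRYPT), ransom notes
    (readme.txt containing the marker string) and the hashes found in them."""
    encrypted, notes, hashes = [], [], set()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            if name.upper().endswith(ENCRYPTED_EXT):
                encrypted.append(str(path))
            elif name.lower() == NOTE_NAME:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue  # unreadable note: skip it rather than abort the scan
                if NOTE_MARKER in text:
                    notes.append(str(path))
                    hashes.update(HASH_RE.findall(text))
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "note_hashes": sorted(hashes),
    }


def service_present(name: str = SERVICE_NAME) -> Optional[bool]:
    """Windows only: True if `sc query <name>` succeeds, i.e. the service is
    installed; None on other platforms. The sample deletes its service after
    encryption, so absence does not clear the host."""
    if platform.system() != "Windows":
        return None
    result = subprocess.run(["sc", "query", name], capture_output=True)
    return result.returncode == 0


def build_constructed_tree() -> str:
    """Constructed directory tree imitating a host after the ransomware ran.
    Names and the benign readme are made up for the demo; only the marker
    string and the hash come from the analysis."""
    root = tempfile.mkdtemp(prefix="dearcry-demo-")
    docs = Path(root, "Users", "alice", "Documents")
    docs.mkdir(parents=True)
    (docs / "budget.xlsx.CRYPT").write_bytes(b"\x00" * 64)
    (docs / "report.docx.CRYPT").write_bytes(b"\x00" * 64)
    (docs / NOTE_NAME).write_text(NOTE_MARKER + "\nd37fc1eabc6783a418d23a8d2ba5db5a\n")
    # A benign readme.txt must not be reported as a ransom note.
    tool = Path(root, "Program Files", "tool")
    tool.mkdir(parents=True)
    (tool / NOTE_NAME).write_text("Installation instructions\n")
    (tool / "tool.exe").write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    report = triage_tree(build_constructed_tree())
    print(f"encrypted files: {len(report['encrypted_files'])}")
    print(f"ransom notes:    {len(report['ransom_notes'])}")
    print(f"hashes in notes: {report['note_hashes']}")
    print(f"{SERVICE_NAME} service present: {service_present()}")
```

On a real host, point `triage_tree` at each drive root reported by the drive enumeration step; a note is only counted when it carries the marker string, so ordinary readme.txt files are not reported.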
Malware Analyst: Mahmoud El Menshawy
Contact me: [email protected]