- There are a number of files and folders WannaCrypt will avoid.
- Some are skipped because encrypting them would be entirely pointless, others because it might destabilize the system.
- During scans, it searches each path for the following strings and skips the path if any is present.
- "Content.IE5"
- "Temporary Internet Files"
- " This folder protects against ransomware. Modifying it will reduce protection"
- "\Local Settings\Temp"
- "\AppData\Local\Temp"
- "\Program Files (x86)"
- "\Program Files"
- "\WINDOWS"
- "\ProgramData"
- "\Intel"
- "$\"
- The strange-looking folder name referring to ransomware was probably used during tests,
- or perhaps the authors left it behind by accident.
- Naturally, it avoids encrypting itself and skips the following.
- @Please_Read_Me@.txt
- @WanaDecryptor@.exe.lnk
- @WanaDecryptor@.bmp
- It will also skip files that have extensions: .DLL, .EXE, .WNCRY and .WNCRYT
- For everything else, there are 2 tables with file extensions it checks,
- the first and default list consists of
- .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg,
- .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf,
- .dwg, .onetoc2, .snt, .jpeg, .jpg
- The other is a much more extensive list, but is not used by the sample
- I have.
- It's not clear what the purpose of multiple file extension tables is, but perhaps
- the ransomware uses a library or framework that can be tweaked for specific targets.
- .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc,
- .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb,
- .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes,
- .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup,
- .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai,
- .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov,
- .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class,
- .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs,
- .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf,
- .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb,
- .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd,
- .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds,
- .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
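
For incident scoping, the rules above can be applied to a file inventory from an affected host. The following is an added example, not code from the sample or from the original notes: it labels each path as a WannaCrypt artifact, skipped, or at risk under the default table. Case-insensitive matching and the names `classify`, `triage` and `SAMPLE` are assumptions of this example.

```python
from collections import Counter
from pathlib import PureWindowsPath

# All strings come from the notes above. Case-insensitive matching is an assumption.
SKIP_PATH_STRINGS = [s.lower() for s in (
    "Content.IE5", "Temporary Internet Files",
    " This folder protects against ransomware. Modifying it will reduce protection",
    "\\Local Settings\\Temp", "\\AppData\\Local\\Temp", "\\Program Files (x86)",
    "\\Program Files", "\\WINDOWS", "\\ProgramData", "\\Intel", "$\\",
)]
ARTIFACT_NAMES = {"@please_read_me@.txt", "@wanadecryptor@.exe.lnk", "@wanadecryptor@.bmp"}
ARTIFACT_EXTS = {".wncry", ".wncryt"}
SKIP_EXTS = {".dll", ".exe"}
DEFAULT_EXTS = set(
    ".doc .docx .xls .xlsx .ppt .pptx .pst .ost .msg .eml .vsd .vsdx .txt .csv "
    ".rtf .123 .wks .wk1 .pdf .dwg .onetoc2 .snt .jpeg .jpg".split()
)

def classify(path: str) -> str:
    """Label one Windows path taken from a file inventory."""
    p = PureWindowsPath(path)
    name, ext = p.name.lower(), p.suffix.lower()
    if name in ARTIFACT_NAMES or ext in ARTIFACT_EXTS:
        return "artifact"    # file left by the malware: evidence of infection
    if any(s in path.lower() for s in SKIP_PATH_STRINGS) or ext in SKIP_EXTS:
        return "skipped"     # excluded by a path string or by extension
    if ext in DEFAULT_EXTS:
        return "at-risk"     # extension appears in the default table
    return "not-listed"      # extension is not in the default table

def triage(paths):
    """Count labels over an inventory to estimate the scope of an incident."""
    return Counter(classify(p) for p in paths)

# Constructed sample inventory, not taken from a real host.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.WNCRY",
    r"C:\Users\alice\Desktop\@Please_Read_Me@.txt",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Program Files\App\readme.txt",
    r"C:\Users\alice\Downloads\tool.exe",
    r"C:\Users\alice\Pictures\photo.png",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print(f"{classify(path):<11} {path}")
    print(dict(triage(SAMPLE)))
```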