DoejoCrypt Analysis

doejocrypt
Samples analyzed:
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff,
e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6,
feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede


Ransomware seems to be able to be deployed as both a service and as an executable binary.  The first function called in _main is StartServiceCtrlDispatcherA, which is necessary for service execution.
In normal execution, this errors with "ERROR_FAILED_SERVICE_CONTROLLER_CONNECT".  It then calls the Main Encryption function.
In Service Execution, Disables the service "msupdate" and then call the Main Encryption function.

In the main encryption function, it first hashes the embedded RSA key with MD5, and then uses that to generate the readme.txt.

Next it resolves the following environment variables to get its exclusion directories: %WINDIR%, %TEMP%, %APPDATA%


During File encryption, data starts with a header of "DEARCRY!".  Encrypted files have the extension ".CRYPT"

precursor queries based on above info:


// query to detect the msupdate service install
// Author: James Quinn, Binary Defense
DeviceRegistryEvents
| where RegistryKey has "CurrentControlSet\\Services\\msupdate"

// Query to detect .crypt filewrite
// Author: James Quinn, Binary Defense
DeviceFileEvents
| where FileName endswith ".CRYPT"

// Query to detect the possible msupdate service install
// Author: James Quinn, Binary Defense
DeviceEvents
| where ActionType == "ServiceInstalled"
| evaluate bag_unpack(AdditionalFields)
| where ServiceName =~ "msupdate"


Targeted Extensions:
ExtensionList:

.TIF
.TIFF
.PDF
.XLS
.XLSX
.XLTM
.PS
.PPS
.PPT
.PPTX
.DOC
.DOCX
.LOG
.MSG
.RTF
.TEX
.TXT
.CAD
.WPS
.EML
.INI
.CSS
.HTM
.HTML
.XHTML
.JS
.JSP
.PHP
.KEYCHAIN
.PEM
.SQL
.APK
.APP
.BAT
.CGI
.ASPX
.CER
.CFM
.C
.CPP
.GO
.CONFIG
.PL
.PY
.DWG
.XML
.JPG
.BMP
.PNG
.EXE
.DLL
.CAD
.AVI
.H
.CSV
.DAT
.ISO
.PST
.PGD
.7Z
.RAR
.ZIP
.ZIPX
.TAR
.PDB
.BIN
.DB
.MDB
.MDF
.BAK
.LOG
.EDB
.STM
.DBF
.ORA
.GPG
.EDB
.MFS