- doejocrypt
- Samples analyzed (SHA-256):
- 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff,
- e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6,
- feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede
- The ransomware can run both as a Windows service and as a standalone executable. The first call in _main is StartServiceCtrlDispatcherA, which is required for service execution.
- When launched normally (not by the service control manager), that call fails with ERROR_FAILED_SERVICE_CONTROLLER_CONNECT, and the binary then calls the main encryption function directly.
- When running as a service, it disables the "msupdate" service and then calls the main encryption function.
- The main encryption function first hashes the embedded RSA key with MD5 and uses the result when generating readme.txt.
- Next it resolves the environment variables %WINDIR%, %TEMP% and %APPDATA% to obtain the directories it excludes from encryption.
- During file encryption, each encrypted file begins with the header "DEARCRY!" and is given the extension ".CRYPT".
- Precursor hunting queries (Microsoft Defender advanced hunting, KQL) based on the above:

```kql
// Query to detect the msupdate service install
// Author: James Quinn, Binary Defense
DeviceRegistryEvents
| where RegistryKey has "CurrentControlSet\\Services\\msupdate"
```

```kql
// Query to detect .CRYPT file writes
// Author: James Quinn, Binary Defense
DeviceFileEvents
| where FileName endswith ".CRYPT"
```

```kql
// Query to detect the possible msupdate service install
// Author: James Quinn, Binary Defense
DeviceEvents
| where ActionType == "ServiceInstalled"
| evaluate bag_unpack(AdditionalFields)
| where ServiceName =~ "msupdate"
```
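The three queries above can be checked offline before they are deployed. The following is an added example (not part of the paste and not the query author's code): it re-implements each rule in Python and runs it over constructed telemetry records shaped like the Defender advanced-hunting tables the queries read. Only the columns the rules touch are modelled; the device names, paths and event contents are made up, and KQL's term-based `has` is approximated by a case-insensitive substring test.

```python
"""Offline evaluation of the three msupdate / .CRYPT hunting rules.

Added example: the events below are constructed, and the matching functions
approximate the KQL operators (`has`, `endswith`, `=~`, `bag_unpack`) used in
the original queries.
"""
import json

# Constructed sample events: one matching and one non-matching record per rule.
SAMPLE_EVENTS = [
    {"Table": "DeviceRegistryEvents", "DeviceName": "ws01",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate"},
    {"Table": "DeviceRegistryEvents", "DeviceName": "ws01",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws02",
     "FileName": "budget.xlsx.CRYPT", "FolderPath": r"C:\Users\alice\Documents"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws02",
     "FileName": "budget.xlsx", "FolderPath": r"C:\Users\alice\Documents"},
    {"Table": "DeviceEvents", "DeviceName": "ws03", "ActionType": "ServiceInstalled",
     "AdditionalFields": json.dumps({"ServiceName": "MSUPDATE", "ServiceType": "Win32"})},
    {"Table": "DeviceEvents", "DeviceName": "ws03", "ActionType": "ServiceInstalled",
     "AdditionalFields": json.dumps({"ServiceName": "Sense"})},
]


def rule_msupdate_registry_key(ev):
    """DeviceRegistryEvents | where RegistryKey has "CurrentControlSet\\Services\\msupdate".

    KQL `has` is a case-insensitive term match; a case-insensitive substring
    test is used here as an approximation.
    """
    if ev.get("Table") != "DeviceRegistryEvents":
        return False
    return "currentcontrolset\\services\\msupdate" in ev.get("RegistryKey", "").lower()


def rule_crypt_file_write(ev):
    """DeviceFileEvents | where FileName endswith ".CRYPT" (endswith is case-insensitive)."""
    if ev.get("Table") != "DeviceFileEvents":
        return False
    return ev.get("FileName", "").lower().endswith(".crypt")


def rule_msupdate_service_installed(ev):
    """DeviceEvents | where ActionType == "ServiceInstalled"
    | evaluate bag_unpack(AdditionalFields) | where ServiceName =~ "msupdate".

    bag_unpack is modelled by parsing the JSON property bag; `=~` is
    case-insensitive equality. Malformed bags simply do not match.
    """
    if ev.get("Table") != "DeviceEvents" or ev.get("ActionType") != "ServiceInstalled":
        return False
    try:
        fields = json.loads(ev.get("AdditionalFields") or "{}")
    except json.JSONDecodeError:
        return False
    return str(fields.get("ServiceName", "")).lower() == "msupdate"


RULES = {
    "msupdate_registry_key": rule_msupdate_registry_key,
    "crypt_file_write": rule_crypt_file_write,
    "msupdate_service_installed": rule_msupdate_service_installed,
}


def run_rules(events):
    """Return (rule_name, DeviceName) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("DeviceName", "?")))
    return hits


if __name__ == "__main__":
    for name, device in run_rules(SAMPLE_EVENTS):
        print(f"{name}: {device}")
```

Each record matches at most one rule because the table name is part of the test; in a real tenant the registry and service-install rules will both fire for the same installation, which is useful for correlating the two signals on one host.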
- Targeted Extensions:
- ExtensionList:
- .TIF
- .TIFF
- .PDF
- .XLS
- .XLSX
- .XLTM
- .PS
- .PPS
- .PPT
- .PPTX
- .DOC
- .DOCX
- .LOG
- .MSG
- .RTF
- .TEX
- .TXT
- .CAD
- .WPS
- .EML
- .INI
- .CSS
- .HTM
- .HTML
- .XHTML
- .JS
- .JSP
- .PHP
- .KEYCHAIN
- .PEM
- .SQL
- .APK
- .APP
- .BAT
- .CGI
- .ASPX
- .CER
- .CFM
- .C
- .CPP
- .GO
- .CONFIG
- .PL
- .PY
- .DWG
- .XML
- .JPG
- .BMP
- .PNG
- .EXE
- .DLL
- .CAD
- .AVI
- .H
- .CSV
- .DAT
- .ISO
- .PST
- .PGD
- .7Z
- .RAR
- .ZIP
- .ZIPX
- .TAR
- .PDB
- .BIN
- .DB
- .MDB
- .MDF
- .BAK
- .LOG
- .EDB
- .STM
- .DBF
- .ORA
- .GPG
- .EDB
- .MFS
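The two on-disk indicators noted above (the "DEARCRY!" file header and the ".CRYPT" extension) together with the targeted extension list can be turned into a small host triage script. The following is an added example, not code from the paste: it builds a constructed directory tree, flags files on either indicator (checking both matters, since a renamed file loses the extension signal but keeps the header), and counts which targeted extensions the encrypted files originally had. The sample file names and contents are made up.

```python
"""Triage a directory tree for DearCry-style encrypted files.

Added example. Indicators come from the analysis notes: an 8-byte "DEARCRY!"
header and a ".CRYPT" extension. The sample tree is constructed in a temp dir.
"""
import os
import tempfile
from collections import Counter

DEARCRY_MAGIC = b"DEARCRY!"
CRYPT_EXT = ".CRYPT"

# Targeted extension list from the notes (the set removes the repeated entries).
TARGETED_EXTENSIONS = set("""
.TIF .TIFF .PDF .XLS .XLSX .XLTM .PS .PPS .PPT .PPTX .DOC .DOCX .LOG .MSG .RTF .TEX .TXT
.CAD .WPS .EML .INI .CSS .HTM .HTML .XHTML .JS .JSP .PHP .KEYCHAIN .PEM .SQL .APK .APP
.BAT .CGI .ASPX .CER .CFM .C .CPP .GO .CONFIG .PL .PY .DWG .XML .JPG .BMP .PNG .EXE .DLL
.AVI .H .CSV .DAT .ISO .PST .PGD .7Z .RAR .ZIP .ZIPX .TAR .PDB .BIN .DB .MDB .MDF .BAK
.EDB .STM .DBF .ORA .GPG .MFS
""".split())


def has_dearcry_header(path):
    """True if the file starts with the DEARCRY! magic; unreadable files are skipped."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(DEARCRY_MAGIC)) == DEARCRY_MAGIC
    except OSError:
        return False


def classify(path):
    """Return 'header+ext', 'header_only', 'ext_only', or None for a clean file."""
    by_ext = path.upper().endswith(CRYPT_EXT)
    by_hdr = has_dearcry_header(path)
    if by_hdr and by_ext:
        return "header+ext"
    if by_hdr:
        return "header_only"
    if by_ext:
        return "ext_only"
    return None


def original_extension(path):
    """Strip a trailing .CRYPT and return the extension the file had before, uppercased."""
    name = os.path.basename(path)
    if name.upper().endswith(CRYPT_EXT):
        name = name[:-len(CRYPT_EXT)]
    return os.path.splitext(name)[1].upper()


def triage(root):
    """Walk root and return sorted (relative path, indicator kind, original ext) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            kind = classify(full)
            if kind:
                findings.append((os.path.relpath(full, root), kind, original_extension(full)))
    return sorted(findings)


def summarize(findings):
    """Count of flagged files and how many of each targeted extension were hit."""
    ext_hits = Counter(ext for _, _, ext in findings if ext in TARGETED_EXTENSIONS)
    return {"encrypted_files": len(findings), "targeted_ext_counts": dict(ext_hits)}


def build_sample_tree():
    """Create a constructed tree: both indicators, extension only, header only, and clean files."""
    root = tempfile.mkdtemp(prefix="dearcry_triage_")
    samples = {
        "docs/report.docx.CRYPT": DEARCRY_MAGIC + b"\x00" * 32,   # header and extension
        "docs/notes.txt.CRYPT": b"plain text, renamed only",       # extension only
        "db/backup.bak": DEARCRY_MAGIC + b"\x01" * 16,             # header only (constructed)
        "docs/readme.txt": b"not encrypted",                       # clean
        "img/photo.jpg": b"\xff\xd8\xff\xe0",                      # clean
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, kind, ext in triage(sample_root):
        print(f"{kind:11} {ext:8} {rel}")
    print(summarize(triage(sample_root)))
```

The header check reads only eight bytes per file, so it is cheap enough to run across a whole share during scoping; the extension-only hits are worth a second look, since a ".CRYPT" name without the header is not what the encryption routine described above produces.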