MalwareQuinn

DoejoCrypt Analysis

Mar 12th, 2021 (edited)
2,427
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. doejocrypt
  2. Samples analyzed:
  3. 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff,
  4. e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6,
  5. feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede
  6.  
  7.  
  8. Ransomware seems to be able to be deployed as both a service and as an executable binary. The first function called in _main is StartServiceCtrlDispatcherA, which is necessary for service execution.
  9. In normal execution, this errors with "ERROR_FAILED_SERVICE_CONTROLLER_CONNECT". It then calls the Main Encryption function.
  10. In Service Execution, Disables the service "msupdate" and then call the Main Encryption function.
  11.  
  12. In the main encryption function, it first hashes the embedded RSA key with MD5, and then uses that to generate the readme.txt.
  13.  
  14. Next it resolves the following environment variables to get its exclusion directories: %WINDIR%, %TEMP%, %APPDATA%
  15.  
  16.  
  17. During File encryption, data starts with a header of "DEARCRY!". Encrypted files have the extension ".CRYPT"
  18.  
  19. precursor queries based on above info:
  20.  
  21.  
  22. // query to detect the msupdate service install
  23. // Author: James Quinn, Binary Defense
  24. DeviceRegistryEvents
  25. | where RegistryKey has "CurrentControlSet\\Services\\msupdate"
  26.  
  27. // Query to detect .crypt filewrite
  28. // Author: James Quinn, Binary Defense
  29. DeviceFileEvents
  30. | where FileName endswith ".CRYPT"
  31.  
  32. // Query to detect the possible msupdate service install
  33. // Author: James Quinn, Binary Defense
  34. DeviceEvents
  35. | where ActionType == "ServiceInstalled"
  36. | evaluate bag_unpack(AdditionalFields)
  37. | where ServiceName =~ "msupdate"
  38.  
  39.  
  40. Targeted Extensions:
  41. ExtensionList:
  42.  
  43. .TIF
  44. .TIFF
  45. .PDF
  46. .XLS
  47. .XLSX
  48. .XLTM
  49. .PS
  50. .PPS
  51. .PPT
  52. .PPTX
  53. .DOC
  54. .DOCX
  55. .LOG
  56. .MSG
  57. .RTF
  58. .TEX
  59. .TXT
  60. .CAD
  61. .WPS
  62. .EML
  63. .INI
  64. .CSS
  65. .HTM
  66. .HTML
  67. .XHTML
  68. .JS
  69. .JSP
  70. .PHP
  71. .KEYCHAIN
  72. .PEM
  73. .SQL
  74. .APK
  75. .APP
  76. .BAT
  77. .CGI
  78. .ASPX
  79. .CER
  80. .CFM
  81. .C
  82. .CPP
  83. .GO
  84. .CONFIG
  85. .PL
  86. .PY
  87. .DWG
  88. .XML
  89. .JPG
  90. .BMP
  91. .PNG
  92. .EXE
  93. .DLL
  94. .CAD
  95. .AVI
  96. .H
  97. .CSV
  98. .DAT
  99. .ISO
  100. .PST
  101. .PGD
  102. .7Z
  103. .RAR
  104. .ZIP
  105. .ZIPX
  106. .TAR
  107. .PDB
  108. .BIN
  109. .DB
  110. .MDB
  111. .MDF
  112. .BAK
  113. .LOG
  114. .EDB
  115. .STM
  116. .DBF
  117. .ORA
  118. .GPG
  119. .EDB
  120. .MFS
  121.  
RAW Paste Data