There are a number of files and folders wannacrypt will avoid.
Some because it's entirely pointless and others because it might destabilize the system.
During scans, it will search the path for the following strings and skip the file if any is present.

"Content.IE5"
"Temporary Internet Files"
" This folder protects against ransomware. Modifying it will reduce protection"
"\Local Settings\Temp"
"\AppData\Local\Temp"
"\Program Files (x86)"
"\Program Files"
"\WINDOWS"
"\ProgramData"
"\Intel"
"$\"

The strange-looking folder name referring to ransomware was probably used during tests,
or perhaps the authors left it behind by accident.

Naturally, it will avoid encrypting itself and skips the following.

@[email protected]
@[email protected]
@[email protected]

It will also skip files that have the extensions .DLL, .EXE, .WNCRY and .WNCRYT.

For everything else, there are 2 tables of file extensions it checks.
The first and default list consists of

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg,
.eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf,
.dwg, .onetoc2, .snt, .jpeg, .jpg

The other is a much more extensive list, but is not used by the sample
I have.

It's not clear what the purpose of multiple extension tables is, but perhaps
the ransomware uses a library or framework that can be tweaked for specific targets.

.docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc,
.xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb,
.hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes,
.ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup,
.iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai,
.svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov,
.avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class,
.jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs,
.ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf,
.ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb,
.sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd,
.otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds,
.uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
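
For incident scoping, the skip rules and default table above can be applied to a file listing from an affected host to estimate which files were within reach of this sample. This is an added example, not code from the malware or from the original paste. It assumes case-insensitive substring matching, uses a constructed sample listing, and leaves out the three self-name entries because they are not legible on the page.

```python
import ntpath

# Path substrings, copied from the page's skip list.
SKIP_PATH_STRINGS = [
    "Content.IE5", "Temporary Internet Files",
    " This folder protects against ransomware. Modifying it will reduce protection",
    "\\Local Settings\\Temp", "\\AppData\\Local\\Temp",
    "\\Program Files (x86)", "\\Program Files", "\\WINDOWS",
    "\\ProgramData", "\\Intel", "$\\",
]
SKIP_EXTENSIONS = {".dll", ".exe", ".wncry", ".wncryt"}
# First (default) extension table from the page.
DEFAULT_EXTENSIONS = set("""
.doc .docx .xls .xlsx .ppt .pptx .pst .ost .msg .eml .vsd .vsdx .txt .csv
.rtf .123 .wks .wk1 .pdf .dwg .onetoc2 .snt .jpeg .jpg
""".split())

def classify(path):
    """Return (verdict, reason) for one Windows path string."""
    lowered = path.lower()  # assumption: matching is case-insensitive
    for needle in SKIP_PATH_STRINGS:
        if needle.lower() in lowered:
            return ("skipped", "path contains " + needle)
    ext = ntpath.splitext(lowered)[1]
    if ext in SKIP_EXTENSIONS:
        return ("skipped", "extension " + ext)
    if ext in DEFAULT_EXTENSIONS:
        return ("in-scope", "default table extension " + ext)
    return ("not-listed", "extension not in default table")

def summarize(paths):
    """Count verdicts over a file listing."""
    counts = {"skipped": 0, "in-scope": 0, "not-listed": 0}
    for p in paths:
        counts[classify(p)[0]] += 1
    return counts

# Constructed sample listing (not from any real host).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\AppData\Local\Temp\report.doc",
    r"C:\Program Files (x86)\App\readme.txt",
    r"D:\Shares\finance\q1.pdf",
    r"D:\Shares\tools\setup.exe",
    r"D:\Shares\media\clip.mp4",
    r"\\fileserver\C$\data\notes.txt",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(classify(p)[0].ljust(10), p)
    print(summarize(SAMPLE))
```

Files reported as "not-listed" only fall outside the default table; a build using the second, larger table would cover many of them.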