This program decrypts the RSA private key, which is used for encryption, via the MasterRSA private key. In each folder, a #DECRYPTMYFILES#.html file is created, which is empty by default. Then an id.dp file is created in the same directory as the program to save information, which may be used to identify attackers. Files with the extension of dp respectively record whether the program successfully runs as admin and whether file encryption is complete. In %APPDATA%\DP, the program copies itself. The part in the red frame is the public key in plain text. The code shown in the following figure begins with the private key encrypted with RSA. The th file is dropped to C:\Users\xxx\Documents or C:\ProgramFiles(x86)\DP for saving RSA keys used for encrypting files. For this reason, in the analysis, we modified the code to avoid the decryption failure.Īfter the encryption is complete, the following file is dropped: Note: When encrypting the private key, the original code splices character strings, which may cause key decryption to fail. Therefore, it may be used for encrypting network shared files.
Though the newview and newuser commands are executed, this function is not used. The ransomware contains the GetNetwork function. The ransomware preferentially encrypts the database directory.īesides, it skips system and browser directories. If a file to be encrypted is larger than 64 KB, the program will encrypt only its end otherwise, it will encrypt the entire file. After that, it uploads the encryption information and displays the ransom file at %APPDATA%/DP/welldone.dp. The program uses CMD command parameters to delete volume shadow backups.Īfter obtaining disk information, the program begins to encrypt local files. The program copies itself to %APPDATA%/DP/DP_Main.exe, and modifies the registry for automatic running at startup. 2.2 Self Copy and Automatic Running at Startup
0 kommentar(er)
