🦑The sample then generates a local RSA-512 key pair, exports the private key (N, D), concatenates the two values and saves the result for later use.
> The hard-coded RSA-2048 public key found in the decompressed configuration is then used to encrypt this RSA-512 private key; the resulting ciphertext is processed further as described below.
🦑Once the RSA-512 private key has been encrypted, the following three steps are performed on the ciphertext:
> Compute the length of the encrypted RSA-512 private key and store it (see figure; Offset: 0x0, Size: 0x8);
> Compute a CRC32 over the encrypted RSA-512 private key and store the hash (see figure; Offset: 0x8, Size: 0x4);
> Compress the encrypted RSA-512 private key with zlib at level 2, strip the 2-byte zlib header from the front of the output and the trailing 5 bytes from its end, and store what remains (Offset: 0xC, Size: the compressed size).
🦑Finally, the three processed parts are encoded with a modified Base64:
The standard Base64 table is:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
The table used by the virus is:
ABCDEFGHIJKLMNOPQRSTUVWXYZ+=0123456789abcdefghijklmnopqrstuvwxyz
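The following Python is an added example, not code from this analysis or from the sample, that reproduces the three-part record and the modified alphabet described above so that a responder can unpack the blob found in a ransom note and check its integrity fields. It assumes the 8-byte length and 4-byte CRC32 are little-endian, and it models the stripped zlib envelope as a raw DEFLATE stream (`wbits=-15`), which corresponds to dropping the 2-byte header and the 4-byte Adler-32 trailer; the fifth trailing byte the write-up mentions is not modelled. Because `=` is a data symbol in the modified table, the code assumes no padding is emitted. `SAMPLE_ENCRYPTED_KEY` is a constructed stand-in for the 256-byte RSA-2048 ciphertext.

```python
import base64
import struct
import zlib

# Alphabets as listed in the write-up above.
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MOD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ+=0123456789abcdefghijklmnopqrstuvwxyz"
_TO_MOD = bytes.maketrans(STD_ALPHABET, MOD_ALPHABET)
_TO_STD = bytes.maketrans(MOD_ALPHABET, STD_ALPHABET)


def custom_b64encode(data: bytes) -> str:
    """Standard Base64, then remap every symbol into the modified table.
    Padding is dropped before remapping because '=' is a data symbol in the
    modified table (no-padding is an assumption; the write-up does not say)."""
    std = base64.b64encode(data).rstrip(b"=")
    return std.translate(_TO_MOD).decode("ascii")


def custom_b64decode(text: str) -> bytes:
    """Inverse: remap back to the standard table, restore padding, decode.
    validate=True rejects any character outside the modified alphabet."""
    std = text.encode("ascii").translate(_TO_STD)
    std += b"=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def pack_key_record(encrypted_key: bytes) -> bytes:
    """Build the three-part record: u64 length @0x0, u32 CRC32 @0x8,
    compressed body @0xC (little-endian integers are an assumption)."""
    comp = zlib.compressobj(level=2, wbits=-15)  # raw DEFLATE: no zlib header/trailer
    body = comp.compress(encrypted_key) + comp.flush()
    header = struct.pack("<QI", len(encrypted_key), zlib.crc32(encrypted_key))
    return header + body


def parse_key_record(record: bytes) -> bytes:
    """Unpack a record and verify it against its own length and CRC32 fields."""
    if len(record) < 0xC:
        raise ValueError("record shorter than its 12-byte header")
    length, crc = struct.unpack_from("<QI", record, 0)
    body = zlib.decompress(record[0xC:], wbits=-15)
    if len(body) != length:
        raise ValueError(f"length mismatch: header says {length}, got {len(body)}")
    if zlib.crc32(body) != crc:
        raise ValueError("CRC32 mismatch: record is corrupt or was tampered with")
    return body


def encode_for_note(encrypted_key: bytes) -> str:
    """Full path to the string that ends up in the ransom note."""
    return custom_b64encode(pack_key_record(encrypted_key))


def decode_from_note(text: str) -> bytes:
    """Recover the RSA-2048 ciphertext of the RSA-512 private key from the note.
    Opening it still requires the RSA-2048 private key, which only the author holds."""
    return parse_key_record(custom_b64decode(text))


# Constructed stand-in for the 256-byte RSA-2048 ciphertext; not from a real sample.
SAMPLE_ENCRYPTED_KEY = bytes((i * 37 + 11) & 0xFF for i in range(256))

if __name__ == "__main__":
    note = encode_for_note(SAMPLE_ENCRYPTED_KEY)
    print(note)
    assert decode_from_note(note) == SAMPLE_ENCRYPTED_KEY
```

The CRC32 and length fields give a responder a cheap way to tell a transcription error in a ransom note apart from a genuinely unusable key blob: if `parse_key_record` raises, the text was copied wrongly, not encrypted differently.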
Before the virus encrypts a file, it uses rdtsc to generate 0x30 bytes of random key material for that file, in two parts (0x10 + 0x20 bytes).
The 0x20-byte part is used first, as an RC4 key to encrypt the file name.
The RC4-encrypted file name is then encoded with the non-standard Base64 above, and the resulting string becomes the file's new name after encryption. For example, the file cef_100_percent.pak in the figure is renamed to iDQbLSy99iHpsRqiT2f7kwmrQhhHKOcKFaq5TnhlZgEX5gLATUo.cov
File content is encrypted with AES-256 in CBC mode: the 0x10-byte part is reused as the IV and the 0x20-byte part as the key.
After the content has been encrypted, the 0x30 bytes of random data are encrypted with the locally generated RSA-512 public key and appended to the end of the file. Because the RSA-512 private key is stored in the ransom note only as zlib-compressed, Base64-encoded ciphertext produced with the hard-coded RSA-2048 public key, its plaintext cannot be recovered from the victim machine, so the encrypted file cannot be decrypted without the matching RSA-2048 private key.
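As an added example (not code from the analysis or the sample), the following Python reproduces the per-file name derivation described above and its reverse, so that original file names can be restored from the renamed files once the per-file keys become available, and it shows how an encrypted file splits into its AES body and the appended RSA-512 key block. Assumptions not stated on the page: the file name is RC4-encrypted as UTF-16LE (this is what makes the 19-character example name come out at the observed 51 symbols), the modified Base64 uses no padding, and the RSA-512 ciphertext is a single 64-byte block (the modulus size). `SAMPLE_MATERIAL` is constructed, and AES-256-CBC decryption of the body is not performed, since the IV and key can only be obtained from the RSA-512-wrapped block.

```python
import base64

# Modified alphabet from the write-up, remapped from standard Base64.
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MOD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ+=0123456789abcdefghijklmnopqrstuvwxyz"
_TO_MOD = bytes.maketrans(STD_ALPHABET, MOD_ALPHABET)
_TO_STD = bytes.maketrans(MOD_ALPHABET, STD_ALPHABET)

EXTENSION = ".cov"              # from the renamed example on the page
IV_LEN, KEY_LEN = 0x10, 0x20    # the two parts of the 0x30-byte per-file material
RSA512_BLOCK_LEN = 64           # assumption: one RSA-512 ciphertext = modulus size


def custom_b64encode(data: bytes) -> str:
    return base64.b64encode(data).rstrip(b"=").translate(_TO_MOD).decode("ascii")


def custom_b64decode(text: str) -> bytes:
    std = text.encode("ascii").translate(_TO_STD)
    return base64.b64decode(std + b"=" * (-len(std) % 4), validate=True)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the keystream is XORed, so one call both
    encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_file_material(material: bytes) -> tuple:
    """Split the 0x30 random bytes into (AES IV, AES key) as the page describes."""
    if len(material) != IV_LEN + KEY_LEN:
        raise ValueError("expected 0x30 bytes of per-file key material")
    return material[:IV_LEN], material[IV_LEN:]


def renamed_filename(original: str, file_key: bytes) -> str:
    """Name derivation from the write-up: RC4 with the 0x20-byte key, then the
    modified Base64, then the extension. UTF-16LE encoding is an assumption."""
    return custom_b64encode(rc4(file_key, original.encode("utf-16-le"))) + EXTENSION


def recover_filename(renamed: str, file_key: bytes) -> str:
    """Reverse the derivation once the per-file key is known, restoring the
    original name."""
    if not renamed.endswith(EXTENSION):
        raise ValueError("not a renamed file: missing extension")
    ciphertext = custom_b64decode(renamed[: -len(EXTENSION)])
    return rc4(file_key, ciphertext).decode("utf-16-le")


def split_encrypted_file(blob: bytes) -> tuple:
    """Separate an encrypted file into (AES-256-CBC body, RSA-512-wrapped key
    block appended at the end). Opening the block needs the per-victim RSA-512
    private key, so the body is left encrypted here."""
    if len(blob) < RSA512_BLOCK_LEN:
        raise ValueError("file too short to carry an appended key block")
    return blob[:-RSA512_BLOCK_LEN], blob[-RSA512_BLOCK_LEN:]


# Constructed per-file material and file name; not taken from a real sample.
SAMPLE_MATERIAL = bytes((i * 73 + 5) & 0xFF for i in range(0x30))
SAMPLE_NAME = "cef_100_percent.pak"

if __name__ == "__main__":
    iv, key = split_file_material(SAMPLE_MATERIAL)
    new_name = renamed_filename(SAMPLE_NAME, key)
    print(new_name, "->", recover_filename(new_name, key))
```

Note that the name recovery needs only the 0x20-byte RC4 key, which lives inside the same RSA-512-wrapped block as the AES key, so file names and contents become recoverable together, never separately.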
🦑Other behavior analysis
The author of the virus is suspected to be from a Russian-speaking country: the encryption routine skips machines in the following regions: 0x7 (Russia), 0x177 (Belarus), 0x17C (Ukraine).