🦑Finally, the three processed parts of data are encoded using a modified Base64:
The standard Base64 table is:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
The virus's modified Base64 table is:
ABCDEFGHIJKLMNOPQRSTUVWXYZ+=0123456789abcdefghijklmnopqrstuvwxyz
Before encrypting a file, the virus uses rdtsc to generate 0x30 bytes of random key data per file, in two parts (0x10 + 0x20 bytes).
The 0x20-byte part is used first as an RC4 key to encrypt the file name.
The RC4-encrypted file name is then encoded with the non-standard Base64 table, and the resulting string becomes the file's new name after encryption. For example, the file cef_100_percent.pak shown in the figure below is renamed to iDQbLSy99iHpsRqiT2f7kwmrQhhHKOcKFaq5TnhlZgEX5gLATUo.cov
File content is encrypted with AES-256 in CBC mode: the 0x10-byte part serves as the IV, and the same 0x20-byte random data is reused as the key.
After the file content is encrypted, the 0x30 bytes of random key data are concatenated, encrypted with the locally generated RSA-512 public key, and appended to the end of the file. The RSA-512 private key is itself encrypted with the hard-coded RSA-2048 public key, Zlib-compressed, Base64-encoded and stored in the ransom note; its plaintext is never available, so the encrypted files cannot be decrypted without the private key.
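The modified table above and the file-name step, as an added example (not code from the analysis or the sample): a codec for the virus's Base64 alphabet built by translating standard Base64, plus a helper that recovers how many ciphertext bytes a renamed file's stem carries. The ".cov" extension handling and the no-padding behaviour are assumptions taken from the single renamed file quoted in the analysis.

```python
import base64

STD_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/")
# Table as printed in the analysis: '+' and '=' take slots 26 and 27 (where
# 'a' and 'b' normally sit), digits shift to 28..37, lowercase fills 38..63.
MOD_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "+=0123456789abcdefghijklmnopqrstuvwxyz")
assert len(MOD_ALPHABET) == 64 and len(set(MOD_ALPHABET)) == 64

_STD_TO_MOD = str.maketrans(STD_ALPHABET, MOD_ALPHABET)
_MOD_TO_STD = str.maketrans(MOD_ALPHABET, STD_ALPHABET)

def mod_b64encode(data: bytes) -> str:
    """Encode with the modified table by translating standard Base64 output.
    Padding is dropped: '=' is a data symbol here, and the renamed file in the
    analysis carries no pad characters (assumption: the sample emits none)."""
    std = base64.b64encode(data).decode("ascii").rstrip("=")
    return std.translate(_STD_TO_MOD)

def mod_b64decode(text: str) -> bytes:
    """Decode a modified-table string. Translation to the standard alphabet
    happens *before* padding is restored, so a '=' in the input is data
    (value 27), not a pad character. Invalid symbols raise binascii.Error."""
    std = text.translate(_MOD_TO_STD)
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)

def encrypted_name_length(new_name: str, ext: str = ".cov") -> int:
    """Number of ciphertext bytes encoded in a renamed file's stem. RC4 is a
    stream cipher and preserves length, so this is also the byte length of
    the original file name as the sample processed it."""
    stem = new_name[:-len(ext)] if ext and new_name.endswith(ext) else new_name
    return len(mod_b64decode(stem))

# Renamed file quoted in the analysis: 51 symbols -> 38 bytes. The original
# name cef_100_percent.pak is 19 characters, i.e. 38 bytes as UTF-16, which
# is consistent with a wide-character name being encrypted (an inference from
# the numbers, not something the analysis states).
OBSERVED = "iDQbLSy99iHpsRqiT2f7kwmrQhhHKOcKFaq5TnhlZgEX5gLATUo.cov"

if __name__ == "__main__":
    print(encrypted_name_length(OBSERVED))              # 38
    print(mod_b64encode(b"\x69"), mod_b64decode("+Q"))  # +Q b'i'
```

Decoding the stem only yields RC4 ciphertext; the original name is not recoverable without the per-file key that is wrapped by RSA at the end of the file.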
🦑Other behavior analysis
The author of the virus is suspected to be from a Russian-speaking country: encryption is skipped for the following region codes: 0x7 (Russia), 0x177 (Belarus), 0x17C (Ukraine).
The virus targets a large list of file extensions, covering almost all data file types:
The virus deletes system backups and volume shadow copies, so encrypted files cannot be recovered with file-recovery tools. Large numbers of files across the system end up encrypted under names of the form "garbled.Cov19", and the virus also resets each file's modification time to prevent the time-dependent random key generation parameters from being brute-forced.
> In the actual attack environment, tools left behind by the attacker were also found, such as processhacker (a security analysis tool) and NetworkShare v.2.exe (a network share scanner), which shows that the attacker is not satisfied with encrypting only one machine and will also try to scan and attack other machines in the LAN to expand the results.
🦑 This ransomware is for learning, don't use it for illegal purposes☠️
- don't clone our tutorials 👿