Analysis of Dcry Ransomware
Recently @malwrhunterteam discovered a ransomware called as Dcry Ransomware with file name "Paypalfree.apk" which infects Android devices. In this blog, I will take you through the analysis of Dcry Ransomware sample.
Once launched, the ransomware checks if it's a first run of the app. Depending on the check it performs other functions.
On the first run, username and password gets generated and stored as userInfo in shared preferences with random values assigned to it.
After that, a POST request is sent to the C2 server containing the generated username and password of the infected host. Later, a service gets started and the value of first run is set to false.
The files gets encrypted by using AES with a random 32 length generated encryption key which is stored in shared preferences.
.Dcry extension gets appended to all the files after the encryption process and a wallpaper is set with a ransom note.
|Wallpaper with Ransom Note|
Delete on Boot:
delonboot service is started so that if the phone reboots all the encrypted files will be deleted permanently.
A launcher starts which shows a decryption interface where it asks for a key to decrypt file along with a ransom note. Depending on the input of the key length different messages are shown.