Analysis of Dcry Ransomware

Dcry Ransomware

Introduction:

    Recently @malwrhunterteam discovered a ransomware called as Dcry Ransomware with file name "Paypalfree.apk" which infects Android devices. In this blog, I will take you through the analysis of Dcry Ransomware sample.

Functionality:

    Once launched, the ransomware checks if it's a first run of the app. Depending on the check it performs other functions.

Main Activity

On the first run, username and password gets generated and stored as userInfo in shared preferences with random values assigned to it.

User Info

After that, a POST request is sent to the C2 server containing the generated username and password of the infected host. Later, a service gets started and the value of first run is set to false.

C&C communication



Encryption:

    The files gets encrypted by using AES with a random 32 length generated encryption key which is stored in shared preferences.

Encryption

.Dcry extension gets appended to all the files after the encryption process and a wallpaper is set with a ransom note.

.Dcry Extension


Wallpaper with Ransom Note

Delete on Boot:

     delonboot service is started so that if the phone reboots all the encrypted files will be deleted permanently.

delonboot.class


OnBootReciever Activity

Decryption:

    A launcher starts which shows a decryption interface where it asks for a key to decrypt file along with a ransom note. Depending on the input of the key length different messages are shown.

Decryption Service

IOCs:

cf071549df9491cb2e87396f5315e3e39e145ca9858fc510508cdaaf5e69546a (com.example.kico.myapplication)

arefy[.]net/addslave.php

tuvieja@yopmail.com



Comments

Post a Comment

Popular posts from this blog

Analysis of TikTok Scam

Image
Unmasking the TikTok Scam Introduction:     After the ban of TikTok by Indian Government, scammers are using this as a opportunity to distribute a malware named as TikTok Pro.  Many users reported a SMS coming from their friends or other contacts to download the app. Recently, Telangana Police & Maharashtra Cyber Cell  tweeted  about this incident. This blog will be my technical analysis of the malware sample spreading via SMS.  Maharashtra Cyber Cell Advisory Technical Analysis: Main Activity:     Once the app is downloaded & executed it starts the MainActivity and sleeps for 2000s and later it calls login class to show the login form which looks similar to official TikTok app. Main Activity Login.Class:     After calling the login class, the app checks for all the required permissions. If the check is passed it displays a login form which  accepts any username or password having length greater than 3 and shows a fake message "Checking Username and Password... "  wh
Read more