Analysis of .Net Ransomware of “Ryzerlo” Malware Family.
Static Analysis (Basic)
Static Analysis (Advanced)
Starting off with the Main function in the Program class, in the hidden_tear namespace.
Within the Main function, three methods of the Application class are called.
The Application class provides the basic operations for running the application: process and thread handling, application information and the like, all executed on the victim's system.
Moving on to the three methods called on the Application class.
The first method is EnableVisualStyles.
This method sets up the visual styles for the HiddenTear ransomware.
At the beginning of this method a call to FileIOPermission is made, which creates confusion for the analyst; it creates a flag called “m_unrestricted”, which holds the boolean value 1 or 0 for the permission state.
The PermissionState enum defines the permission state: Unrestricted is assigned 1 and None is assigned 0.
Further into the method we encounter the FileIOPermissionAccess enum, in which the “AllFiles” member is defined; this defines the access to files.
Continuing through EnableVisualStyles(), three control-flow blocks are executed: try, finally and if. In the finally block, the exceptions are created.
Lastly, the method activates the theme styling by calling “EnableVisualStylesInternal”.
Now moving on to the second method, “SetCompatibleTextRenderingDefault”, called on the Application class. In this method an “if” conditional check is used to raise an exception.
In the “if” check, the NativeWindow function is used to dispose of the residue left in cache memory by NativeWindow after syncing the event handler to the C&C server.
The third is the main method, “Run”.
Main class: Form1
In this class the main operations take place, such as AES encryption and decryption.
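As an added example (not the sample's or the author's code), a small Python triage script that checks a .NET assembly for the identifiers this write-up names: the hidden_tear namespace, the Application methods, FileIOPermission and Form1. It searches both the UTF-8 form used for metadata names and the UTF-16LE form used for string literals; the sample bytes are constructed, not the real file.

```python
# Added triage helper (not the sample's code). .NET metadata keeps referenced
# type/member names (Application, EnableVisualStyles, ...) as NUL-terminated
# UTF-8 in the #Strings heap and string literals as UTF-16LE in the #US heap,
# so a byte search must try both encodings. The metadata root begins "BSJB".
from __future__ import annotations

# Identifiers this write-up names in the hidden_tear sample.
WRITEUP_IDENTIFIERS = ("hidden_tear", "EnableVisualStyles",
                       "SetCompatibleTextRenderingDefault",
                       "FileIOPermission", "Form1")
METADATA_SIGNATURE = b"BSJB"  # start of the CLI metadata root


def is_dotnet_assembly(data: bytes) -> bool:
    """Triage shortcut: PE 'MZ' stub plus the CLI metadata signature.
    A rigorous check follows data directory 14 (CLR header) instead."""
    return data[:2] == b"MZ" and METADATA_SIGNATURE in data


def find_identifiers(data: bytes, names=WRITEUP_IDENTIFIERS):
    """Return {name: [(offset, encoding), ...]} for hits in either encoding."""
    hits: dict[str, list[tuple[int, str]]] = {}
    for name in names:
        for enc in ("utf-8", "utf-16-le"):
            needle, start = name.encode(enc), 0
            while (pos := data.find(needle, start)) != -1:
                hits.setdefault(name, []).append((pos, enc))
                start = pos + 1
    return hits


def triage(data: bytes) -> dict:
    """What an analyst wants to know before opening a decompiler."""
    found = find_identifiers(data)
    return {"dotnet": is_dotnet_assembly(data),
            "found": sorted(found),
            "missing": sorted(set(WRITEUP_IDENTIFIERS) - set(found))}


# Constructed stand-in for an assembly (not the real file): MZ stub, metadata
# signature, a #Strings-style run of UTF-8 names, one UTF-16LE literal.
SAMPLE = (b"MZ" + b"\x00" * 14 + METADATA_SIGNATURE
          + b"\x00".join(n.encode() for n in
                         ("hidden_tear", "Program", "Application",
                          "EnableVisualStyles", "Form1")) + b"\x00"
          + "hidden_tear".encode("utf-16-le"))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Names listed under "missing" are the ones the write-up mentions but the scanned bytes lack, which tells the analyst which parts of the sample to inspect by hand.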
Analysis Report E3rDVPhyAf
Sample Name: E3rDVPhyAf (renamed file extension from none to exe) Analysis ID: 359421 MD5…