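Related reading: BeiJingCrypt ransomware family details
I. Sample information

File name: beijing_en.exe
MD5: fe850a6c98438612dcee23df2150030d
SHA-1: ceaa511a1f0f8ef84b36e709cd7693b2939ea98e


II. Brief analysis
    The malware encrypts files using an RSA+AES scheme.

    Once it starts executing, it creates a startup entry:

    It creates the file C:\\ProgramData\\8dc628adb629d6a39b99a547b9f50f4c57553936c0292b0d31f33313974e2298 and writes to it the file-encryption key, encrypted with the attacker's RSA public key.
    When encrypting files it uses CFB mode; the IV is RSA-encrypted and appended to the end of the file.

    In every encrypted directory it creates a ransom note file, !RECOVER.txt.

    The ransom note reads as follows (file name "!RECOVER.txt"):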

    ALL YOUR DATA WAS ENCRYPTED
    Whats Happen?
    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension .beijing
    By the way, everything is possible to restore, but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    What guarantees?
    It's just a business. We absolutely do not care about you and your deals, except getting benefits.
    If we do not do our work and liabilities - nobody will not cooperate with us.
    It's not in our interests.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.
    In practise - time is much more valuable than money.
    What should You include in your message?
    1. Your country and city
    2. This TXT file
    3. Some files for free decryption
    Free decryption as guarantee!
    Before paying you send us up to 2 files for free decryption.
    Send pictures, text files. (files no more than 1mb)
    If you upload the database, your price will be doubled
    Contacts:
    beijing520@aol.com
    beijing520@cock.li

    Your Personal ID: aaFFEFhU3TRoAHXbZsPXmQPuMhct1ywaMWyALYKEQgbURBvGqo8VvcrMey/eYQXa4NWHIZjp0dnsdrZgtya2sVdYnx7t0qsCmDOXWJRIwyhPflwME0aBuSBiPQ55wCQ6yUW9aDIPYxKSd6l1zYvk3jXG14lPO6wFEWssLKmRhJw=:8dc628adb629d6a39b99a547b9f50f4c57553936c0292b0d31f33313974e2298
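A triage sketch for responders, added here as an example and not part of the original post: it walks a directory tree for the !RECOVER.txt notes and .beijing files described above, parses the Personal ID, and flags the ProgramData file whose name equals the ID's hex half so it can be preserved. It assumes the ID layout and the name match seen in this one sample hold generally; the function names and the fixture in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

NOTE_NAME = "!RECOVER.txt"   # ransom note name from the analysis
ENC_EXT = ".beijing"         # extension named in the ransom note
# ID layout seen in the sample note: <base64 blob>:<64 hex chars>
ID_RE = re.compile(r"Your Personal ID:\s*([A-Za-z0-9+/=]+):([0-9a-fA-F]{64})")

def parse_personal_id(note_text):
    """Return (base64_blob, hex_id) from a note's text, or None."""
    m = ID_RE.search(note_text)
    return (m.group(1), m.group(2).lower()) if m else None

def triage(root, programdata):
    """Walk root; collect notes, encrypted files and matching key files."""
    root, programdata = Path(root), Path(programdata)
    report = {"notes": [], "encrypted": [], "ids": set(), "key_files": []}
    for p in (q for q in root.rglob("*") if q.is_file()):
        if p.name == NOTE_NAME:
            report["notes"].append(p)
            parsed = parse_personal_id(p.read_text(errors="replace"))
            if parsed:
                report["ids"].add(parsed[1])
        elif p.suffix.lower() == ENC_EXT:
            report["encrypted"].append(p)
    # Assumption from the sample: hex half of the ID == ProgramData file name.
    for hex_id in sorted(report["ids"]):
        candidate = programdata / hex_id
        if candidate.is_file():
            report["key_files"].append(candidate)  # wrapped key: preserve it
    return report

def demo():
    """Run triage() over a constructed tree (all values are made up)."""
    hex_id = "ab" * 32
    with tempfile.TemporaryDirectory() as d:
        docs, pdata = Path(d, "docs"), Path(d, "ProgramData")
        docs.mkdir()
        pdata.mkdir()
        (docs / NOTE_NAME).write_text(f"Your Personal ID: QUJDRA==:{hex_id}\n")
        (docs / "report.xlsx.beijing").write_bytes(b"\x00" * 16)
        (docs / "untouched.txt").write_text("ok")
        (pdata / hex_id).write_bytes(b"constructed key blob")
        r = triage(docs, pdata)
        return len(r["notes"]), len(r["encrypted"]), [k.name for k in r["key_files"]]

if __name__ == "__main__":
    print(demo())
```

Run it against a mounted forensic image or a read-only copy rather than the live system, so the key file and notes are not modified.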


1 reply in total to "BeijingCrypt ransomware sample analysis"; last reply on 2021-11-17 22:23
360fans_13413323 (Product Q&A specialist)