*** DLL operations ***

1] Checks to see if task already running by attempting to open mutex with name MsWinZonesCacheCounterMutexA

If already exists, app exits

2] Obtains name of current directory.

3] Reads 780 bytes of information from c.wnry which it expects in current directory. This has

bitcoin and TOR info. 

4] Checks if running as LocalSystem. Sets a flag used later when running @[email protected]

5] Resolves api from advapi32.dll 

  CryptAcquireContextA

  CryptImportKey

  CryptDestroyKey

  CryptEncrypt

  CryptDecrypt

  CryptGenKey

6] Resolves api from kernel32.dll

  CreateFileW

  WriteFile

  ReadFile

  MoveFileW

  MoveFileExW

  DeleteFileW

  CloseHandle

7] Initializes names of files

00000000.res   - C2 communications

00000000.pky   - Public key used by the ransomware to encrypt the generated AES keys that are used to encrypt the user’s files

00000000.eky   - Encryption key for the t.wnry file which stores the actual file encryption component used by the ransomware. 

                 It is encrypted using the public key that belongs to a private key embedded inside the ransomware.

8] creates mutex with name MsWinZonesCacheCounterMutexA and sets the security

ACL to allow EVERYONE full access

9] tries to open 00000000.dky. if available, will import key into Crypto API object.

presumably this would be decryption key from the authors of ransomware..

10] if cannot open *.dky file, will generate new RSA key pair of 2048-bits.

Public key is exported as blob and saved to 00000000.pky

Private key is exported as blob and encrypted with ransomware public key before being saved to 00000000.eky

The RSA public key used to encrypt the users RSA key pair is embedded inside the DLL.

unsigned char wc_key1[] =

{

  0x06, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53, 

  0x41, 0x31, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 

  0x75, 0x97, 0x4C, 0x3B, 0x84, 0x46, 0xDE, 0x2C, 0x2A, 0xF4, 

  0x95, 0xA8, 0x5D, 0xC0, 0xCD, 0x6D, 0xDA, 0xD7, 0xD4, 0x92, 

  0x1E, 0x13, 0x82, 0x34, 0x6A, 0x70, 0x8D, 0x8F, 0x7C, 0xF7, 

  0x04, 0x92, 0x55, 0x7F, 0xF1, 0xA2, 0x27, 0xB2, 0x9E, 0x41, 

  0xAC, 0x90, 0x80, 0x91, 0x18, 0x93, 0xC2, 0xB1, 0x7B, 0xAD, 

  0x2B, 0xF3, 0xFF, 0xAF, 0xDB, 0x2B, 0x51, 0xBE, 0x1D, 0xA3, 

  0x27, 0xE3, 0xA7, 0x57, 0x08, 0x5A, 0xBE, 0xC1, 0x1D, 0xF6, 

  0x04, 0xF8, 0x1C, 0xBE, 0x5B, 0xB1, 0x67, 0xFB, 0xE4, 0xC8, 

  0xDA, 0x75, 0x00, 0x70, 0xB1, 0x17, 0x70, 0x24, 0x6C, 0x09, 

  0x63, 0x74, 0xAC, 0x4B, 0x0A, 0x1D, 0x71, 0xAE, 0x7F, 0xAE, 

  0x65, 0xB8, 0xC5, 0x86, 0x79, 0xC5, 0x7E, 0x9F, 0x98, 0x60, 

  0x4C, 0x52, 0xB9, 0x29, 0x62, 0xCB, 0x23, 0x29, 0xED, 0x31, 

  0x91, 0x74, 0x7B, 0x7B, 0x0B, 0x26, 0x1B, 0xF2, 0x7D, 0x67, 

  0xBF, 0xDA, 0x7A, 0x40, 0xDA, 0xF2, 0x61, 0x4D, 0x94, 0xA5, 

  0x7D, 0xAD, 0x59, 0x6B, 0xAD, 0x9E, 0xA3, 0x3A, 0x39, 0xC6, 

  0x5B, 0x6E, 0x9F, 0xD2, 0xBB, 0x36, 0xB5, 0xF5, 0xD2, 0x65, 

  0xF5, 0x2C, 0x30, 0xD8, 0xC1, 0x17, 0xBD, 0xAF, 0x28, 0x00, 

  0x96, 0x20, 0x46, 0xA7, 0x2D, 0x62, 0x03, 0x0C, 0xD7, 0xD0, 

  0x75, 0xA0, 0x0B, 0x07, 0xEA, 0xD4, 0x1F, 0xCA, 0xE8, 0xD9, 

  0x4E, 0xDB, 0x38, 0xF2, 0x26, 0x75, 0xCB, 0x12, 0xA6, 0x88, 

  0x70, 0x9B, 0xE1, 0xEA, 0x32, 0xDC, 0xF8, 0x71, 0x72, 0x50, 

  0x41, 0xE6, 0x17, 0x81, 0x68, 0x27, 0x42, 0x8E, 0xDF, 0xE5, 

  0xDE, 0xA1, 0x72, 0xD9, 0x3B, 0xFB, 0xE5, 0x9D, 0x30, 0x11, 

  0x69, 0x92, 0xCD, 0x60, 0x2B, 0xE2, 0xD5, 0x46, 0x3C, 0x28, 

  0xCF, 0x9D, 0x30, 0x4A, 0xF7, 0xAD, 0xB9, 0xFB, 0x0F, 0x91, 

  0xFE, 0x2E, 0xBE, 0x18, 0xF1, 0xCE

};

The AES-128 key generated for each file is derived from CryptGenRandom  which 

is cryptographically secure and is not known to have any weakness.

The AES keys are encrypted using the users public key in *.pky.

In order to decrypt, we need the users private key which is

encrypted using a public key owned by the ransomware authors.

Presumably what authors do is decrypt the users private key in *.eky file 

using their private key and then send the user a *.dky file

to decrypt files.