Anti-Malware Laboratory

Yet Another Malware Blog

About

An informal blog from your friendly neighborhood software security humans.

Blog Archive

  • ►  2015 (5)
    • ►  October (1)
    • ►  August (2)
    • ►  May (1)
    • ►  March (1)
  • ▼  2014 (8)
    • ►  October (1)
    • ►  July (1)
    • ▼  June (1)
      • Bitcrypt v2.0
    • ►  May (4)
    • ►  April (1)
  • ►  2013 (12)
    • ►  December (3)
    • ►  November (5)
    • ►  August (2)
    • ►  March (2)
  • ►  2012 (35)
    • ►  April (4)
    • ►  March (12)
    • ►  February (17)
    • ►  January (2)

Categories

adobe (1) android (10) android february (1) baksmali (1) Black Hole (2) crimepack (1) disassembler (1) exploit (3) Exploits (4) Fakeav Winrar sfx (1) Fishbowl (1) flash (1) gift certificates (1) Google Authenticator (1) google play (1) hcp (1) java (1) Malware (5) mdac (1) Mobile (24) NSA Mobility Program (1) obfuscated script (1) pdf (1) Reversing (2) rhino (1) skype (1) smali (1) spam (1) test (1) Unpacking (1) vouchers (1) vulnerability (3)

Popular Posts

  • Bank of America spam: An Analysis
    An email claiming to be from Bank of America lures users to open an attachment that shows how to open secure emails from the bank. The mess...
  • [BE CAUTIOUS] Dragon Ball Z: Resurrection of F MALWARE and SCAM
    Be wary of downloading movies in torrent sites.  Executables can also be executed with a file size as huge as a gigabyte...
  • Unpacking MFC Compiled CryptoWall Malware
    Unpacking MFC Compiled CryptoWall Malware Introduction First and foremost, this article does not intend to analyze what CryptoWall malw...

Visitors to this blog

Wednesday, June 18, 2014

Bitcrypt v2.0

Posted on Wednesday, June 18, 2014 by bernadette
Bitcrypt is a ransomware program that encrypts certain types of files on the system using RSA public-key cryptography. The malware then displays a message offering to decrypt the data once payment has been made in Bitcoin.

Summary
  
Upon execution, it creates a thread that periodically checks for and terminates running instances of taskmgr.exe and regedit.exe.
It also checks for the existence of the following registry entry:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    • Value Name: Bitcomint
    • Data: %APPDATA%\[RANDOM FILE NAME].exe
If the registry entry does not exist, it creates it and drops a copy of itself in %APPDATA%. After ensuring that it will be launched every time Windows starts, it executes the following commands (the /K prefix is the cmd.exe switch that runs the command and keeps the shell open):
  • /K bcdedit /set {bootmgr} displaybootmenu no
  • /K bcdedit /set {default} bootstatuspolicy ignoreallfailures
These settings hide the Windows boot menu and suppress the automatic recovery prompt after a failed boot.
It sets the country or region of Windows through the following registry entry:
  • HKEY_CURRENT_USER\Control Panel\International\Geo
    • Value Name: Nation
    • Data: 244 (244 is the GeoID of the United States)
It then checks whether the following files exist in %APPDATA%; if not, it creates them, executes the copy of itself in %APPDATA%, and then terminates and deletes the currently running file.
  • bitcrypt.ccw
    • This file contains the base64 strings, the BitCrypt ID and the status of file encryption on the system
      • BitCrypt ID format
        • WIN -<region location of Windows>-<4 random numbers><index of base64 strings>
  • BitCrypt.txt
    • This file contains information on where to download the decryptor program. The note is written in 10 languages: English, French, German, Russian, Italian, Spanish, Portuguese, Japanese, Chinese and Arabic. It also claims that the files are encoded with an RSA-1024 key. At the time of writing, the links given in the note were not accessible.

It creates del.bat to delete the currently running file and execute the copy of itself in %APPDATA%.
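The persistence and boot-configuration changes described above are the host-side indicators a responder would look for. The following Python helper is an added example, not code from the original post: it checks a Run key listing, the Geo\Nation value and `bcdedit /enum` output for the exact value name, data and settings named in the summary. The sample Run entries, the random executable name and the bcdedit output layout are constructed for the demo; `collect_windows()` reads the live values on a Windows host and is an assumption about how one would wire it up there.

```python
"""Triage helper for the Bitcrypt v2.0 persistence and configuration changes described above."""
import re
import sys

# Indicators from the write-up (value name, data and bcdedit settings are quoted from it).
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Bitcomint"
GEO_NATION_US = "244"
BCDEDIT_INDICATORS = {
    "displaybootmenu": "no",                  # boot menu hidden
    "bootstatuspolicy": "ignoreallfailures",  # no recovery prompt after a failed boot
}

def parse_bcdedit_enum(text):
    """Turn the 'setting   value' lines of `bcdedit /enum` output into a dict.
    Section titles and '----' separators do not match the pattern and are skipped.
    Keys and values are lower-cased because bcdedit prints them in mixed case."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+)\s{2,}(.+?)\s*$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).lower()
    return settings

def check_indicators(run_values, geo_nation, bcdedit_text):
    """run_values: {value name: data} read from HKCU\\...\\Run.
    geo_nation: data of HKCU\\Control Panel\\International\\Geo\\Nation, or None.
    bcdedit_text: concatenated output of `bcdedit /enum` for {bootmgr} and {default}.
    Returns a list of findings; an empty list means none of the indicators matched."""
    findings = []
    data = run_values.get(RUN_VALUE_NAME)
    if data is not None:
        findings.append(f"Run value '{RUN_VALUE_NAME}' present: {data}")
        if "appdata" in data.lower():
            findings.append("Run value launches an executable from %APPDATA%")
    # Geo\Nation == 244 is normal on US systems; it only matters alongside the other hits.
    if geo_nation == GEO_NATION_US:
        findings.append("Geo\\Nation set to 244 (United States)")
    settings = parse_bcdedit_enum(bcdedit_text)
    for key, bad in BCDEDIT_INDICATORS.items():
        if settings.get(key) == bad:
            findings.append(f"bcdedit {key} = {bad}")
    return findings

def collect_windows():
    """Read the live values on a Windows host (bcdedit needs an elevated prompt).
    Assumed wiring; the demo below uses constructed data instead."""
    import subprocess
    import winreg
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_SUBKEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            run_values[name] = str(data)
            i += 1
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Control Panel\International\Geo") as key:
            geo_nation = str(winreg.QueryValueEx(key, "Nation")[0])
    except FileNotFoundError:
        geo_nation = None
    bcd = ""
    for obj in ("{bootmgr}", "{default}"):
        bcd += subprocess.run(["bcdedit", "/enum", obj], capture_output=True, text=True).stdout
    return run_values, geo_nation, bcd

# Constructed sample data shaped like `bcdedit /enum` output and a Run key listing.
SAMPLE_BCDEDIT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
displaybootmenu         No

Windows Boot Loader
-------------------
identifier              {current}
bootstatuspolicy        IgnoreAllFailures
"""
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "Bitcomint": r"C:\Users\alice\AppData\Roaming\qk3x.exe",  # constructed random name
}

def demo():
    """Run the checks against the constructed sample; returns five findings."""
    return check_indicators(SAMPLE_RUN, "244", SAMPLE_BCDEDIT)

if __name__ == "__main__":
    args = collect_windows() if sys.platform == "win32" else (SAMPLE_RUN, "244", SAMPLE_BCDEDIT)
    for finding in check_indicators(*args):
        print(finding)
```

The Run value name and the two bcdedit settings are the strong signals; the Geo\Nation value alone is not, since 244 is the normal setting on any US-localized machine, so the helper reports it only as a supporting finding.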


Extraction of base64 strings

This malware contains a jump table of the available random base64 string arrays. Using the Delphi random number generator, it picks an index that selects which set of strings to use at the time of infection.
Based on the image above, the string index is 1A2h; the malware extracts the base64 string using the following instruction:
  • MOV EDX,DWORD PTR DS:[ESI*4+47DE98]   with ESI = 0x1A2 (418 decimal)
    • ESI*4 = 0x1A2 * 4 = 0x688, so the pointer is read from 0x47DE98 + 0x688 = 0x47E520
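To make the lookup concrete, here is an added Python example (not code from the original post) that emulates the instruction against a constructed memory dump: it computes the address the MOV reads, fetches the 32-bit pointer stored there, follows it to a NUL-terminated base64 string and decodes it. Only the table address 0x47DE98 and the index 0x1A2 come from the analysis above; the dump layout (image base 0x47D000, a 419-entry table so that 0x1A2 is a valid index, strings placed at 0x47E600 in 32-byte slots) and the string contents are assumptions made for the demo.

```python
"""Emulate MOV EDX,[ESI*4+47DE98] over a constructed dump of the base64 string table."""
import base64
import struct

TABLE_VA = 0x47DE98    # table base, from the MOV instruction in the write-up
STRING_INDEX = 0x1A2   # index picked by the analysed sample (ESI)
ENTRY_COUNT = 0x1A3    # assumption: 419 entries, so 0x1A2 is the last valid index

def entry_address(table_va, index):
    """Address the CPU dereferences for [ESI*4 + table_va] with ESI == index."""
    return table_va + index * 4

def read_pointer(image, image_base, table_va, index, entry_count):
    """Read the little-endian DWORD pointer stored in table entry `index`.
    The index is chosen at random by the malware, so the bounds checks matter:
    an index past the table would silently read whatever data follows it."""
    if not 0 <= index < entry_count:
        raise IndexError(f"index {index:#x} outside a table of {entry_count} entries")
    offset = entry_address(table_va, index) - image_base
    if offset < 0 or offset + 4 > len(image):
        raise IndexError("table entry lies outside the dumped region")
    return struct.unpack_from("<I", image, offset)[0]

def read_cstring(image, image_base, va):
    """Return the NUL-terminated byte string starting at virtual address va."""
    offset = va - image_base
    if offset < 0 or offset >= len(image):
        raise IndexError(f"pointer {va:#x} lies outside the dumped region")
    end = image.find(b"\x00", offset)
    return image[offset:end if end != -1 else len(image)]

def resolve_string(image, image_base, index):
    """Full chain: table entry -> pointer -> base64 text -> decoded bytes."""
    ptr = read_pointer(image, image_base, TABLE_VA, index, ENTRY_COUNT)
    return base64.b64decode(read_cstring(image, image_base, ptr))

# Constructed dump layout (assumed for the demo, not taken from the sample).
SAMPLE_IMAGE_BASE = 0x47D000
SAMPLE_STRINGS_VA = 0x47E600   # first string slot, after the table ends at 0x47E524
SAMPLE_STRING_STRIDE = 0x20    # each base64 string gets a 32-byte slot

def build_sample_image():
    """Build a dump with a pointer table at TABLE_VA and one base64 string per entry."""
    size = SAMPLE_STRINGS_VA + ENTRY_COUNT * SAMPLE_STRING_STRIDE - SAMPLE_IMAGE_BASE
    buf = bytearray(size)
    for i in range(ENTRY_COUNT):
        str_va = SAMPLE_STRINGS_VA + i * SAMPLE_STRING_STRIDE
        struct.pack_into("<I", buf, entry_address(TABLE_VA, i) - SAMPLE_IMAGE_BASE, str_va)
        encoded = base64.b64encode(b"bitcrypt-set-%d" % i) + b"\x00"  # constructed content
        start = str_va - SAMPLE_IMAGE_BASE
        buf[start:start + len(encoded)] = encoded
    return bytes(buf), SAMPLE_IMAGE_BASE

def demo():
    """Resolve the entry the sample selected; returns b'bitcrypt-set-418'."""
    image, base = build_sample_image()
    return resolve_string(image, base, STRING_INDEX)

if __name__ == "__main__":
    print(hex(entry_address(TABLE_VA, STRING_INDEX)), demo())
```

Against a real dump the same functions apply unchanged once `image_base` is set to the virtual address at which the dumped region was loaded; the only sample-specific inputs are the table address and the index observed in ESI.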


Infection Routine

This malware will encrypt files with the following file extensions:
  • *.dbf
  • *.mdb
  • *.mde
  • *.xls
  • *.xlw
  • *.docx
  • *.doc
  • *.cer
  • *.key
  • *.rtf
  • *.xlsm
  • *.xlsx
  • *.txt
  • *.xlc
  • *.docm
  • *.xlk
  • *.text
  • *.ppt
  • *.djvu
  • *.pdf
  • *.lzo
  • *.djv
  • *.cdx
  • *.cdt
  • *.cdr
  • *.bpg
  • *.xfm
  • *.dfm
  • *.pas
  • *.dpk
  • *.dpr
  • *.frm
  • *.vbp
  • *.php
  • *.js
  • *.wri
  • *.css
  • *.asm
  • *.jpg
  • *.jpeg
  • *.dbx
  • *.dbt
  • *.odc
  • *.sql
  • *.abw
  • *.pab
  • *.vsd
  • *.xsf
  • *.xsn
  • *.pps
  • *.lzh
  • *.pgp
  • *.arj
  • *.gz
  • *.pst
  • *.xl
It first searches for and lists all files with the above extensions.
It then encrypts each target file, writes the encrypted data to a new file with the ".bitcrypt2" extension and deletes the original file.

Encryption routine

Payload

After encrypting the files, it changes the infection status in bitcrypt.ccw from false to EncryptComplete.

It changes the wallpaper to BitCrypt.bmp to notify the user that the system has been infected by Bitcrypt v2.0.

To make sure the user reads BitCrypt.txt, it also opens the file with notepad.exe.
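The infection routine and the payload steps above leave a recognisable trail on disk: the dropped files in %APPDATA%, the ".bitcrypt2" outputs where the originals used to be, and the EncryptComplete marker in bitcrypt.ccw. The following Python scanner is an added example, not code from the original post: it walks a directory tree, separates dropped artifacts from encrypted outputs and from files whose extensions are on the target list (the exposure still at risk), and reports whether the ccw file says encryption finished. The sample tree, its file contents and the assumption that "EncryptComplete" appears as a plain substring in bitcrypt.ccw are constructed for the demo; the extension list and file names come from the analysis above.

```python
"""Post-incident filesystem triage for the Bitcrypt v2.0 behaviour described above."""
import os
import tempfile

# Extensions targeted by the malware, as listed in the write-up.
TARGET_EXTENSIONS = {
    ".dbf", ".mdb", ".mde", ".xls", ".xlw", ".docx", ".doc", ".cer", ".key", ".rtf",
    ".xlsm", ".xlsx", ".txt", ".xlc", ".docm", ".xlk", ".text", ".ppt", ".djvu", ".pdf",
    ".lzo", ".djv", ".cdx", ".cdt", ".cdr", ".bpg", ".xfm", ".dfm", ".pas", ".dpk",
    ".dpr", ".frm", ".vbp", ".php", ".js", ".wri", ".css", ".asm", ".jpg", ".jpeg",
    ".dbx", ".dbt", ".odc", ".sql", ".abw", ".pab", ".vsd", ".xsf", ".xsn", ".pps",
    ".lzh", ".pgp", ".arj", ".gz", ".pst", ".xl",
}
ENCRYPTED_EXT = ".bitcrypt2"
# Files the malware drops, matched case-insensitively (bitcrypt.ccw, BitCrypt.txt, del.bat).
DROPPED_FILES = {"bitcrypt.ccw", "bitcrypt.txt", "del.bat"}
STATUS_COMPLETE = b"EncryptComplete"

def scan_tree(root):
    """Walk root and classify files: dropped artifacts, encrypted outputs, still-targetable files.
    'status_complete' is True when bitcrypt.ccw contains the EncryptComplete marker
    (the layout of that file is not documented; a plain substring match is assumed)."""
    result = {"artifacts": [], "encrypted": [], "at_risk": [], "status_complete": False}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in DROPPED_FILES:
                result["artifacts"].append(path)
                if lower == "bitcrypt.ccw":
                    with open(path, "rb") as fh:
                        result["status_complete"] = STATUS_COMPLETE in fh.read()
            elif lower.endswith(ENCRYPTED_EXT):
                result["encrypted"].append(path)
            elif os.path.splitext(lower)[1] in TARGET_EXTENSIONS:
                result["at_risk"].append(path)
    return result

def summarize(result):
    """One-line verdict: dropped files together with .bitcrypt2 outputs are the signal."""
    if result["artifacts"] and result["encrypted"]:
        state = "complete" if result["status_complete"] else "in progress or interrupted"
        return f"Bitcrypt v2.0: {len(result['encrypted'])} encrypted files, encryption {state}"
    if result["encrypted"]:
        return f"{len(result['encrypted'])} .bitcrypt2 files but no dropped artifacts found"
    return "no Bitcrypt v2.0 indicators"

# Constructed sample tree mimicking a small user profile after infection.
SAMPLE_FILES = {
    "Documents/report.docx": b"not really a docx",
    "Documents/notes.txt": b"plain notes",
    "Pictures/cat.jpg": b"\xff\xd8\xff",
    "Documents/budget.xlsx.bitcrypt2": b"\x00\x01ciphertext",
    "Documents/plan.doc.bitcrypt2": b"\x00\x02ciphertext",
    "Downloads/setup.exe": b"MZ",
    "AppData/Roaming/bitcrypt.ccw": b"status=EncryptComplete\n",  # layout assumed
    "AppData/Roaming/BitCrypt.txt": b"ransom note in ten languages",
    "AppData/Roaming/del.bat": b"@echo off\r\n",
}

def build_sample_tree(root):
    """Write SAMPLE_FILES under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

def demo():
    """Build the sample tree in a temporary directory, scan it and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    import sys
    res = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(summarize(res))
```

Run it with a path argument to scan a mounted image or a user profile; without one it scans the constructed sample. The "at_risk" list is what would still be lost if the process were re-run, which is useful when deciding what to isolate and back up first.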

