The decrypted and unpacked configuration data uses a public key called RSA-1024, an identifier named "bot_company" by the designers, and the key AES-128 ECB to encrypt data sent to attackers.
This is followed by 8 logical flags, which define the ransomware configuration (the value set in the sample is presented in parentheses):
– Encrypting odd megabytes in large files starting with the first one (0);
– Applying authentication attempts using the following credentials contained in the configuration (1):
– Mounting volumes and encrypting files on them (1).
– Encrypting files on available network resources (1). While performing this operation, the program also enumerates Active Directory using LDAP requests.
– Terminating processes that contain the following substrings in their names (1):
encsvc, thebat, mydesktopqos, xfssvccon, firefox, infopath,winword, steam, synctime, notepad, ocomm, onenote, mspub, thunderbird, agntsvc, sql, excel, powerpnt, outlook, wordpad, dbeng50, isqlplussvc, sqbcoreservice, oracle, ocautoupds, dbsnmp, msaccess, tbirdconfig, ocssd, mydesktopservice, visio
– Stopping and deleting services (1):
mepocs, memtas, veeam, svc$, backup, sql, vss
– Creating and checking the mutex (1):
MUTEX_NAME: name of the mutex, formed based on the string from the registry parameter MachineGuid.
– Transferring information about compromised system and encryption results to threat actors (1). Encrypted information (AES-128 ECB) is transferred as HTTP POST requests to one of the following addresses:
The rest of the configuration data is contained as Base64 strings. The strings have a list of hashes of the bypassed directory/file names and file extensions, a list of substrings in the names of the terminated processes, names of services to be removed, links to attackers' resources used for transferring credentials, an encrypted list of credentials used for authentication attempts, and an encrypted text with ransomware demands.