SHA1:
- 16b84004778505afbcc1032d1325c9bed8679b79
An encryption Trojan for Windows. It launches %SYSTEM%\svchost.exe on the attacked computer and injects itself into that process, then starts a separate thread to delete its own copy. It contains an encrypted library in its body and uses it to access onion sites on the Tor network; the Trojan loads this library into memory itself.
It also contains the encrypted public part of a master key. The ransomware generates an RSA key pair and saves it to a file whose name follows the template *-Bravo NEW-*.key. The file is saved to the folder %COMMON_APPDATA% and then encrypted; the resulting file is named *-Bravo NEW-*.key.aes_ni_0day. Files are encrypted with the AES algorithm; the AES key of each file is encrypted with the public key of the generated RSA pair and written at the end of the file. The following information is stored at the end of each encrypted file:
| Offset | Length | Data |
|---|---|---|
| 0x00 | 0x08 | Marker (453728192A384756) |
| 0x08 | 0x21 | PCID and terminating null |
| 0x29 | var | Original file name |
| 0x233 | 0x100 | Encrypted AES key of the file (RSA encryption with the public key of the generated pair) |
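The trailer layout above can be parsed directly during incident triage to identify affected files and recover their original names. The following parser is an added example, not code from the original entry or from any decryption tool; it assumes the marker appears in the byte order written above and that the original file name is stored as a null-terminated UTF-16LE string (the page does not state the encoding).

```python
import os

# Trailer layout as described on the page; offsets are relative to the trailer start.
MARKER = bytes.fromhex("453728192A384756")  # 8-byte marker, assumed to appear in this byte order
OFF_PCID, LEN_PCID = 0x08, 0x21              # 32-char PCID plus terminating null
OFF_NAME, OFF_KEY = 0x29, 0x233              # name region runs up to the key field (0x20A bytes)
LEN_KEY = 0x100                              # AES key encrypted with the generated RSA public key
TRAILER_LEN = OFF_KEY + LEN_KEY              # 0x333 = 819 bytes appended to every encrypted file


def parse_trailer(data: bytes):
    """Parse the trailer at the end of `data`; return a dict, or None if the marker is absent."""
    if len(data) < TRAILER_LEN:
        return None
    t = data[-TRAILER_LEN:]
    if t[: len(MARKER)] != MARKER:
        return None
    pcid = t[OFF_PCID : OFF_PCID + LEN_PCID].split(b"\x00", 1)[0]
    # Name encoding is an assumption: UTF-16LE (0x20A bytes = 261 code units, MAX_PATH + null).
    name = t[OFF_NAME:OFF_KEY].decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {
        "pcid": pcid.decode("ascii", "replace"),
        "original_name": name,
        "encrypted_aes_key": t[OFF_KEY : OFF_KEY + LEN_KEY],
    }


def build_sample(pcid: str, name: str, body: bytes, enc_key: bytes) -> bytes:
    """Construct a file in the described layout (constructed test data, not a real sample)."""
    assert len(enc_key) == LEN_KEY
    pcid_field = pcid.encode("ascii").ljust(LEN_PCID, b"\x00")[:LEN_PCID]
    name_field = name.encode("utf-16-le").ljust(OFF_KEY - OFF_NAME, b"\x00")
    assert len(name_field) == OFF_KEY - OFF_NAME, "name too long for the fixed region"
    return body + MARKER + pcid_field + name_field + enc_key


def scan_directory(path: str) -> list:
    """Triage helper: list (path, pcid, original_name) for files that carry the marker."""
    hits = []
    for root, _dirs, files in os.walk(path):
        for fn in files:
            full = os.path.join(root, fn)
            with open(full, "rb") as fh:
                fh.seek(0, os.SEEK_END)
                if fh.tell() < TRAILER_LEN:
                    continue
                fh.seek(-TRAILER_LEN, os.SEEK_END)  # only the trailer is needed
                info = parse_trailer(fh.read())
            if info:
                hits.append((full, info["pcid"], info["original_name"]))
    return hits
```

Because each file's AES key is stored RSA-encrypted in the trailer, recovering the plaintext requires the private half of the per-victim RSA pair; the parser only identifies affected files and their original names.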
At the end of May 2017, the private part of the Trojan’s master key was made public, so decryption of the affected files is now possible.