⚠️ Pracivo Security Lab — All samples are COMPLETELY SAFE text files. No real malware. For learning static analysis techniques only.
> EncryptAll.exe.txt — Strings Output
Ransomware Simulation
[SAFE — TEXT ONLY]
[SAFE DUMMY FILE - PRACIVO LAB - NOT REAL MALWARE]
Strings that would be extracted from a real ransomware binary:
SUSPICIOUS_STRINGS_FOUND:
- "CryptEncrypt"
- "CryptGenKey"
- "DeleteShadowCopies"
- "vssadmin delete shadows /all /quiet"
- "YOUR FILES HAVE BEEN ENCRYPTED"
- "Send 0.5 BTC to: 1A2b3C4d5E6f7G8h9I0jKlMnOpQrStUvWx"
- "bitcoin.org"
- "tor2web.org"
- "DECRYPT_INSTRUCTIONS.txt"
- "*.doc", "*.xls", "*.pdf", "*.jpg", "*.png"
- "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
- "C:\Users\%USERNAME%\AppData\Roaming\"
- "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"
- "cmd.exe /c bcdedit /set {default} recoveryenabled No"
IMPORTED_FUNCTIONS:
- kernel32.dll: CreateFileA, WriteFile, ReadFile, DeleteFileA
- advapi32.dll: CryptAcquireContextA, CryptEncrypt, CryptGenKey
- wininet.dll: InternetOpenA, InternetConnectA (C2 communication)
- shell32.dll: ShellExecuteA
NETWORK_INDICATORS:
- C2 Server: 185.220.101.45:8080 (Tor exit node)
- DNS query: randomhash123.onion.to
REGISTRY_MODIFICATIONS:
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
ANALYSIS_NOTES:
This is a teaching sample showing what strings analysts look for.
Real ransomware families: WannaCry, REvil, LockBit, Conti, BlackBasta.
Tools to use: strings.exe, PEStudio, IDA Free, Ghidra.
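As an added example (not part of the Pracivo lab file), the following Python script reimplements the core of `strings` (runs of printable ASCII of at least four bytes) and matches the extracted strings against indicator categories taken from the sample above, weighting them so that crypto APIs alone do not trigger a verdict; the byte blob it scans is constructed for the demo.

```python
"""String-based triage of a suspected ransomware binary (added example)."""
import re
from collections import defaultdict

MIN_LEN = 4  # same default minimum length as the `strings` tool

# Indicator categories built from the lab sample; a real ruleset would be larger.
INDICATORS = {
    "crypto_api": ["CryptAcquireContextA", "CryptGenKey", "CryptEncrypt"],
    "shadow_copy_deletion": ["vssadmin delete shadows", "DeleteShadowCopies"],
    "boot_recovery_tampering": ["bcdedit /set {default} recoveryenabled No",
                                "bootstatuspolicy ignoreallfailures"],
    "ransom_note": ["YOUR FILES HAVE BEEN ENCRYPTED", "DECRYPT_INSTRUCTIONS.txt"],
    "persistence": [r"Software\Microsoft\Windows\CurrentVersion\Run"],
    "c2_network": ["InternetOpenA", "InternetConnectA", ".onion"],
}
# Crypto APIs and Run keys are common in benign software, so they score low;
# destroying recovery options and dropping a ransom note score high.
WEIGHTS = {"crypto_api": 1, "persistence": 1, "c2_network": 2,
           "shadow_copy_deletion": 3, "boot_recovery_tampering": 3, "ransom_note": 4}

def extract_strings(data, min_len=MIN_LEN):
    """Return printable-ASCII runs of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def match_indicators(strings):
    """Map each indicator category to the needles found (case-insensitive)."""
    hits = defaultdict(set)
    for s in strings:
        for category, needles in INDICATORS.items():
            for needle in needles:
                if needle.lower() in s.lower():
                    hits[category].add(needle)
    return {category: sorted(found) for category, found in hits.items()}

def triage(data):
    """Score a file by the categories hit; one hit per category is enough."""
    hits = match_indicators(extract_strings(data))
    score = sum(WEIGHTS[category] for category in hits)
    verdict = "likely_ransomware" if score >= 7 else "review" if score >= 3 else "low"
    return {"score": score, "verdict": verdict, "hits": hits}

# Constructed stand-in for a binary: junk bytes around a few of the lab's strings.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8 + b"CryptGenKey\x00CryptEncrypt\x00\x01ab\x02"
          b"vssadmin delete shadows /all /quiet\x00YOUR FILES HAVE BEEN ENCRYPTED\x00"
          b"cmd.exe /c bcdedit /set {default} recoveryenabled No\x00")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the constructed sample this reports four categories and a score of 11; a file exposing only CryptEncrypt scores 1 and is left at "low".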