
Comodo Cyber Security team reveals the inner-workings of the latest strain of this persistent threat

The Comodo Cyber Security team constantly researches the latest ransomware to help better protect our users and to share our findings with the wider netsec and antivirus communities. Today we’d like to tell you about a newer version of the ransomware called Dharma version 2.0.

The malware first appeared in 2016 under the name CrySIS. It targets Windows systems and encrypts the victim’s files with strong AES-256 and RSA-1024 algorithms, before demanding a ransom in Bitcoins. As with virtually all strains of ransomware, the files are completely unrecoverable without the decryption key, and the victim must pay the ransom to get the key.

The Dharma trojan is delivered by brute-forcing weak passwords on RDP connections, or by getting the victim to open a malicious email attachment. The first method involves the attacker scanning port 3389 for connections that use the RDP protocol. Once a target is found, the attacker tries to log in to the connection by automatically trying different passwords from a huge library of known passwords, until one of them works. From there, the attacker has complete control over the target machine and runs the Dharma ransomware manually on the user’s files.

The latter method is a classic email attack. The victim receives an email that looks as though it comes from their real-life antivirus provider. It contains a warning about malware on their machine and instructs them to install the attached antivirus file to remove the threat. Of course, the attachment isn’t an antivirus program, it’s Dharma 2.0, which then proceeds to encrypt the user’s files and demand a ransom to unlock them.

In February 2020, the Comodo Cyber Security team discovered the latest evolution of this malware, Dharma 2.0. This version contains the core encrypt-then-ransom functionality of previous versions, but also contains an additional backdoor which grants remote admin capabilities. Let’s take a close look at the details of Dharma 2.0, with the help of the Comodo Cyber Security team.

Process Execution Hierarchy of Dharma 2.0

The execution tree of the malware is shown in the screenshot below, with ‘Wadhrama 2.0.exe’ at the head of the list:

The malware uses the DOS device mode utility to gather some information about the victim’s keyboard and deletes any shadow copies of their files. The command ‘vssadmin delete shadows /all /quiet’ is commonly used in ransomware to delete existing Windows restore points, robbing the user of a backup of their files:

With the shadow copies gone, users cannot restore their files unless they have an external, 3rd party backup in place. Many businesses have such backups in place, but an alarming number do not.

After encrypting all files on the computer, the malware needs a way to communicate the attacker’s instructions to the victim. It does this by using ‘mshta.exe’ to open ‘Info.hta’ as an auto-run with the command

‘C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\Info.hta’.

‘Info.hta’ is the file which contains the ransom note:

“All your files have been encrypted!”
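The two behaviours described above, shadow-copy deletion through ‘vssadmin’ and the ‘mshta.exe’ launch of an .hta file from a Startup folder, are both visible in process-creation telemetry. The following is an added example (not code from the original post or from Comodo) of detection logic run over constructed process-creation events; the field names follow a Sysmon-style layout and the sample command lines are made up to resemble the ones quoted above.

```python
"""Detection logic for two Dharma 2.0 behaviours: shadow-copy deletion via
vssadmin and an .hta auto-run launched by mshta.exe from a Startup folder.

Added example, not code from the original post. The events below are
constructed to resemble process-creation telemetry and are not real captures.
"""
import re
from typing import Dict, List

# Constructed sample events (Sysmon event 1 style field names).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mode.com",
     "CommandLine": "mode con"},
]

# vssadmin invoked with "delete ... shadows" in any spacing or argument order.
VSSADMIN_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# mshta.exe opening an .hta that lives under a Start Menu\Programs\Startup folder
# (matches both the per-user and the all-users Startup locations).
MSHTA_STARTUP = re.compile(
    r"mshta(?:\.exe)?.*\\Start\s?Menu\\Programs\\Startup\\[^\"]*\.hta", re.IGNORECASE)


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the detection names that fire for one process-creation event."""
    hits = []
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    if image.endswith("vssadmin.exe") and VSSADMIN_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if image.endswith("mshta.exe") and MSHTA_STARTUP.search(cmd):
        hits.append("mshta_startup_hta")
    return hits


def scan_events(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map each event index to its detections; events with none are dropped."""
    out = {}
    for i, e in enumerate(events):
        hits = classify_event(e)
        if hits:
            out[i] = hits
    return out


if __name__ == "__main__":
    for idx, names in scan_events(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Only the first and third sample events fire; ‘vssadmin list shadows’ and an .hta outside a Startup folder are left alone, which keeps the rule narrow enough to be useful on a busy host.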

Dynamic analysis of Dharma 2.0

Wadhrama 2.0.exe creates two SQLite database files, ‘about.db’ and ‘about.db-journal’, in <%users\administrator\appdata\local\temp%>. It creates a copy of itself in <%system32%> and <%startup%>, and adds the extension ‘[bitlocker@foxmail.com ].wiki’ to the end of all encrypted files:

c:\users\administrator\appdata\local\temp\about.db
c:\users\administrator\appdata\local\temp\about.db-journal
c:\windows\system32\Wadhrama 2.0.exe
c:\users\administrator\appdata\roaming\microsoft\windows\start menu\programs\startup\Wadhrama 2.0.exe
c:\programdata\microsoft\windows\start menu\programs\startup\Wadhrama 2.0.exe
c:\$recycle.bin\s-1-5-21-2565079894-3367861067-2626173844-500\desktop.ini.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\boot\bootstat.dat.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\bootsect.bak.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\msocache\all users\{90120000-0012-0000-0000-0000000ff1ce}-c\office64ww.xml.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\config.sys.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\msocache\all users\{90120000-0012-0000-0000-0000000ff1ce}-c\setup.xml.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\autoexec.bat.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\$recycle.bin\s-1-5-21-2565079894-3367861067-2626173844-500\$r1vq4s7.exe.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
c:\$recycle.bin\s-1-5-21-2565079894-3367861067-2626173844-500\$i1vq4s7.exe.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki
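The listing above shows the naming scheme the sample applies to every encrypted file: the original name, then ‘.id-’ and a victim identifier, then the contact address in square brackets, then ‘.wiki’. For incident triage it is useful to recognise that pattern programmatically, recover the original file names and group hits by victim ID. The following is an added example (not code from the original post or from Comodo); it takes three paths from the listing above plus two constructed clean paths, and assumes the suffix shape shown here holds for the sample.

```python
"""Triage helper for the encrypted-file naming scheme seen in the listing:
<original name>.id-<victim id>.[<contact e-mail>].wiki

Added example, not code from the original post. The path list is constructed
from three paths quoted above plus two untouched files.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: three paths from the listing above and two clean files.
SAMPLE_PATHS = [
    r"c:\boot\bootstat.dat.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki",
    r"c:\config.sys.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki",
    r"c:\autoexec.bat.id-5A3EBE7D.[bitlocker@foxmail.com ].wiki",
    r"c:\windows\system32\Wadhrama 2.0.exe",
    r"c:\users\administrator\documents\report.docx",
]

# Suffix appended by the sample: ".id-<hex id>.[<contact, possibly padded>].wiki"
ENCRYPTED_SUFFIX = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]+)"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>wiki)$"
)


def parse_encrypted_name(path: str) -> Optional[Dict[str, str]]:
    """Split an encrypted path into original name, victim id and contact address.
    Returns None when the path does not carry the suffix."""
    m = ENCRYPTED_SUFFIX.match(path)
    if not m:
        return None
    return {
        "original": m.group("original"),
        "victim_id": m.group("victim_id").upper(),
        # the sample's contact string carries a trailing space; strip it for grouping
        "contact": m.group("contact").strip(),
        "ext": m.group("ext"),
    }


def summarize(paths: List[str]) -> Dict[str, object]:
    """Count encrypted files and group them by victim id and contact address."""
    parsed = [p for p in (parse_encrypted_name(x) for x in paths) if p]
    return {
        "encrypted": len(parsed),
        "untouched": len(paths) - len(parsed),
        "victim_ids": Counter(p["victim_id"] for p in parsed),
        "contacts": Counter(p["contact"] for p in parsed),
        "originals": [p["original"] for p in parsed],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

Grouping by victim ID matters when more than one infected host writes to the same share: each host gets its own identifier, so the counter separates them even though the contact address is the same.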

Static analysis of Dharma 2.0

The cybersecurity team tested the encryption complexity of Dharma 2.0 by creating three identical, 5 line text files with the following content:

We named the three files ‘autorun.inf’, ‘boot.sdi’ and ‘bootsect.exe’ and moved each to a different location. Because the files are all the same type and size and have the same content, they all share the same SHA1 signature – 9ea0e7343beea0d319bc03e27feb6029dde0bd96.

This is a screenshot of the files before encryption by Dharma:

After encryption, each has a different file size and signature:

Dharma 2.0 payload 

• Dharma 2.0 creates two database files called ‘about.db’ and ‘about.db-journal’ in ‘<%AppData%>\\local\\temp’. The files are SQLite files and contain the following tables – ‘setting’ and ‘keymap’. The databases allow remote admin commands such as /eject/eject<disk>, /runas/runas<application>, /syserr/syserr<error code>, /url/url<link>, /runscreensaver/runscreensaverd, /shutdisplay/shutdisplayd, /edithost/edithostsd, /restart/restard, /shutdown/shutdownd, /logoff/logoffd, /lock/lockd, /quit/quitd, /config/configd and /about/aboutd.

• Dharma 2.0 creates two mutex objects called ‘Global\\syncronize_261OR3A’ and ‘Global\\syncronize_261OR3U’. Mutex objects limit the number of processes that can access a specific piece of data. This effectively locks the data from other processes so the encryption can go ahead uninterrupted.

• Dharma 2.0 searches for the following file extensions to encrypt:
◦ Personal document file formats: ‘doc(.doc;.docx,.pdf;.xls;.xlss;.ppt;)’
◦ Archive files format: ‘arc(.zip;.rar;.bz2;.7z;)’
◦ Database files format: ‘dbf(.dbf;)’
◦ SafeDis encryption file format: ‘1c8(.1cd;)’
◦ Image file format: ‘jpg(.jpg;)’
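The extension groups above are written in a compact ‘name(.ext;.ext;)’ form. The following is an added example (not code from the original post or from Comodo) of a parser for exactly those strings, copied as quoted above, followed by a check of which files in a constructed directory listing fall inside the targeted set. The comma that the page shows in the ‘doc’ group is treated as a separator alongside ‘;’ so that no listed extension is lost.

```python
"""Parser for the 'name(.ext;.ext;)' extension-group strings quoted above, plus
a check of which files on a host would be in scope for encryption.

Added example, not code from the original post. The group strings are copied
from the list above; the file list is constructed.
"""
import re
from typing import Dict, List, Optional, Set

# Group strings exactly as quoted in the post.
EXTENSION_GROUPS = [
    "doc(.doc;.docx,.pdf;.xls;.xlss;.ppt;)",
    "arc(.zip;.rar;.bz2;.7z;)",
    "dbf(.dbf;)",
    "1c8(.1cd;)",
    "jpg(.jpg;)",
]

GROUP_RE = re.compile(r"^\s*(?P<name>[^()\s]+)\((?P<body>[^()]*)\)\s*$")


def parse_group(spec: str) -> Dict[str, Set[str]]:
    """Turn 'name(.a;.b;)' into {'name': {'.a', '.b'}}; separators are ';' or ','."""
    m = GROUP_RE.match(spec)
    if not m:
        raise ValueError(f"unrecognised group string: {spec!r}")
    exts = {e.strip().lower() for e in re.split(r"[;,]", m.group("body")) if e.strip()}
    return {m.group("name"): exts}


def build_extension_map(specs: List[str]) -> Dict[str, str]:
    """Map each extension to the group that targets it."""
    ext_to_group: Dict[str, str] = {}
    for spec in specs:
        for name, exts in parse_group(spec).items():
            for ext in exts:
                ext_to_group[ext] = name
    return ext_to_group


def targeted_group(path: str, ext_map: Dict[str, str]) -> Optional[str]:
    """Return the group name if the file's extension is targeted, else None."""
    dot = path.rfind(".")
    if dot == -1 or dot < path.rfind("\\"):
        return None  # no extension, or the dot belongs to a directory name
    return ext_map.get(path[dot:].lower())


# Constructed file list for the check.
SAMPLE_FILES = [
    r"c:\users\alice\documents\invoice.PDF",
    r"c:\users\alice\pictures\holiday.jpg",
    r"c:\backups\site.7z",
    r"c:\windows\system32\kernel32.dll",
    r"c:\data\customers.dbf",
    r"c:\notes\readme.txt",
]


def classify_files(paths: List[str]) -> Dict[str, str]:
    """Map each targeted path to its group; untargeted paths are left out."""
    ext_map = build_extension_map(EXTENSION_GROUPS)
    result = {}
    for p in paths:
        g = targeted_group(p, ext_map)
        if g:
            result[p] = g
    return result


if __name__ == "__main__":
    for path, group in classify_files(SAMPLE_FILES).items():
        print(f"{group:4s} {path}")
```

Matching is case-insensitive, which is why ‘invoice.PDF’ is picked up; a defender using the same map to prioritise backups or file-integrity monitoring should keep that behaviour.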

• It also searches out well-known database, mail and server software:

◦ ‘1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;’

◦ ‘FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;Sqlserveradhelper;’

• Dharma 2.0 copies itself into three different locations:
◦ ‘%appdata%’
◦ ‘%windir%\\system32’
◦ ‘%sh(Startup)%’

• It creates a pipe, ‘%comspec%’, with the command ‘C:\\windows\\system32\\cmd.exe’:

• It collects details about boot files such as ‘boot.ini’, ‘bootfont.bin’, and others:

• The ransom note text is saved in a file called ‘FILES ENCRYPTED.txt’:

• ‘Info.hta’ displays the ransom message to the victim:

• The encryption extension is drawn from the buffer ‘.[bitlocker@foxmail.com]’

• Dharma then creates an encrypted version of the original file with the new extension:


• It subsequently deletes the original file and repeats the loop until every drive and file has been encrypted. The final encrypted files look as follows:

• This is the ransom message shown to the victim when they next boot their computer:
