Bajrang Mane

An analysis of the Dharma ransomware outbreak by Quick Heal Security Labs

May 2, 2018
  • 25
Estimated reading time: 7 minutes

On April 25, 2018, Quick Heal Security Labs issued an advisory on a new ransomware outbreak. We are observing a sudden spike of Dharma Ransomware. Even though Dharma ransomware is old, we observed its new variant which is encrypting files and appending the “.arrow” extension to it. Previously the encrypted files were having the “.dharma” extension.

Infection Vector

As specified in the advisory, along with the RDP brute force attack, we suspect that any one of the below infection vectors can be used to spread the ransomware.

  1. Spam and phishing emails
  2. Exploit Kits
  3. SMB vulnerabilities like (EternalBlue, etc.)
  4. Drive-by-downloads
  5. Dropped by other malware

So, largely we will categorize these infection vectors into two categories.

  • Vector 1 – RDP Brute Force Attack
  • Vector 2 – Other Suspicious means

Let’s take a look at these infection vectors in detail.

Vector 1 – RDP Brute Force Attack

In this vector, the Remote Desktop Protocol (RDP) running on port 3389, is targeted with a typical brute force attack. As a result of the brute force, the attacker gets hold of victim’s administrative user credentials. Once credentials are obtained he gets the ability to carry out any type of attack. In this case, ransomware is used to infect the system. Also, it’s observed, before executing the ransomware payload it uninstalls the security software installed on the system.

We strongly advise our users to protect themselves by applying the below-mentioned firewall policies in Quick Heal/Seqrite firewall feature.

  • Deny access to Public IPs to important ports (in this case RDP port 3389)
  • Allow access to only IPs which are under your control
  • Along with blocking RDP port, we also suggest blocking SMB port 445. In general, it’s advised to block unused ports.

Get more such safety measures here.

Vector 2 – Other suspicious means

Here the source of infection is unknown but when we started analyzing the attack chain, it landed us on an interesting set of entries in victim’s registry. These were autorun PowerShell script entries in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services. Which drops and execute multiple malicious components. Below are the different components observed.

  • Inf.exe – It enables RDP and runs sticky key exploit.
  • i.exe – Gets the list of IP addressed from APR cache and sends to CnC server.
  • ipcheck.exe – It also finds out the list of IP address and passes on to ‘sc.exe’.
  • sc.exe – This is WannaCry scanner tool which runs on the list of IP address passed by ‘ipcheck.exe’. This gives a list of vulnerable machines, this list is sent to CnC server by ‘ipcheck.exe’.
  • rc.exe – This is main payload i.e Dharma ransomware

Malicious registry entries

Below were the malicious registry entries found.

Fig 1. Powershell autorun registry entries


The ‘inf.exe’ component is mainly used to enable the Remote Desktop Protocol (RDP) on the victim’s machine.

It pretends itself as genuine Microsoft Corporations dllhost file. More details are as shown in the figure below.

Fig 2. Fake version information of ‘inf.exe’ and ‘dllhost.exe’

Once executed it drops self-copy at ‘%system32%\DllHost\dllhost.exe

It registers itself as a service for autorun on the next boot with name “COM Surrogate” as follows

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM Surrogate]

“ImagePath”=C:\Windows\system32\DllHost\DllHost s

“DisplayName”=”COM Surrogate”

Malware executes following steps to Enable RDP.

Adds/Modify Registry Keys:

HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 0

HKLM\System\CurrentControlSet\Control\Terminal Server\AllowTSConnections = 0

Executes Commands:

Fig 3. Enable Remote desktop

Once RDP has enabled it creates a new user from one of the hardcoded username list and randomly generates a password for it. Further, it gives administrative privileges to the newly created user account and enables this account for the remote session. Figure 4 shows the commands used to perform above-mentioned activities.

Fig 4. Create a new user on the victim’s machine

Here is a hardcoded list of usernames:

Fig 5. Hard-coded list of usernames

It connects to a CnC server and sends victim’s data.

Fig 6. Sends users data to the CnC server

The POST parameters sent to CnC are as follows:

bits: Processor 32/64 bit
cpun: CPU details
osv: OS Version
username: Username of created account
userpass: Password of created account.

The server looks like a server of an infobot hosted at ‘hxxp://’.

i.exe / ipcheck.exe and sc.exe

Both components scan for a vulnerability in the systems present in the network and send the information to the server mentioned above.

i.exe / ipcheck.exe check for IPs present in ARP cache with the following command:

Fig 7. Command to check IPs present in ARP cache


Fig 8. Output: IPs present in ARP cache

It creates a pipe to save the above data. It reads the output and extract the IPs from it and give it as input to the sc.exe.

‘sc.exe’ is a vulnerability scanner, it scans the IP given as input for WannaCry vulnerability and saves the result into out.txt.

‘sc.exe’ is a WannaCry scanner tool by BiZone and it’s a vulnerability scanner for MS17-010 vulnerabilities.

Fig 9. WannaCry scanner tool

Command executed:

Fig 10. WannaCry scanner tool scanning for ip.

The above command is executed for every IP present in the ARP cache list.

Output from command in the above figure is saved in the out.txt in the working directory:

Fig 11. Output of WannaCry scanner tool.

i.exe/ipcheck.exe then parse “out.txt” to check for the vulnerable systems present in ARP caches IP list and then send the count of the vulnerable system to the server i.e. hxxp:// shown in the figure below.

Fig 12. Sends the vulnerable system’s information to the server

Above is the data send to the IP, number of vulnerable systems i.e. 9.


The rc.exe is main payload i.e., Dharma ransomware. This variant appends the extension ‘.arrow’ to the files it encrypts.

Once executed, it uses the below command to disable Windows’ repair and backup option using vssadmin.exe.

C:\Windows\system32\vssadmin.exe, vssadmin delete shadows /all /quiet

It uses the below command i.e. which is a genuine process of Windows.

C:\Windows\system32\, mode con cp select=1251

Fig. 13 Command to delete the backup files.

After execution of the above commands, Dharma ransomware starts its encryption activity. During our analysis, we found that that the ransomware basically encrypts both PE and Non-PE files and the extensions which it successfully encrypts while generating the scenario are as follows.


If the file size is greater than 98304 bytes, the ransomware overwrites this file with encrypted content else creates a new file with encrypted content and deletes the old one. The ransomware encrypts all the above-mentioned extension files using AES 256 algorithm. The AES key is further encrypted with an RSA 1024. This encrypted AES key is kept at the end of the encrypted file.

The dropped infection marker files and encrypted files have the following pattern.

Fig. 14 Encrypted files Extension.

From the dropped infection marker files, .hta file has a ransom note.

Dharma’s ransom note

Fig. 15 Ransom note

Indicators of compromise:



We recommend our users to apply the latest Microsoft update packages and keep their antivirus up-to-date.

Subject Matter Experts

Prakash Galande, Pandurang Terkar, Dhwanit Shrivastava | Quick Heal Security Labs

  • 25

Have something to add to this story? Share it in the comments.

Bajrang Mane
About Bajrang Mane
Bajrang Mane is leading the Threat Analysis, Incident response, and Automation teams in Quick Heal Security Labs. Having spent 13 years in the IT security industry,...
Articles by Bajrang Mane »

No Comments, Be The First!

Your email address will not be published.