in ransomware/artifact.lua [2037:2085]
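--- Build the list of canary (decoy) file descriptors used for ransomware detection.
--
-- For every combination of canary directory name, base file name and
-- extension, one canary is created under each user profile returned by
-- utils.GetAllUserProfiles(), plus one under the parent of the Windows
-- directory. All canaries share the content produced by
-- globals.CreateCanaryContent().
--
-- This function only constructs objects through globals.Canary(path, content);
-- whether that constructor touches the disk is not visible from here.
--
-- NOTE(review): directory and file names are hard-coded constants, so canary
-- coverage is best treated as one detection signal among several.
--
-- @treturn table sequence of values returned by globals.Canary, ordered by
--   directory name, file name, extension, then user profiles followed by the
--   system-level path.
function globals.BuildCanaries()
    local canaries = {}
    local canaryExtensions = {'txt', 'doc', 'docx', 'docm', 'dot', 'xls', 'xlsx', 'xlsm', 'ppt', 'pptx', 'pptm'}
    local canaryContent = globals.CreateCanaryContent()

    -- {F38BF404-1D43-42F2-9305-67DE0B28FC23} is FOLDERID_Windows; the '\\..\\'
    -- appended below therefore targets the parent of the Windows directory.
    -- NOTE(review): if GetKnownFolderPath can return nil, the concatenation
    -- below raises an error -- confirm its failure contract.
    local windowsPath = GetKnownFolderPath('{F38BF404-1D43-42F2-9305-67DE0B28FC23}')

    -- Diagnostic mode uses its own set of names so that diagnostic canaries are
    -- distinguishable from production ones. The 'aa'/'zz' prefixes presumably
    -- place the directories first and last in an alphabetical listing -- confirm.
    local canaryDirNames, canaryFileNames
    if globals.namespace.diagnosticMode then
        canaryDirNames = {
            'aaAntiRansomElastic-DO-NOT-TOUCH-def6d40c-a6a1-442c-adc4-9d57a47e58d7',
            'zzAntiRansomElastic-DO-NOT-TOUCH-def6d40c-a6a1-442c-adc4-9d57a47e58d7'
        }
        canaryFileNames = {'AntiRansomElastic-DO-NOT-TOUCH-def8452b-fc17-414d-afb6-ddeceb5ec54c'}
    else
        canaryDirNames = {
            'aaAntiRansomElastic-DO-NOT-TOUCH-dab6d40c-a6a1-442c-adc4-9d57a47e58d7',
            'zzAntiRansomElastic-DO-NOT-TOUCH-dab6d40c-a6a1-442c-adc4-9d57a47e58d7'
        }
        canaryFileNames = {'AntiRansomElastic-DO-NOT-TOUCH-4568452b-fc17-414d-afb6-ddeceb5ec54c'}
    end

    -- The profile list does not depend on the loop variables, so enumerate it
    -- once instead of once per (directory, file, extension) combination.
    local userProfiles = utils.GetAllUserProfiles()

    for _, dirName in ipairs(canaryDirNames) do
        for _, fileName in ipairs(canaryFileNames) do
            for _, ext in ipairs(canaryExtensions) do
                local canaryFileName = fileName .. '.' .. ext

                -- One canary per user profile.
                for _, userProfile in ipairs(userProfiles) do
                    local profilePath = userProfile .. '\\' .. dirName .. '\\' .. canaryFileName
                    canaries[#canaries + 1] = globals.Canary(profilePath, canaryContent)
                end

                -- One canary next to the Windows directory (its parent folder).
                local systemPath = windowsPath .. '\\..\\' .. dirName .. '\\' .. canaryFileName
                canaries[#canaries + 1] = globals.Canary(systemPath, canaryContent)
            end
        end
    end

    return canaries
end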