Before attempting to download files, the Sheriff Main Module uploads a log message containing the victim's public IP address and the list of loaded modules. The log is XOR-encrypted with the victim ID, which consists of the GUID (taken from the arguments or randomly generated) and the serial number. After encryption, the log is uploaded to a Dropbox folder named after the victim ID. Because the folder name is the XOR key, anyone with access to the Dropbox account can decrypt every uploaded log.
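As an added example, not code from the sample or from the original write-up, the following Go program models the log step. It assumes that the victim ID is the GUID and the serial number concatenated without a separator, that the XOR is a repeating-key XOR over the whole message, and that the log has the field layout shown; the IP, GUID, serial and module names are constructed values.

```go
package main

import (
	"fmt"
	"strings"
)

// VictimID is the GUID (from the arguments or randomly generated) joined with
// the serial number. Plain concatenation with no separator is an assumption.
func VictimID(guid, serial string) string {
	return guid + serial
}

// XORWithKey applies a repeating-key XOR; the same call encrypts and decrypts.
// The page only says "XOR-encrypted using the victim ID", so repeating-key
// XOR over the whole message is an assumption.
func XORWithKey(data []byte, key string) []byte {
	out := make([]byte, len(data))
	if len(key) == 0 {
		copy(out, data) // guard: an empty key would otherwise divide by zero
		return out
	}
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// BuildLog formats the first log message: public IP plus loaded modules.
// The exact field layout is a constructed placeholder, not the sample's format.
func BuildLog(publicIP string, modules []string) string {
	return fmt.Sprintf("ip=%s;modules=%s", publicIP, strings.Join(modules, ","))
}

// EncryptLog returns the XOR-encrypted log and the Dropbox folder it goes to.
func EncryptLog(guid, serial, publicIP string, modules []string) (ciphertext []byte, folder string) {
	id := VictimID(guid, serial)
	return XORWithKey([]byte(BuildLog(publicIP, modules)), id), "/" + id + "/"
}

// DecryptFromFolder recovers the log using nothing but the folder name and the
// ciphertext: the key is the folder name, so anyone with access to the Dropbox
// account (the operator, or an analyst holding the token) can read every log.
func DecryptFromFolder(folder string, ciphertext []byte) string {
	return string(XORWithKey(ciphertext, strings.Trim(folder, "/")))
}

func main() {
	// Constructed sample values; none come from the analyzed sample.
	ct, folder := EncryptLog("7d2e8a4c-1b9f-4c3e-a5d6-0f1e2d3c4b5a", "SN0042",
		"203.0.113.5", []string{"Main", "Screen"})
	fmt.Printf("upload to %s (%d bytes)\n", folder, len(ct))
	fmt.Println("recovered:", DecryptFromFolder(folder, ct))
}
```

When checking the assumed key derivation against a captured log, XORWithKey(ciphertext, knownPlaintext) returns the key stream: if the log starts with a predictable prefix, the recovered bytes should repeat the folder name.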

All files are retrieved from the Dropbox folder /<victim_id>/Dow/ and downloaded to the local "ModulsFolder", hardcoded as "/DxyVS1". After download, all files are immediately deleted from Dropbox. Next, we discuss how the main module handles the downloaded files.

The upload process begins by enumerating all local files in the "UploadLocalFolder", hardcoded in this sample as "/gyTufW". Depending on their extensions, they are sorted into three categories:

- files using the hardcoded "_defaultZipExt" .d7r are already zipped;
- files without an extension are already encrypted and ready for upload;
- all other files are still in clear text.

The function "PreparingForUpload" then compresses all clear-text files into a new ZIP file. Every ZIP file is subsequently encrypted with a randomly generated AES key, which is in turn encrypted with the public RSA key and concatenated with the encrypted file. This is a standard hybrid scheme: without the corresponding private RSA key, neither the AES key nor the data can be recovered, so, unlike the XOR-encrypted logs, the uploaded files cannot be read from the Dropbox account alone. During execution, the function deletes residual files from the folder until only fully compressed and encrypted files remain. These are then uploaded to the Dropbox folder /<victim_id>/Up/ and deleted locally.
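An added example, not the sample's code or the original write-up's: a Go model of the upload staging described above, from the three-way classification through the hybrid encryption. The page states only that clear-text files are zipped, that a random AES key encrypts each ZIP, that the RSA public key encrypts the AES key, and that the two are concatenated; AES-256-GCM, RSA-OAEP with SHA-256, the layout [wrapped key][nonce][ciphertext] and the archive name bundle.d7r are assumptions made here.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"path"
	"strings"
)

const defaultZipExt = ".d7r" // the sample's "_defaultZipExt"
const nonceSize = 12         // cipher.NewGCM uses 12-byte nonces

// StagedFile is one entry of the local upload folder: name plus content.
type StagedFile struct {
	Name string
	Data []byte
}

// EncryptForUpload: a random AES key encrypts the ZIP, the RSA public key wraps
// that key, and the output is [RSA-OAEP wrapped key][GCM nonce][ciphertext].
// AES-256-GCM, OAEP/SHA-256 and this layout are assumptions, not page facts.
func EncryptForUpload(pub *rsa.PublicKey, zipData []byte) ([]byte, error) {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand.Read never returns an error on Go 1.24+
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, nonceSize)
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append(wrapped, nonce...), nonce, zipData, nil), nil
}

// DecryptUpload is the operator side: only the RSA private key recovers the AES
// key. The wrapped key is priv.Size() bytes; truncated blobs are rejected.
func DecryptUpload(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	n := priv.Size()
	if len(blob) < n+nonceSize {
		return nil, errors.New("blob too short for wrapped key and nonce")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:n], nil)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, errors.New("unwrapped key has wrong length")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, blob[n:n+nonceSize], blob[n+nonceSize:], nil)
}

// PrepareForUpload mirrors "PreparingForUpload": clear-text files go into one new
// ZIP ("bundle.d7r" is a constructed name), every .d7r is then encrypted and
// loses its extension, so only extension-less (encrypted) files are returned.
func PrepareForUpload(pub *rsa.PublicKey, folder []StagedFile) ([]StagedFile, error) {
	var clear, zips, ready []StagedFile
	for _, f := range folder {
		switch path.Ext(f.Name) {
		case defaultZipExt:
			zips = append(zips, f)
		case "":
			ready = append(ready, f) // already encrypted: upload as-is
		default:
			clear = append(clear, f)
		}
	}
	if len(clear) > 0 {
		var buf bytes.Buffer
		w := zip.NewWriter(&buf)
		for _, f := range clear {
			entry, err := w.Create(f.Name)
			if err != nil {
				return nil, err
			}
			entry.Write(f.Data) // backed by bytes.Buffer: cannot fail
		}
		if err := w.Close(); err != nil {
			return nil, err
		}
		zips = append(zips, StagedFile{"bundle" + defaultZipExt, buf.Bytes()})
	}
	for _, z := range zips {
		enc, err := EncryptForUpload(pub, z.Data)
		if err != nil {
			return nil, err
		}
		ready = append(ready, StagedFile{strings.TrimSuffix(z.Name, defaultZipExt), enc})
	}
	return ready, nil
}
```

DecryptUpload returns an error rather than panicking on a truncated blob, a wrong-length unwrapped key or the wrong private key, which matters when recovered Dropbox contents are pushed through a decryptor in bulk; the length checks are what the malware's own operator tooling would not need but an analyst's does.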

Both the upload and download functions are executed asynchronously and run on a timer, hardcoded to 30 seconds in the analyzed sample; the resulting fixed-interval polling of the Dropbox API is a useful network-level detection signal.

At the time of investigation, the Dropbox account no longer hosted any files, as indicated by its space usage: