- master_private_key - unlocks all victims' session_keys (at least for this sample)
- master_public_key - encrypts the session_key (RSA-2048)
- session_key - unlocks all files: it unwraps file_key, filesize_key, and filename_key (RC4)
- file_key - unlocks a specific file's contents (AES-256)
- filesize_key - unlocks the original filesize (Salsa20)
- filename_key - unlocks the original filename (Salsa20)
- Ransom note contains RSA(session_key, master_public_key)
- All keys (with the exception of the master key pair) are generated securely by RNGCryptoServiceProvider, aka CryptGenRandom
- File Format (spaced for readability)
- ----------------------
- <AES(filebytes, file_key)> : 0x00 to EOF-0x200 (everything before the trailer; the trailer fields below add up to 0x200 bytes)
- <first 16 original bytes> : 0x10 bytes
- <last 16 original bytes> : 0x10 bytes
- <RC4(file_key, session_key)> : 0x20 bytes
- <SHA256(file_key)> : 0x20 bytes
- <Salsa20(filesize, filesize_key)> : 0x20 bytes
- <RC4(filesize_key, session_key)> : 0x20 bytes
- <SHA256(filesize_key)> : 0x20 bytes
- <Salsa20(filename, filename_key)> : 0x100 bytes
- <RC4(filename_key, session_key)> : 0x20 bytes
- <SHA256(filename_key)> : 0x20 bytes
- ----------------------
- Or pseudo-struct (BYTE is the Windows unsigned char typedef; the first member is variable-length on disk, filesize - 0x200 bytes, and is written as a pointer only for readability):

    typedef unsigned char BYTE;

    struct KrakenEncryptedFile {
        BYTE *AesEncryptedFileBytes;          /* AES-256(filebytes, file_key), length = filesize - 0x200 */
        BYTE FirstOriginalBlock[0x10];        /* first 16 plaintext bytes */
        BYTE LastOriginalBlock[0x10];         /* last 16 plaintext bytes */
        BYTE Rc4EncryptedAesKey[0x20];        /* RC4(file_key, session_key) */
        BYTE Sha256HashedAesKey[0x20];        /* SHA256(file_key) */
        BYTE Salsa20EncryptedFileSize[0x20];  /* Salsa20(filesize, filesize_key) */
        BYTE Rc4EncryptedFileSizeKey[0x20];   /* RC4(filesize_key, session_key) */
        BYTE Sha256HashedFileSizeKey[0x20];   /* SHA256(filesize_key) */
        BYTE Salsa20EncryptedFileName[0x100]; /* Salsa20(filename, filename_key) */
        BYTE Rc4EncryptedFileNameKey[0x20];   /* RC4(filename_key, session_key) */
        BYTE Sha256HashedFileNameKey[0x20];   /* SHA256(filename_key) */
    };
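The layout above is enough to write a trailer parser and a key-verification routine: because each per-file key is stored both RC4-wrapped under the session_key and as a SHA-256 hash, a decryption tool can check a candidate session_key against the trailer alone, without touching the AES body. The following is an added Python example (not code from the paste or from the malware): it builds a constructed sample file whose AES body and Salsa20 fields are placeholder bytes, because only the key-wrapping layer is exercised, then parses the 0x200-byte trailer and confirms the unwrapped keys against their stored hashes. The key values and field names are the example's own constructions.

```python
import hashlib

TRAILER_LEN = 0x200  # the fixed-size fields after the AES body sum to this

# (field name, length) in on-disk order, taken from the file-format notes above
TRAILER_LAYOUT = [
    ("first_original_block", 0x10),
    ("last_original_block", 0x10),
    ("rc4_file_key", 0x20),
    ("sha256_file_key", 0x20),
    ("salsa20_filesize", 0x20),
    ("rc4_filesize_key", 0x20),
    ("sha256_filesize_key", 0x20),
    ("salsa20_filename", 0x100),
    ("rc4_filename_key", 0x20),
    ("sha256_filename_key", 0x20),
]
assert sum(size for _, size in TRAILER_LAYOUT) == TRAILER_LEN

# (logical key, wrapped field, hash field): the three keys the session_key unwraps
KEY_SLOTS = [
    ("file_key", "rc4_file_key", "sha256_file_key"),
    ("filesize_key", "rc4_filesize_key", "sha256_filesize_key"),
    ("filename_key", "rc4_filename_key", "sha256_filename_key"),
]

# Constructed sample keys for the demonstration (not real values from any sample)
SESSION_KEY = bytes(range(0, 32))
FILE_KEY = bytes(range(32, 64))
FILESIZE_KEY = bytes(range(64, 96))
FILENAME_KEY = bytes(range(96, 128))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). RC4 is symmetric, so the same call wraps and unwraps."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_encrypted_file(blob: bytes) -> dict:
    """Split an encrypted file into the AES body and the named trailer fields."""
    if len(blob) < TRAILER_LEN:
        raise ValueError("too short to carry a 0x200-byte trailer")
    body, trailer = blob[:-TRAILER_LEN], blob[-TRAILER_LEN:]
    fields = {"aes_body": body}
    offset = 0
    for name, size in TRAILER_LAYOUT:
        fields[name] = trailer[offset:offset + size]
        offset += size
    return fields


def unwrap_key(fields: dict, wrapped_name: str, hash_name: str, session_key: bytes):
    """RC4-unwrap one key with a candidate session_key; return it only if SHA-256 matches the stored hash."""
    candidate = rc4(session_key, fields[wrapped_name])
    if hashlib.sha256(candidate).digest() == fields[hash_name]:
        return candidate
    return None


def recover_keys(fields: dict, session_key: bytes) -> dict:
    """Try the candidate session_key against all three wrapped keys; None marks a hash mismatch."""
    return {name: unwrap_key(fields, wrapped, hashed, session_key)
            for name, wrapped, hashed in KEY_SLOTS}


def build_sample_file(session_key, file_key, filesize_key, filename_key, body=b"\xAA" * 64) -> bytes:
    """Constructed sample: body and Salsa20 fields are filler, only the key-wrapping layer is real."""
    wrap = lambda k: rc4(session_key, k)
    digest = lambda k: hashlib.sha256(k).digest()
    trailer = (
        b"\x01" * 0x10 + b"\x02" * 0x10             # first/last original block (filler)
        + wrap(file_key) + digest(file_key)
        + b"\x00" * 0x20 + wrap(filesize_key) + digest(filesize_key)   # Salsa20(filesize) filler
        + b"\x00" * 0x100 + wrap(filename_key) + digest(filename_key)  # Salsa20(filename) filler
    )
    assert len(trailer) == TRAILER_LEN
    return body + trailer


if __name__ == "__main__":
    sample = build_sample_file(SESSION_KEY, FILE_KEY, FILESIZE_KEY, FILENAME_KEY)
    fields = parse_encrypted_file(sample)
    print("good session_key:", recover_keys(fields, SESSION_KEY))
    print("wrong session_key:", recover_keys(fields, b"\x00" * 32))
```

The stored SHA-256 of each key is what makes this check possible: a candidate session_key (for example one recovered from a ransom note after the RSA layer is removed) can be validated against a single file's trailer before any bulk decryption is attempted, and a mismatch on all three slots means the candidate does not belong to that file.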