Packed sample: 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297

Files encrypted with Salsa20 using a custom-built matrix (8 calls of RtlRandomEx -> ULONG; skips Position = 0)
https://en.wikipedia.org/wiki/Salsa20#Structure

Keys (technically the matrix) encrypted using RSA-1024

# File Format

| Length | Description |
| --- | --- |
| ? | Salsa20(FileMatrix, FileContents) |
| 0x80 | RSA1024(PublicKey, Blob) |
| 0x10 | Checksum(RSA1024(PublicKey, Blob)) |

# Blob Format

| Length | Description |
| --- | --- |
| 0x40 | FileMatrix |
| 0x08 | OriginalFileSize |
| 0x08 | 0xFFFFFFFFFFFFFFFF |

Checksum function with optional compression (compression is only used for the ID):
1. CRC32 (IEEE polynomial) the input 5 times with initial value 0xDEADBEEF
2. Take each step's result (except the first) and concatenate them into a 16-byte buffer
3. (Optional) Compress by XORing the first half with the last half to get 8 bytes, then again to get 4 bytes

Checksum function in Python: https://gist.github.com/Demonslay335/f82b8d9f94040b875ceb2386f9533362

Victim's ID (used as the file extension and in the ransom note filename) is the Checksum (with compression) of the primary MAC address, converted to lowercase hex
ID: Checksum(MAC, true)

Mutex is created by running the Checksum function (without compression) on the malware's own executable
Mutex: "Global\" + Checksum(EXE, false)
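The checksum, ID, mutex and trailer layout above, implemented as an added Python example. This is not the code from the linked gist and not the malware's own routine; it follows the note's description with these assumptions: each CRC32 round is seeded with the previous round's result (round 1 with 0xDEADBEEF, using zlib's continue-from-CRC seed semantics), the four retained 32-bit results are concatenated little-endian, and the mutex renders the 16-byte checksum as lowercase hex like the ID does. The sample file, MAC and "executable" bytes are constructed for the demo; `parse_encrypted_file` is a triage helper that checks whether a file's trailer checksum matches `Checksum(RSA block, false)`, which is useful for confirming a file really carries this trailer before attempting any recovery.

```python
import zlib

# Constants taken from the note above
CRC_SEED = 0xDEADBEEF
CRC_ROUNDS = 5
RSA_BLOCK_LEN = 0x80      # RSA1024(PublicKey, Blob)
CHECKSUM_LEN = 0x10       # Checksum(RSA block) without compression = 16 bytes
TRAILER_LEN = RSA_BLOCK_LEN + CHECKSUM_LEN


def crc32_chain(data: bytes, rounds: int = CRC_ROUNDS, seed: int = CRC_SEED) -> list:
    """Run CRC32 (IEEE polynomial) over `data` `rounds` times.

    Assumption: each round is seeded with the previous round's result
    (round 1 with CRC_SEED), i.e. zlib.crc32(data, previous_crc).
    """
    results = []
    value = seed
    for _ in range(rounds):
        value = zlib.crc32(data, value) & 0xFFFFFFFF
        results.append(value)
    return results


def xor_halves(buf: bytes) -> bytes:
    """Fold a buffer in half by XORing its first half with its second half."""
    half = len(buf) // 2
    return bytes(a ^ b for a, b in zip(buf[:half], buf[half:]))


def checksum(data: bytes, compress: bool = False) -> bytes:
    """Checksum(data, compress) as described in the note.

    Steps 2..5 of the CRC chain are concatenated into 16 bytes (assumption:
    each 32-bit value is written little-endian, as it sits in memory on x86).
    With compress=True the buffer is folded twice: 16 -> 8 -> 4 bytes.
    """
    steps = crc32_chain(data)[1:]                    # drop the first step
    buf = b"".join(v.to_bytes(4, "little") for v in steps)
    if compress:
        buf = xor_halves(xor_halves(buf))
    return buf


def victim_id(mac: bytes) -> str:
    """ID = Checksum(MAC, true), rendered as lowercase hex (8 characters)."""
    return checksum(mac, compress=True).hex()


def mutex_name(exe_bytes: bytes) -> str:
    """Mutex = "Global\\" + Checksum(EXE, false).

    Assumption: the 16-byte checksum is rendered as lowercase hex like the ID.
    """
    return "Global\\" + checksum(exe_bytes, compress=False).hex()


def parse_encrypted_file(blob: bytes) -> dict:
    """Split an encrypted file into ciphertext, RSA block and stored checksum,
    and report whether the stored checksum equals Checksum(RSA block, false).
    A mismatch means the trailer is truncated, corrupted or from another variant.
    """
    if len(blob) < TRAILER_LEN:
        raise ValueError("file shorter than the %d-byte trailer" % TRAILER_LEN)
    ciphertext = blob[:-TRAILER_LEN]
    rsa_block = blob[-TRAILER_LEN:-CHECKSUM_LEN]
    stored = blob[-CHECKSUM_LEN:]
    return {
        "ciphertext_len": len(ciphertext),
        "rsa_block": rsa_block,
        "stored_checksum": stored,
        "checksum_ok": stored == checksum(rsa_block, compress=False),
    }


def build_sample_file(ciphertext: bytes, rsa_block: bytes) -> bytes:
    """Constructed test data: assemble a file in the described layout so the
    parser can be exercised offline without a real sample."""
    if len(rsa_block) != RSA_BLOCK_LEN:
        raise ValueError("RSA block must be %d bytes" % RSA_BLOCK_LEN)
    return ciphertext + rsa_block + checksum(rsa_block, compress=False)


if __name__ == "__main__":
    # Constructed inputs, not values from any real infection
    mac = bytes.fromhex("001122334455")
    print("ID:", victim_id(mac))
    print("Mutex:", mutex_name(b"not a real PE, constructed input"))
    sample = build_sample_file(b"A" * 100, bytes(range(RSA_BLOCK_LEN)))
    print("trailer ok:", parse_encrypted_file(sample)["checksum_ok"])
```

Because the CRC seeding and byte order are assumptions, compare the output of `victim_id` against a known ID/MAC pair from a real case before relying on it; the linked gist is the reference implementation to check against.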