SHOW:
|
|
- or go back to the newest paste.
| 1 | Packed sample: 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297 | |
| 2 | ||
| 3 | Files encrypted w/ Salsa20 using custom-built matrix (x8 calls of RtlRandomEx -> ULONG, skips Position = 0) | |
| 4 | https://en.wikipedia.org/wiki/Salsa20#Structure | |
| 5 | ||
| 6 | Keys (technically matrix) encrypted using RSA-1024 | |
| 7 | ||
| 8 | # File Format | |
| 9 | Length | Description | |
| 10 | --------------------- | |
| 11 | ? | Salsa20(FileMatrix, FileContents) | |
| 12 | 0x80 | RSA1024(PublicKey, Blob) | |
| 13 | 0x10 | Checksum(RSA1024(PublicKey, Blob)) | |
| 14 | ||
| 15 | # Blob Format | |
| 16 | Length | Description | |
| 17 | --------------------- | |
| 18 | 0x40 | FileMatrix | |
| 19 | 0x08 | OriginalFileSize | |
| 20 | 0x08 | 0xFFFFFFFFFFFFFFFF | |
| 21 | ||
| 22 | Checksum function with optional compression (only used for ID): | |
| 23 | 1. CRC32 (IEEE polynomial) input x5 times w/ initial value 0xDEADBEEF | |
| 24 | 2. Take each step (except first) and concat into 16 byte buffer | |
| 25 | 3. (Optional) Compress by XORing first half with last half to get 8 bytes, again to get 4 bytes | |
| 26 | ||
| 27 | Checksum function in Python: https://gist.github.com/Demonslay335/f82b8d9f94040b875ceb2386f9533362 | |
| 28 | ||
| 29 | Victim's ID (used as the extension and in the ransom note filename) is the Checksum (with compression) of the primary MAC address, converted to lowercase hex | |
| 30 | ID: Checksum(MAC, true) | |
| 31 | ||
| 32 | Mutex is created by running the Checksum function (without compression) on the malware's own executable | |
| 33 | Mutex: "Global\" + Checksum(EXE, false) |
