- Packed sample: 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297
- Files encrypted w/ Salsa20 using a custom-built matrix (x8 calls of RtlRandomEx -> ULONG, skips Position = 0)
- https://en.wikipedia.org/wiki/Salsa20#Structure
- Keys (technically the matrix) encrypted using RSA-1024

# File Format

| Length | Description |
|--------|-------------|
| ? | Salsa20(FileMatrix, FileContents) |
| 0x80 | RSA1024(PublicKey, Blob) |
| 0x10 | Checksum(RSA1024(PublicKey, Blob)) |

# Blob Format

| Length | Description |
|--------|-------------|
| 0x40 | FileMatrix |
| 0x08 | OriginalFileSize |
| 0x08 | 0xFFFFFFFFFFFFFFFF |

Checksum function with optional compression (compression only used for the ID):

1. CRC32 (IEEE polynomial) the input 5 times w/ initial value 0xDEADBEEF
2. Take each step (except the first) and concat into a 16-byte buffer
3. (Optional) Compress by XORing the first half with the last half to get 8 bytes, then again to get 4 bytes

Checksum function in Python: https://gist.github.com/Demonslay335/f82b8d9f94040b875ceb2386f9533362

- Victim's ID (used as the extension and in the ransom note filename) is the Checksum (with compression) of the primary MAC address, converted to lowercase hex
  - ID: Checksum(MAC, true)
- Mutex is created by running the Checksum function (without compression) on the malware's own executable
  - Mutex: "Global\" + Checksum(EXE, false)
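The following is an added worked example, not the author's gist and not code from the sample: it implements the five-round CRC32 checksum described above, derives the ID and mutex name from it, and splits a file into the ciphertext / RSA blob / checksum layout from the File Format table so the trailer checksum can be verified on a suspect file. Points the notes leave open are assumptions, labelled in the code: each CRC32 round seeds the next with the previous round's register (no final XOR), the four kept registers are packed little-endian, the RSA blob and its checksum are appended after the ciphertext in table order, OriginalFileSize is little-endian, and the mutex uses the same hex encoding as the ID. The sample ciphertext, RSA blob and plaintext Blob are constructed inline.

```python
import struct
import zlib  # only used to cross-check the raw CRC-32 against the standard one

CRC32_POLY_REFLECTED = 0xEDB88320  # IEEE 802.3 polynomial, bit-reversed for the table-driven form
CHECKSUM_INIT = 0xDEADBEEF         # initial register value stated in the notes
CHECKSUM_ROUNDS = 5
RSA_BLOB_LEN = 0x80                # RSA-1024 output
TRAILER_CHECKSUM_LEN = 0x10        # uncompressed checksum
MATRIX_LEN = 0x40                  # Salsa20 FileMatrix inside the Blob
BLOB_MARKER = b"\xff" * 8          # 0xFFFFFFFFFFFFFFFF terminator inside the Blob


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY_REFLECTED if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32_raw(data: bytes, init: int) -> int:
    """Reflected CRC-32 with an explicit register init and no final XOR.
    The standard CRC-32 equals crc32_raw(data, 0xFFFFFFFF) ^ 0xFFFFFFFF."""
    crc = init & 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc


def matches_standard_crc(data: bytes) -> bool:
    """Sanity check that crc32_raw agrees with zlib's CRC-32 for the standard parameters."""
    return (crc32_raw(data, 0xFFFFFFFF) ^ 0xFFFFFFFF) == (zlib.crc32(data) & 0xFFFFFFFF)


def checksum(data: bytes, compress: bool) -> bytes:
    """CRC32 the input 5 times starting at 0xDEADBEEF, keep rounds 2..5 (16 bytes),
    optionally folding 16 -> 8 -> 4 bytes by XORing halves.
    Assumption: each round seeds the next with the previous register, little-endian packing."""
    steps = []
    reg = CHECKSUM_INIT
    for _ in range(CHECKSUM_ROUNDS):
        reg = crc32_raw(data, reg)
        steps.append(reg)
    buf = b"".join(struct.pack("<I", s) for s in steps[1:])  # drop the first step: 4 x 4 = 16 bytes
    if compress:
        buf = bytes(a ^ b for a, b in zip(buf[:8], buf[8:]))  # 16 -> 8
        buf = bytes(a ^ b for a, b in zip(buf[:4], buf[4:]))  # 8 -> 4
    return buf


def victim_id(mac: bytes) -> str:
    """ID = Checksum(MAC, true) as lowercase hex (8 hex characters)."""
    return checksum(mac, True).hex()


def mutex_name(exe: bytes) -> str:
    """Mutex = "Global\\" + Checksum(EXE, false). Assumption: hex-encoded like the ID."""
    return "Global\\" + checksum(exe, False).hex()


def parse_encrypted_file(data: bytes):
    """Split a file into (ciphertext, rsa_blob, trailer_checksum, checksum_ok).
    Assumption: the RSA blob and its checksum follow the ciphertext, in table order."""
    trailer_len = RSA_BLOB_LEN + TRAILER_CHECKSUM_LEN
    if len(data) < trailer_len:
        raise ValueError("too short to carry the RSA blob and checksum trailer")
    ciphertext = data[:-trailer_len]
    rsa_blob = data[-trailer_len:-TRAILER_CHECKSUM_LEN]
    trailer = data[-TRAILER_CHECKSUM_LEN:]
    return ciphertext, rsa_blob, trailer, checksum(rsa_blob, False) == trailer


def parse_blob(blob: bytes):
    """Decode the 0x50-byte plaintext Blob (what RSA decryption would yield): (FileMatrix, OriginalFileSize).
    Assumption: OriginalFileSize is little-endian."""
    matrix = blob[:MATRIX_LEN]
    size = struct.unpack_from("<Q", blob, MATRIX_LEN)[0]
    marker = blob[MATRIX_LEN + 8:MATRIX_LEN + 16]
    if marker != BLOB_MARKER:
        raise ValueError("blob marker mismatch: not the expected 0xFFFFFFFFFFFFFFFF")
    return matrix, size


def build_sample_file(ciphertext: bytes, rsa_blob: bytes) -> bytes:
    """Assemble the layout from the File Format table (used here only to build test input)."""
    return ciphertext + rsa_blob + checksum(rsa_blob, False)


# Constructed sample data: fake ciphertext, a fake 0x80-byte "RSA blob", a fake plaintext Blob
SAMPLE_CIPHERTEXT = bytes(range(32)) * 3
SAMPLE_RSA_BLOB = bytes(range(RSA_BLOB_LEN))
SAMPLE_FILE = build_sample_file(SAMPLE_CIPHERTEXT, SAMPLE_RSA_BLOB)
SAMPLE_BLOB = bytes(range(MATRIX_LEN)) + struct.pack("<Q", 1234) + BLOB_MARKER
SAMPLE_MAC = bytes.fromhex("001122334455")  # constructed MAC address

if __name__ == "__main__":
    print("ID:", victim_id(SAMPLE_MAC))
    print("Mutex:", mutex_name(b"constructed-exe-bytes"))
    print("Trailer checksum ok:", parse_encrypted_file(SAMPLE_FILE)[3])
```

Run against a real suspect file, `parse_encrypted_file` only confirms that the last 0x90 bytes are internally consistent under the assumed layout; a mismatch means either the file is not from this family or one of the labelled assumptions (round chaining, byte order, trailer position) differs from the sample, which is the first thing to check against the author's gist.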