{
"SHA256_SAMPLE": "706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D",
"RSA_KEY": "232FBA5316E1C9A3F0E603EF0ECB534A1FC1E8BA5F89DBD886D98FBF88EEDDE66CC65E00BBB827CD0262B65C505D95A008C48427A73AE6EB888EB47A8A6246B43326931A7D59DFDAD141A054B445C51FBA1E3DF3F41CBA82AF44B96F21388C00DD696F7B3B976313C662B6283C0D082B5E68F3FFD7946A72C67F8A698172BE70",
"COMPANY_VICTIM_ID": "90A881FFA127B004CEC6802588FCE307",
"AES_KEY": "B59C952C492BD3D1F8F5140AA2855CDE",
"BOT_MALWARE_VERSION": "2.0",
"ODD_CRYPT_LARGE_FILES": "false",
"NEED_MAKE_LOGON": "true",
"MOUNT_UNITS_AND_CRYPT": "true",
"CRYPT_NETWORK_RESOURCES_AND_AD": "true",
"TERMINATE_PROCESSES": "true",
"STOP_SERVICES_AND_DELETE": "true",
"CREATE_MUTEX": "true",
"PREPARE_VICTIM_DATA_AND_SEND": "true",
"PRINT_RANSOM_NOTE": "true",
"PROCESS_TO_KILL": [
{ "": "encsvc" },
{ "": "thebat" },
{ "": "mydesktopqos" },
{ "": "xfssvccon" },
{ "": "firefox" },
{ "": "infopath" },
{ "": "winword" },
{ "": "steam" },
{ "": "synctime" },
{ "": "notepad" },
{ "": "ocomm" },
{ "": "onenote" },
{ "": "mspub" },
{ "": "thunderbird" },
{ "": "agntsvc" },
{ "": "sql" },
{ "": "excel" },
{ "": "powerpnt" },
{ "": "outlook" },
{ "": "wordpad" },
{ "": "dbeng50" },
{ "": "isqlplussvc" },
{ "": "sqbcoreservice" },
{ "": "oracle" },
{ "": "ocautoupds" },
{ "": "dbsnmp" },
{ "": "msaccess" },
{ "": "tbirdconfig" },
{ "": "ocssd" },
{ "": "mydesktopservice" },
{ "": "visio" }
],
"SERVICES_TO_KILL": [
{ "": "mepocs" },
{ "": "memtas" },
{ "": "veeam" },
{ "": "svc$" },
{ "": "backup" },
{ "": "sql" },
{ "": "vss" },
{ "": "msexchange" }
],
"C2_URLS": [
{ "": "https://mojobiden[.]com" },
{ "": "http://mojobiden[.]com" },
{ "": "https://nowautomation[.]com" },
{ "": "http://nowautomation[.]com" }
],
"LOGON_USERS_INFORMATION": [
{ "": "" },
{ "": "" },
{ "": "" },
{ "": "" },
{ "": "" },
{ "": "" }
],
"RANSOM_NOTE": [
{
"": " ~+ \r\n * +\r\n ' BLACK |\r\n () .-.,='``'=. - o - \r\n '=/_ \\ | \r\n * | '=._ | \r\n \\ `=./`, ' \r\n . '=.__.=' `=' *\r\n + Matter +\r\n O * ' .\r\n\r\n>>> Whathappens?\r\n Your network is encrypted,and currently not operational. \r\n Weneed only money, after payment we will give you a decryptor for the entirenetwork and you will restore all the data.\r\n\r\n>>> What datastolen?\r\n From your network wasstolen 1000 GB of data.\r\n If you donot contact us we will publish all your data in our blog and will send it tothe biggest mass media.\r\n Blog postlink: http://.onion/\r\n\r\n>>>What guarantees? \r\n We are not apolitically motivated group and we do not need anything other than your money.\r\n If you pay, we will provide youthe programs for decryption and we will delete your data. \r\n If we do not give you decrypters or we donot delete your data, no one will pay us in the future, this does not complywith our goals. \r\n We always keep ourpromises.\r\n\r\n>> How to contact with us? \r\n 1. Download and install TOR Browser (https://www.torproject.org/).\r\n 2. Open http://.onion/\r\n \r\n>> Warning! Recoveryrecommendations. \r\n We strongly recommend you to do not MODIFYor REPAIR your files, that will damage them."
}
]
}
# Author: Alexey Kleymenov (a member of Nozomi Networks Labs)
import os
import struct
import pefile
import ida_kernwin
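# Directory whose DLL exports are hashed to resolve the sample's API hashes.
# Honours %SystemRoot% when it is set (IDA on Windows); otherwise the stock
# location is used, which keeps the previous hard-coded value unchanged.
PATH_TO_DLLS = os.environ.get('SystemRoot', 'c:\\windows') + '\\system32\\'
# 32-bit key XORed with every hash stored in the sample (see extract_api_hashes)
HARDCODED_XOR_KEY = 0x17019FF8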
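def _read_hash_table(table_addr):
    '''
    Reads consecutive little-endian dwords starting at `table_addr` until the
    0xCCCCCCCC terminator, an unreadable address or the 0xffff-byte scan limit,
    and returns them XOR-decoded with HARDCODED_XOR_KEY.

    :param table_addr: address of the first encoded hash
    :return: list of decoded 32-bit hashes in table order
    '''
    hashes = []
    for offset in range(0, 0xffff, 4):
        raw = get_bytes(table_addr + offset, 4)
        if raw is None or len(raw) < 4:
            # unmapped or truncated memory: stop instead of failing inside struct.unpack
            print('Unreadable hash table entry at %x' % (table_addr + offset))
            break
        api_hash = struct.unpack("<I", raw)[0]
        if api_hash == 0xCCCCCCCC:
            break
        hashes.append(api_hash ^ HARDCODED_XOR_KEY)
    return hashes


def extract_api_hashes(start):
    '''
    Returns a dictionary where keys are import functions to write data and values are list of hashes.
    The first hash is the DLL name's hash, the rest are WinAPI names' hashes.

    Every `call` whose target is the decryptor at `start` is expected to be
    preceded by two `push` instructions: the earlier one pushes the address of
    the 0xCCCCCCCC-terminated hash table, the later one the address of the
    import table the decryptor fills in. Call sites with a different argument
    setup are reported and skipped.

    :param start: address of the bulk API decryptor function
    :return: dict mapping import-table address -> list of decoded hashes
    '''
    decryptor_address = start
    print('Bulk API decryptor address: %x' % decryptor_address)
    api_hashes = {}
    for head in Heads():
        if not isCode(GetFlags(head)):
            continue
        if print_insn_mnem(head) != 'call' or get_operand_value(head, 0) != decryptor_address:
            continue
        print('Found the decryptor called: %x' % head)
        prev = prev_head(head)
        prev_2 = prev_head(prev)
        if print_insn_mnem(prev) == 'push' and print_insn_mnem(prev_2) == 'push':
            func_hashes = get_operand_value(prev_2, 0)
            import_table = get_operand_value(prev, 0)
            api_hashes[import_table] = _read_hash_table(func_hashes)
        else:
            print('Non-standard arguments %x' % head)
    return api_hashes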
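def calculate_checksum(name, value):
    '''
    Standard ror 0x0D hash: for every character the running value is rotated
    right by 13 bits as a 32-bit word and the character code is added.

    :param name: string to hash (callers append the NUL terminator themselves)
    :param value: seed; 0 for a DLL name, the DLL checksum for an API name
    :return: the 32-bit checksum
    '''
    for symbol in name:
        value = ((value >> 0x0D) | (value << (0x20 - 0x0D))) & 0xFFFFFFFF
        # mask the sum rather than the character code so the addition wraps at
        # 32 bits like the native implementation; otherwise a carry out of bit 31
        # survives into the next rotation and the final value
        value = (value + ord(symbol)) & 0xFFFFFFFF
    return value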
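def build_mappings(dll_filepath, dll_hashes):
    '''
    Calculates API checksums for the DLLs of interest.

    The file is only opened when the ror-13 checksum of its lower-cased name is
    one of `dll_hashes`; every other file is skipped without disk access.

    :param dll_filepath: path of the DLL on the analyst's machine
    :param dll_hashes: collection of DLL-name checksums referenced by the sample
    :return: dict keyed by checksum; the DLL itself maps to {'dll_name': ...},
             each export with a name maps to {'dll_name': ..., 'api_name': ...}
    '''
    dll_name = os.path.basename(dll_filepath)
    dll_checksum = calculate_checksum(dll_name.lower() + '\x00', 0)
    result = {}
    if dll_checksum not in dll_hashes:
        return result
    dll = pefile.PE(dll_filepath, fast_load=True)
    try:
        # fast_load skips the directories; only the export table is needed
        dll.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT']])
        if hasattr(dll, 'DIRECTORY_ENTRY_EXPORT'):
            # '.' -> '_' (e.g. kernel32_dll); kept as in the original output
            dll_name = dll_name.replace('.', '_')
            result[dll_checksum] = {'dll_name': dll_name}
            for symbol in dll.DIRECTORY_ENTRY_EXPORT.symbols:
                if symbol.name is None:
                    # ordinal-only export: nothing to hash
                    continue
                api_name = symbol.name.decode('latin-1')
                api_checksum = calculate_checksum(api_name + '\x00', dll_checksum)
                result[api_checksum] = {'dll_name': dll_name, 'api_name': api_name}
    finally:
        # release the file mapping held by pefile
        dll.close()
    return result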
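def parse_dlls(path_to_dlls, dll_hashes):
    '''
    Walks all regular files in the given path and builds export hash mappings.

    :param path_to_dlls: directory holding the DLLs (not searched recursively)
    :param dll_hashes: DLL-name checksums referenced by the sample; only
                       matching DLLs are parsed by build_mappings
    :return: merged dict of checksum -> {'dll_name', 'api_name'} entries
    '''
    mappings = {}
    # sorted so that, on a checksum collision, the winning entry is deterministic
    for dll_filename in sorted(os.listdir(path_to_dlls)):
        full_path = os.path.join(path_to_dlls, dll_filename)
        if not os.path.isfile(full_path):
            # subdirectories are not PE files; skip them
            continue
        mappings.update(build_mappings(full_path, dll_hashes))
    return mappings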
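def decrypt_all():
    '''
    Should be run with the cursor at the bulk decryption function.

    Collects the hash tables passed to that function, resolves them against
    the exports of the DLLs in PATH_TO_DLLS and names every resolved slot of
    the corresponding import table. Unresolved hashes are only printed.
    '''
    start = get_screen_ea()
    api_hashes = extract_api_hashes(start)
    # the first entry of each hash list is the DLL name's hash
    dll_hashes = set(hashes[0] for hashes in api_hashes.values() if hashes)
    dll_mappings = parse_dlls(PATH_TO_DLLS, dll_hashes)
    for import_table, hashes in api_hashes.items():
        if not hashes:
            # table terminated immediately: no DLL hash to resolve
            print('Empty hash table for import table %x' % import_table)
            continue
        dll_hash = hashes[0]
        # distinct name: the original reused `api_hashes` for the dict being iterated
        function_hashes = hashes[1:]
        if dll_hash not in dll_mappings:
            print('DLL hash %x not found' % dll_hash)
            continue
        print('Found DLL hash %x = %s' % (dll_hash, dll_mappings[dll_hash]['dll_name']))
        for i, api_hash in enumerate(function_hashes):
            if api_hash not in dll_mappings:
                print('API hash %x not found' % api_hash)
                continue
            # slot layout mirrors the hash list: index 0 belongs to the DLL hash,
            # so API i lives at dword i + 1
            addr = import_table + (i + 1) * 4
            print('Found API hash for %x = %s (%s)' % (
                addr,
                dll_mappings[api_hash]['api_name'],
                dll_mappings[api_hash]['dll_name']
            ))
            set_name(addr, dll_mappings[api_hash]['api_name'])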
# Hotkey that triggers the bulk import resolution at the cursor position.
BULK_DECRYPT_HOTKEY = "z"
ida_kernwin.add_hotkey(BULK_DECRYPT_HOTKEY, decrypt_all)
# Additional: Search & Decrypt Encrypted Strings
# Author: Alexey Kleymenov (a member of Nozomi Networks Labs)
import struct
import ida_kernwin
# Same 32-bit XOR key as used for the API hashes above; here it masks the
# dwords of the encrypted strings.
HARDCODED_XOR_KEY = 0x17019FF8
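def is_utf16_heur(string):
    '''
    Heuristic: report a byte string as UTF-16 when more than 40% of its bytes
    are zero (ASCII text encoded as UTF-16LE has every second byte zero).

    :param string: bytes to inspect; iterating a str yields characters that
                   never compare equal to 0, so a str is always reported False
    :return: True if the zero-byte ratio exceeds 0.4, False otherwise
             (including for empty input, which previously raised ZeroDivisionError)
    '''
    if len(string) == 0:
        return False
    zero_count = sum(1 for val in string if val == 0)
    return zero_count / float(len(string)) > 0.4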
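def _decode_string_bytes(raw):
    '''
    Decodes the XOR-decrypted bytes as UTF-16LE when the zero-byte heuristic
    fires, otherwise as latin-1.

    :param raw: decrypted bytes
    :return: the decoded text, or None when the bytes are not valid in the chosen encoding
    '''
    try:
        if is_utf16_heur(raw):
            return raw.decode('utf-16le')
        return raw.decode('latin-1')
    except UnicodeDecodeError:
        return None


def decrypt_string(start_addr):
    '''
    Decrypts the string written by the run of `mov dword ptr ...` instructions
    starting at `start_addr`, prints it and stores it as a comment there.

    The second operand of each `mov` is XORed with HARDCODED_XOR_KEY and
    appended as a little-endian dword; the run ends at the first instruction
    that is not such a `mov` (or after 0xFFFF instructions). The result is
    shown as text only when it is plain ASCII, otherwise as hex.

    :param start_addr: address of the first `mov dword ptr` of the string
    '''
    addr = start_addr
    result = b""
    for _ in range(0xFFFF):
        if print_insn_mnem(addr) != 'mov' or 'dword ptr' not in GetDisasm(addr):
            break
        # mask to 32 bits so struct.pack cannot fail on a negative operand value
        decoded_value = (get_operand_value(addr, 1) ^ HARDCODED_XOR_KEY) & 0xFFFFFFFF
        result += struct.pack("<I", decoded_value)
        addr = next_head(addr)
    if not result:
        # nothing matched at the cursor: report it instead of failing in the decoder
        print('%x - no mov dword ptr sequence found' % start_addr)
        return
    text = _decode_string_bytes(result)
    if text is not None and all(ord(c) < 128 for c in text):
        result = text.rstrip('\x00')
    else:
        result = 'hex: ' + result.hex()
    print('%x - %s' % (start_addr, result))
    set_cmt(start_addr, result, 0)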
def decrypt_string_manual():
    '''Hotkey handler: decrypt the mov-dword string sequence under the cursor.'''
    decrypt_string(get_screen_ea())
def search_for_encrypted_strings():
    '''
    Scans every code head for the decryption idiom
    `xor dword ptr ..., HARDCODED_XOR_KEY` directly followed by `add ..., 4`
    and preceded by `mov ecx, N`; walks N heads back from that `mov`
    (presumably the dword count of the string) and hands the resulting
    address to decrypt_string().
    '''
    for head in Heads():
        if not isCode(GetFlags(head)):
            continue
        is_key_xor = (print_insn_mnem(head) == 'xor'
                      and 'dword ptr' in GetDisasm(head)
                      and get_operand_value(head, 1) == HARDCODED_XOR_KEY)
        if not is_key_xor:
            continue
        following = next_head(head)
        if print_insn_mnem(following) != 'add' or get_operand_value(following, 1) != 4:
            continue
        counter_insn = prev_head(head)
        if 'mov ecx' not in GetDisasm(counter_insn):
            continue
        candidate = counter_insn
        for _ in range(get_operand_value(counter_insn, 1)):
            candidate = prev_head(candidate)
        decrypt_string(candidate)
# Hotkey for decrypting a single string at the cursor position.
STRING_DECRYPT_HOTKEY = ","
ida_kernwin.add_hotkey(STRING_DECRYPT_HOTKEY, decrypt_string_manual)
# The automatic sweep runs once, when the script is loaded.
search_for_encrypted_strings()