Malware Analysis Cant find decryption key

The_Hash

Level 1
Thread author
May 26, 2022
13
Hi,
I'm doing malware analysis on a ransomware(MD5- 2B96C1985D2C9CE7E885B5732B54CB84), I found the source code but didn't manage to find the decryption key.
I'll be grateful for any help and if you can explain me how to find the decryption key.
 
  • Like
Reactions: vtqhtr413

Razza

Level 4
Verified
Well-known
Aug 12, 2014
165
Don't think you will find the decrypt key in the source code, the only ransomware you will find it in the source code are poorly coded ones.

Am pretty sure ransomware uses public/private keys, so you're files are encrypted with public key the only way to de-encrypt is using the private key which will be on ransomware operators system.
 

The_Hash

Level 1
Thread author
May 26, 2022
13
The question is how I can find it if you want I can send you the source code to look its for my class work and I cant find the right way to crack it.
Ill be grateful for any help.
 
  • Like
Reactions: vtqhtr413

The_Hash

Level 1
Thread author
May 26, 2022
13
I saw this topic but it didn't answer for my question, I want to know how to decrypt the key from this ransomware and this topic focus on how to decompile.
 
Last edited:
  • Like
Reactions: vtqhtr413

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Hello @The_Hash

I can help you, but I would like to make sure you understand how it works.
If you check these parts of the code:

key.png


genkey.png


Do you understand what each part of this code does?
Which lines of the code are unclear to you?

I suggest you actually go through line by line and try to make a description (for yourself) what it is doing on a high level. Then make this description for increasingly bigger chunks of the code.
With high level I mean
NOT THIS: assigns return value of function X to variable Y
BUT THIS: calculates IV for encryption

This way you can build up an understanding for the code as well as identify what parts actually trouble you.
For each part that you do not understand, ask for help (e.g. reply here) or do further research.
 
Last edited:

The_Hash

Level 1
Thread author
May 26, 2022
13
Hey @struppigel thanks alot for the help if I got it right the genenrates it self by connecting to botnet server and the key should be inside one of the files the ransomware created, Or the ransomware generates the key inside the registry?
 
  • Like
Reactions: vtqhtr413

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Hey @struppigel thanks alot for the help if I got it right the genenrates it self by connecting to botnet server and the key should be inside one of the files the ransomware created, Or the ransomware generates the key inside the registry?
These are good starting points to search the key. Now you need to verify any assumptions you made.

> if I got it right the genenrates it self by connecting to botnet serve
Does it get the key from the server or
does it generate the key and afterwards contact the server to send the key to the server?
Do you know why keys might be sent to a server?

> the key should be inside one of the files the ransomware created
It is a valid assumption because some ransomware does save the key in generated files. So this can be one location to look for.
But I personally would start at the key generation algorithm because it comes first and has a high probability that the criminals did something wrong there. Only if this one does not help me (because it is made in a way that we cannot retrieve the key), I would go further down the chain and look at how the key is saved or transmitted after generation.

> Or the ransomware generates the key inside the registry
Also a good location to look for. Some ransomware saves keys in the registry. You might have luck to retrieve the key from the registry of an infected system if the key is not encrypted.
It does not generate keys there, though. The registry is only a place to put settings and data into it.
Since this part comes after key generation, I would put that aside for now. Concentrate on key generation first.
 

The_Hash

Level 1
Thread author
May 26, 2022
13
@struppigel wow thank you very much i'll try to focus on the key generation also. Also I saw that there is a piece of the code that its might be in C:\Users can you explain me this function please?
def __init__(self, key, parent_dir = 'C:\\Users'):
r"""get key and root dir to encrypt\decrypt"""
self.__parent_dir = parent_dir
self.__aes_encryption = AESCipher(key)
 
  • Like
Reactions: vtqhtr413

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
initpython.png

This is the constructor of a Python class named EncryptHD. Do you know how classes generally work?
The constructor builds one object of this class.

To be specific:

When the main code does this:
encryption_mgr = EncryptHD(key)
it will execute the __init__ function, passing the already generated key to it.
The key is saved in the object to be used for later calls on its functions like encrypt_hd and get_aes_encryption and so on.
parent_dir = 'C:\\Users' is a default value that will be used if no other value is present. This is the case here, so for any operations on parent_dir in the EncryptHD functions, it will do them on 'C:\\Users'. If you wanted to change this in the code, it would look like EncryptHD(key, 'C:\\MyNewPathToEncrypt')

Example:

Python:
# this encrypts C:\\Users and all subdirectories using key1
encryption_mgr1 = EncryptHD(key1)
encryption_mgr1.encrypt_hd()
# this encrypts 'C:\\MyNewPathToEncrypt' and all subdirectories using a different key now, namely key2
encryption_mgr2 = EncryptHD(key2, 'C:\\MyNewPathToEncrypt')
encryption_mgr2.encrypt_hd()
# this code now decrypts C:\\Users and all subdirectories using key1
encryption_mgr1.decrypt_hd()
# this code now decrypts 'C:\\MyNewPathToEncrypt' and all subdirectories using key2
encryption_mgr1.decrypt_hd()

You can imagine the constructor as something where you set your settings for all the operations later on that are done with that object (encryption_mgr1 is an object here and encryption_mgr2 is another object here).

Does this answer your question?
 
Last edited:

The_Hash

Level 1
Thread author
May 26, 2022
13
@struppigel ok after some research I found another thing that might be a clue. If got it right AES is also sha256 no?
' ' '
oid = b('\x06\t`\x86H\x01e\x03\x04\x02\x01')
digest_size = 32
block_size = 64
' ' '
 
  • Like
Reactions: vtqhtr413

The_Hash

Level 1
Thread author
May 26, 2022
13
@struppigel Hi,
I tried to search everywhere in the decompiled file but still didn't managed to get the the key can you help me to understand where I need to be focus on to get the answer?
Thank you and have a nice day.
 

The_Hash

Level 1
Thread author
May 26, 2022
13
its using md5 from the hash library I have a file that called _hashlib.pyd?, I tired to put the variable in the ransomware but nothing and I'm really trying to understand every piece in this code and I'm getting fail every time.
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
You do not need to look at additional files.

The input is encoded in UTF-8. UTF-8 is a specific way to represent strings.
But what is actually the string? What is first encoded and then MD5 hashed?
 
  • Like
Reactions: harlan4096

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top