Advice Request: Malware Analysis - Encryption Key, how can I find it?


ChimiChanaga
Thread author
Sep 12, 2020
Hello,
Does anyone know how I can find the encryption key of a ransomware malware?
Here is the malware report:
www.joesandbox.com/analysis/239448/0/pdf
I tried to search for some guidelines on Google,
but did not find anything except explanations about how the encryption works.
From what I found, the malware uses Microsoft CryptoAPI with AES hash from a Python script file:
Crypto.Cipher._AES.pyd
Thanks guys!
 
Not sure if I get you right, but on this site you can check what type of ransomware it is. Then you can look for a decryptor online:

 
Maybe I didn't explain myself right.
I have a question from my college class:
What is the encryption key used in the malware?

So my guess is that it's supposed to be a permanent key that the malware is using;
it's a sample malware.
Do you have any idea how I can find the encryption key?
 
Hi ChimiChanaga

Your link to joesandbox just goes to the start page. Can you please provide the hash (SHA256) of the file you are looking at?
There is no generic answer to your question, so I will need the file to give you some pointers. Every ransomware works differently. Crypto.Cipher._AES.pyd hints at a Python ransomware.
 
Yes, of course:

MD5: 2b96c1985d2c9ce7e885b5732b54cb84
SHA-1: dae15ef417cf3700b8eeec47596dc4c0924d18a9
SHA-256: d8556ed1c94179defdc1b673a61829da14a3ac80ce1b9bf4eed149d30292cd3a

Thanks for answering, yeah, it is a Python ransomware.
 
Thanks, I got the file. Where exactly are you stuck?
Were you able to extract and decompile the Python code?

Edit:
If you have issues extracting and decompiling, use this video as guidance.
It's actually easier than in that video, because with the latest pyinstxtractor you won't need to fix the header.
 
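The extraction step mentioned above works because a PyInstaller-frozen executable carries a self-describing archive at its end: an 8-byte "MEI" cookie, a table of contents, and the packed modules. The script below is an added example (not part of this thread and not pyinstxtractor's code) that builds a constructed archive in that layout and parses it back to list the embedded entries, which is how an extractor locates things such as Crypto.Cipher._AES before the .pyc files are handed to a decompiler. The struct formats follow the PyInstaller 3.x CArchive layout as I understand it; check them against the PyInstaller version the sample was built with.

```python
"""Minimal model of the PyInstaller CArchive layout: [data][TOC][cookie] appended
to a PE stub. Sample archive is constructed inline; format details are assumed
from PyInstaller 3.x and may differ for other versions."""
import struct

MAGIC = b"MEI\014\013\012\013\016"    # 8-byte cookie magic the bootloader looks for
COOKIE_FMT = "!8sIIii64s"              # magic, pkg len, TOC pos, TOC len, pyver, pylib name
ENTRY_FMT = "!iIIIBc"                  # entry len, offset, csize, usize, cflag, typecode
ENTRY_LEN = struct.calcsize(ENTRY_FMT)
COOKIE_LEN = struct.calcsize(COOKIE_FMT)


def build_sample_archive(entries, pyver=37):
    """Construct a synthetic frozen binary: stub, blobs, 16-byte-aligned TOC, cookie."""
    data, toc = bytearray(), bytearray()
    for name, blob, typecode in entries:          # typecode: b"s" script, b"b" binary, ...
        off = len(data)
        data += blob
        nm = name.encode() + b"\0"
        elen = ENTRY_LEN + len(nm)
        elen += (16 - elen % 16) % 16             # pad each TOC entry to a 16-byte boundary
        rec = struct.pack(ENTRY_FMT, elen, off, len(blob), len(blob), 0, typecode)
        toc += rec + nm.ljust(elen - ENTRY_LEN, b"\0")
    toc_pos = len(data)
    pkg_len = len(data) + len(toc) + COOKIE_LEN   # cookie 'len' covers the whole package
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, toc_pos, len(toc), pyver, b"python37.dll")
    return b"PE-HEADER-STUB" + bytes(data) + bytes(toc) + cookie


def parse_archive(buf):
    """Find the cookie from the end of the file and list every TOC entry with its bytes.
    Returns None when no PyInstaller cookie is present."""
    pos = buf.rfind(MAGIC)
    if pos < 0:
        return None
    _, pkg_len, toc_pos, toc_len, pyver, _ = struct.unpack(COOKIE_FMT, buf[pos:pos + COOKIE_LEN])
    pkg_start = pos + COOKIE_LEN - pkg_len        # TOC offsets are relative to package start
    toc = buf[pkg_start + toc_pos:pkg_start + toc_pos + toc_len]
    entries, i = [], 0
    while i < len(toc):
        elen, off, csz, usz, _cflag, tc = struct.unpack(ENTRY_FMT, toc[i:i + ENTRY_LEN])
        name = toc[i + ENTRY_LEN:i + elen].split(b"\0", 1)[0].decode()
        entries.append({"name": name, "type": tc.decode(), "size": usz,
                        "data": buf[pkg_start + off:pkg_start + off + csz]})
        i += elen
    return {"pyver": pyver, "entries": entries}
```

Real archives may compress entries (cflag set) and nest a PYZ archive; those layers are what pyinstxtractor unpacks before a decompiler can turn the .pyc files back into source.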

YOU ARE AMAZING!
Thank you so much!!!
Got it all extracted and decompiled and found a lot of answers to my questions.
Have a good week, man!