Q&A Malware Analysis - Encryption Key: how can I find it?

ChimiChanaga

New Member
Sep 12, 2020
4
Hello,
Does anyone know how I can find the encryption key of a ransomware malware?
Here is the malware report:
www.joesandbox.com/analysis/239448/0/pdf
I tried to search for some guidelines on Google,
but did not find anything except explanations about how the encryption works.
From what I found, the malware uses Microsoft CryptoAPI with AES hash from a python script file:
Crypto.Cipher._AES.pyd
thanks guys!
 

ChimiChanaga

New Member
Sep 12, 2020
4
> Not sure if I get you right, but on this site you can check what type of ransomware it is. Then you can look for a decryptor online:

Maybe I didn't explain myself right.
I have a question from my college class:
What is the encryption key used in the malware?

So my guess is it is supposed to be a permanent key that the malware is using;
it's a sample malware.
Do you have any idea how I can find the encryption key?
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
247
Hi ChimiChanaga

Your link to joesandbox just goes to the start page. Can you please provide the hash (SHA256) of the file you are looking at?
There is no generic answer to your question, so I will need the file to give you some pointers. Every ransomware works differently. Crypto.Cipher._AES.pyd hints at a Python ransomware.
 

ChimiChanaga

New Member
Sep 12, 2020
4
> Hi ChimiChanaga
>
> Your link to joesandbox just goes to the start page. Can you please provide the hash (SHA256) of the file you are looking at?
> There is no generic answer to your question, so I will need the file to give you some pointers. Every ransomware works differently. Crypto.Cipher._AES.pyd hints at a Python ransomware.

Yes, of course:

MD5
2b96c1985d2c9ce7e885b5732b54cb84
SHA-1
dae15ef417cf3700b8eeec47596dc4c0924d18a9
SHA-256
d8556ed1c94179defdc1b673a61829da14a3ac80ce1b9bf4eed149d30292cd3a

Thanks for answering, yeah, it is a Python ransomware.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
247
> Yes, of course:
>
> MD5
> 2b96c1985d2c9ce7e885b5732b54cb84
> SHA-1
> dae15ef417cf3700b8eeec47596dc4c0924d18a9
> SHA-256
> d8556ed1c94179defdc1b673a61829da14a3ac80ce1b9bf4eed149d30292cd3a
>
> Thanks for answering, yeah, it is a Python ransomware.

Thanks, I got the file. Where exactly are you stuck?
Were you able to extract and decompile the Python code?

Edit:
If you have issues extracting and decompiling, use this video as guidance.
It's actually easier than in that video because with the latest pyinstxtractor you won't need to fix the header.
 
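For readers who want to see what "extract" means here before reaching for pyinstxtractor: a PyInstaller-built executable carries its Python program as an archive appended to the bootloader, ending in a cookie that points at a table of contents, and the TOC names every bundled script, module and binary (an entry such as `Crypto.Cipher._AES.pyd` would show up as a binary entry). The parser below is an added example written for this thread, not code from the thread, from pyinstxtractor or from PyInstaller; it builds a constructed in-memory sample (a placeholder bootloader with four made-up entries) instead of touching the real file, assumes the 88-byte PyInstaller 2.1+ cookie layout, and does the first analyst step: confirm the binary is a PyInstaller bundle, list what it contains, and pick out the script entries that get decompiled first.

```python
"""Walk the archive PyInstaller appends to its bootloader (the layout that
pyinstxtractor extracts).  Added example, not code from this thread or from
pyinstxtractor; it runs on a constructed in-memory sample, not on the real file."""
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"            # cookie magic, PyInstaller 2.0+
COOKIE_FMT = "!8sIIIi64s"                     # magic, pkg len, toc offset, toc len, py ver, pylib name (2.1+)
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)     # 88 bytes
ENTRY_FMT = "!IIIIBc"                         # entry len, data pos, compressed len, raw len, zlib flag, type
ENTRY_HDR = struct.calcsize(ENTRY_FMT)        # 18 bytes, followed by the NUL-padded name
KINDS = {b"s": "script", b"m": "module", b"M": "package", b"z": "PYZ archive",
         b"b": "binary", b"x": "data", b"o": "runtime option"}

# Constructed sample content: (name, type code, payload, zlib-compressed?).
SAMPLE_ENTRIES = [
    ("struct", b"m", b"# constructed module body", True),
    ("Crypto.Cipher._AES.pyd", b"b", b"MZ\x90\x00 constructed stand-in for the extension", False),
    ("locker", b"s", b"from Crypto.Cipher import AES  # constructed script body", True),
    ("PYZ-00.pyz", b"z", b"PYZ\x00 constructed stand-in for the module archive", False),
]


def build_sample(entries, pyver=307, pylib=b"python37.dll"):
    """Append a PyInstaller-style overlay to a placeholder bootloader (constructed)."""
    bootloader = b"MZ" + b"\x00" * 62          # not a real PE header, just filler
    data, toc = b"", b""
    for name, code, payload, compress in entries:
        blob = zlib.compress(payload) if compress else payload
        name_field = name.encode() + b"\x00"
        name_field += b"\x00" * ((-(ENTRY_HDR + len(name_field))) % 16)  # pad entry to 16 bytes
        toc += struct.pack(ENTRY_FMT, ENTRY_HDR + len(name_field), len(data),
                           len(blob), len(payload), int(compress), code) + name_field
        data += blob
    pkg_len = len(data) + len(toc) + COOKIE_SIZE   # package size includes the cookie
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), pyver, pylib)
    return bootloader + data + toc + cookie


def parse_overlay(buf):
    """Return None if buf is not PyInstaller-built, else version info and the unpacked entries."""
    cookie_pos = buf.rfind(MAGIC)               # search from the end: data may follow the cookie
    if cookie_pos < 0 or len(buf) - cookie_pos < COOKIE_SIZE:
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, buf[cookie_pos:cookie_pos + COOKIE_SIZE])
    tail = len(buf) - cookie_pos - COOKIE_SIZE  # bytes appended after the cookie (e.g. a signature)
    overlay_pos = len(buf) - pkg_len - tail     # where the package starts inside the file
    toc_pos = overlay_pos + toc_off
    entries, off = [], toc_pos
    while off < toc_pos + toc_len:
        entry_len, pos, clen, rlen, flag, code = struct.unpack(ENTRY_FMT, buf[off:off + ENTRY_HDR])
        name = buf[off + ENTRY_HDR:off + entry_len].rstrip(b"\x00").decode("utf-8")
        blob = buf[overlay_pos + pos:overlay_pos + pos + clen]
        payload = zlib.decompress(blob) if flag == 1 else blob
        if len(payload) != rlen:                # a truncated or tampered archive shows up here
            raise ValueError(f"size mismatch for {name}: TOC says {rlen}, got {len(payload)}")
        entries.append({"name": name, "kind": KINDS.get(code, code.decode()), "payload": payload})
        off += entry_len
    return {"python_version": pyver, "pylib": pylib.rstrip(b"\x00").decode(), "entries": entries}


def entry_points(info):
    """Names of the script ('s') entries: the bundled program itself, the first thing to decompile."""
    return [e["name"] for e in info["entries"] if e["kind"] == "script"]


if __name__ == "__main__":
    sample = build_sample(SAMPLE_ENTRIES)
    info = parse_overlay(sample)
    print(f"PyInstaller package, Python {info['python_version']} ({info['pylib']})")
    for e in info["entries"]:
        print(f"  {e['kind']:<14} {e['name']:<26} {len(e['payload'])} bytes")
    print("entry points:", entry_points(info))
```

The script entries are plain marshalled code objects in a real bundle, which is why the next step is a decompiler; the "header fix" mentioned above refers to the pyc header that older extractors did not prepend to those objects. Pure-Python modules live inside the PYZ entry rather than as top-level TOC entries, so a library's compiled extension (the `.pyd`) is visible in the TOC while its Python half is not.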

ChimiChanaga

New Member
Sep 12, 2020
4
> Thanks, I got the file. Where exactly are you stuck?
> Were you able to extract and decompile the Python code?
>
> Edit:
> If you have issues extracting and decompiling, use this video as guidance.
> It's actually easier than in that video because with the latest pyinstxtractor you won't need to fix the header.

YOU ARE AMAZING!
Thank you so much!!!
Got it all extracted and decompiled and found a lot of answers to my questions.
Have a good week man!
 