/rapid_config.py
Created Aug 17, 2018
| """ | |
| Extract Rapid 2.0 ransomware config from encrypter or decrypter | |
| Author: @demonslay335 | |
| """ | |
| import os, sys, string, re, binascii, base64, argparse | |
| # https://stackoverflow.com/a/17197027/1301139 | |
| def strings(filename, min=4, max=10000): | |
| with open(filename, "rb") as f: # Python 2.x | |
| result = "" | |
| for c in f.read(): | |
| if c in string.printable: | |
| result += c | |
| continue | |
| if len(result) >= min and len(result) <= max: | |
| yield result | |
| result = "" | |
| if len(result) >= min and len(result) <= max: # catch result at EOF | |
| yield result | |
| # Double-check it is an executable | |
| def isexe(path): | |
| with open(path, 'rb') as f: | |
| return f.read()[:2] == 'MZ' | |
| def extract_config(path): | |
| if not isexe(path): | |
| raise "Not an executable" | |
| private = '' | |
| public = '' | |
| decrypter = False | |
| email = '' | |
| note_filename = '' | |
| for s in strings(path, 10): | |
| # Public key in base64 | |
| if 'BgIAAACkAAB' in s: | |
| public = s | |
| # Private key in base64 | |
| elif 'BwIAAACkAAB' in s: | |
| private = s | |
| # Decrypter string | |
| elif 'Decryptedd!' in s: | |
| decrypter = True | |
| # Email address | |
| elif re.match(r"[^@]+@[^@]+\.[^@]+", s): | |
| matches = re.findall(r'[\w\.-]+@[\w\.-]+', s) | |
| for match in matches: | |
| email = match | |
| # Note filename | |
| elif ('.txt' in s or '.html' in s) and 'recovery' not in s: | |
| note_filename = s | |
| return { | |
| 'private': binascii.hexlify(private.decode('base64')), | |
| 'public': binascii.hexlify(public.decode('base64')), | |
| 'decrypter': decrypter, | |
| 'email': email, | |
| 'note_filename': note_filename | |
| } | |
| # Setup argument parts | |
| parser = argparse.ArgumentParser(description='Extract config from Rapid Ransomware decrypter') | |
| parser.add_argument('file', help='executable path') | |
| # Parse arguments | |
| args = parser.parse_args() | |
| # Extract config for given binary | |
| config = extract_config(args.file) | |
| # Check for success | |
| if config == None: | |
| print "\n[-] Error extracting keys" | |
| else: | |
| # Decrypter config | |
| if config['decrypter']: | |
| print "\n[+] File is a decrypter\n" | |
| print "[+] Public key blob:\n%s\n" % config['public'] | |
| print "[+] Private key blob:\n%s\n" % config['private'] | |
| # Encrypter config | |
| else: | |
| print "\n[+] File is an encrypter\n" | |
| print "[+] Email: %s" % config['email'] | |
| print "[+] Ransom Note Filename: %s" % config['note_filename'] | |
| print "[+] Public key blob:\n%s\n" % config['public'] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment