Skip to content

Instantly share code, notes, and snippets.

@Demonslay335
Created August 17, 2018 15:23
Show Gist options
  • Save Demonslay335/8f1518a54b503da02d7fe5152258a057 to your computer and use it in GitHub Desktop.
Save Demonslay335/8f1518a54b503da02d7fe5152258a057 to your computer and use it in GitHub Desktop.
"""
Extract Rapid 2.0 ransomware config from encrypter or decrypter
Author: @demonslay335
"""
import os, sys, string, re, binascii, base64, argparse
# https://stackoverflow.com/a/17197027/1301139
def strings(filename, min=4, max=10000):
with open(filename, "rb") as f: # Python 2.x
result = ""
for c in f.read():
if c in string.printable:
result += c
continue
if len(result) >= min and len(result) <= max:
yield result
result = ""
if len(result) >= min and len(result) <= max: # catch result at EOF
yield result
# Double-check it is an executable
def isexe(path):
with open(path, 'rb') as f:
return f.read()[:2] == 'MZ'
def extract_config(path):
if not isexe(path):
raise "Not an executable"
private = ''
public = ''
decrypter = False
email = ''
note_filename = ''
for s in strings(path, 10):
# Public key in base64
if 'BgIAAACkAAB' in s:
public = s
# Private key in base64
elif 'BwIAAACkAAB' in s:
private = s
# Decrypter string
elif 'Decryptedd!' in s:
decrypter = True
# Email address
elif re.match(r"[^@]+@[^@]+\.[^@]+", s):
matches = re.findall(r'[\w\.-]+@[\w\.-]+', s)
for match in matches:
email = match
# Note filename
elif ('.txt' in s or '.html' in s) and 'recovery' not in s:
note_filename = s
return {
'private': binascii.hexlify(private.decode('base64')),
'public': binascii.hexlify(public.decode('base64')),
'decrypter': decrypter,
'email': email,
'note_filename': note_filename
}
# Setup argument parts
parser = argparse.ArgumentParser(description='Extract config from Rapid Ransomware decrypter')
parser.add_argument('file', help='executable path')
# Parse arguments
args = parser.parse_args()
# Extract config for given binary
config = extract_config(args.file)
# Check for success
if config == None:
print "\n[-] Error extracting keys"
else:
# Decrypter config
if config['decrypter']:
print "\n[+] File is a decrypter\n"
print "[+] Public key blob:\n%s\n" % config['public']
print "[+] Private key blob:\n%s\n" % config['private']
# Encrypter config
else:
print "\n[+] File is an encrypter\n"
print "[+] Email: %s" % config['email']
print "[+] Ransom Note Filename: %s" % config['note_filename']
print "[+] Public key blob:\n%s\n" % config['public']
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment