Demonslay335/rapid_config.py

## rapid_config.py
"""
Extract Rapid 2.0 ransomware config from encrypter or decrypter
Author: @demonslay335
"""

import os, sys, string, re, binascii, base64, argparse

# https://stackoverflow.com/a/17197027/1301139
def strings(filename, min=4, max=10000):
    with open(filename, "rb") as f:           # Python 2.x
        result = ""
        for c in f.read():
            if c in string.printable:
                result += c
                continue
            if len(result) >= min and len(result) <= max:
                yield result
            result = ""
        if len(result) >= min and len(result) <= max:  # catch result at EOF
            yield result

# Double-check it is an executable
def isexe(path):
	with open(path, 'rb') as f:
		return f.read()[:2] == 'MZ'

def extract_config(path):
	if not isexe(path):
		raise "Not an executable"

	private = ''
	public = ''
	decrypter = False
	email = ''
	note_filename = ''

	for s in strings(path, 10):
		# Public key in base64
		if 'BgIAAACkAAB' in s:
			public = s
		# Private key in base64
		elif 'BwIAAACkAAB' in s:
			private = s
		# Decrypter string
		elif 'Decryptedd!' in s:
			decrypter = True
		# Email address
		elif re.match(r"[^@]+@[^@]+\.[^@]+", s):
			matches = re.findall(r'[\w\.-]+@[\w\.-]+', s)
			for match in matches:
				email = match
		# Note filename
		elif ('.txt' in s or '.html' in s) and 'recovery' not in s:
			note_filename = s

	return {
		'private': binascii.hexlify(private.decode('base64')),
		'public': binascii.hexlify(public.decode('base64')),
		'decrypter': decrypter,
		'email': email,
		'note_filename': note_filename
	}

# Setup argument parts
parser = argparse.ArgumentParser(description='Extract config from Rapid Ransomware decrypter')
parser.add_argument('file', help='executable path')

# Parse arguments
args = parser.parse_args()

# Extract config for given binary
config = extract_config(args.file)

# Check for success
if config == None:
	print "\n[-] Error extracting keys"
else:
	# Decrypter config
	if config['decrypter']:
		print "\n[+] File is a decrypter\n"
		print "[+] Public key blob:\n%s\n" % config['public']
		print "[+] Private key blob:\n%s\n" % config['private']
	# Encrypter config
	else:
		print "\n[+] File is an encrypter\n"
		print "[+] Email: %s" % config['email']
		print "[+] Ransom Note Filename: %s" % config['note_filename']
		print "[+] Public key blob:\n%s\n" % config['public']
	"""
	Extract Rapid 2.0 ransomware config from encrypter or decrypter
	Author: @demonslay335
	"""

	import os, sys, string, re, binascii, base64, argparse

	# https://stackoverflow.com/a/17197027/1301139
	def strings(filename, min=4, max=10000):
	with open(filename, "rb") as f: # Python 2.x
	result = ""
	for c in f.read():
	if c in string.printable:
	result += c
	continue
	if len(result) >= min and len(result) <= max:
	yield result
	result = ""
	if len(result) >= min and len(result) <= max: # catch result at EOF
	yield result

	# Double-check it is an executable
	def isexe(path):
	with open(path, 'rb') as f:
	return f.read()[:2] == 'MZ'

	def extract_config(path):
	if not isexe(path):
	raise "Not an executable"

	private = ''
	public = ''
	decrypter = False
	email = ''
	note_filename = ''

	for s in strings(path, 10):
	# Public key in base64
	if 'BgIAAACkAAB' in s:
	public = s
	# Private key in base64
	elif 'BwIAAACkAAB' in s:
	private = s
	# Decrypter string
	elif 'Decryptedd!' in s:
	decrypter = True
	# Email address
	elif re.match(r"[^@]+@[^@]+\.[^@]+", s):
	matches = re.findall(r'[\w\.-]+@[\w\.-]+', s)
	for match in matches:
	email = match
	# Note filename
	elif ('.txt' in s or '.html' in s) and 'recovery' not in s:
	note_filename = s

	return {
	'private': binascii.hexlify(private.decode('base64')),
	'public': binascii.hexlify(public.decode('base64')),
	'decrypter': decrypter,
	'email': email,
	'note_filename': note_filename
	}

	# Setup argument parts
	parser = argparse.ArgumentParser(description='Extract config from Rapid Ransomware decrypter')
	parser.add_argument('file', help='executable path')

	# Parse arguments
	args = parser.parse_args()

	# Extract config for given binary
	config = extract_config(args.file)

	# Check for success
	if config == None:
	print "\n[-] Error extracting keys"
	else:
	# Decrypter config
	if config['decrypter']:
	print "\n[+] File is a decrypter\n"
	print "[+] Public key blob:\n%s\n" % config['public']
	print "[+] Private key blob:\n%s\n" % config['private']
	# Encrypter config
	else:
	print "\n[+] File is an encrypter\n"
	print "[+] Email: %s" % config['email']
	print "[+] Ransom Note Filename: %s" % config['note_filename']
	print "[+] Public key blob:\n%s\n" % config['public']