Skip to content

Instantly share code, notes, and snippets.

@sysopfb
Created Aug 2, 2021
Embed
What would you like to do?
Black Matter blob decoder
# Python2 just because
# Samples:
# 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
# c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99
import pefile
import struct
import sys
def LCG(seed, lastseed):
newseed = lastseed * 0x8088405
newseed &= 0xffffffff
newseed += 1
ret_val = newseed * seed
ret_val = (ret_val>>32) & 0xffffffff
return((newseed,ret_val))
pe = pefile.PE(sys.argv[1])
blob = None
seed = 0
for s in pe.sections:
if '.data' in s.Name:
blob = s.get_data()
elif '.rsrc' in s.Name:
seed = struct.unpack_from('<I', s.get_data())[0]
decoded = []
if blob != None and seed != 0:
l = struct.unpack_from('<I', blob)[0]
while l != 0 and l > 0 and l < len(blob):
blob = blob[4:]
out = ""
lastseed = seed
for i in range(l/4):
v = LCG(seed,lastseed)
lastseed = v[0]
ttemp = struct.unpack_from('<I', blob[i*4:])[0]
ttemp ^= v[1]
out += struct.pack('<I', ttemp)
print(''.join(out.split('\x00')))
decoded.append(out)
blob = blob[l:]
l = struct.unpack_from('<I', blob)[0]
@sysopfb
Copy link
Author

sysopfb commented Aug 2, 2021

Decoded example:

BlackMatter Ransomware encrypted all your files!
To get your data back and keep your privacy safe,
you must find %s file
and follow the instructions!
"host_hostname":"%s",
"host_user":"%s",
"host_os":"%s",
"host_domain":"%s",
"host_arch":"%s",
"host_lang":"%s",
%s
{
"disk_name":"%s",
"disk_size":"%u",
"free_size":"%u"
}
"disks_info":[
%s
]
Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/587.38 (KHTML, like Gecko)
Chrome/91.0.4472.77
Safari/537.36
Edge/91.0.864.37
Firefox/89.0
Gecko/20100101

Accept: */*
Connection: keep-alive
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain
{
"bot_version":"%s",
"bot_id":"%s",
"bot_company":"%.8x%.8x%.8x%.8x%",
%s

{
"bot_version":"%s",
"bot_id":"%s",
"bot_company":"%.8x%.8x%.8x%.8x%",
"stat_all_files":"%u",
"stat_not_encrypted":"%u",
"stat_size":"%s",
"execution_time":"%u",
"start_time":"%u",
"stop_time":"%u"
SOFTWARE\Policies\Microsoft\Windows\OOBE
DisablePrivacyExperience
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoAdminLogon
DefaultUserName
DefaultDomainName
DefaultPassword
bcdedit /set {current} safeboot network
bcdedit /deletevalue {current} safeboot
bootcfg /raw /a /safeboot:network /id 1
bootcfg /raw /fastdetect /id
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment