Gist xen0bit/eb86a413eecd528d63f8d8eb24de2548, created January 3, 2021 18:31
What algorithm is this?
RunSanDiskSecureAccess-Win.exe v1.1.19150 is configured using the password "test123" for the secure file vault.
https://www.virustotal.com/gui/file/1822d68ef4f3276b785ee30f65bb3bac36f97685c81cc5b11837a34528c398e2/details
A Zero-Byte file (MD5 Sum: d41d8cd98f00b204e9800998ecf8427e) is added to the vault.
The resulting encrypted file is:
MD5 Sum: e2d484fa4d7f5f457f6571a075a967d4
File: 30 4A 34 C4 D7 DB 20 86 12 01 42 5B 68 18 99 FB A3 D9 52 E6 28 63 89 92 F7 4D 10 E0 24 2A F3 1D
Base64: MEo0xNfbIIYSAUJbaBiZ+6PZUuYoY4mS900Q4CQq8x0=
File Length: 32 Bytes
2 more Zero-Byte files are added to the encrypted vault which result in identical files as shown above (the key never changes)
========
KNOWN: password used to derive key, plaintext file, encrypted file
UNKNOWN: key derivation, cipher used
ADDITIONAL DETAILS:
Application claims to use "AES 128" encryption. A Zero-Byte file encrypted with a 128-bit key (16 Bytes) should result in a 16-byte file, not 32-byte as shown above.
Application includes dll imports of MPR.dll, IPHLPAPI.DLL, WININET.dll, GDI32.dll, SHELL32.dll, KERNEL32.dll, WSOCK32.dll, ADVAPI32.dll, ole32.dll, SETUPAPI.dll, WS2_32.dll, USER32.dll
RunSanDiskSecureAccess-Win.exe download: http://a.tmp.ninja/DdHvdzfPs0wd.zip
dmBackup.dll download: http://a.tmp.ninja/FSaTUMsYpHgz.zip
========
Question: What cipher and mode do you believe is being used to encrypt the file?
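Added example, not part of the gist and not the vendor's code: a black-box triage of the 32-byte sample that checks the hex and Base64 copies agree, then lists how many bytes of header, IV, or tag each padding convention would leave for a zero-byte plaintext. The padding conventions and all function names are assumptions made for illustration; nothing here identifies the actual cipher or mode.

```python
import base64

BLOCK = 16  # AES block size in bytes, the same for every AES key length

# Sample copied from the page: the vault file produced from a zero-byte input.
CT_HEX = ("30 4A 34 C4 D7 DB 20 86 12 01 42 5B 68 18 99 FB "
          "A3 D9 52 E6 28 63 89 92 F7 4D 10 E0 24 2A F3 1D")
CT_B64 = "MEo0xNfbIIYSAUJbaBiZ+6PZUuYoY4mS900Q4CQq8x0="

# Hypothetical padding conventions (assumptions, not confirmed for this product).
# Each maps a plaintext length to the length of the encrypted body.
SCHEMES = {
    "no padding (stream/CTR-like)": lambda n: n,
    "zero-pad to block": lambda n: -(-n // BLOCK) * BLOCK,
    "PKCS#7": lambda n: (n // BLOCK + 1) * BLOCK,
}


def candidate_layouts(pt_len, ct_len):
    """Per scheme, bytes left over for a header, IV, or tag; drop impossible ones."""
    layouts = {}
    for name, body_len in SCHEMES.items():
        overhead = ct_len - body_len(pt_len)
        if overhead >= 0:
            layouts[name] = overhead
    return layouts


def triage(ct, pt_len, identical_across_runs):
    """Summarise what lengths and repetition reveal about an unknown ciphertext."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return {
        "length": len(ct),
        "block_aligned": len(ct) % BLOCK == 0,
        # Equal 16-byte blocks would hint at ECB over repeating plaintext.
        "repeated_blocks": len(set(blocks)) != len(blocks),
        # Identical output for identical input means no random per-file IV or salt.
        "per_file_randomness": not identical_across_runs,
        "layouts": candidate_layouts(pt_len, len(ct)),
    }


def analyse_sample():
    ct = bytes.fromhex(CT_HEX)
    assert base64.b64decode(CT_B64) == ct, "hex and Base64 on the page disagree"
    return triage(ct, pt_len=0, identical_across_runs=True)


if __name__ == "__main__":
    for key, value in analyse_sample().items():
        print(f"{key}: {value}")
```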