Snake sample from VK https://twitter.com/VK_Intel/status/1214333066245812224
Strings are XOR encoded, decoding function looks pretty static except for the offsets and lengths
One of the first things decoded is an onboard public key which is common for ransomware that will use a public key to encrypt a symmetric key which is used to encrypt a file
Python>data1 = bytearray(GetManyBytes(0x608c5b, 0x1aa))
Python>data2 = bytearray(GetManyBytes(0x608e05, 0x1aa))
Python>for i in range(len(data1)):
Python> data1[i] ^= data2[i]
Python>
Python>data1
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAyQ+M5ve829umuy9+BSsUX/krgdF83L3m8/uxRvKX5EZbSh1+buON
ZYr5MjfhrdiOGnrbB1j0Fy31U/uzvWcy7VvK/zcsO/5aAhujhHB/qMAVpZ8zT5BB
ujT1Bvsith/BXgtM99MixD8oZ67VDZaRM9TPE89WuAjnaBZORrk48wFcn1DOAAHD
Z9z9komtqIH1fm3Y0Q6P76nUscLsYOme082L217Th/lTMoqqs4cF2rn9O9Vp4V9U
aCs4XVxGSpcuqbIscfpf0cm44P2eOEk+sbZdahO9C6fezt7YF4OCJ4Vz3qqMD6z4
+6d7FRxUu6k3Te2T2bWBZnsDO30pYFi/gwIDAQAB
-----END RSA PUBLIC KEY-----
Since the decoding function is pretty static we can regex it out and decode all the strings statically
import re
import sys
import pefile
import struct
import binascii
data = open(sys.argv[1], 'rb').read()
pe = pefile.PE(data=data)
base = pe.OPTIONAL_HEADER.ImageBase
memdata = pe.get_memory_mapped_image()
t = re.findall('''8d05......0089442404c7442408......00e8....eeff8b44240c.{34,70}89542404c7442408......00e8''', binascii.hexlify(data))
all = []
for val in t:
off1 = struct.unpack_from('<I', binascii.unhexlify(val)[2:])[0] - base
l = struct.unpack_from('<I', binascii.unhexlify(val)[14:])[0]
off2 = struct.unpack_from('<I', binascii.unhexlify(val)[-17:])[0] - base
d1 = bytearray(memdata[off1:off1+l])
d2 = bytearray(memdata[off2:off2+l])
for i in range(len(d1)):
d1[i] ^= d2[i]
all.append(str(d1))
print(d1)Decoded strings:
EKANS
kernel32.dll
CreateMutexW
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
already encrypted!
worker %s started job %s
error encrypting %v : %v
There can be only one
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAyQ+M5ve829umuy9+BSsUX/krgdF83L3m8/uxRvKX5EZbSh1+buON
ZYr5MjfhrdiOGnrbB1j0Fy31U/uzvWcy7VvK/zcsO/5aAhujhHB/qMAVpZ8zT5BB
ujT1Bvsith/BXgtM99MixD8oZ67VDZaRM9TPE89WuAjnaBZORrk48wFcn1DOAAHD
Z9z9komtqIH1fm3Y0Q6P76nUscLsYOme082L217Th/lTMoqqs4cF2rn9O9Vp4V9U
aCs4XVxGSpcuqbIscfpf0cm44P2eOEk+sbZdahO9C6fezt7YF4OCJ4Vz3qqMD6z4
+6d7FRxUu6k3Te2T2bWBZnsDO30pYFi/gwIDAQAB
-----END RSA PUBLIC KEY-----
bad pem
%v
%v
WbemScripting.SWbemLocator
%v
%v
ConnectServer
%v
ExecQuery
SELECT * FROM Win32_ShadowCopy
%v
Count
%v
ItemIndex
%v
ID
%v
Delete_
%v
\temp
total lengt: %v
.docx
.dll
.exe
.sys
.mui
.tmp
.lnk
.config
.manifest
.tlb
.olb
.blf
.ico
.regtrans-ms
.devicemetadata-ms
.settingcontent-ms
.bat
.cmd
.ps1
desktop.ini
iconcache.db
ntuser.dat
ntuser.ini
ntuser.dat.log1
ntuser.dat.log2
usrclass.dat
usrclass.dat.log1
usrclass.dat.log2
bootmgr
bootnxt
windir
SystemDrive
:\$Recycle.Bin
:\ProgramData
:\Users\All Users
:\Program Files
:\Local Settings
:\Boot
:\System Volume Information
:\Recovery
\AppData\
ntldr
NTDETECT.COM
boot.ini
bootfont.bin
bootsect.bak
desktop.ini
ctfmon.exe
iconcache.db
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
.+\\Microsoft\\(User Account Pictures|Windows\\(Explorer|Caches)|Device Stage\\Device|Windows)\\
\
\
files: %v
priority files: %v
priorityFiles: %v
Toatal files: %v
--------------------------------------------
| What happened to your files?
--------------------------------------------
We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more -
all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But dont worry!
You can still get those files back and be up and running again in no time.
---------------------------------------------
| How to contact us to get your files back?
---------------------------------------------
The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network.
Once run on an effected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with
better cyber security in mind. If you are interested in purchasing the decryption tool contact us at %s
-------------------------------------------------------
| How can you be certain we have the decryption tool?
-------------------------------------------------------
In your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets).
We will send them back to you decrypted.
Fix-Your-Files.txt
public
systemdrive
pub: %v
root: %v
\Desktop\
\
Global\
ccflic0.exe
ccflic4.exe
healthservice.exe
ilicensesvc.exe
nimbus.exe
prlicensemgr.exe
certificateprovider.exe
proficypublisherservice.exe
proficysts.exe
erlsrv.exe
vmtoolsd.exe
managementagenthost.exe
vgauthservice.exe
epmd.exe
hasplmv.exe
spooler.exe
hdb.exe
ntservices.exe
n.exe
monitoringhost.exe
win32sysinfo.exe
inet_gethost.exe
taskhostw.exe
proficy administrator.exe
ntevl.exe
prproficymgr.exe
prrds.exe
prrouter.exe
prconfigmgr.exe
prgateway.exe
premailengine.exe
pralarmmgr.exe
prftpengine.exe
prcalculationmgr.exe
prprintserver.exe
prdatabasemgr.exe
preventmgr.exe
prreader.exe
prwriter.exe
prsummarymgr.exe
prstubber.exe
prschedulemgr.exe
cdm.exe
musnotificationux.exe
npmdagent.exe
client64.exe
keysvc.exe
server_eventlog.exe
proficyserver.exe
server_runtime.exe
config_api_service.exe
fnplicensingservice.exe
workflowresttest.exe
proficyclient.exe
vmacthlp.exe
msdtssrvr.exe
sqlservr.exe
msmdsrv.exe
reportingservicesservice.exe
dsmcsvc.exe
winvnc4.exe
client.exe
collwrap.exe
bluestripecollector.exe