-
Notifications
You must be signed in to change notification settings - Fork 10
/
readme
75 lines (51 loc) · 2.92 KB
/
readme
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
DarkSide & BlackMatter Config Extractor by ValthekOn & S2 (@sisoma2)
--------------------------------------
1.0:
- Added support for the BM version 3.0
0.9.1v:
- Fixed a bug with some samples.
0.9v:
- Added support for versions 1.9 and 2.0.
- Added a new field "PRINT_RANSOM_NOTE" as version 1.9>= will try print the ransom note with the available printer.
0.8v:
- Added some checks to avoid errors.
- Added the field "AES_KEY" with the AES key used to cipher the victim info to send to the C2.
- Added the field "BOT_MALWARE_VERSION" with the version of the sample. It´s get automatic the hardcoded value to get the version.
- Added the field "RSA_KEY" with the RSA key in the config.
- Added the field "SHA256_SAMPLE" with the sha256 hash from the sample.
- Changed some fields to have more accurate the config flags.
0.7v:
- Added the "RANSOM NOTE" field and decrypt the ransom note text.
- Removed unknow fields as they are not text, they are blacklisted names and extensions to avoid crypt them in a custom hash.
- Removed some don´t needed code to left more clean.
0.6v:
- Added support for the first version of BlackMatter except some field.
0.5v:
- Starts with BlackMatter support. Thanks to S2 (@sisoma2) for give the sample of BlackMatter very quickly and share ideas about it.
- Initial checks with one sample of BlackMatter. Early version.
0.4v:
- Add support for the version of DarkSide (2.1.7.3) from April 2021 as DLL and normal executable.
- Increased the speed of checks and searchs.
- Add more texts to report errors to the user.
- Add avoid, if the program have some crash error, that appear a message error to the user.
- Avoid checks files that not are pe executables and report it.
0.3v:
- Supports in execution the search of keys and config crypted and compressed. Don´t use anymore hardcode offsets and
keys as 0.2v.
- Supports increase a lot thanks to the dynamic search.
0.2v:
- Now supports any number of arguments in the prompt. Don´t use anymore the embbeded configuration.
- Improve the interaction with the user and add error messages and good messages.
- Support for the version of DarkSide compiled time "23-Dec-2020" and some samples of before "18-Feb-2021".
- Now dumps the JSON file with the same name of the sample with the extension ".json".
- Don´t have support yet for more versions and sanity checks. Use with caution.
- To not be disclosed yet.
0.1v:
- Initial version.
- Simple skeleton of the application that will extract a DarkSide´s configuration embedded (crypted and packed) in the binary.
- Output in a JSON file the configuration parsed to be more easy understand and read.
- 32bits application (as apLib official library have problems with 64bits).
- Support Windows XP.
Usage:
- Put any number of malware samples in the command line, the program will drop a JSON with the same name in the same folder of the
malware sample.