Reversing a simple Ransomware
Reversing and decrypting a simple ransomware
In this blog we will reverse engineer a simple ransomware sample and decrypt an encrypted Excel file to recover the password stored inside it. For this we will use an example challenge from HackTheBox.
Source Code Analysis
Challenge summary: "We received an email from Microsoft Support recommending that we apply a critical patch to our Windows servers. A system administrator downloaded the attachment from the email and ran it, and now all our company data is encrypted. Can you help us decrypt our files?"
First, download and unzip the required files from the challenge.
Among the extracted files there is one exe and one xlsx file.
The challenge states that windows_update.exe is malicious and that the xlsx file is locked. We will open the exe in a reversing tool called Ghidra.
Navigate to the main() function from the Symbol Tree on the left side of the pane.
Due to the small text, I will paste the code snippet below
In the above code:
The main() function takes arguments.
If the number of arguments is equal to 1, it sets the directory location to C:\\Users by default.
Otherwise the directory path is taken from the second argument.
Moving on to the encryption part, we search for the keyword "encrypt".
We find two functions: encrypt and encryptfile. Taking a look at the encryptfile function:
The above code does the following:
The encryptfile function takes a filename as its parameter (param_1).
On line 6, readfile opens the specified file.
The encrypt function performs the encryption on the file contents.
The writefile function writes the encrypted version of the file back out.
Taking a look at the encrypt function:
In the encrypt function there are three values. One of them is "0x4345535245505553". The for loop iterates over the file contents, adds the key byte (held in local_17 and the neighbouring locals) to each file byte, and writes the result to the new file, repeating these steps for the whole file. The main operation used here is addition, so to decrypt we will use subtraction.
If we take a look at the value of that constant in the assembly view:
There is the string "CESREPUS", which is "SUPERSEC" stored in little-endian byte order. Another way to get the key is to run the strings utility on the xlsx file.
On line 22 it gives us the full key in the proper sequence: SUPERSECURE
Decrypting the file
Now that we have the key, we will decrypt the file in CyberChef.
Upload the xlsx file.
Then select the "SUB" recipe and enter the key SUPERSECURE.
The file is now decrypted. Download and open it.
Here we get the flag.
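The same repeating-key addition and its inverse subtraction, plus a sanity check on the recovered file, as an added example in Python (this is not the challenge binary's code; the key and the sample bytes are assumed from the write-up and constructed here). It also shows how the key bytes fall out when the first bytes of the plaintext are known, since every xlsx is a ZIP and starts with "PK\x03\x04".

```python
from pathlib import Path

KEY = b"SUPERSECURE"          # key recovered in the write-up
ZIP_MAGIC = b"PK\x03\x04"     # every .xlsx is a ZIP container


def add_encrypt(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key byte addition modulo 256 (what the encrypt function does)."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def sub_decrypt(data: bytes, key: bytes = KEY) -> bytes:
    """Inverse operation: subtract the same key byte (CyberChef's SUB recipe)."""
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def looks_like_xlsx(data: bytes) -> bool:
    """Cheap check that decryption produced a ZIP/xlsx header."""
    return data[:4] == ZIP_MAGIC


def recover_key_prefix(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: key[i] = ciphertext[i] - plaintext[i] (mod 256)."""
    return bytes((c - p) & 0xFF for c, p in zip(ciphertext, known_plaintext))


def decrypt_file(src: Path, dst: Path, key: bytes = KEY) -> bool:
    """Decrypt src into dst; returns whether the result has an xlsx header."""
    plain = sub_decrypt(src.read_bytes(), key)
    dst.write_bytes(plain)
    return looks_like_xlsx(plain)


if __name__ == "__main__":
    # Constructed stand-in for the locked workbook: a ZIP header plus filler.
    sample = ZIP_MAGIC + b"constructed-sample-content"
    locked = add_encrypt(sample)
    print("key prefix from header:", recover_key_prefix(locked, ZIP_MAGIC))
    print("decrypts to xlsx header:", looks_like_xlsx(sub_decrypt(locked)))
```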