advanced-threat-research/DarkSide-Config-Extract
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|
Repository files navigation
DarkSide & BlackMatter Config Extractor by ValthekOn & S2 (@sisoma2) -------------------------------------- 1.0: - Added support for the BM version 3.0 0.9.1v: - Fixed a bug with some samples. 0.9v: - Added support for versions 1.9 and 2.0. - Added a new field "PRINT_RANSOM_NOTE" as version 1.9>= will try print the ransom note with the available printer. 0.8v: - Added some checks to avoid errors. - Added the field "AES_KEY" with the AES key used to cipher the victim info to send to the C2. - Added the field "BOT_MALWARE_VERSION" with the version of the sample. It´s get automatic the hardcoded value to get the version. - Added the field "RSA_KEY" with the RSA key in the config. - Added the field "SHA256_SAMPLE" with the sha256 hash from the sample. - Changed some fields to have more accurate the config flags. 0.7v: - Added the "RANSOM NOTE" field and decrypt the ransom note text. - Removed unknow fields as they are not text, they are blacklisted names and extensions to avoid crypt them in a custom hash. - Removed some don´t needed code to left more clean. 0.6v: - Added support for the first version of BlackMatter except some field. 0.5v: - Starts with BlackMatter support. Thanks to S2 (@sisoma2) for give the sample of BlackMatter very quickly and share ideas about it. - Initial checks with one sample of BlackMatter. Early version. 0.4v: - Add support for the version of DarkSide (2.1.7.3) from April 2021 as DLL and normal executable. - Increased the speed of checks and searchs. - Add more texts to report errors to the user. - Add avoid, if the program have some crash error, that appear a message error to the user. - Avoid checks files that not are pe executables and report it. 0.3v: - Supports in execution the search of keys and config crypted and compressed. Don´t use anymore hardcode offsets and keys as 0.2v. - Supports increase a lot thanks to the dynamic search. 0.2v: - Now supports any number of arguments in the prompt. Don´t use anymore the embbeded configuration. - Improve the interaction with the user and add error messages and good messages. - Support for the version of DarkSide compiled time "23-Dec-2020" and some samples of before "18-Feb-2021". - Now dumps the JSON file with the same name of the sample with the extension ".json". - Don´t have support yet for more versions and sanity checks. Use with caution. - To not be disclosed yet. 0.1v: - Initial version. - Simple skeleton of the application that will extract a DarkSide´s configuration embedded (crypted and packed) in the binary. - Output in a JSON file the configuration parsed to be more easy understand and read. - 32bits application (as apLib official library have problems with 64bits). - Support Windows XP. Usage: - Put any number of malware samples in the command line, the program will drop a JSON with the same name in the same folder of the malware sample.