Demonslay335 · February 29, 2020 00:52
diff --git a/notes.txt b/notes.txt
 Sample:
 fe52d906fa596e7ae16633074ff7178b3ac40e26a93f0009f1b33d5cbf219e91

 Strings and config encrypted with static AES-256 key:
 08 02 00 00 10 66 00 00 20 00 00 00 5D 1D E0 32 A9 6D E4 05 A5 5B 12 E1 1F B9 03 A1 CF 2D F8 5A 29 87 78 4D EC 28 61 C1 13 96 FA 15

 Decrypted RSA-1024 public key:
 06 02 00 00 00 A4 00 00 52 53 41 31 00 04 00 00 01 00 01 00 F1 D1 12 AA DF 72 34 19 DC A4 6E 18 07 15 67 9F F2 6F 4F 03 A7 61 5B 97 C5 6C 20 13 21 A7 40 24 48 91 8D 47 32 81 9B 14 D4 82 0F AF 8A F8 EC 66 8E 87 26 CD 15 37 FC 03 8D 10 BB 90 6D 1D D0 A6 41 A4 B2 60 5F 60 46 45 4C 70 44 20 54 90 C0 D9 4D F6 B2 90 33 BF 78 51 AC E5 76 F6 EB 9C CF 83 A3 21 DD F8 B9 46 67 8B 7A 04 71 54 FD D7 1B 17 DE 39 7A 70 D6 04 AE AD AF 38 B8 1C B8 73 5D A6

 Targeted extensions:
 4dd;4dl;abs;abx;accdb;accdc;accde;adb;adf;ckp;db;db-journal;db-shm;db-wal;db2;db3;dbc;dbf;dbs;dbt;dbv;dcb;doc;docx;dp1;eco;edb;epim;fcd;gdb;mdb;mdf;ldf;myd;ndf;nwdb;nyf;sqlitedb;sqlite3;sqlite;xls;xlsx;xlsm;

 Terminates processes:
 msftesql.exe;sqlagent.exe;sqlbrowser.exe;sqlservr.exe;sqlwriter.exe;oracle.exe;ocssd.exe;dbsnmp.exe;synctime.exe;agntsvc.exe;mydesktopqos.exe;isqlplussvc.exe;xfssvccon.exe;mydesktopservice.exe;ocautoupds.exe;agntsvc.exe;agntsvc.exe;agntsvc.exe;encsvc.exe;firefoxconfig.exe;tbirdconfig.exe;ocomm.exe;mysqld.exe;mysqld-nt.exe;mysqld-opt.exe;dbeng50.exe;sqbcoreservice.exe;excel.exe;infopath.exe;msaccess.exe;mspub.exe;onenote.exe;outlook.exe;powerpnt.exe;steam.exe;thebat.exe;thebat64.exe;thunderbird.exe;visio.exe;winword.exe;wordpad.exe

 Extension Pattern:
 %s.[%X].[%s].%s

 Extension:
 .makop

 Victim ID based on ProductID (SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID)

 Generates new 0x20 AES-256 key and IV per file (CryptGenRandom, manually constructs a crypto blob for CryptImportKey)

 # Encrypted File Format
 0x00    | AES256(FileKey, IV, FileContents)
 ...     |
 0x04    | AES256(FileKey, NULL, Metadata)
 0x04    | DWORD - Length of encrypted metadata
 0x10    | IV
 0x80    | RSA1024(FileKey, PublicKey)

 ## Metadata Format
 0x10        | IV
 0x04        | Zero buffer
 0x04        | DWORD - Filename length
 FilenameLen | Original Filename
 ?           | Padding?
	Sample:
	fe52d906fa596e7ae16633074ff7178b3ac40e26a93f0009f1b33d5cbf219e91

	Strings and config encrypted with static AES-256 key:
	08 02 00 00 10 66 00 00 20 00 00 00 5D 1D E0 32 A9 6D E4 05 A5 5B 12 E1 1F B9 03 A1 CF 2D F8 5A 29 87 78 4D EC 28 61 C1 13 96 FA 15

	Decrypted RSA-1024 public key:
	06 02 00 00 00 A4 00 00 52 53 41 31 00 04 00 00 01 00 01 00 F1 D1 12 AA DF 72 34 19 DC A4 6E 18 07 15 67 9F F2 6F 4F 03 A7 61 5B 97 C5 6C 20 13 21 A7 40 24 48 91 8D 47 32 81 9B 14 D4 82 0F AF 8A F8 EC 66 8E 87 26 CD 15 37 FC 03 8D 10 BB 90 6D 1D D0 A6 41 A4 B2 60 5F 60 46 45 4C 70 44 20 54 90 C0 D9 4D F6 B2 90 33 BF 78 51 AC E5 76 F6 EB 9C CF 83 A3 21 DD F8 B9 46 67 8B 7A 04 71 54 FD D7 1B 17 DE 39 7A 70 D6 04 AE AD AF 38 B8 1C B8 73 5D A6

	Targeted extensions:
	4dd;4dl;abs;abx;accdb;accdc;accde;adb;adf;ckp;db;db-journal;db-shm;db-wal;db2;db3;dbc;dbf;dbs;dbt;dbv;dcb;doc;docx;dp1;eco;edb;epim;fcd;gdb;mdb;mdf;ldf;myd;ndf;nwdb;nyf;sqlitedb;sqlite3;sqlite;xls;xlsx;xlsm;

	Terminates processes:
	msftesql.exe;sqlagent.exe;sqlbrowser.exe;sqlservr.exe;sqlwriter.exe;oracle.exe;ocssd.exe;dbsnmp.exe;synctime.exe;agntsvc.exe;mydesktopqos.exe;isqlplussvc.exe;xfssvccon.exe;mydesktopservice.exe;ocautoupds.exe;agntsvc.exe;agntsvc.exe;agntsvc.exe;encsvc.exe;firefoxconfig.exe;tbirdconfig.exe;ocomm.exe;mysqld.exe;mysqld-nt.exe;mysqld-opt.exe;dbeng50.exe;sqbcoreservice.exe;excel.exe;infopath.exe;msaccess.exe;mspub.exe;onenote.exe;outlook.exe;powerpnt.exe;steam.exe;thebat.exe;thebat64.exe;thunderbird.exe;visio.exe;winword.exe;wordpad.exe

	Extension Pattern:
	%s.[%X].[%s].%s

	Extension:
	.makop

	Victim ID based on ProductID (SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID)

	Generates new 0x20 AES-256 key and IV per file (CryptGenRandom, manually constructs a crypto blob for CryptImportKey)

	# Encrypted File Format
	0x00 \| AES256(FileKey, IV, FileContents)
	... \|
	0x04 \| AES256(FileKey, NULL, Metadata)
	0x04 \| DWORD - Length of encrypted metadata
	0x10 \| IV
	0x80 \| RSA1024(FileKey, PublicKey)

	## Metadata Format
	0x10 \| IV
	0x04 \| Zero buffer
	0x04 \| DWORD - Filename length
	FilenameLen \| Original Filename
	? \| Padding?