Demonslay335 · August 17, 2018 15:23
diff --git a/rapid_config.py b/rapid_config.py
 """
 Extract Rapid 2.0 ransomware config from encrypter or decrypter
 Author: @demonslay335
 """

 import os, sys, string, re, binascii, base64, argparse

 # https://stackoverflow.com/a/17197027/1301139
 def strings(filename, min=4, max=10000):
    with open(filename, "rb") as f:           # Python 2.x
        result = ""
        for c in f.read():
            if c in string.printable:
                result += c
                continue
            if len(result) >= min and len(result) <= max:
                yield result
            result = ""
        if len(result) >= min and len(result) <= max:  # catch result at EOF
            yield result

 # Double-check it is an executable
 def isexe(path):
 	with open(path, 'rb') as f:
 		return f.read()[:2] == 'MZ'

 def extract_config(path):
 	if not isexe(path):
 		raise "Not an executable"
 	
 	private = ''
 	public = ''
 	decrypter = False
 	email = ''
 	note_filename = ''
 	
 	for s in strings(path, 10):
 		# Public key in base64
 		if 'BgIAAACkAAB' in s:
 			public = s
 		# Private key in base64
 		elif 'BwIAAACkAAB' in s:
 			private = s
 		# Decrypter string
 		elif 'Decryptedd!' in s:
 			decrypter = True
 		# Email address
 		elif re.match(r"[^@]+@[^@]+\.[^@]+", s):
 			matches = re.findall(r'[\w\.-]+@[\w\.-]+', s)
 			for match in matches:
 				email = match
 		# Note filename
 		elif ('.txt' in s or '.html' in s) and 'recovery' not in s:
 			note_filename = s
 	
 	return {
 		'private': binascii.hexlify(private.decode('base64')),
 		'public': binascii.hexlify(public.decode('base64')),
 		'decrypter': decrypter,
 		'email': email,
 		'note_filename': note_filename
 	}

 # Setup argument parts
 parser = argparse.ArgumentParser(description='Extract config from Rapid Ransomware decrypter')
 parser.add_argument('file', help='executable path')

 # Parse arguments
 args = parser.parse_args()

 # Extract config for given binary
 config = extract_config(args.file)

 # Check for success
 if config == None:
 	print "\n[-] Error extracting keys"
 else:
 	# Decrypter config
 	if config['decrypter']:
 		print "\n[+] File is a decrypter\n"
 		print "[+] Public key blob:\n%s\n" % config['public']
 		print "[+] Private key blob:\n%s\n" % config['private']
 	# Encrypter config
 	else:
 		print "\n[+] File is an encrypter\n"
 		print "[+] Email: %s" % config['email']
 		print "[+] Ransom Note Filename: %s" % config['note_filename']
 		print "[+] Public key blob:\n%s\n" % config['public']
	"""
	Extract Rapid 2.0 ransomware config from encrypter or decrypter
	Author: @demonslay335
	"""

	import os, sys, string, re, binascii, base64, argparse

	# https://stackoverflow.com/a/17197027/1301139
	def strings(filename, min=4, max=10000):
	with open(filename, "rb") as f: # Python 2.x
	result = ""
	for c in f.read():
	if c in string.printable:
	result += c
	continue
	if len(result) >= min and len(result) <= max:
	yield result
	result = ""
	if len(result) >= min and len(result) <= max: # catch result at EOF
	yield result

	# Double-check it is an executable
	def isexe(path):
	with open(path, 'rb') as f:
	return f.read()[:2] == 'MZ'

	def extract_config(path):
	if not isexe(path):
	raise "Not an executable"

	private = ''
	public = ''
	decrypter = False
	email = ''
	note_filename = ''

	for s in strings(path, 10):
	# Public key in base64
	if 'BgIAAACkAAB' in s:
	public = s
	# Private key in base64
	elif 'BwIAAACkAAB' in s:
	private = s
	# Decrypter string
	elif 'Decryptedd!' in s:
	decrypter = True
	# Email address
	elif re.match(r"[^@]+@[^@]+\.[^@]+", s):
	matches = re.findall(r'[\w\.-]+@[\w\.-]+', s)
	for match in matches:
	email = match
	# Note filename
	elif ('.txt' in s or '.html' in s) and 'recovery' not in s:
	note_filename = s

	return {
	'private': binascii.hexlify(private.decode('base64')),
	'public': binascii.hexlify(public.decode('base64')),
	'decrypter': decrypter,
	'email': email,
	'note_filename': note_filename
	}

	# Setup argument parts
	parser = argparse.ArgumentParser(description='Extract config from Rapid Ransomware decrypter')
	parser.add_argument('file', help='executable path')

	# Parse arguments
	args = parser.parse_args()

	# Extract config for given binary
	config = extract_config(args.file)

	# Check for success
	if config == None:
	print "\n[-] Error extracting keys"
	else:
	# Decrypter config
	if config['decrypter']:
	print "\n[+] File is a decrypter\n"
	print "[+] Public key blob:\n%s\n" % config['public']
	print "[+] Private key blob:\n%s\n" % config['private']
	# Encrypter config
	else:
	print "\n[+] File is an encrypter\n"
	print "[+] Email: %s" % config['email']
	print "[+] Ransom Note Filename: %s" % config['note_filename']
	print "[+] Public key blob:\n%s\n" % config['public']