Alexander Hanel alexander-hanel

RYUK STRING DECODER NOTES

Recent variants of Ryuk have had their code cleaned up. They removed non-referenced strings that are relics from the HERMES source code days. One interesting part of the code clean-up is a new string decoder. The string decoder is the first MD5 brute forcer that I have observed in malware. It's an interesting technique because it is a computational attack that delays execution of Ryuk before the strings are decoded in memory. The decoding of strings happens in two phases. The first phase uses a hardcoded lookup table that is to decode API names. Once the API names are decrypted, they are dynamically imported and then used to recover the original string from an MD5 hash. After the original string is discovered, each byte of the string is hashed and then the hash is MD5ed, then the hexdigest contents are appended to a string. Each byte within the appended MD5 strings is used to create a second lookup table which is then used to decrypt strings.

Example Python code of the MD5 Brutef

Computer Architecture

Crash Course Computer Science
- Start here.

Assembly Language

Check out the first two books but download the Intel Software Manuals and use as references.

Assembly Language Step by Step
- Easy introduction to Assembly Language
Assembly Language for X86 Processors by Kip Irvine

	def get_to_xrefs(ea):
	xref_set = set([])
	for xref in idautils.XrefsTo(ea, 1):
	xref_set.add(xref)
	return xref_set

	def get_from_xrefs(ea):
	xref_set = set([])
	for xref in idautils.XrefsTo(ea, 1):
	xref_set.add(xref)

	import idautils

	JMPS = [idaapi.NN_jmp, idaapi.NN_jmpfi, idaapi.NN_jmpni]
	CALLS = [idaapi.NN_call, idaapi.NN_callfi, idaapi.NN_callni]

	DEBUG = True
	COMMENT = True

	class CSP():
	pass

	import base64
	from Crypto.Cipher import ARC4

	def str_decrypt(enc_data):
	key = 'fuckav\x00'
	cipher = ARC4.new(key)
	try:
	enc_data = base64.b64decode(enc_data)
	except:
	return enc_data

	import idautils
	import operator

	JMPS = [eval("idaapi."+name) for name in dir(idaapi) if "NN_j" in name]

	def get_riat_func():
	gpa = idc.get_name_ea_simple("GetProcAddress")
	func_gpa = {}
	for tt in idautils.XrefsTo(gpa, 0):
	if tt.type != 3: # Data_Read:

	import idautils
	comments = {}
	for func in idautils.Functions():
	flags = idc.get_func_attr(func, FUNCATTR_FLAGS) # skip library & thunk functions
	if flags & FUNC_LIB or flags & FUNC_THUNK:
	continue
	dism_addr = list(idautils.FuncItems(func))
	for ea in dism_addr:
	temp = idc.get_cmt(ea, 0)
	if temp:

	def rrename():
	func = idaapi.get_func(here()).startEA
	idc.set_name(func, idc.get_cmt(idc.get_operand_value(here(),1), True) + "_", SN_CHECK)

	def hexdump(src, length=16):
	FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.' for x in range(256)])
	lines = []
	for c in xrange(0, len(src), length):
	chars = src[c:c+length]
	hex = ' '.join(["%02x" % ord(x) for x in chars])
	printable = ''.join(["%s" % ((ord(x) <= 127 and FILTER[ord(x)]) or '.') for x in chars])
	lines.append("%04x %-s %s\n" % (c, length3, hex, printable))
	return ''.join(lines)

	@echo off
	(
	echo -----BEGIN CERTIFICATE-----
	echo 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgAEAP7/DAAGAAAAAAAAAAEAAAABAAAA
	echo AQAAAAAAAAAAEAAAAgAAAAEAAAD+////AAAAAAAAAAD/////////////////////
	echo ////////////////////////////////////////////////////////////////
	echo ////////////////////////////////////////////////////////////////
	echo ////////////////////////////////////////////////////////////////
	echo ////////////////////////////////////////////////////////////////
	echo ////////////////////////////////////////////////////////////////