Sample Files

The files that are available for download here are usually malware, please treat these files accordingly. Malicious samples are packed as zip or 7zip archives with the password infected.
[email@example.com /tmp/2021/malremote/tag4/]$ cat exercise10.md
Again, consider the sample with the following SHA-256 hash:

```
12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39
```

At this point, you should have:

* deobfuscated strings
* JSON config extracted
* resolved Windows API functions

You can now take on the task of reverse engineering REvil as you would any ordinary piece of malware. This is a lot of work, and in this exercise we make a start on it.

1. What command line switches is the malware able to process?
   Tip 1: Look at the deobfuscated strings.
   Tip 2: Start at the `GetCommandLineW` API function.
2. What is the meaning of the string containing `BlackLivesMatter`? Derive a host-based indicator of compromise (IoC) from it if possible.
3. Identify the embedded cryptographic algorithms. It is common for ransomware to generate temporary keys for a symmetric encryption scheme which are then encrypted with an asymmetric algorithm. To generate those keys, REvil uses `CryptGenRandom`. If you don't know where to start, here are a few (literal) pointers:
   * `FUN_00405fc4`
   * `FUN_00408a5a`
   * `FUN_0040863a`
   * `FUN_004072de`
   * `FUN_00407198`
   * `FUN_00406fd0` (this is on the harder side)

Fun Fact: The constant `0x1010101` is often used by compilers as a performance optimization in `memset`, because multiplying a byte value by it replicates that byte across all four bytes of a 32-bit word.
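A practical first step for question 3 is to scan the binary for the well-known public constants that cryptographic primitives carry with them (hash initial states, S-box bytes, the Salsa20/ChaCha "expand 32-byte k" string), since those survive even when the surrounding code is obfuscated. The scanner below is an added example written for this page, not part of the exercise or the course materials; the sample bytes it scans are constructed to look like x86 code and are not taken from the REvil sample, and it also matches constants that appear as scattered `mov` immediates rather than a contiguous table.

```python
import struct

# Public constants that betray a primitive even when its code is obfuscated.
# Lists of ints are matched as individual little-endian dwords (the form they
# take as x86 immediates); byte strings must appear contiguously.
SIGNATURES = {
    "SHA-256": [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x428a2f98, 0x71374491],
    "MD5/SHA-1 state": [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476],
    "CRC-32 table": [0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419],
    "AES S-box": bytes.fromhex("637c777bf26b6fc5"),
    "Salsa20/ChaCha sigma": b"expand 32-byte k",
    "Salsa20/ChaCha tau": b"expand 16-byte k",
}


def find_crypto_constants(blob: bytes, min_words: int = 3) -> dict:
    """Return {primitive name: sorted offsets} for every signature found in blob.

    A dword-list signature only counts when at least `min_words` distinct words
    are present, which keeps a lone 0x67452301 from being reported as MD5.
    """
    hits = {}
    for name, sig in SIGNATURES.items():
        if isinstance(sig, bytes):
            offsets = [i for i in range(len(blob) - len(sig) + 1)
                       if blob.startswith(sig, i)]
            if offsets:
                hits[name] = offsets
        else:
            found = {w: blob.find(struct.pack("<I", w)) for w in sig}
            found = {w: off for w, off in found.items() if off != -1}
            if len(found) >= min_words:
                hits[name] = sorted(found.values())
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for a code section (not real malware bytes):
    a prologue, the SHA-256 IV loaded via `mov eax, imm32` (opcode 0xB8)
    with nops between, a ret, and an embedded Salsa20 sigma string."""
    code = b"\x55\x8b\xec"                      # push ebp; mov ebp, esp
    for word in (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a):
        code += b"\xb8" + struct.pack("<I", word) + b"\x90\x90"  # mov eax, imm32; nop; nop
    return code + b"\xc3" + b"\x00" * 8 + b"expand 32-byte k" + b"\x00" * 8


if __name__ == "__main__":
    for name, offsets in find_crypto_constants(build_sample()).items():
        print(f"{name}: {[hex(o) for o in offsets]}")
```

On a real sample, feed it the raw file bytes (or each section of the PE separately) and treat every hit as a starting point for the functions that reference that address, not as proof by itself.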