Sample Files

The files available for download here are usually malware; treat them accordingly. Malicious samples are packed as zip or 7zip archives with the password `infected`.
[imp@mal.re /tmp/2021/malremote/tag4/]$ cat exercise10.md
Again, consider the sample with the following SHA-256 hash:

```
12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39
```

At this point, you should have:

* deobfuscated strings
* JSON config extracted
* resolved Windows API functions

You can now take on the task to reverse engineer REvil as you would any ordinary piece of malware. This is a lot of work. In this exercise we start with that.

1. What command line switches is the malware able to process?
   Tip 1: Look at the deobfuscated strings.
   Tip 2: Start at the `GetCommandLineW` API function.
2. What is the meaning of the string containing `BlackLivesMatter`? Derive a host-based indicator of compromise (IoC) from it if possible.
3. Identify the embedded cryptographic algorithms. It is common for ransomware to generate temporary keys for a symmetric encryption scheme which are then encrypted with an asymmetric algorithm. To generate those keys, REvil uses `CryptGenRandom`. If you don't know where to start, here are a few (literal) pointers:
   * `FUN_00405fc4`
   * `FUN_00408a5a`
   * `FUN_0040863a`
   * `FUN_004072de`
   * `FUN_00407198`
   * `FUN_00406fd0` (this is on the harder side)

Fun Fact: The constant `0x1010101` is often used by compilers as a performance optimization in `memset`.
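The fun fact above is worth seeing in source form, because an inlined `memset` looks nothing like a call to `memset` in the decompiler. The following C program is an added illustration written for this page, not code from the sample or from the course material: it shows why multiplying a byte by `0x01010101` replicates that byte across a 32-bit word, and how a compiler-style word-at-a-time fill uses that word. The function names (`splat_byte`, `fill_words`, `fill_and_verify`) are hypothetical names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Replicate one byte across a 32-bit word. Multiplying by 0x01010101 is the
 * idiom compilers emit when they inline memset: 0xAB * 0x01010101 == 0xABABABAB.
 * This is the constant a reverse engineer sees next to a store loop. */
uint32_t splat_byte(uint8_t c) {
    return (uint32_t)c * 0x01010101u;
}

/* Word-at-a-time fill: the shape of an inlined memset. Four bytes are stored
 * per iteration, then the tail (n % 4 bytes) is finished byte by byte.
 * memcpy is used for the store so the code is valid on any alignment; since
 * every byte of the word is identical, endianness does not matter. */
void fill_words(void *dst, uint8_t c, size_t n) {
    uint8_t *p = (uint8_t *)dst;
    uint32_t word = splat_byte(c);
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        memcpy(p + i, &word, sizeof word);
    }
    for (; i < n; i++) {
        p[i] = c;
    }
}

/* Check helper: 1 if every byte in buf equals c, else 0. */
int all_bytes_equal(const uint8_t *buf, size_t n, uint8_t c) {
    for (size_t i = 0; i < n; i++) {
        if (buf[i] != c) return 0;
    }
    return 1;
}

/* Fill a constructed buffer of n bytes (n <= 64) with c using the word fill,
 * then verify it matches a plain byte-wise memset of the same value.
 * Returns 1 on match, 0 on mismatch or if n is out of range. */
int fill_and_verify(uint8_t c, size_t n) {
    uint8_t a[64], b[64];
    if (n > sizeof a) return 0;
    memset(a, 0x00, sizeof a);
    memset(b, 0x00, sizeof b);
    fill_words(a, c, n);
    memset(b, c, n);
    return memcmp(a, b, sizeof a) == 0 && all_bytes_equal(a, n, c);
}

int main(void) {
    /* Constructed demo values, not taken from the sample. */
    printf("splat_byte(0xAB) = 0x%08x\n", splat_byte(0xAB));
    printf("fill_and_verify(0x41, 11) = %d\n", fill_and_verify(0x41, 11));
    return 0;
}
```

When you meet a loop in Ghidra that stores a 32-bit value built from `param * 0x1010101` (or an `imul` by that constant in the disassembly), read it as `memset(dst, param, n)` rather than as part of the malware's own logic; the odd-length tail loop after it is the same optimization finishing the last few bytes.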