
GandCrab String Decryptor

IDC (IDA C) script for string decryption.

Tested with GandCrab v5.1 (DLL), v5.2 (exe) and v5.3 (exe).

SHA-256 hashes of the test samples:

  • 6aa3f17e5f62b715908b5cb3ea462bfa6cecfd3f4d70078eabd418291a5a7b83
  • 017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6
  • 1791e9d01451f953e74249019654609cd33c2ab66e97f2ed7a609e99f9ce8320
  • d01fd7176d48d8210fe85923ff383d87dab7d2e2b37e9da58c7e075a1aae153c

How it works

This script first tries to identify the string decryption function: it should be the most heavily called function in the binary, and it should be short. The string decryption function takes one argument and extracts from it the key, the length of the encrypted data and the encrypted data itself. The encryption is RC4, as can be seen below:

(Figure: string decryption function)

(Figure: RC4 decryption)

Then the script finds the calls to the string decryption function and reconstructs its argument from the "mov" instructions that write the local variables (see picture below). Once the RC4 parameters have been extracted, the string can be decrypted and checked to see whether it is an ASCII or a Unicode string. Finally, the script adds comments with the decrypted values:

(Figures: RC4 decryption)

Contributors: lacike

Issues

How to use this script? Is it for decryption of files encrypted by GandCrab?

Hello, forgive me for these silly questions, but a colleague of mine got infected by GandCrab 5.2 and I was eager to help him.

This is what I did:

Downloaded IDA64 for Mac, opened an infected file (extension .qxaamcgv) it asks me to choose an entry point but I have no idea what to choose. From the File menu, I've imported the .idc script from your repository in the snippet list and when I run it I just get "=====GandCrab String Decryptor=====" in the Output window.

Am I completely getting the nature of your script wrong?

Any help would be very appreciated, even just to point me in the right direction!

Cheers,
Giuseppe
