      Reverse Engineering Ransomware


      Description
      ـــــــــــــــــــــــــ
      The aim of this course is to provide a practical approach to analyzing ransomware. Working with real world samples of increasing difficulty, we will:

      Deep dive into identifying the encryption techniques,

      Navigate through various evasion tricks used by malware writers,

      Have fun discovering flaws in their logic or the implementation and

      Work out automated ways to recover the affected files.

      If you're already familiar with the basics and want to dive straight into advanced samples, navigate anti-virtualisation and anti-analysis tricks, and write C and Python decryptors for custom crypto algorithms,  please check out our Advanced Reverse Engineering Ransomware course!

      Requirements
      ــــــــــــــــــــــــــــــــ
      -Basic programming knowledge
      -A computer that can run a Windows virtual machine.
      -An interest in disassembling things and understanding how they work!
      -Patience and perseverance to “try harder”.


      Who this course is for:
      ــــــــــــــــــــــــــــــــــــــــــــــــــــ
      -Security testers
      -Malware analysts
      -Forensics investigators
      -System administrators
      -Information security students
      -Anyone interested in ransomware and malware analysis

      • Similar Content

        • By itsMe

          In this project I created a Ransomware with Python. I used advanced VM evasion techniques, combined with very strong encryption.
          Getting Administrator Privileges
          This program uses UAC bypass to get administrator privileges if the user won't give the program the necessary privileges.
          Evading Detection
              Checking for physical components like fans, CPU cores, ...
              Checking for Registry keys and certain files.
              Checking for certain MAC addresses.
              Checking for running services and tasks.
          Encryption
          I used AES-RSA with a 512-bit key (decrypting the 256-bit key would take approximately 2.29 * 10^32 years).
          How the Ransomware works
          First the program checks if it has admin privileges; if not, it uses the UAC bypass to get the necessary privileges.
          Then it checks for a testing environment. If it finds one, it deletes itself from the system; otherwise it checks whether it has already run before. If yes, it checks whether it is currently running in safe mode: if not, it enters safe mode; if yes, it starts encrypting.
          If it has not run before, the program writes itself to the registry, reboots into safe mode, and auto-starts.
          Other explanation:
              Do I have admin privileges?
                  YES, Am I running on some testing environment?
                      YES, Delete itself from the system
                  No, Have I run before?
                      YES, Am I inside safe mode?
                          YES, start the ransomware
                          NO, restart into safe mode
                      NO, Write myself to the registry and restart into safe mode
              NO, Use UAC bypass and start all over again
          Disclaimer
          Use this project for educational purposes only.
          This is a very harmful project with no option to retrieve the data once executed.
          I am NOT responsible for anything that you do with this project.

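The post lists the artifacts its sample looks for before deciding it is inside an analysis VM (MAC addresses, CPU cores, fans, registry keys, driver files, services). The block below is an added example written for this page, not code from the post's project, and shows what those checks amount to from the analyst's side: a host "inventory" goes in as a plain dict (so it can be run offline on constructed data) and the list of reasons the host looks like a sandbox comes out. The OUI list and the guest-tools artifacts are the commonly documented VMware/VirtualBox/Hyper-V/Xen/Parallels ones; the two sample hosts are made up.

```python
"""Sandbox / VM artifact checks of the kind the post describes.

Added example for this page, not the post's own code. The host inventory is
passed in as a dict so the logic runs offline on constructed data;
collect_local_inventory() reads only what the standard library exposes.
"""
import os
import uuid

# OUIs (first three MAC octets) registered to common hypervisor vendors.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen", "00:1c:42": "Parallels",
}
# Guest-tools artifacts, compared case-insensitively.
VM_REGISTRY_KEYS = {
    r"hklm\software\vmware, inc.\vmware tools",
    r"hklm\software\oracle\virtualbox guest additions",
}
VM_FILES = {
    r"c:\windows\system32\drivers\vmmouse.sys",
    r"c:\windows\system32\drivers\vmhgfs.sys",
    r"c:\windows\system32\drivers\vboxmouse.sys",
    r"c:\windows\system32\drivers\vboxguest.sys",
}
VM_SERVICES = {"vmtools", "vmtoolsd", "vboxservice", "vmicheartbeat"}
MIN_CPU_CORES = 2  # single-vCPU guests are a common sandbox tell


def normalize_mac(mac):
    """Accept 'AA-BB-CC-DD-EE-FF', 'aa:bb:...' or the int from uuid.getnode()."""
    if isinstance(mac, int):
        hexstr = "%012x" % mac
        mac = ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))
    return mac.lower().replace("-", ":")


def vm_indicators(inventory):
    """Return the reasons a host looks like an analysis VM (empty if none).

    Recognised keys, all optional: macs, cpu_cores, fans, registry_keys,
    files, services. Unknown keys are ignored.
    """
    reasons = []
    for mac in inventory.get("macs", []):
        mac = normalize_mac(mac)
        vendor = VM_MAC_OUIS.get(mac[:8])
        if vendor:
            reasons.append(f"MAC {mac} uses a {vendor} OUI")
    cores = inventory.get("cpu_cores")
    if cores is not None and cores < MIN_CPU_CORES:
        reasons.append(f"only {cores} CPU core(s)")
    if inventory.get("fans") == 0:  # e.g. an empty Win32_Fan enumeration
        reasons.append("no fan devices reported")
    for key in inventory.get("registry_keys", []):
        if key.lower() in VM_REGISTRY_KEYS:
            reasons.append(f"registry key {key}")
    for path in inventory.get("files", []):
        if path.lower() in VM_FILES:
            reasons.append(f"driver file {path}")
    for svc in inventory.get("services", []):
        if svc.lower() in VM_SERVICES:
            reasons.append(f"service/process {svc}")
    return reasons


def looks_like_sandbox(inventory, min_hits=1):
    """The post's sample bails out on any hit; raise min_hits to be stricter."""
    return len(vm_indicators(inventory)) >= min_hits


def collect_local_inventory():
    """Portable subset of the checks for the machine this runs on."""
    return {"macs": [normalize_mac(uuid.getnode())], "cpu_cores": os.cpu_count()}


# Constructed sample hosts, not real telemetry.
SAMPLE_VMWARE_SANDBOX = {
    "macs": ["00-0C-29-3A-1B-2C"],
    "cpu_cores": 1,
    "fans": 0,
    "registry_keys": [r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"],
    "files": [r"C:\Windows\System32\drivers\vmhgfs.sys"],
    "services": ["vmtoolsd", "Spooler"],
}
SAMPLE_WORKSTATION = {
    "macs": ["3C-97-0E-12-34-56"],
    "cpu_cores": 8,
    "fans": 2,
    "registry_keys": [],
    "files": [],
    "services": ["Spooler", "Dnscache"],
}

if __name__ == "__main__":
    for name, host in (("sandbox", SAMPLE_VMWARE_SANDBOX), ("workstation", SAMPLE_WORKSTATION)):
        print(name, looks_like_sandbox(host), vm_indicators(host))
```

Every one of these checks is cheap to defeat from the sandbox side (a non-hypervisor OUI on the virtual NIC, two or more vCPUs, renamed guest tools, a fan device exposed through WMI), which is why an analysis VM built to detonate this kind of sample should be configured with exactly this list in mind.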
        • By itsMe

          A small reverse shell for Linux & Windows.
          Features
          Windows
          Usage:
          └ Shared Commands:  !exit
            !upload <src> <dst>
             * uploads a file to the target
            !download <src> <dst>
             * downloads a file from the target
            !lfwd <localport> <remoteaddr> <remoteport>
             * local portforwarding (like ssh -L)
            !rfwd <remoteport> <localaddr> <localport>
             * remote portforwarding (like ssh -R)
            !lsfwd
             * lists active forwards
            !rmfwd <index>
             * removes forward by index
            !plugins
             * lists available plugins
            !plugin <plugin>
             * execute a plugin
            !spawn <port>
             * spawns another client on the specified port
            !shell
             * runs /bin/sh
            !runas <username> <password> <domain>
             * restart xc with the specified user
            !met <port>
             * connects to a x64/meterpreter/reverse_tcp listener
          └ OS Specific Commands:
            !powershell
              * starts powershell with AMSI Bypass
            !rc <port>
              * connects to a local bind shell and restarts this client over it
            !runasps <username> <password> <domain>
              * restart xc with the specified user using powershell
            !vulns
              * checks for common vulnerabilities
          Linux
          Usage:
          └ Shared Commands:  !exit
            !upload <src> <dst>
             * uploads a file to the target
            !download <src> <dst>
             * downloads a file from the target
            !lfwd <localport> <remoteaddr> <remoteport>
             * local portforwarding (like ssh -L)
            !rfwd <remoteport> <localaddr> <localport>
             * remote portforwarding (like ssh -R)
            !lsfwd
             * lists active forwards
            !rmfwd <index>
             * removes forward by index
            !plugins
             * lists available plugins
            !plugin <plugin>
             * execute a plugin
            !spawn <port>
             * spawns another client on the specified port
            !shell
             * runs /bin/sh
            !runas <username> <password> <domain>
             * restart xc with the specified user
            !met <port>
             * connects to a x64/meterpreter/reverse_tcp listener
          └ OS Specific Commands:
           !ssh <port>
             * starts sshd with the configured keys on the specified port

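The usage text above describes `!lfwd <localport> <remoteaddr> <remoteport>` only as "local portforwarding (like ssh -L)". The block below is an added example written for this page, not xc's own code, showing what that operation is: a listener on the operator's side accepts connections and relays each one, byte for byte in both directions, to the remote address. Both ends run on loopback so it can be exercised offline, with a constructed uppercase-echo service standing in for the remote target; `relay_roundtrip()` pushes one message through the forward and returns what came back.

```python
"""Local port forward with ssh -L semantics (what '!lfwd' does).

Added example for this page, not xc's code. Everything runs on loopback
with a constructed echo service in place of the remote target.
"""
import socket
import threading

IO_TIMEOUT = 10  # seconds; keeps a stuck peer from holding a relay thread forever


def _pump(src, dst):
    """Copy src -> dst until src hits EOF, then half-close dst so the far
    side sees EOF too; without that, request/response pairs never finish."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForward:
    """Listen on (bind_host, local_port) and relay each connection to remote.
    local_port=0 picks a free port; read .local_port for the real one."""

    def __init__(self, local_port, remote_addr, remote_port, bind_host="127.0.0.1"):
        self.remote = (remote_addr, remote_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_host, local_port))
        self.listener.listen(16)
        self.local_port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return  # listener closed by close()
            try:
                upstream = socket.create_connection(self.remote, timeout=IO_TIMEOUT)
            except OSError:
                client.close()  # target unreachable: drop this client, keep serving
                continue
            client.settimeout(IO_TIMEOUT)
            # One thread per direction; each half-closes its destination on EOF.
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.listener.close()


def _serve_echo(conn):
    """Constructed stand-in for the remote service: uppercases what it gets."""
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data.upper())


def start_echo_server():
    """Return (listener_socket, port) of an in-process loopback echo service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(4)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.settimeout(IO_TIMEOUT)
            threading.Thread(target=_serve_echo, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def relay_roundtrip(payload=b"hello through the forward"):
    """Send payload through a LocalForward to the echo service; return the reply."""
    srv, remote_port = start_echo_server()
    fwd = LocalForward(0, "127.0.0.1", remote_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd.local_port), timeout=IO_TIMEOUT) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # we are done sending; let EOF propagate
            chunks = []
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        return b"".join(chunks)
    finally:
        fwd.close()
        srv.close()


if __name__ == "__main__":
    print(relay_roundtrip())
```

The remote variant (`!rfwd`, like `ssh -R`) is the same relay with the roles swapped: the listener is opened on the compromised host and connections arriving there are carried back over the implant's channel to an address the operator chooses. On a real engagement the relay runs inside the C2 connection rather than as a second TCP socket, which is what lets it cross a firewall that only allows the implant's outbound port.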
        • By itsMe

          A Hex Editor for Reverse Engineers, Programmers, and people that value their eyesight when working at 3 AM.
          Features
              Featureful hex view
                  Byte patching
                  Patch management
                  Copy bytes as feature
                      Bytes
                      Hex string
                      C, C++, C#, Rust, Python, Java & JavaScript array
                      ASCII-Art hex view
                      HTML self-contained div
                  String and hex search
                  Colorful highlighting
                  Goto from start, end, and current cursor position
              Custom C++-like pattern language for parsing and highlighting a file's content
                  Automatic loading based on MIME-type
                  arrays, pointers, structs, unions, enums, bitfields, using declarations, little and big-endian support
                  Useful error messages, syntax highlighting, and error marking
              Data importing
                  Base64 files
                  IPS and IPS32 patches
              Data exporting
                  IPS and IPS32 patches
              Data inspector allowing interpretation of data as many different types (little and big-endian)
              Huge file support with fast and efficient loading
              Strings search
                  Copying of strings
                  Copying of detangled strings
              File hashing support
                  CRC16 and CRC32 with custom initial values and polynomials
                  MD4, MD5
                  SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
              Disassembler supporting many different architectures
                  ARM32 (ARM, Thumb, Cortex-M, aarch32)
                  ARM64
                  MIPS (MIPS32, MIPS64, MIPS32R6, Micro)
                  x86 (16 bit, 32 bit, 64 bit)
                  PowerPC (32 bit, 64 bit)
                  Sparc
                  SystemZ
                  XCore
                  M68K
                  TMS320C64X
                  M680X
                  Ethereum
              Bookmarks
                  Region highlighting
                  Comments
              Data Analyzer
                  File magic-based file parser and MIME type database
                  Byte distribution graph
                  Entropy graph
                  Highest and average entropy
                  Encrypted / Compressed file detection
              Helpful tools
                  Itanium and MSVC demangler
                  ASCII table
                  Regex replacer
                  Mathematical expression evaluator (Calculator)
                  Hexadecimal Color picker
              Built-in cheat sheet for pattern language and Math evaluator
              Doesn’t burn out your retinas when used in late-night sessions
          Changelog v1.11.1
          Bug fixes
              Fixed window being undecorated on all platforms while it should only be undecorated on Windows.
                  This caused the window to be unmovable and unresizable on platforms other than Windows
              Fixed crash when launching ImHex without a terminal window on Windows

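The Data Analyzer features listed above (entropy graph, highest and average entropy, encrypted / compressed file detection) rest on one measurement: Shannon entropy per window of the file. The block below is an added example written for this page, not ImHex's code, that computes that profile and classifies a buffer the way an analyst triaging ransomware output would, flagging files that are high-entropy throughout and files that only contain a high-entropy region. The window size, the 7.0 bits/byte threshold and the 90% ratio are assumptions tuned for the constructed samples at the bottom; the samples themselves are generated in the block (repeated text, a SHA-256 counter stream standing in for ciphertext, and a zlib-compressed buffer).

```python
"""Entropy profiling of a buffer, the measurement behind an entropy graph
and encrypted/compressed detection.

Added example for this page, not ImHex's code. Thresholds are assumptions
chosen for the constructed samples below.
"""
import hashlib
import math
import zlib
from collections import Counter

BLOCK_SIZE = 1024   # bytes per window
MIN_BLOCK = 512     # drop a short trailing window; its entropy is not comparable
HIGH_ENTROPY = 7.0  # bits/byte; compressed and encrypted data sit near 8.0


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data, block_size=BLOCK_SIZE):
    """Per-window entropies (the graph) plus the summary figures."""
    windows = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    windows = [w for w in windows if len(w) >= MIN_BLOCK] or [data]
    ents = [shannon_entropy(w) for w in windows]
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    return {
        "windows": ents,
        "mean": sum(ents) / len(ents),
        "max": max(ents),
        "high_fraction": high / len(ents),
    }


def classify(data):
    """'encrypted-or-compressed' when nearly every window is near 8 bits/byte,
    'mixed' when only some are (packed section, embedded blob, partially
    encrypted file), 'plain' otherwise. Entropy alone cannot separate
    encryption from compression; look at headers (zlib 78 9c, gzip 1f 8b,
    PK for zip) for that."""
    p = entropy_profile(data)
    if p["high_fraction"] >= 0.9:
        return "encrypted-or-compressed"
    if p["max"] >= HIGH_ENTROPY:
        return "mixed"
    return "plain"


def _pseudo_random(nbytes, seed=b"entropy-demo"):
    """Deterministic high-entropy bytes (SHA-256 counter stream), so the
    samples are reproducible; stands in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:nbytes])


# Constructed samples, not real files.
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog. " * 400   # ~18 KB of prose
SAMPLE_CIPHERTEXT = _pseudo_random(16 * 1024)
# About 6 bits of entropy per byte: compressible, but not to nothing.
SAMPLE_DOCUMENT = bytes(b % 64 + 32 for b in _pseudo_random(16 * 1024))
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_DOCUMENT, 9)
# Prose with a 4 KB encrypted blob dropped in the middle.
SAMPLE_MIXED = SAMPLE_TEXT[:8192] + SAMPLE_CIPHERTEXT[:4096] + SAMPLE_TEXT[:8192]

if __name__ == "__main__":
    for name in ("SAMPLE_TEXT", "SAMPLE_DOCUMENT", "SAMPLE_CIPHERTEXT",
                 "SAMPLE_COMPRESSED", "SAMPLE_MIXED"):
        data = globals()[name]
        p = entropy_profile(data)
        print(f"{name:18} mean={p['mean']:.2f} max={p['max']:.2f} "
              f"high={p['high_fraction']:.2f} -> {classify(data)}")
```

For ransomware triage the per-window profile matters more than the file-level number: a file whose first few kilobytes are still recognisable but whose remainder reads as ciphertext points at a sample that encrypts partially for speed, which in turn decides how much of the original can be carved back out.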
        • By itsMe

          rpcfirewall: Open Source Ransomware Kill Switch Tool
          Why should I care?
          RPC is the underlying mechanism which is used for numerous lateral movement techniques, reconnaissance, relay attacks, or simply to exploit vulnerable RPC services.
          DCSync attack? over RPC. Remote DCOM? over RPC. WMIC? over RPC. SharpHound? over RPC. PetitPotam? over RPC. PsExec? over RPC. ZeroLogon? over RPC… well, you get the idea 🙂
          What is it used for?
          Research
          Install the RPC Firewall and configure it to audit all remote RPC calls. When you then run any remote attack tool, you will see which RPC UUIDs and Opnums were called remotely.
          Remote RPC Attacks Detection
          When the RPC Firewall is configured to audit, it writes events to the Windows Event Log.
          Forward this log to your SIEM, and use it to create baselines of remote RPC traffic for your servers.
          Once an abnormal RPC call is audited, use it to trigger an alert for your SOC team.
          Remote RPC Attacks Protection
          The RPC Firewall can be configured to block & audit only potentially malicious RPC calls. All other RPC calls are not audited to reduce noise and improve performance.
          Once a potentially malicious RPC call is detected, it is blocked and audited. This could be used to alert your SOC team, while keeping your servers protected.
          What are the RPC Firewall Components?
          It is made up of 3 components:
              RpcFwManager.exe – In charge of managing the RPC Firewall.
              RpcFirewall.dll – Injected DLL which performs the audit & filtering of RPC calls.
              RpcMessages.dll – A common library for sharing functions, and logic that writes data into Windows Event Viewer.

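The "Remote RPC Attacks Detection" section above describes a workflow (audit every remote call, forward the events to the SIEM, baseline per server, alert on the abnormal) without showing what the alerting logic looks like once the events arrive. The block below is an added example written for this page, not rpcfirewall's code: it builds a per-server baseline of (interface UUID, opnum) pairs from a learning window and then raises alerts on calls that are known-abuse from an unexpected client or that the server has never served before. The audit line format is constructed for the example; the real Windows Event Log records carry the interface UUID, opnum and client address but not in this shape, so `parse_event()` is the part to adapt to your SIEM's field names. The interface UUIDs and opnums are the published ones from MS-DRSR, MS-EFSR, MS-SRVS and MS-SCMR; the server names and IP addresses are made up.

```python
"""Baseline-and-alert over RPC audit events (the workflow the post describes).

Added example for this page, not rpcfirewall's code. The event line format,
host names and addresses are constructed; the UUIDs/opnums are the
published protocol values.
"""
import re
from collections import defaultdict

# (interface UUID, opnum) pairs that are abused far more often than used legitimately.
KNOWN_ABUSE = {
    ("e3514235-4b06-11d1-ab04-00c04fc2dcd2", 3): "MS-DRSR DRSGetNCChanges (DCSync)",
    ("c681d488-d850-11d0-8c52-00c04fd90f7e", 0): "MS-EFSR EfsRpcOpenFileRaw (PetitPotam coercion)",
}
# Clients allowed to make a known-abuse call to a given server, e.g. the
# other domain controllers replicating via DRSGetNCChanges. Constructed values.
ALLOWED_PEERS = {
    ("dc01", "e3514235-4b06-11d1-ab04-00c04fc2dcd2", 3): {"10.0.0.11"},  # dc02
}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) server=(?P<server>\S+) client=(?P<client>\S+) "
    r"uuid=(?P<uuid>[0-9a-fA-F-]{36}) opnum=(?P<opnum>\d+)$"
)


def parse_event(line):
    """Return a dict for one audit line, or None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["uuid"] = ev["uuid"].lower()
    ev["opnum"] = int(ev["opnum"])
    return ev


def build_baseline(lines):
    """server -> set of (uuid, opnum) observed during the learning window."""
    baseline = defaultdict(set)
    for ev in filter(None, map(parse_event, lines)):
        baseline[ev["server"]].add((ev["uuid"], ev["opnum"]))
    return baseline


def detect(lines, baseline):
    """Return (reason, event) pairs. Known-abuse calls are judged by the
    allowed-peer list, never by the baseline: one observed DCSync during
    learning must not whitelist DCSync for everyone."""
    alerts = []
    for ev in filter(None, map(parse_event, lines)):
        pair = (ev["uuid"], ev["opnum"])
        if pair in KNOWN_ABUSE:
            if ev["client"] not in ALLOWED_PEERS.get((ev["server"],) + pair, set()):
                alerts.append((KNOWN_ABUSE[pair], ev))
            continue
        if pair not in baseline.get(ev["server"], set()):
            alerts.append((f"new interface/opnum for {ev['server']}: {pair}", ev))
    return alerts


# Constructed learning window: share enumeration on a file server from two
# workstations, and DC-to-DC replication.
BASELINE_LINES = [
    "2023-01-10T08:00:01Z server=fs01 client=10.0.0.50 uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum=15",
    "2023-01-10T08:00:05Z server=fs01 client=10.0.0.51 uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum=15",
    "2023-01-10T08:01:00Z server=dc01 client=10.0.0.11 uuid=e3514235-4b06-11d1-ab04-00c04fc2dcd2 opnum=3",
]
# Constructed detection window: the usual enumeration, then a DCSync from a
# workstation, then a service creation on the file server (PsExec-style).
LIVE_LINES = [
    "2023-01-11T09:12:01Z server=fs01 client=10.0.0.50 uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum=15",
    "2023-01-11T09:13:44Z server=dc01 client=10.0.0.55 uuid=e3514235-4b06-11d1-ab04-00c04fc2dcd2 opnum=3",
    "2023-01-11T09:14:10Z server=fs01 client=10.0.0.55 uuid=367abb81-9844-35f1-ad32-98f038001003 opnum=12",
    "this line is not an audit event and is skipped",
]

if __name__ == "__main__":
    for reason, ev in detect(LIVE_LINES, build_baseline(BASELINE_LINES)):
        print(f"{ev['ts']} {ev['server']} <- {ev['client']}: {reason}")
```

The two-tier split is the point: a pure baseline would have learned the replication call on dc01 and stayed silent on the DCSync from 10.0.0.55, while a pure signature list would have missed the never-before-seen service creation on fs01. In production the baseline is keyed on more than the server (client subnet, time of day) and the known-abuse table is longer, but the shape of the decision does not change.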
        • By itsMe

          r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files.
          The Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later gained support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, and more.
          radare2 is portable.
          The main tool of the whole framework. It uses the core of the hexadecimal editor and debugger. radare2 allows you to open a number of input/output sources as if they were simple, plain files, including disks, network connections, kernel drivers, processes under debugging, and so on.
          It implements an advanced command line interface for moving around a file, analyzing data, disassembling, binary patching, data comparison, searching, replacing, and visualizing. It can be scripted with a variety of languages, including Python, Ruby, JavaScript, Lua, and Perl.
              Architectures:
                  6502, 8051, CRIS, H8/300, LH5801, T8200, arc, arm, avr, bf, blackfin, xap, dalvik, dcpu16, gameboy, i386, i4004, i8080, m68k, malbolge, mips, msil, msp430, nios II, powerpc, rar, sh, snes, sparc, tms320 (c54x c55x c55+), V810, x86-64, zimg, risc-v.
              File Formats:
                  ELF, Mach-O, Fatmach-O, PE, PE+, MZ, COFF, OMF, TE, XBE, BIOS/UEFI, Dyldcache, DEX, ART, CGC, Java class, Android boot image, Plan9 executable, ZIMG, MBN/SBL bootloader, ELF coredump, MDMP (Windows minidump), WASM (WebAssembly binary), Commodore VICE emulator, Game Boy (Advance), Nintendo DS ROMs and Nintendo 3DS FIRMs, various filesystems.
              Operating Systems:
                  Windows (since XP), GNU/Linux, OS X, [Net|Free|Open]BSD, Android, iOS, OSX, QNX, Solaris, Haiku, FirefoxOS
              Bindings:
                  Vala/Genie, Python (2, 3), NodeJS, Lua, Go, Perl, Guile, php5, newlisp, Ruby, Java, OCaml, …
          radare2 v5.5 has been released.
          Changelog
              New IOBanks APIs and commands replacing skyline and making io faster (2-10x) @condret
              Faster analysis, type matching, binary parsing (2-4x) @trufae
              [] and =[] esil operations have been removed (size is mandatory) @condret
              Lots of important bugs fixed in bin parsers and disassemblers @Lazula
              Add support for the latest iOS15 dyld4 Atlas-style cache formats @mrmacete
              Autorename signature matching collisions and faster search @swoops
              Add assembler for riscv and disassemblers for PDP11, Alpha64 and armv7.v35 @trufae
              Improved integration with r2frida remote filesystems @as0ler
              Cleaning debugger for windows (32 and 64) and macOS makes it more reliable and stable @trufae
              Add seven segment printing (?ea for ascii-art text titles) @trufae
              Improved xrefs visualization with new axfm and axtm commands @trufae
              Add avg command to manage global variables @trufae
              The sixref plugin is now easier to use to find xrefs on arm64 code @hot3eed
              Improved multibin (select all bins or one) and multidex support in apk:// @trufae
              Better build scripts for Windows (add asan and w32 profiles) @trufae
              Added armv7.v35 and improved esil emulation with the arm64.v35 @aemmitt-ns
              Add more help messages and set scr.prompt.tabhelp true by default @trufae
              AES key wrap algorithm support in rahash2 @sylvainpelissier
              Fix var serialization issues in debugger reloading (ood) and projects saving (Ps) @RHL120
              Add Amiga and MSX rom/bin parser plugin and test @romerojoseant @trufae
              Visual slides (r2s) allow interactive content to be used within r2 @trufae
              Print and convert ternary values back and forth @trufae
