New Java STRRAT ships with .crimson ransomware module

Deobfuscating STRRAT and its configuration

To combat the string encryption applied by Allatori I used ‘Deobfuscator’ by GitHub user ‘Java Deobfuscator’. Deobfuscator offers a variety of transformers to choose from; I applied Allatori.StringEncryptionTransformer, which successfully decrypted the strings.

In a resource of the malware I found an encrypted configuration file. The malware code shows it is encrypted with AES using the password “strigoi”. I made a quick and dirty decrypter by copying the decompiled code of the decryption method and repairing it, so that the duplicated variable names from the decompiler no longer cause compile errors. Then I added a few lines to read and write the config. My configuration decryption code is listed below.

import java.io.File;
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class ConfigDecrypter {

    public static void main(String[] args) throws Exception {
        // Read the encrypted resource, decrypt it with the hard-coded password, write the plain text.
        File config = new File("config.txt");
        byte[] configBytes = Files.readAllBytes(config.toPath());
        byte[] decryptedConfig = decryptConfig("strigoi", configBytes);
        Path output = Paths.get("config_decrypted.txt");
        Files.write(output, decryptedConfig);
    }

    // Resource layout: 4-byte nonce length, the nonce itself (12..16 bytes, also used as the
    // PBKDF2 salt and as the CBC IV), then the AES-CBC/PKCS5 ciphertext.
    public static byte[] decryptConfig(String password, byte[] data) throws Exception {
        ByteBuffer buffer = ByteBuffer.wrap(data);
        int nonceSize = buffer.getInt();
        if (nonceSize >= 12 && nonceSize <= 16) {
            byte[] nonce = new byte[nonceSize];
            buffer.get(nonce);
            SecretKey key = createKey(password, nonce);
            byte[] ciphertext = new byte[buffer.remaining()];
            buffer.get(ciphertext);
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
            IvParameterSpec iv = new IvParameterSpec(nonce);
            cipher.init(Cipher.DECRYPT_MODE, key, iv); // the decompiled code passes the literal 2
            return cipher.doFinal(ciphertext);
        } else {
            throw new IllegalArgumentException("Nonce size is incorrect. Make sure that the incoming data is an AES encrypted file.");
        }
    }

    // PBKDF2-HMAC-SHA1, 65536 iterations, 128-bit AES key; the nonce doubles as the salt.
    public static SecretKey createKey(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 65536, 128);
        byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        return new SecretKeySpec(keyBytes, "AES");
    }
}
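To verify a decrypter like the one above without a live sample, it helps to be able to build a blob in the same container layout and round-trip it. The following is an added example, not code from the original post or from the malware: it re-implements the key derivation and the length-prefixed nonce layout described above, encrypts a constructed stand-in configuration with a constructed test password, decrypts it again, and shows what a wrong password does. The class name, the password and the plaintext are all assumptions made for this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the original post). Container layout exercised here:
//   [4-byte big-endian nonce length][nonce, 12..16 bytes][AES-CBC/PKCS5 ciphertext]
// Key: PBKDF2WithHmacSHA1, 65536 iterations, 128 bits, with the nonce as the salt.
public class StrratConfigFormat {

    private static final int PBKDF2_ITERATIONS = 65536;
    private static final int KEY_BITS = 128;

    // Same derivation as the decrypter: the nonce serves as both PBKDF2 salt and CBC IV.
    static SecretKey deriveKey(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, PBKDF2_ITERATIONS, KEY_BITS);
        byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        return new SecretKeySpec(keyBytes, "AES");
    }

    // Builds a blob in the container layout so the parser can be tested offline.
    static byte[] encrypt(String password, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[16]; // AES-CBC in the JCE only accepts a 16-byte IV
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password, nonce), new IvParameterSpec(nonce));
        byte[] ciphertext = cipher.doFinal(plaintext);
        ByteBuffer out = ByteBuffer.allocate(4 + nonce.length + ciphertext.length);
        out.putInt(nonce.length).put(nonce).put(ciphertext);
        return out.array();
    }

    // Mirrors the decrypter's parsing, with bounds checks on the length field.
    static byte[] decrypt(String password, byte[] blob) throws Exception {
        ByteBuffer in = ByteBuffer.wrap(blob);
        if (in.remaining() < 4) {
            throw new IllegalArgumentException("Blob too short for the length prefix");
        }
        int nonceLength = in.getInt();
        if (nonceLength < 12 || nonceLength > 16 || in.remaining() < nonceLength) {
            throw new IllegalArgumentException("Nonce size is incorrect; not an AES encrypted config");
        }
        byte[] nonce = new byte[nonceLength];
        in.get(nonce);
        byte[] ciphertext = new byte[in.remaining()];
        in.get(ciphertext);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, nonce), new IvParameterSpec(nonce));
        return cipher.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a configuration; not taken from any sample.
        byte[] plaintext = "constructed-test-config".getBytes(StandardCharsets.UTF_8);
        String password = "test-password"; // constructed; the sample's password is given in the post
        byte[] blob = encrypt(password, plaintext);
        byte[] recovered = decrypt(password, blob);
        System.out.println("round trip ok: " + Arrays.equals(plaintext, recovered));
        System.out.println(new String(recovered, StandardCharsets.UTF_8));
        // A wrong password almost always fails the PKCS5 padding check rather than yielding plain text.
        try {
            decrypt("wrong-password", blob);
            System.out.println("wrong password produced output that happened to pass the padding check");
        } catch (BadPaddingException e) {
            System.out.println("wrong password rejected by the padding check");
        }
    }
}
```

Two practical notes: the 12..16 byte range on the nonce is copied from the malware's own check, but AES-CBC in the JCE throws on any IV that is not 16 bytes, so a real resource that decrypts at all has a 16-byte field. And because the password is hard-coded in the binary, a wrong guess shows up as a BadPaddingException in roughly 255 of 256 cases; a clean decrypt of garbage is possible but rare, so a run that yields unreadable output should be treated as a wrong password or a changed container layout rather than a new encryption scheme.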

The resulting plain text configuration of our sample is in the picture below. It reveals, among other things, the C2C server.
