Playing with Ransomware crypto
Sample: https://www.virustotal.com/gui/file/ae43de989c9f0dc03437866457fb378487d773e03caa39d3968369fd4fe01c92

In this post we will see how to use a ransomware's own methods to encrypt and decrypt given strings. For this task, we first check whether the ransomware's method is easy to locate by looking at the Smali produced:

As we can see, there is a reference to a method named decrypt coming from class DU, which receives a String as its argument. Although we might think that this method alone will suffice, it will not. We need to be able to reproduce the whole thing, and in this case we will need to convert a string to a byte array, so there must be other methods...

Luckily for us, after decompiling the dex file, we see a class named DU, and that is the first logical place to look. Voilà! This is quite interesting: we can see a whole class along with its methods... Still, there is a visible error in the generated .java file:

static final { DU.strDefaultKey = "national"; }

Thi
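To make the "reproduce the whole thing" step concrete, here is an added harness (not code from the post or from the sample) that mirrors the structure the post describes: a class DU holding a default key field, a decrypt(String) method, and the string-to-byte-array conversion that decrypt depends on. Only the class name, the method name and the key string "national" come from the post; the cipher (DES through the JCE default "DES" transformation) and the hex encoding of the ciphertext are assumptions, as is the 8-byte key truncation. If the real sample uses a different cipher or encoding, swap those two parts and the rest of the harness still applies.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Analyst harness modelled on the class the post describes. ASSUMPTIONS:
// the cipher is DES (JCE "DES" = DES/ECB/PKCS5Padding) and ciphertext is
// carried as a lowercase hex string. Only "DU", "decrypt" and the key string
// "national" are taken from the post.
public class DU {
    static String strDefaultKey = "national";
    private final Cipher encryptCipher;
    private final Cipher decryptCipher;

    public DU() throws Exception { this(strDefaultKey); }

    public DU(String strKey) throws Exception {
        Key key = getKey(strKey.getBytes(StandardCharsets.UTF_8));
        encryptCipher = Cipher.getInstance("DES");
        encryptCipher.init(Cipher.ENCRYPT_MODE, key);
        decryptCipher = Cipher.getInstance("DES");
        decryptCipher.init(Cipher.DECRYPT_MODE, key);
    }

    // DES needs exactly 8 key bytes: the key string is truncated or
    // zero-padded to that length (assumption about how the sample derives it).
    private static Key getKey(byte[] keyBytes) {
        byte[] k = new byte[8];
        System.arraycopy(keyBytes, 0, k, 0, Math.min(keyBytes.length, k.length));
        return new SecretKeySpec(k, "DES");
    }

    // The string-to-byte-array conversion the post says decrypt(String) needs.
    public static byte[] hexStr2ByteArr(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static String byteArr2HexStr(byte[] arr) {
        StringBuilder sb = new StringBuilder(arr.length * 2);
        for (byte b : arr) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    public String encrypt(String plain) throws Exception {
        return byteArr2HexStr(encryptCipher.doFinal(plain.getBytes(StandardCharsets.UTF_8)));
    }

    public String decrypt(String hexCipher) throws Exception {
        return new String(decryptCipher.doFinal(hexStr2ByteArr(hexCipher)), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        DU du = new DU();
        // Constructed input for the round trip, not a string taken from the sample.
        String sample = "constructed sample string";
        String enc = du.encrypt(sample);
        String dec = du.decrypt(enc);
        System.out.println("encrypted: " + enc);
        System.out.println("decrypted: " + dec);
        // A wrong key or wrong cipher shows up here as a BadPaddingException
        // or a failed comparison rather than silently returning garbage.
        if (!sample.equals(dec)) throw new IllegalStateException("round trip failed");
    }
}
```

Compile with `javac DU.java` and run `java DU`; to test a string pulled from the sample, pass its hex form to `decrypt` instead of the constructed round trip, and treat a `BadPaddingException` as a sign that either the cipher or the key derivation assumed here does not match the real class.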