5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93

Metadata

SHA256: 5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
Difficulty: medium
Platform: Windows
Tags: ransomware string deobfuscation revil
Likes: 1
Views: 3
Submitter: larsborn

Analysis

Goal

Find and analyze the string decryption/deobfuscation function. Determine the cryptographic algorithm being used and the memory layout of the encrypted data and key material. Try to emulate it with your tooling of choice, Binary Refinery is a good recommendation.

Description

the function in question is FUN_00404e03 (i.e. at offset 0x404e03).
the algorithm in question is RC4

Recommended Tools

ghidra

Solutions

Defeating Sodinokibi/REvil String-Obfuscation in Ghidra Reference by larsborn

Sample