Some months ago we wrote a blog post about CoinVault. In that post we explained how we tore the malware apart in order to get to its original code and not the obfuscated one. So when we were contacted recently by the National High Tech Crime Unit (NHTCU) of the Netherlands' police and the Netherlands' National Prosecutors Office, who had obtained a database from a CoinVault command & control server (containing IVs, keys and private Bitcoin wallets), we were able to put our accumulated insight to good use and accelerate the creation of a decryption tool. We also created a website and started a communications campaign to notify victims that it might be possible to get their data back without paying.

To build the decryption tool we needed to know the following:

- Which encryption algorithm was being used?
- Which block cipher mode was being used?
- And, most importantly, what malware we are dealing with?

There was obviously no time for "hardcore" reverse engineering, so the first thing we did was run the malware sample to see what it was doing. And indeed, just as we thought, it was another CoinVault sample. The next thing we did was open the executable in a decompiler, where we saw that the same obfuscation method was used as described in the post. However, we still didn't know which encryption algorithm and block cipher mode it was using.

But luckily we have a sandbox! The nice thing about the sandbox is that it executes the malware, but also has the ability to trace virtually anything.