{"id":13509602,"url":"https://github.com/f0wl/REconfig-linux","last_synced_at":"2025-03-30T13:32:32.032Z","repository":{"id":144508468,"uuid":"382959707","full_name":"f0wl/REconfig-linux","owner":"f0wl","description":"Configuration Extractor for the Linux variant of REvil Ransomware","archived":false,"fork":false,"pushed_at":"2021-07-05T09:12:27.000Z","size":210,"stargazers_count":7,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-11-01T09:34:56.795Z","etag":null,"topics":["config-extractor","malware-analysis","ransomware"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/f0wl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-07-04T22:26:27.000Z","updated_at":"2024-01-19T17:33:18.000Z","dependencies_parsed_at":null,"dependency_job_id":"e4632747-e89d-41c2-a35b-b7e2a8ea18de","html_url":"https://github.com/f0wl/REconfig-linux","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f0wl%2FREconfig-linux","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f0wl%2FREconfig-linux/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f0wl%2FREconfig-linux/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f0wl%2FREconfig-linux/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/f0wl","download_url":"h
ttps://codeload.github.com/f0wl/REconfig-linux/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246324158,"owners_count":20759089,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["config-extractor","malware-analysis","ransomware"],"created_at":"2024-08-01T02:01:10.184Z","updated_at":"2025-03-30T13:32:32.019Z","avatar_url":"https://github.com/f0wl.png","language":"Go","funding_links":[],"categories":["Go","malware-analysis"],"sub_categories":[],"readme":"[![Go Report Card](https://goreportcard.com/badge/github.com/f0wl/REconfig-linux)](https://goreportcard.com/report/github.com/f0wl/REconfig-linux)\n\n# REconfig-linux\n\nREconfig-linux is a configuration extractor for the Linux variant of REvil Ransomware. It is capable of extracting the JSON config from the ELF file and decoding the ransomnote within it. 
By default the script will write the results to files in the current working directory, but you can also choose to print the config to stdout only by using the `-print` flag.\n\nMy Yara rule for the REvil Linux Ransomware can be found [here](https://github.com/f0wl/yara_rules/blob/main/linux/revil-linux.yar).\n\nA writeup by AT\u0026T Alien Labs about this Ransomware variant can be found [here](https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version).\n\n## Usage\n\n```shell\ngo run reconfig-linux.go [-print] path/to/sample.elf\n```\n\n## Screenshots\n\n### Non-verbose Mode\n\n![Non-verbose Mode](img/screenshot-file.png)\n\n### Verbose Mode\n\n![Verbose Mode](img/screenshot-verbose.png)\n\n\n## Configuration contents\n\nThe table below shows the keys used in the JSON configuration of REvil Linux Ransomware. \n\n|             Key             |                     Value / Purpose                     |\n| :-------------------------: | :-----------------------------------------------------: |\n|           pk                |                Base64 encoded Public Key                |\n|           pid               |            Affiliate identifier (BCrypt Hash)           |\n|           sub               |                  Campaign identifier                    |\n|           dbg               |                Debug / Development Mode                 |\n|           nbody             |                Base64 encoded Ransomnote                |\n|           nname             |                Filename of the Ransomnote               |\n|           rdmcnt            |           Currently unknown integer (RandomCount?)      
|\n|           ext               |              File Extension (5 characters)              |\n\n## Testing\n\nThis configuration extractor has been tested successfully with the following samples:\n\n|                             SHA-256                              |                     Sample                    |\n| :--------------------------------------------------------------: | :-----------------------------------------------------: |\n| ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4 | [Malshare](https://malshare.com/sample.php?action=detail\u0026hash=395249d3e6dae1caff6b5b2e1f75bacd) |\n| 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d | [Malshare](https://malshare.com/sample.php?action=detail\u0026hash=96a157e4c0bef22e0cea1299f88d4745) |\n| 796800face046765bd79f267c56a6c93ee2800b76d7f38ad96e5acb92599fcd4 | [Malshare](https://malshare.com/sample.php?action=detail\u0026hash=ab3229656f73505a3c53f7d2e95efd0e) |\n| d6762eff16452434ac1acc127f082906cc1ae5b0ff026d0d4fe725711db47763 | [Malshare](https://malshare.com/sample.php?action=detail\u0026hash=e199f02ffcf1b1769c8aeb580f627267) |\n\nIf you encounter an error with REconfig-linux please file a bug report via an issue. Contributions are always welcome :)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff0wl%2FREconfig-linux","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ff0wl%2FREconfig-linux","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff0wl%2FREconfig-linux/lists"}