https://github.com/f0wl/configwalker
Netwalker Ransomware Config Extractor
https://github.com/f0wl/configwalker
config-extractor golang malware-analysis ransomware
Last synced: 5 months ago
JSON representation
Netwalker Ransomware Config Extractor
- Host: GitHub
- URL: https://github.com/f0wl/configwalker
- Owner: f0wl
- License: gpl-3.0
- Created: 2020-10-26T23:19:25.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2020-11-05T12:14:22.000Z (over 5 years ago)
- Last Synced: 2024-06-19T03:13:22.052Z (about 2 years ago)
- Topics: config-extractor, golang, malware-analysis, ransomware
- Language: Go
- Homepage: https://dissectingmalwa.re
- Size: 711 KB
- Stars: 9
- Watchers: 2
- Forks: 5
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# configwalker
Configwalker is a configuration extractor for Netwalker Ransomware. It is capable of decrypting the RC4 encrypted
Resource File and extracting the Ransomnote template. By default it will dump the results to disk, but you can also
choose to print the config to stdout only by using the `-print` flag.
## Usage
```shell
go run cfgwalker.go [-print] path/to/sample.exe
```
## Screenshots
## Configuration contents
The table below shows the keys used in the JSON configuration of Netwalker Ransomware.
| Key | Value / Purpose |
| :-------------------------: | :-----------------------------------------------------: |
| mpk | Base64 encoded Public Key |
| mode | Presumably related to the encryption process |
| spsz | Chunk size for encryption |
| thr | Threading limit |
| namesz | Length of the random name for the persistent executable |
| idsz | Length of the random file extension |
| pers | Presumably related to target / victim type |
| mail | Contact e-Mail addresses |
| onion1 | Main TOR site |
| onion2 | Backup TOR site |
| lfile | Template string for the ransomnote filename |
| lend | Base64 encoded ransomnote template |
| white{path[ ]} | Whitelist for system directories |
| white{file[ ]} | Whitelist for system files |
| white{ext[ ]} | Whitelist for file extensions |
| kill{use:bool} | Switch to kill specified processes or not |
| kill{prc[ ]} | List of process names to be terminated |
| kill{svc[ ]} | List of services to be terminated |
| kill{svcwait:int} | Timeout before terminating a service |
| kill{task[ ]} | Task after successful encryption |
| net{use:bool} | Switch encryption of mapped (network) drives on/off |
| net{ignore{use:bool}} | Use of Whitelists for drive Encryption |
| net{ignore{disk:bool}} | Encrypt mounted disks |
| net{ignore{share[ ]}} | Whitelisted shares |
| unlocker{use:bool} | Presumably enables decryption capabilities |
| unlocker{ignore{use:bool}} | Use Ignorelist during decryption |
| unlocker{ignore{pspath[ ]}} | Process Paths to ignore |
| unlocker{ignore{prc[ ]}} | Processes to ignore |
## Background Info
Not all samples of Netwalker Ransomware will contain a full configuration file. Below you can see two screenshots of
Resource Hacker, one with an long encrypted config and one with a short plaintext config. This tool only works for
the former format.
The first 4 Bytes of the resource ("1337/31337/0") contain the length of the RC4 Key. This value changes from sample
to sample. With this information it is easy to extract the key and decrypt the rest of the resource.
## Testing
The tool has been confirmed to successfully extract the configuration from the following samples identifiable by
their SHA-256 hashsums. If you encounter an error with configwalker please file a bug report via an issue. On some
occasions the Netwalker config files contain malformed json objects. In this case the extracted and decrypted JSON will
not be beautified and written to disk as a textfile.
| SHA-256 Hashsums | Sample |
| :----------------------------------------------------------------: | :---------------------------------------------------------------------------------------------------------------: |
| `1707f8647515bc7a686e7aed380ab06dd6b853b908ae98252c1e8eefa1e1d540` | [MalwareBazaar](https://bazaar.abuse.ch/sample/1707f8647515bc7a686e7aed380ab06dd6b853b908ae98252c1e8eefa1e1d540/) |
| `5d869c0e077596bf0834f08dce062af1477bf09c8f6aa0a45d6a080478e45512` | [MalwareBazaar](https://bazaar.abuse.ch/sample/5d869c0e077596bf0834f08dce062af1477bf09c8f6aa0a45d6a080478e45512/) |
| `46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9` | [MalwareBazaar](https://bazaar.abuse.ch/sample/46dbb7709411b1429233e0d8d33a02cccd54005a2b4015dcfa8a890252177df9/) |
| `4f7bdda79e389d6660fca8e2a90a175307a7f615fa7673b10ee820d9300b5c60` | [MalwareBazaar](https://bazaar.abuse.ch/sample/4f7bdda79e389d6660fca8e2a90a175307a7f615fa7673b10ee820d9300b5c60/) |
| `27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5` | [MalwareBazaar](https://bazaar.abuse.ch/sample/27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5/) |