2025-03-01 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
This article explains how to recover data encrypted by the MaMoCrypt ransomware. The content is simple and clear and easy to learn and understand; please follow the editor's train of thought as you study how to recover data encrypted by MaMoCrypt.
Foreword
MaMoCrypt is a notorious ransomware family that has been active since December last year and has affected countless users. In this article we show how to recover and decrypt data encrypted by MaMoCrypt.
MaMoCrypt is a very unusual ransomware: it is written in Delphi, packed with MPRESS, and is a variant of MZRevenge.
Ransomware behavior
MaMoCrypt deletes the Windows Volume Shadow Copies and disables the firewall and UAC services. These behaviors are common in the malware world, so we will not discuss them further here.
It uses Delphi's random number generator (a linear congruential generator) seeded with a time-based DWORD (obtained from QueryPerformanceCounter or GetTickCount) to generate two buffers; the buffer data is Base64-encoded and combined with the strings MZRKEYPUBLIC and MZRKEYPRIVATE.
From these two keys and a mask, the ransomware generates two encryption keys for each file, which are then used to encrypt that file. It first encrypts the file contents with AES 128 CBC and then encrypts them again with Twofish 128 NOFB. The remaining 16% of the AES encryption process is encrypted with AES 128 CFB, and the extension ".MZ173801" is appended to the name of every encrypted file.
After encryption completes, the malware enumerates all the encrypted directories again and drops a ransom note in each one; the ransom note also contains the two corresponding MZR keys.
Although the MZR keys do not change during key generation or encryption, the mask is updated constantly. Mask and key generation are based on a mixture of SHA1, SHA512, and some custom algorithms. Each byte of the AES and Twofish keys is also derived through 16 SHA512 computations combined with byte XORs.
Mask and key generation
Per-file mask update and key derivation (pseudocode reconstructed from the sample; offset is incremented for every file):

    *(int*)mask_in = offset;
    for (int i = 0; i < 0x800; ++i) {
        SHA1(mask_in, 0x84, mask_out);
        *(int*)mask_in = i + 1 + offset;
        *(mask_in + 3 + (i & 0x7F) + 1) ^= mask_out[0];
        mask[i] = mask_out[1];
    }
    offset += 0x800;
    aes_key = generate_key(mask, mzrkey_private.c_str(), 0x800, mzrkey_private.size());
    for (int i = 0; i < 0x200; ++i) {
        SHA1(mask_in, 0x84, mask_out);
        *(int*)mask_in = i + 1 + offset;
        *(mask_in + 3 + (i & 0x7F) + 1) ^= mask_out[0];
        mask[i] = mask_out[1];
    }
    offset += 0x200;
    twofish_key = generate_key(mask, mzrkey_public.c_str(), 0x200, mzrkey_public.size());

generate_key (KEY_SIZE is 16 for the 128-bit keys; key starts out zeroed):

    int mzrkey_size_bswap = _byteswap_ulong(mzrkey_len);
    int mask_size_bswap = _byteswap_ulong(mask_len);
    for (int i = 0; i < KEY_SIZE; ++i) {
        ((int*)in)[0] = _byteswap_ulong(i);                 /* big-endian byte index */
        for (int j = 0; j < i; ++j) in[j + 4] = key[j];     /* key bytes derived so far */
        *((int*)(in + 4 + i)) = _byteswap_ulong(1);
        *((int*)(in + 8 + i)) = mask_size_bswap;
        memcpy(in + 3 * sizeof(int) + i, mask, mask_len);
        memcpy(in + 3 * sizeof(int) + mask_len + i, &mzrkey_size_bswap, 4);
        memcpy(in + 3 * sizeof(int) + mask_len + 4 + i, mzrkey, mzrkey_len);
        SHA512(in, mask_len + mzrkey_len + 4 * sizeof(int) + i, out);
        for (int j = 0; j < SHA512_DIGEST_LENGTH; ++j) key[i] ^= out[j];
    }

The IV for AES CBC is generated with AES 128 ECB over a 16-byte buffer. Similarly, the IV for Twofish NOFB is generated with Twofish 128 ECB, also over a 16-byte buffer. The initial contents of the mask are generated as follows (the buffers are zeroed first; memset takes the fill value before the length):

    memset(mask_in, 0, MASK_IN_SZ);
    memset(mask_out, 0, MASK_OUT_SZ);
    for (int i = 0; i < 0x80; ++i) {
        SHA1(mask_in, 0x84, mask_out);
        *(int*)mask_in = i + 1;
        *(mask_in + 3 + i + 1) = mask_out[0];
    }

We have in fact never seen this encryption scheme in any other ransomware before. The malware also encrypts the entire file system; its hard-coded list of folders and drives is as follows:

C:\Program Files\Steam
C:\Program Files (x86)\Steam
[DRIVES A-Z, WITHOUT C]
C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\
C:\Users\%user%\Pictures
C:\Users\%user%\Music
C:\Users\%user%\Videos
C:\Users\%user%\Documents
C:\Users\Public\Documents
C:\Users\Public\Videos
C:\Users\Public\Music
C:\Users\Public\Pictures
C:\Users\%user%\Downloads
C:\Users\%user%\Favorites
::{645FF040-5081-101B-9F08-00AA002F954E} (Recycle Bin)
C:\Users\Administrator
C:\Users\Public
C:\Users\Default
C:\Users\%user%\Desktop
C:\Users\Public\Desktop
C:\Users\%user%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu
C:\ProgramData\Microsoft\Windows\Start Menu\

Because mask/key generation uses an offset that is incremented for every file, decryption depends on the folder in which each file was encrypted (that is, on the order in which the files were processed).

The file types targeted by this ransomware are as follows:

.cs;.lnk;.mp3;.jpg;.jpeg;.raw;.tif;.gif;.png;.bmp;.3dm;.max;.accdb;.db;.dbf;.mdb;.pdb;.sql;.dwg;.dxf;.c;.cpp;.cs;.h;.php;.asp;.rb;.java;.jar;.class;.py;.js;.aaf;.aep;.aepx;
.plb;.prel;.prproj;.aet;.ppj;.psd;.indd;.indl;.indt;.indb;.inx;.idml;.pmd;.xqx;.xqx;.ai;.eps;.ps;.svg;.swf;.fla;.as3;.as;.txt;.doc;.dot;.docx;.docm;.dotx;.dotm;.docb;.rtf;.wpd;
.wps;.msg;.pdf;.xls;.xlt;.xlm;.xlsx;.xlsm;.xltx;.xltm;.xlsb;.xla;.xlam;.xll;.xlw;.ppt;.pot;.pps;.pptx;.pptm;.potx;.potm;.ppam;.ppsx;.ppsm;.sldx;.sldm;.wav;.aif;.iff;.m3u;.m4u;
.mid;.mpa;.wma;.ra;.avi;.mov;.mp4;.3gp;.mpeg;.3g2;.asf;.asx;.flv;.mpg;.wmv;.vob;.m3u8;.mkv;.dat;.csv;.efx;.sdf;.vcf;.xml;.ses;.rar;.zip;.7zip;.dtb;.bat;.apk;.vb;.sln;.csproj;
.vbproj;.hpp;.asm;.lua;.ibank;.design;.aspx;.bak;.obj;.sqlite;.sqlite3;.sqlitedb;.back;.backup;.one;.pst;.url;.onetoc2;.m4a;.m4v;.ogg;.hwp;.HWP;.OGG;.M4V;.M4A;.ONETOC2;
.URL;.PST;.ONE;.BACKUP;.BACK;.SQLITEDB;.SQLITE3;.SQLITE;.OBJ;.BAK;.ASPX;.DESIGN;.IBANK;.LUA;.ASM;.HPP;.VBPROJ;.CSPROJ;.SLN;.CS;.VB;.LNK;.JPG;.JPEG;.RAW;.TIF;.GIF;
.PNG;.BMP;.3DM;.MAX;.ACCDB;.DB;.DBF;.MDB;.PDB;.SQL;.DWG;.DXF;.C;.CPP;.CS;.H;.PHP;.ASP;.RB;.JAVA;.JAR;.CLASS;.PY;.JS;.AAF;.AEP;.AEPX;.PLB;.PREL;.PRPROJ;.AET;.PPJ;.PSD;
.INDD;.INDL;.INDT;.INDB;.INX;.IDML;.PMD;.XQX;.XQX;.AI;.EPS;.PS;.SVG;.SWF;.FLA;.AS3;.AS;.TXT;.DOC;.DOT;.DOCX;.DOCM;.DOTX;.DOTM;.DOCB;.RTF;.WPD;.WPS;.MSG;.PDF;.XLS;
.XLT;.XLM;.XLSX;.XLSM;.XLTX;.XLTM;.XLSB;.XLA;.XLAM;.XLL;.XLW;.PPT;.POT;.PPS;.PPTX;.PPTM;.POTX;.POTM;.PPAM;.PPSX;.PPSM;.SLDX;.SLDM;.WAV;.MP3;.AIF;.IFF;.M3U;.M4U;.MID;
.MPA;.WMA;.RA;.AVI;.MOV;.MP4;.3GP;.MPEG;.3G2;.ASF;.ASX;.FLV;.MPG;.WMV;.VOB;.M3U8;.MKV;.DAT;.CSV;.EFX;.SDF;.VCF;.XML;.SES;.RAR;.ZIP;.7ZIP;.DTB;.BAT;.APK;

After encryption completes, the ransomware enumerates all encrypted directories and drops a ransom note in each one; the note is named "How Do I Recover My Files (Readme).txt".
How to decrypt
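The pseudocode above is easier to reason about once the mask state and the SHA512 key schedule are written out end to end. The following Python transcription is an added example written for this article and is not code from the original report or from the decryption tool; it follows the pseudocode as printed (little-endian DWORD writes into the 0x84-byte mask_in buffer, a zero-initialised key buffer, and the mask_in state carried from one file to the next) and uses constructed placeholder MZR key strings, so it has not been validated against real samples. What it makes visible is why recovery depends on file order: every file advances the shared mask_in state and the offset, so file N's keys can only be reproduced after files 0..N-1 have been replayed.

```python
import hashlib
import struct

MASK_IN_SZ = 0x84          # size of the SHA1 input buffer in the pseudocode
AES_MASK_LEN = 0x800       # mask bytes consumed by the AES key
TWOFISH_MASK_LEN = 0x200   # mask bytes consumed by the Twofish key
KEY_SIZE = 16              # 128-bit keys

# Constructed placeholder key strings; the real ones are Base64 data from
# the sample's PRNG combined with the MZRKEYPUBLIC / MZRKEYPRIVATE strings.
SAMPLE_PUBLIC = b"MZRKEYPUBLIC-constructed-sample-0001"
SAMPLE_PRIVATE = b"MZRKEYPRIVATE-constructed-sample-0001"


def initial_mask_state() -> bytearray:
    """Build the initial 0x84-byte mask_in buffer (the 0x80-round SHA1 loop)."""
    mask_in = bytearray(MASK_IN_SZ)
    for i in range(0x80):
        digest = hashlib.sha1(mask_in).digest()
        mask_in[0:4] = struct.pack("<I", i + 1)      # *(int*)mask_in = i + 1
        mask_in[4 + i] = digest[0]                   # mask_in[3 + i + 1] = mask_out[0]
    return mask_in


def update_mask(mask_in: bytearray, offset: int, count: int) -> bytes:
    """Run `count` SHA1 rounds over mask_in, mutating it, and return the mask bytes."""
    mask = bytearray(count)
    mask_in[0:4] = struct.pack("<I", offset & 0xFFFFFFFF)
    for i in range(count):
        digest = hashlib.sha1(mask_in).digest()
        mask_in[0:4] = struct.pack("<I", (i + 1 + offset) & 0xFFFFFFFF)
        mask_in[4 + (i & 0x7F)] ^= digest[0]         # feedback into the buffer
        mask[i] = digest[1]                          # second digest byte becomes mask
    return bytes(mask)


def generate_key(mask: bytes, mzrkey: bytes) -> bytes:
    """SHA512 key schedule from the pseudocode: one round per key byte."""
    key = bytearray(KEY_SIZE)                        # assumed zero-initialised
    for i in range(KEY_SIZE):
        buf = bytearray()
        buf += struct.pack(">I", i)                  # _byteswap_ulong(i)
        buf += key[:i]                               # key bytes derived so far
        buf += struct.pack(">I", 1)                  # _byteswap_ulong(1)
        buf += struct.pack(">I", len(mask))          # mask_size_bswap
        buf += mask
        buf += struct.pack(">I", len(mzrkey))        # mzrkey_size_bswap
        buf += mzrkey
        # total length: mask_len + mzrkey_len + 4*sizeof(int) + i, as in the pseudocode
        digest = hashlib.sha512(buf).digest()
        acc = 0
        for b in digest:
            acc ^= b
        key[i] ^= acc
    return bytes(key)


def derive_file_keys(mask_in: bytearray, offset: int, public: bytes, private: bytes):
    """Per-file step: returns (aes_key, twofish_key, new_offset)."""
    aes_mask = update_mask(mask_in, offset, AES_MASK_LEN)
    offset += AES_MASK_LEN
    aes_key = generate_key(aes_mask, private)        # AES key uses the private MZR key
    twofish_mask = update_mask(mask_in, offset, TWOFISH_MASK_LEN)
    offset += TWOFISH_MASK_LEN
    twofish_key = generate_key(twofish_mask, public) # Twofish key uses the public MZR key
    return aes_key, twofish_key, offset


def derive_keys_for_files(n_files: int, public: bytes, private: bytes):
    """Replay the schedule for n files in encryption order; list of (aes, twofish)."""
    mask_in = initial_mask_state()
    offset = 0
    out = []
    for _ in range(n_files):
        aes_key, twofish_key, offset = derive_file_keys(mask_in, offset, public, private)
        out.append((aes_key, twofish_key))
    return out


if __name__ == "__main__":
    for idx, (a, t) in enumerate(derive_keys_for_files(3, SAMPLE_PUBLIC, SAMPLE_PRIVATE)):
        print(f"file {idx}: aes={a.hex()} twofish={t.hex()}")
```

A recovery tool built on this schedule has to walk the same folder list in the same order the malware did, because the keys for a file are a function of how many files were encrypted before it; that is the constraint behind the decryption tool's refusal to let the user pick individual folders.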
Step 1: click [here] to download the decryption tool and save it to the local machine.
Step 2: double-click the downloaded BDMaMoDecryptTool.exe application file, then click "Yes" in the UAC prompt that appears:
Step 3: read and accept the end user license agreement:
Step 4: because of the way this ransomware family works, the tool scans the system in a specific order and does not let the user choose which folders or files to decrypt, so we strongly recommend selecting the "Backup files" option.
Step 5: click the "Start Tool" button and leave the rest to the decryption tool. If you selected the backup option, both the encrypted and the decrypted files will be present side by side, and the log of the decryption process can be found in the %temp%\BDRemovalTool directory.
Thank you for reading; the above is the content of "how to recover data encrypted by the MaMoCrypt ransomware". After studying this article, you should have a deeper understanding of how to recover data encrypted by MaMoCrypt, though specific use still needs to be verified in practice. The editor will publish more related articles for you; you are welcome to follow.
Welcome to subscribe to "Shulou Technology Information" to get the latest news, interesting items and hot topics in the IT industry, and to keep up with the hottest and latest Internet news, technology news and IT industry trends.