Thursday, May 9, 2013

RedKit payload decryption

I have received a few questions regarding decrypting RedKit payloads after I posted the RedKit analysis.

As it was not part of the analysis I thought there was no need to publish it, and I had not seen it published elsewhere. A couple of days ago I saw that the details were published over at malwageddon.blogspot.com, so now they are added here.

Decrypting RedKit payload files

For the sample I looked into in my previous blog post the keys were in the class Mancir. This will change, so be prepared to look for the information needed. Luckily it seems RK is not changing keys that often :)




OK, so we have the information needed: AES with no padding, IV bcd2... and KEY 8a61...

All we need to do now is grab our favourite decryption tool (openssl?) and decrypt our file.


PS: the IV and key have changed according to the malwageddon post, so verify that you have the right ones.
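As an added example, not code from the original post or from the malwageddon write-up, here is a small shell wrapper around openssl for this step. It assumes CBC mode (the post names only "AES with no padding" and an IV), and the key and IV in it are constructed placeholders, since the real values are truncated above; substitute the ones you recovered from the loader class. It also checks that the file is a whole number of 16-byte blocks, which is the first thing to verify when a no-padding decrypt fails or produces garbage (a truncated capture, or a key/IV that has rotated, as the PS above warns).

```shell
#!/bin/sh
# Added example (not from the original post): decrypt a RedKit-style payload
# file with openssl, given the AES key and IV recovered from the loader class.
# Assumption: AES-CBC with no padding. The key/IV below are CONSTRUCTED
# placeholders, not the real RedKit values (those are truncated on the page).

# Map the hex key length (32/48/64 hex chars) to the openssl cipher name.
aes_cipher_for_key() {
    case ${#1} in
        32) echo aes-128-cbc ;;
        48) echo aes-192-cbc ;;
        64) echo aes-256-cbc ;;
        *)  echo "key must be 32, 48 or 64 hex characters" >&2; return 1 ;;
    esac
}

# redkit_decrypt KEY_HEX IV_HEX IN_FILE OUT_FILE
# With -nopad the ciphertext must be a whole number of 16-byte blocks; any
# other size means a truncated capture or a file that is not the payload.
redkit_decrypt() {
    key=$1; iv=$2; in=$3; out=$4
    cipher=$(aes_cipher_for_key "$key") || return 1
    size=$(wc -c < "$in")
    if [ $((size % 16)) -ne 0 ]; then
        echo "$in: $size bytes is not a multiple of 16 (truncated, or not AES/NoPadding)" >&2
        return 1
    fi
    openssl enc -d -"$cipher" -nopad -K "$key" -iv "$iv" -in "$in" -out "$out"
}

# Constructed demo values (placeholders, NOT the RedKit key/IV from the page).
DEMO_KEY=000102030405060708090a0b0c0d0e0f
DEMO_IV=0f0e0d0c0b0a09080706050403020100

# Round trip on a constructed 32-byte "payload": encrypt it the way the kit
# would (AES-128-CBC, no padding), decrypt with the wrapper, compare.
# Returns 0 when the decrypted file matches the original plaintext.
demo_roundtrip() {
    dir=$(mktemp -d)
    printf '%s' "MZ-constructed-sample-payload!!!" > "$dir/plain.bin"   # exactly 32 bytes
    openssl enc -aes-128-cbc -nopad -K "$DEMO_KEY" -iv "$DEMO_IV" \
        -in "$dir/plain.bin" -out "$dir/payload.enc"
    redkit_decrypt "$DEMO_KEY" "$DEMO_IV" "$dir/payload.enc" "$dir/decrypted.bin" || return 1
    cmp -s "$dir/plain.bin" "$dir/decrypted.bin"
}

demo_roundtrip && echo "decrypted sample matches the original plaintext"
```

In practice you would call `redkit_decrypt <key> <iv> captured.bin payload.bin` with the real values and then look at the first bytes of the output (the post's samples are Windows executables, so a sane result starts with an MZ header); a block-aligned file that still decrypts to noise is the signal that the key or IV has rotated since the analysis.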




Happy decrypting RedKit Exploit Kit encrypted files :)

