├── .DS_Store
├── old
│   ├── DarkSideExtractorConsole.exe
│   └── DarkGroupExtractorConsole.exe
├── DarkGroupConfigurationExtractor.exe
├── readme
└── blackmatter_config_example.json

/old/DarkSideExtractorConsole.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/advanced-threat-research/DarkSide-Config-Extract/HEAD/old/DarkSideExtractorConsole.exe
--------------------------------------------------------------------------------
/old/DarkGroupExtractorConsole.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/advanced-threat-research/DarkSide-Config-Extract/HEAD/old/DarkGroupExtractorConsole.exe
--------------------------------------------------------------------------------
/DarkGroupConfigurationExtractor.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/advanced-threat-research/DarkSide-Config-Extract/HEAD/DarkGroupConfigurationExtractor.exe
--------------------------------------------------------------------------------
/readme:
--------------------------------------------------------------------------------
DarkSide & BlackMatter Config Extractor by ValthekOn & S2 (@sisoma2)
--------------------------------------

1.0:

- Added support for BlackMatter version 3.0.

0.9.1v:

- Fixed a bug that affected some samples.

0.9v:

- Added support for BlackMatter versions 1.9 and 2.0.
- Added a new field "PRINT_RANSOM_NOTE": from version 1.9 on, the malware tries to print the ransom note on any available printer.

0.8v:

- Added some checks to avoid errors.
- Added the field "AES_KEY" with the AES key used to encrypt the victim information sent to the C2.
- Added the field "BOT_MALWARE_VERSION" with the version of the sample, read automatically from the value hardcoded in the binary.
- Added the field "RSA_KEY" with the RSA key stored in the config.
- Added the field "SHA256_SAMPLE" with the SHA-256 hash of the sample.
- Reworked some fields so that the config flags are reported more accurately.

0.7v:

- Added the "RANSOM_NOTE" field and decrypt the ransom note text.
- Removed the unknown fields: they are not text but custom-hashed blocklists of file names and extensions that the malware skips when encrypting.
- Removed some unneeded code to keep the source cleaner.

0.6v:

- Added support for the first BlackMatter version, except for some fields.

0.5v:

- Started BlackMatter support. Thanks to S2 (@sisoma2) for sharing a BlackMatter sample very quickly and for the ideas about it.
- Initial checks against one BlackMatter sample. Early version.

0.4v:

- Added support for the DarkSide version (2.1.7.3) from April 2021, both as a DLL and as a normal executable.
- Increased the speed of the checks and searches.
- Added more messages to report errors to the user.
- Added a handler so that, if the program crashes, an error message is shown to the user instead.
- Files that are not PE executables are skipped and reported.

0.3v:

- Keys and the encrypted, compressed config are now located at run time by searching the binary; the hardcoded offsets and keys of 0.2v are no longer used.
- Supported samples increased a lot thanks to the dynamic search.

0.2v:

- Now accepts any number of samples as command-line arguments; the embedded configuration is no longer used.
- Improved the interaction with the user, with error and success messages.
- Support for the DarkSide version with compile timestamp "23-Dec-2020" and some samples from before "18-Feb-2021".
- Now dumps the JSON file with the same name as the sample and the extension ".json".
- No support yet for more versions, and no sanity checks. Use with caution.
- Not to be disclosed yet.

0.1v:

- Initial version.
- Simple skeleton of the application that extracts the DarkSide configuration embedded (encrypted and packed) in the binary.
- Outputs the parsed configuration to a JSON file so that it is easier to read and understand.
- 32-bit application (the official aPLib library has problems with 64-bit builds).
- Supports Windows XP.

Usage:

- Pass any number of malware samples on the command line; the program drops a JSON file with the same name in the same folder as each malware sample.
--------------------------------------------------------------------------------
/blackmatter_config_example.json:
--------------------------------------------------------------------------------
{
    "VICTIM_ID": "0x51, 0x24, 0x78, 0xC0, 0x8D, 0xAD, 0xA2, 0xAF, 0x19, 0xE4, 0x98, 0x08, 0xFB, 0xDA, 0x5B, 0x0B, 0xA6, 0xF3, 0x30, 0xB0, 0x9C, 0xD4, 0x7B, 0x4F, 0xB9, 0x21, 0x4F, 0x78, 0x36, 0xAA, 0x46, 0xAD",
    "NEED_MAKE_LOGON": "true",
    "CRYPT_UNITS": "true",
    "DESTROY_SHADOW_VOLUMES": "true",
    "KILL_PROCESSES": "true",
    "KILL_SERVICES": "true",
    "CREATE_MUTEX": "true",
    "PREPARE_VICTIM_DATA": "true",
    "PROCESS_TO_KILL": [
        {"": "encsvc"},
        {"": "thebat"},
        {"": "mydesktopqos"},
        {"": "xfssvccon"},
        {"": "firefox"},
        {"": "infopath"},
        {"": "winword"},
        {"": "steam"},
        {"": "synctime"},
        {"": "notepad"},
        {"": "ocomm"},
        {"": "onenote"},
        {"": "mspub"},
        {"": "thunderbird"},
        {"": "agntsvc"},
        {"": "sql"},
        {"": "excel"},
        {"": "powerpnt"},
        {"": "outlook"},
        {"": "wordpad"},
        {"": "dbeng50"},
        {"": "isqlplussvc"},
        {"": "sqbcoreservice"},
        {"": "oracle"},
        {"": "ocautoupds"},
        {"": "dbsnmp"},
        {"": "msaccess"},
        {"": "tbirdconfig"},
        {"": "ocssd"},
        {"": "mydesktopservice"},
        {"": "visio"}
    ],
    "SERVICES_TO_KILL": [
        {"": "mepocs"},
        {"": "memtas"},
        {"": "veeam"},
        {"": "svc$"},
        {"": "backup"},
        {"": "sql"},
        {"": "vss"}
    ],
    "C2_URLS": [
        {"": "https://paymenthacks.com"},
        {"": "http://paymenthacks.com"},
        {"": "https://mojobiden.com"},
        {"": "http://mojobiden.com"}
    ],
    "LOGON_USERS_INFORMATION": [
        {"": "XXXXXXXXXXX:XXXXXXX"},
        {"": "XXXXXXXXXXX:XXXXXXX"},
        {"": "XXXXXXXXXXX:XXXXXXX"}
    ],
    "RANSOM_NOTE": [
        {"": " ~+ \r\n * +\r\n ' BLACK |\r\n () .-.,='``'=. - o - \r\n '=/_ \\ | \r\n * | '=._ | \r\n \\ `=./`, ' \r\n . '=.__.=' `=' *\r\n + Matter +\r\n O * ' .\r\n\r\n>>> What happens?\r\n Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver.\r\n We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.\r\n\r\n>>> What guarantees? \r\n We are not a politically motivated group and we do not need anything other than your money. \r\n If you pay, we will provide you the programs for decryption and we will delete your data. \r\n If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. \r\n We always keep our promises.\r\n\r\n>> Data leak includes\r\n1. Full emloyeers personal data\r\n2. Network information\r\n3. Schemes of buildings, active project information, architect details and contracts, \r\n4. Finance info\r\n\r\n\r\n>>> How to contact with us? \r\n 1. Download and install TOR Browser (https://www.torproject.org/).\r\n 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.\r\n \r\n>>> Warning! Recovery recommendations. \r\n We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them."}
    ]
}
--------------------------------------------------------------------------------
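The extractor drops one <sample>.json per file, in the shape shown in blackmatter_config_example.json: switches are the strings "true"/"false", string arrays are written as [{"": "value"}, ...], and VICTIM_ID is a comma-separated "0x.." byte listing. Turning a batch of those files into flat indicator lists (C2 domains, .onion hosts from the ransom note, the process and service kill lists, the account names from LOGON_USERS_INFORMATION with the cleartext passwords stripped) is the usual next step. The script below is an added example, not part of the extractor; the helper names are mine, and SAMPLE_OUTPUT is a constructed excerpt of the example file with the kill lists shortened.

```python
"""
Post-process the JSON that DarkGroupConfigurationExtractor drops next to each
sample (<sample>.json) into flat, deduplicated indicator lists.

Added example, not part of the extractor. It relies only on the output shape
visible in blackmatter_config_example.json: switches as "true"/"false" strings,
string arrays as [{"": "value"}, ...] and VICTIM_ID as "0x51, 0x24, ...".
"""
import json
import re
from urllib.parse import urlsplit

# Constructed excerpt of an extractor output file, modelled on
# blackmatter_config_example.json with the kill lists shortened.
SAMPLE_OUTPUT = r'''{
  "VICTIM_ID": "0x51, 0x24, 0x78, 0xC0, 0x8D, 0xAD, 0xA2, 0xAF, 0x19, 0xE4, 0x98, 0x08, 0xFB, 0xDA, 0x5B, 0x0B, 0xA6, 0xF3, 0x30, 0xB0, 0x9C, 0xD4, 0x7B, 0x4F, 0xB9, 0x21, 0x4F, 0x78, 0x36, 0xAA, 0x46, 0xAD",
  "NEED_MAKE_LOGON": "true",
  "DESTROY_SHADOW_VOLUMES": "true",
  "KILL_PROCESSES": "true",
  "KILL_SERVICES": "true",
  "PROCESS_TO_KILL": [{"": "encsvc"}, {"": "sql"}, {"": "outlook"}, {"": "sql"}],
  "SERVICES_TO_KILL": [{"": "veeam"}, {"": "vss"}, {"": "backup"}],
  "C2_URLS": [{"": "https://paymenthacks.com"}, {"": "http://paymenthacks.com"},
              {"": "https://mojobiden.com"}, {"": "http://mojobiden.com"}],
  "LOGON_USERS_INFORMATION": [{"": "XXXXXXXXXXX:XXXXXXX"}, {"": "XXXXXXXXXXX:XXXXXXX"}],
  "RANSOM_NOTE": [{"": ">>> How to contact with us?\r\n 1. Download and install TOR Browser.\r\n 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.\r\n"}]
}'''

# v2 (16 chars) and v3 (56 chars) onion hostnames use the base32 alphabet.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")


def flatten(entries):
    """Return the strings of an extractor list ([{"": "v"}, ...]); plain strings pass through."""
    out = []
    for entry in entries or []:
        if isinstance(entry, dict):
            out.extend(v for v in entry.values() if isinstance(v, str))
        elif isinstance(entry, str):
            out.append(entry)
    return out


def flag(config, name):
    """Read a config switch; the extractor writes them as "true"/"false" strings.
    A missing switch is reported as False."""
    value = config.get(name, False)
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def victim_id_hex(field):
    """Collapse the "0x51, 0x24, ..." byte listing into one lowercase hex string."""
    return bytes(int(tok, 16) for tok in field.split(",") if tok.strip()).hex()


def extract_iocs(config):
    """Build hunting-ready lists from one decoded extractor output."""
    c2_domains = {urlsplit(u).hostname for u in flatten(config.get("C2_URLS"))}
    c2_domains.discard(None)
    note = "\n".join(flatten(config.get("RANSOM_NOTE")))
    # Keep only the account names: the extractor writes the credentials in
    # cleartext, and the password part must not leak into an IOC feed.
    accounts = {entry.partition(":")[0]
                for entry in flatten(config.get("LOGON_USERS_INFORMATION"))}
    accounts.discard("")
    return {
        "victim_id": victim_id_hex(config.get("VICTIM_ID", "")),
        "c2_domains": sorted(c2_domains),
        "onion_hosts": sorted(set(ONION_RE.findall(note))),
        "kill_processes": sorted(set(flatten(config.get("PROCESS_TO_KILL")))),
        "kill_services": sorted(set(flatten(config.get("SERVICES_TO_KILL")))),
        "harvested_accounts": sorted(accounts),
        "need_make_logon": flag(config, "NEED_MAKE_LOGON"),
        "destroy_shadow_volumes": flag(config, "DESTROY_SHADOW_VOLUMES"),
    }


def parse_extractor_output(text):
    """Decode one <sample>.json written by the extractor and extract its IOCs."""
    return extract_iocs(json.loads(text))


if __name__ == "__main__":
    print(json.dumps(parse_extractor_output(SAMPLE_OUTPUT), indent=2))
```

To process a whole run, glob the *.json files the extractor left next to the samples and feed each file's text to parse_extractor_output; the kill-list entries are substrings the malware matches against process and service names (e.g. "sql", "backup"), so treat them as detection hints for what the sample targets rather than as exact names.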