Non ho il tempo di eseguire completamente il reverse-engineer su ciò che questo script fa, ma sembra collegare a diversi .jpg
file che in realtà non sono immagini ma testo, e quindi fa riferimento a alcuni file .au3
, suggerendo che in realtà salva quei file .jpg
sotto quell'estensione.
Quei file .au3
sembrano corrispondere all'estensione di AutoIt e in effetti assomigliano a script AutoIt validi. Ecco una parte di uno, ekl.jpg
:
Func _crypt_startup()
If __crypt_refcount() = 0 Then
Local $hadvapi32 = DllOpen("Advapi32.dll")
If $hadvapi32 = -1 Then Return SetError(1, 0, False)
__crypt_dllhandleset($hadvapi32)
Local $iproviderid = $prov_rsa_aes
Local $aret = DllCall(__crypt_dllhandle(), "bool", "CryptAcquireContext", "handle*", 0, "ptr", 0, "ptr", 0, "dword", $iproviderid, "dword", $crypt_verifycontext)
If @error OR NOT $aret[0] Then
Local $ierror = @error + 10, $iextended = @extended
DllClose(__crypt_dllhandle())
Return SetError($ierror, $iextended, False)
Else
__crypt_contextset($aret[1])
EndIf
EndIf
__crypt_refcountinc()
Return True
EndFunc
Func _crypt_shutdown()
__crypt_refcountdec()
If __crypt_refcount() = 0 Then
DllCall(__crypt_dllhandle(), "bool", "CryptReleaseContext", "handle", __crypt_context(), "dword", 0)
DllClose(__crypt_dllhandle())
EndIf
EndFunc
Func _crypt_derivekey($vpassword, $ialg_id, $ihash_alg_id = $calg_md5)
Local $aret = 0, $hbuff = 0, $hcrypthash = 0, $ierror = 0, $iextended = 0, $vreturn = 0
_crypt_startup()
Do
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptCreateHash", "handle", __crypt_context(), "uint", $ihash_alg_id, "ptr", 0, "dword", 0, "handle*", 0)
If @error OR NOT $aret[0] Then
$ierror = @error + 10
$iextended = @extended
$vreturn = -1
ExitLoop
EndIf
$hcrypthash = $aret[5]
$hbuff = DllStructCreate("byte[" & BinaryLen($vpassword) & "]")
DllStructSetData($hbuff, 1, $vpassword)
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptHashData", "handle", $hcrypthash, "struct*", $hbuff, "dword", DllStructGetSize($hbuff), "dword", $crypt_userdata)
If @error OR NOT $aret[0] Then
$ierror = @error + 20
$iextended = @extended
$vreturn = -1
ExitLoop
EndIf
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptDeriveKey", "handle", __crypt_context(), "uint", $ialg_id, "handle", $hcrypthash, "dword", $crypt_exportable, "handle*", 0)
If @error OR NOT $aret[0] Then
$ierror = @error + 30
$iextended = @extended
$vreturn = -1
ExitLoop
EndIf
$vreturn = $aret[5]
Until True
If $hcrypthash <> 0 Then DllCall(__crypt_dllhandle(), "bool", "CryptDestroyHash", "handle", $hcrypthash)
Return SetError($ierror, $iextended, $vreturn)
EndFunc
Func _crypt_destroykey($hcryptkey)
Local $aret = DllCall(__crypt_dllhandle(), "bool", "CryptDestroyKey", "handle", $hcryptkey)
Local $ierror = @error, $iextended = @extended
_crypt_shutdown()
If $ierror OR NOT $aret[0] Then
Return SetError($ierror + 10, $iextended, False)
Else
Return True
EndIf
EndFunc
Func _crypt_encryptdata($vdata, $vcryptkey, $ialg_id, $bfinal = True)
Local $ireqbuffsize = 0, $aret = 0, $hbuff = 0, $ierror = 0, $iextended = 0, $vreturn = 0
_crypt_startup()
Do
If $ialg_id <> $calg_userkey Then
$vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
If @error Then
$ierror = @error + 100
$iextended = @extended
$vreturn = -1
ExitLoop
EndIf
EndIf
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $bfinal, "dword", 0, "ptr", 0, "dword*", BinaryLen($vdata), "dword", 0)
If @error OR NOT $aret[0] Then
$ierror = @error + 20
$iextended = @extended
$vreturn = -1
ExitLoop
EndIf
$ireqbuffsize = $aret[6]
$hbuff = DllStructCreate("byte[" & $ireqbuffsize & "]")
DllStructSetData($hbuff, 1, $vdata)
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $bfinal, "dword", 0, "struct*", $hbuff, "dword*", BinaryLen($vdata), "dword", DllStructGetSize($hbuff))
If @error OR NOT $aret[0] Then
$ierror = @error + 30
$iextended = @extended
$vreturn = -1
ExitLoop
EndIf
$vreturn = DllStructGetData($hbuff, 1)
Until True
If $ialg_id <> $calg_userkey Then _crypt_destroykey($vcryptkey)
_crypt_shutdown()
Return SetError($ierror, $iextended, $vreturn)
EndFunc
Func _crypt_decryptdata($vdata, $vcryptkey, $ialg_id, $bfinal = True)
Local $aret = 0, $hbuff = 0, $htempstruct = 0, $ierror = 0, $iextended = 0, $iplaintextsize = 0, $vreturn = 0
_crypt_startup()
Do
If $ialg_id <> $calg_userkey Then
$vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
If @error Then
$ierror = @error + 100
$iextended = @extended
$vreturn = -1
ExitLoop
EndIf
EndIf
$hbuff = DllStructCreate("byte[" & BinaryLen($vdata) + 1000 & "]")
DllStructSetData($hbuff, 1, $vdata)
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptDecrypt", "handle", $vcryptkey, "handle", 0, "bool", $bfinal, "dword", 0, "struct*", $hbuff, "dword*", BinaryLen($vdata))
If @error OR NOT $aret[0] Then
$ierror = @error + 20
$iextended = @extended
$vreturn = -1
ExitLoop
EndIf
$iplaintextsize = $aret[6]
$htempstruct = DllStructCreate("byte[" & $iplaintextsize & "]", DllStructGetPtr($hbuff))
$vreturn = DllStructGetData($htempstruct, 1)
Until True
If $ialg_id <> $calg_userkey Then _crypt_destroykey($vcryptkey)
_crypt_shutdown()
Return SetError($ierror, $iextended, $vreturn)
EndFunc
Func _crypt_hashdata($vdata, $ialg_id, $bfinal = True, $hcrypthash = 0)
Local $aret = 0, $hbuff = 0, $ierror = 0, $iextended = 0, $ihashsize = 0, $vreturn = 0
_crypt_startup()
Do
If $hcrypthash = 0 Then
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptCreateHash", "handle", __crypt_context(), "uint", $ialg_id, "ptr", 0, "dword", 0, "handle*", 0)
If @error OR NOT $aret[0] Then
$ierror = @error + 10
$iextended = @extended
$vreturn = -1
ExitLoop
EndIf
$hcrypthash = $aret[5]
EndIf
$hbuff = DllStructCreate("byte[" & BinaryLen($vdata) & "]")
DllStructSetData($hbuff, 1, $vdata)
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptHashData", "handle", $hcrypthash, "struct*", $hbuff, "dword", DllStructGetSize($hbuff), "dword", $crypt_userdata)
If @error OR NOT $aret[0] Then
$ierror = @error + 20
$iextended = @extended
$vreturn = -1
ExitLoop
EndIf
If $bfinal Then
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptGetHashParam", "handle", $hcrypthash, "dword", $hp_hashsize, "dword*", 0, "dword*", 4, "dword", 0)
If @error OR NOT $aret[0] Then
$ierror = @error + 30
$iextended = @extended
$vreturn = -1
ExitLoop
EndIf
$ihashsize = $aret[3]
$hbuff = DllStructCreate("byte[" & $ihashsize & "]")
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptGetHashParam", "handle", $hcrypthash, "dword", $hp_hashval, "struct*", $hbuff, "dword*", DllStructGetSize($hbuff), "dword", 0)
If @error OR NOT $aret[0] Then
$ierror = @error + 40
$iextended = @extended
$vreturn = -1
ExitLoop
EndIf
$vreturn = DllStructGetData($hbuff, 1)
Else
$vreturn = $hcrypthash
EndIf
Until True
If $hcrypthash <> 0 AND $bfinal Then DllCall(__crypt_dllhandle(), "bool", "CryptDestroyHash", "handle", $hcrypthash)
_crypt_shutdown()
Return SetError($ierror, $iextended, $vreturn)
EndFunc
Func _crypt_hashfile($sfile, $ialg_id)
Local $btempdata = 0, $hfile = 0, $hhashobject = 0, $ierror = 0, $iextended = 0, $vreturn = 0
_crypt_startup()
Do
$hfile = FileOpen($sfile, $fo_binary)
If $hfile = -1 Then
$ierror = 1
$vreturn = -1
ExitLoop
EndIf
Do
$btempdata = FileRead($hfile, 512 * 1024)
If @error Then
$vreturn = _crypt_hashdata($btempdata, $ialg_id, True, $hhashobject)
If @error Then
$ierror = @error
$iextended = @extended
$vreturn = -1
ExitLoop 2
EndIf
ExitLoop 2
Else
$hhashobject = _crypt_hashdata($btempdata, $ialg_id, False, $hhashobject)
If @error Then
$ierror = @error + 100
$iextended = @extended
$vreturn = -1
ExitLoop 2
EndIf
EndIf
Until False
Until True
_crypt_shutdown()
If $hfile <> -1 Then FileClose($hfile)
Return SetError($ierror, $iextended, $vreturn)
EndFunc
Func _crypt_encryptfile($ssourcefile, $sdestinationfile, $vcryptkey, $ialg_id)
Local $btempdata = 0, $hinfile = 0, $houtfile = 0, $ierror = 0, $iextended = 0, $ifilesize = FileGetSize($ssourcefile), $iread = 0, $breturn = True
_crypt_startup()
Do
If $ialg_id <> $calg_userkey Then
$vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
If @error Then
$ierror = @error
$iextended = @extended
$breturn = False
ExitLoop
EndIf
EndIf
$hinfile = FileOpen($ssourcefile, $fo_binary)
If @error Then
$ierror = 2
$breturn = False
ExitLoop
EndIf
$houtfile = FileOpen($sdestinationfile, $fo_overwrite + $fo_createpath + $fo_binary)
If @error Then
$ierror = 3
$breturn = False
ExitLoop
EndIf
Do
$btempdata = FileRead($hinfile, 1024 * 1024)
$iread += BinaryLen($btempdata)
If $iread = $ifilesize Then
$btempdata = _crypt_encryptdata($btempdata, $vcryptkey, $calg_userkey, True)
If @error Then
$ierror = @error + 400
$iextended = @extended
$breturn = False
EndIf
FileWrite($houtfile, $btempdata)
ExitLoop 2
Else
$btempdata = _crypt_encryptdata($btempdata, $vcryptkey, $calg_userkey, False)
If @error Then
$ierror = @error + 500
$iextended = @extended
$breturn = False
ExitLoop 2
EndIf
FileWrite($houtfile, $btempdata)
EndIf
Until False
Until True
If $ialg_id <> $calg_userkey Then _crypt_destroykey($vcryptkey)
_crypt_shutdown()
If $hinfile <> -1 Then FileClose($hinfile)
If $houtfile <> -1 Then FileClose($houtfile)
Return SetError($ierror, $iextended, $breturn)
EndFunc
Func _crypt_decryptfile($ssourcefile, $sdestinationfile, $vcryptkey, $ialg_id)
Local $btempdata = 0, $hinfile = 0, $houtfile = 0, $ierror = 0, $iextended = 0, $ifilesize = FileGetSize($ssourcefile), $iread = 0, $breturn = True
_crypt_startup()
Do
If $ialg_id <> $calg_userkey Then
$vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
If @error Then
$ierror = @error
$iextended = @extended
$breturn = False
ExitLoop
EndIf
EndIf
$hinfile = FileOpen($ssourcefile, $fo_binary)
If @error Then
$ierror = 2
$breturn = False
ExitLoop
EndIf
$houtfile = FileOpen($sdestinationfile, $fo_overwrite + $fo_createpath + $fo_binary)
If @error Then
$ierror = 3
$breturn = False
ExitLoop
EndIf
Do
$btempdata = FileRead($hinfile, 1024 * 1024)
$iread += BinaryLen($btempdata)
If $iread = $ifilesize Then
$btempdata = _crypt_decryptdata($btempdata, $vcryptkey, $calg_userkey, True)
If @error Then
$ierror = @error + 400
$iextended = @extended
$breturn = False
EndIf
FileWrite($houtfile, $btempdata)
ExitLoop 2
Else
$btempdata = _crypt_decryptdata($btempdata, $vcryptkey, $calg_userkey, False)
If @error Then
$ierror = @error + 500
$iextended = @extended
$breturn = False
ExitLoop 2
EndIf
FileWrite($houtfile, $btempdata)
EndIf
Until False
Until True
If $ialg_id <> $calg_userkey Then _crypt_destroykey($vcryptkey)
_crypt_shutdown()
If $hinfile <> -1 Then FileClose($hinfile)
If $houtfile <> -1 Then FileClose($houtfile)
Return SetError($ierror, $iextended, $breturn)
EndFunc
Func _crypt_genrandom($pbuffer, $isize)
_crypt_startup()
Local $aret = DllCall(__crypt_dllhandle(), "bool", "CryptGenRandom", "handle", __crypt_context(), "dword", $isize, "struct*", $pbuffer)
Local $ierror = @error + 10, $iextended = @extended
_crypt_shutdown()
If $ierror OR (NOT $aret[0]) Then
Return SetError($ierror, $iextended, False)
Else
Return True
EndIf
EndFunc
Func __crypt_refcount()
Return $__g_acryptinternaldata[0]
EndFunc
Func __crypt_refcountinc()
$__g_acryptinternaldata[0] += 1
EndFunc
Func __crypt_refcountdec()
If $__g_acryptinternaldata[0] > 0 Then $__g_acryptinternaldata[0] -= 1
EndFunc
Func __crypt_dllhandle()
Return $__g_acryptinternaldata[1]
EndFunc
Func __crypt_dllhandleset($hadvapi32)
$__g_acryptinternaldata[1] = $hadvapi32
EndFunc
Func __crypt_context()
Return $__g_acryptinternaldata[2]
EndFunc
Func __crypt_contextset($hcryptcontext)
$__g_acryptinternaldata[2] = $hcryptcontext
EndFunc
Come puoi vedere, esiste un codice criptato che suggerisce che si tratta di un ransomware (piuttosto scadente e amatoriale). Sentiti libero di decodificare tutto il resto.