In this video, we dynamically analyze the Linux Black Basta ransomware family. We use strace to determine the required directories and trigger both the encryption and decryption behavior.
---
Timestamps:
00:00 Intro
00:44 Analysis Environment
02:13 Starting Dynamic Analysis
03:19 Decryptors
04:26 Triggering Encryptor
06:21 Strace
08:00 VMware ESXi
09:39 VMFS Test
12:30 Ransom Note
15:07 Strace Encryptor Output
15:50 Multithreading
17:48 Triggering Decryptor
19:38 Dumped key?
20:58 Decryptor Round 2
22:58 Successful Decryption!
23:27 Recap
---
Software Links Mentioned in Video:
strace manpage:
https://www.man7.org/linux/man-pages/man1/strace.1.html
---
Malware Examined in the video (BlackBasta):
Decryptor:
sha256:96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be
Encryptor:
sha256:0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef
---
laurieWIRED Twitter:
https://twitter.com/lauriewired
laurieWIRED Website:
http://lauriewired.com
laurieWIRED Github:
https://github.com/LaurieWired
laurieWIRED HN:
https://news.ycombinator.com/user?id=lauriewired
laurieWIRED Reddit:
https://www.reddit.com/user/LaurieWired