RansomCoinPublic : A DFIR Tool To Extract Cryptocoin Addresses

RansomCoinPublic is a DFIR tool that extracts cryptocoin addresses and other indicators of compromise from binaries. It pulls metadata and hardcoded Indicators of Compromise out of ransomware in a scalable, efficient way, with Cuckoo integration.

Ideally it is run during Cuckoo dynamic analysis, but it can also be used for static analysis on large collections of ransomware. It is designed to be fast, with a low false-positive rate for cryptocurrency addresses, and limited false positives for emails, URLs, onions, and domains (which are hard to match perfectly).

In short, this is fast and easy initial triage if you only want monetisation vectors.

Installation

Please ensure you have Python3 installed.

In a Linux Virtual Machine

It is advisable to download and install a virtualizer such as VirtualBox. Install your desired Linux virtual machine (e.g. Lubuntu, Kali Linux) then follow the instructions below.

From the tools folder:

sudo apt-get install build-essential libpoppler-cpp-dev pkg-config python-dev python3-tlsh

python3 -m pip install -r requirements.txt

Note: If you get an error saying No module named pip, try running

sudo apt-get install python3-pip


Usage

A tutorial video is available:

The following commands can be run from the “Tools” folder to analyse malware samples located in that directory. This runs the code across all files in the directory and reports the estimated time to completion via TQDM. You need write access to a file called Ransomware.csv in the directory you are working in (it holds the results). The code should still run across read-only malware files, so only Ransomware.csv needs write access.

Coinlector.py

After running coinlector.py the results are written to a file in the same directory called Ransomware.csv.

python3 coinlector.py

View the results by running

less Ransomware.csv

Currently we are testing for:

  • Bitcoin Addresses (BTC)
  • Bitcoin Cash Addresses (BCH)
  • Monero Addresses (XMR)
  • Bitcoin Private Keys
  • Ethereum addresses (ETH)
  • Ripple addresses (XRP)
  • LTC addresses (LTC)
  • DOGECOIN addresses (DOGE)
  • NEO addresses (NEO)
  • DASH addresses (DASH)
  • Domains (Address)
  • Email Addresses (Email)
  • Onion Addresses (Address)
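As an added illustration (not the project's code) of how checksum validation keeps false positives low for the BTC entries in the list above: the scanner below finds Base58 candidates in both ASCII and UTF-16LE strings of a constructed byte buffer, keeps only those that pass Base58Check, and emits rows in an assumed sample,type,value layout (the real Ransomware.csv columns are not shown on this page).

```python
import csv
import hashlib
import re
import sys

# Base58 alphabet used by Bitcoin (no 0, O, I or l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
C = rb"[1-9A-HJ-NP-Za-km-z]"
# Legacy P2PKH ("1...") and P2SH ("3...") candidates, 26-35 characters; the
# look-around rejects matches that are merely part of a longer Base58 run.
ASCII_RE = re.compile(rb"(?<!" + C + rb")[13]" + C + rb"{25,34}(?!" + C + rb")")
# Same pattern over UTF-16LE text, which Windows binaries commonly embed.
WIDE_RE = re.compile(rb"(?<!" + C + rb"\x00)[13]\x00(?:" + C + rb"\x00){25,34}(?!" + C + rb"\x00)")

def base58check_version(addr: str):
    """Return the version byte if addr passes Base58Check, otherwise None."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading + body
    if len(raw) != 25:  # version(1) + hash160(20) + checksum(4)
        return None
    payload, checksum = raw[:21], raw[21:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload[0]

def extract_btc(data: bytes):
    """Return the sorted, checksum-valid BTC addresses found in data."""
    cands = {m.group().decode("ascii") for m in ASCII_RE.finditer(data)}
    cands |= {m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)}
    return sorted(a for a in cands if base58check_version(a) in (0x00, 0x05))

def csv_rows(sample: str, data: bytes):
    """Rows in the assumed (sample, type, value) layout; 'BTC' is the grep key."""
    return [(sample, "BTC", a) for a in extract_btc(data)]

# Constructed stand-in for a ransomware binary: one ASCII address, one UTF-16LE
# address, and a lookalike whose last character was altered (bad checksum).
SAMPLE = (b"\x00\x00Pay to: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\x00"
          b"mirror 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\x00"
          + "Send to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    w = csv.writer(sys.stdout)
    w.writerow(("sample", "type", "value"))
    w.writerows(csv_rows("constructed.bin", SAMPLE))
```

The altered lookalike is rejected by the checksum alone; a regex-only scanner would have reported it.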

View URLs, email addresses, and cryptocurrency addresses by running the following grep commands.

less Ransomware.csv | grep URL

less Ransomware.csv | grep Email

less Ransomware.csv | grep Address

Grep for Monero addresses by running

less Ransomware.csv | grep XMR

The same command can be used to search for other cryptocurrencies using the abbreviations in the list above.

Tempuscoin.py

tempuscoin.py outputs a list of timestamped ransom transactions. The file TemporalRansoms.csv is created showing the sending and receiving Bitcoin addresses, the amount in BTC, and its equivalent value in EUR and USD at the time of the transaction.

python3 tempuscoin.py

View the results by running

less TemporalRansoms.csv

Eventcoin.py

This code will probably need to be altered to be made usable with your own MISP instance. It uses PyMISP to create events from the Ransomware.csv file, and groups of events share the same name. The default is to create events that are not published, and then to add details by hand before publishing. YMMV.

R K
