{
	"id": "a8852212-17fd-4ab2-aa17-8275346da498",
	"created_at": "2026-04-06T00:19:31.459447Z",
	"updated_at": "2026-04-10T03:21:08.001249Z",
	"deleted_at": null,
	"sha1_hash": "0bfdaf5ad35839c86e3fcd6318ce585be5bf83ef",
	"title": "D-Link DNS-320 NAS Cr1ptT0r Ransomware ARM Dynamic Analysis - QEMU and Raspberry PI VM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 162099,
	"plain_text": "D-Link DNS-320 NAS Cr1ptT0r Ransomware ARM Dynamic Analysis - QEMU and Raspberry PI VM\r\nArchived: 2026-04-05 21:28:03 UTC\r\nHi Everybody,\r\na few days ago I saw a tweet from @Amigo_A_ asking for help about a new ransomware which was affecting a D-Link 320 NAS.\r\nMy first thought went to D-Link's historical inability to make sufficiently secure firmware and their unwillingness to support updates. Those facts made me think about an attack conducted over the net, targeting all the devices exposed on the internet itself.\r\nApparently it was the right hypothesis.\r\nAll the users with a D-Link 320XX are nowadays at very high risk.\r\nTURN OFF THE DEVICE AND DISCONNECT IT FROM WAN.\r\nOn BleepingComputer's forum I asked the affected users to check their own firmware and try to grab the malware. Someone did and shared the ELF on VirusTotal.\r\nThanks to Michael Gillespie @demonslay335 I was able to get a copy of that sample.\r\nHash: 9a1de00dbc07271a27cb4806937802007ae5a59433ca858d52678930253f42c1\r\n(Very few) years ago I had experience with some router exploiting and reversing (the Italian ISP Telecom Italia and their ADSL routers); they were based on MIPS with a very good OS (Jungo OpenRG), always trivial to exploit. But this is another story; I've spent a lot of time on those devices learning some useful stuff which today apparently becomes good knowledge.\r\nSince this ransomware is stripped (debugging information removed) and statically compiled, static analysis is very hard to do: every call target appears only as an anonymous sub_XXXXX, because the stripped ELF carries no symbol names for the statically linked library code.\r\nBecause of this, we have few options to make our life less complicated:\r\n1) do a dynamic analysis\r\n2) create IDA Pro FLIRT signatures\r\nStarting from the first point we faced a new problem: where to run the ARM malware?\r\n2 opportunities: the first on a QEMU VM, the second on a D-Link device (of course lol).\r\nI do not buy D-Link stuff, so I had only one opportunity: QEMU.\r\nhttps://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html\r\nPage 1 of 4\r\nSince I'm lazy (and the executable is statically linked), I decided to try with my Kali x64 VM and qemu-arm-static with the -g parameter, which makes QEMU wait for a gdb debugger on the given port.\r\nI really don't know why, but something went wrong, bringing IDA Pro to crash. LOL 😔\r\nIt was a fail, so I started to look at a new easy path and I thought about Raspberry Pi.\r\nOn SourceForge there is a nice prebuilt, preconfigured QEMU Raspberry Pi emulator:\r\nhttps://sourceforge.net/projects/rpiqemuwindows/\r\nIn the run.bat file I added a parameter to be able to upload the malware and the remote debug server with FileZilla over SFTP, and then, after killing sshd, I used the same port to connect with IDA.\r\nSmart laziness 😀\r\nqemu-system-arm.exe -M versatilepb -cpu arm1176 -hda 2012-07-15-wheezy-raspbian.img -redir tcp:2200::22 -kernel kernel-qemu -m 192 -append \"root=/dev/sda2\"\r\n(The -redir option forwards host port 2200 to guest port 22; it was removed from later QEMU releases, where the equivalent is -net nic -net user,hostfwd=tcp::2200-:22.)\r\nStarting the IDA Pro remote debugging again, the following stuff comes up!!!!! YEAH IT WORKS!!!! 😍😍\r\nSo far we know a few things about this ransomware, which are:\r\nIn addition, the strings show that it also uses crypto routines from the libsodium library\r\nhttps://libsodium.gitbook.io/doc/\r\nLike I said before, the (hardest) next step is to create an IDA FLIRT signature by cross-compiling some examples from the libsodium repo (hoping that they use the same functions as the malware), extracting the signatures with the FireEye idb2pat tool https://www.fireeye.com/blog/threat-research/2015/01/flare_ida_pro_script.html, to get an understandable static analysis and MAYBE retrieve the private key and decrypt the files, or at least obtain a reduced keyspace to make a brute-force attack possible.\r\nFollow me on Twitter and I'll keep you updated.\r\nCheers\r\nRE Solver\r\nSource: https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html"
	],
	"report_names": [
		"d-link-dns-320-nas-cr1ptt0r-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434771,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0bfdaf5ad35839c86e3fcd6318ce585be5bf83ef.pdf",
		"text": "https://archive.orkl.eu/0bfdaf5ad35839c86e3fcd6318ce585be5bf83ef.txt",
		"img": "https://archive.orkl.eu/0bfdaf5ad35839c86e3fcd6318ce585be5bf83ef.jpg"
	}
}
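The triage the post does by hand on the Cr1ptT0r sample (a stripped, statically linked ARM ELF whose strings point at libsodium) can be scripted. The following Python is an added example written for this page; it is not code from the original post, from the malware, or from the libsodium project. It parses the ELF32 header, program headers and section headers to report architecture, static versus dynamic linking (presence of PT_INTERP/PT_DYNAMIC) and whether a .symtab survived stripping, then scans for a few real libsodium export names. The images it checks are constructed in memory by build_sample_elf, a hypothetical helper whose loader path and strings are made up, so it runs offline without the sample.

```python
"""Added example: ELF32 triage of the kind done by hand in the post
(ARM? statically linked? stripped? libsodium strings?), run against
constructed in-memory sample images rather than the real malware."""
import struct

EM_ARM = 40
PT_INTERP, PT_DYNAMIC = 3, 2
SHT_SYMTAB, SHT_STRTAB = 2, 3

# Real libsodium export names; their presence in a static binary is a hint
# (not proof) that libsodium was linked in.
LIBSODIUM_MARKERS = (b"sodium_init", b"crypto_secretbox", b"crypto_box",
                     b"crypto_pwhash", b"randombytes_buf")


def triage_elf(data: bytes) -> dict:
    """Return arch/static/stripped verdicts plus libsodium marker hits."""
    if data[:4] != b"\x7fELF" or data[4] != 1:      # ELFCLASS32 only (the DNS-320 is 32-bit ARM)
        raise ValueError("not a 32-bit ELF")
    end = "<" if data[5] == 1 else ">"              # EI_DATA: 1 = little endian
    (e_type, e_machine, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, _) = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
    # A PT_INTERP or PT_DYNAMIC program header means a dynamic loader is needed.
    p_types = {struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
               for i in range(e_phnum)}
    # sh_type sits 4 bytes into each Elf32_Shdr; no SHT_SYMTAB means strip(1) ran.
    sh_types = {struct.unpack_from(end + "I", data, e_shoff + i * e_shentsize + 4)[0]
                for i in range(e_shnum)}
    return {
        "executable": e_type == 2,
        "arm": e_machine == EM_ARM,
        "static": not (p_types & {PT_INTERP, PT_DYNAMIC}),
        "stripped": SHT_SYMTAB not in sh_types,
        "libsodium_hits": sorted(m.decode() for m in LIBSODIUM_MARKERS if m in data),
    }


def build_sample_elf(static: bool = True, stripped: bool = True) -> bytes:
    """Constructed minimal little-endian ARM ELF32 image (hypothetical, not a
    real sample). It holds no code; only the headers and strings matter here."""
    rodata = b"\0".join((b"sodium_init", b"crypto_secretbox_easy",
                         b"constructed sample string")) + b"\0"
    interp = b"/lib/ld-linux.so.3\0"                 # made-up loader path for the dynamic variant
    symtab = bytes(16 * 2)                           # two blank Elf32_Sym entries (16 bytes each)
    shstrtab = b"\0.rodata\0.symtab\0.shstrtab\0"    # name offsets: 1, 9, 17
    parts = [("rodata", rodata)]
    if not static:
        parts.append(("interp", interp))
    if not stripped:
        parts.append(("symtab", symtab))
    parts.append(("shstrtab", shstrtab))
    n_ph = 1 if static else 2
    phoff = 52                                       # sizeof(Elf32_Ehdr)
    cur = phoff + 32 * n_ph                          # file contents follow the phdrs
    off = {}
    for name, blob in parts:
        off[name] = cur
        cur += len(blob)
    shoff = cur                                      # section headers go last
    phdrs = [struct.pack("<8I", 1, 0, 0x8000, 0x8000, shoff, shoff, 5, 0x1000)]  # PT_LOAD
    if not static:
        phdrs.append(struct.pack("<8I", PT_INTERP, off["interp"], 0, 0,
                                 len(interp), len(interp), 4, 1))
    shdrs = [bytes(40)]                              # mandatory SHN_UNDEF entry
    shdrs.append(struct.pack("<10I", 1, 1, 2, 0, off["rodata"], len(rodata), 0, 0, 1, 0))
    if not stripped:
        shdrs.append(struct.pack("<10I", 9, SHT_SYMTAB, 0, 0, off["symtab"], len(symtab),
                                 0, 0, 4, 16))
    shdrs.append(struct.pack("<10I", 17, SHT_STRTAB, 0, 0, off["shstrtab"],
                             len(shstrtab), 0, 0, 1, 0))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # class32, LE, version 1, SYSV ABI
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, EM_ARM, 1, 0x8000, phoff, shoff, 0,
                               52, 32, len(phdrs), 40, len(shdrs), len(shdrs) - 1)
    return ehdr + b"".join(phdrs) + b"".join(b for _, b in parts) + b"".join(shdrs)


if __name__ == "__main__":
    for static, stripped in ((True, True), (False, False)):
        print(f"static={static} stripped={stripped}:",
              triage_elf(build_sample_elf(static, stripped)))
```

To use it on a real file, pass open(path, "rb").read() to triage_elf. A "stripped" verdict here only means .symtab is absent; a dynamic binary still keeps .dynsym, which is why the post's statically linked sample is the hard case and why FLIRT signatures are the next step.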