{
	"id": "34fdb5e9-d189-40d5-aa5c-d5f2a3166a63",
	"created_at": "2026-04-06T00:13:11.624124Z",
	"updated_at": "2026-04-10T13:13:03.807578Z",
	"deleted_at": null,
	"sha1_hash": "fb9c51bff67279640afc7f0cbb80742308abb787",
	"title": "BlackMatter Ransomware v2.0",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2502085,
	"plain_text": "BlackMatter Ransomware v2.0\r\nBy Chuong Dong\r\nPublished: 2021-09-05 · Archived: 2026-04-05 21:03:40 UTC\r\nReverse Engineering  · 05 Sep 2021\r\nContents\r\nBlackMatter Ransomware v2.0\r\nContents\r\nOverview\r\nIOCS\r\nRansom Note\r\nStatic Code Analysis\r\nAnti-Analysis: Dynamic API Resolving\r\nAnti-Analysis: String Encryption\r\nAnti-Analysis: String Comparison\r\nConfiguration\r\nCommand-line Arguments\r\nPre-Encryption Setup\r\nUAC Bypass\r\nGenerate Encrypted Extension\r\nRetrieving Token To Impersonate With Process Injection\r\nParsing Login Credentials\r\nCryptographic Keys Setup\r\nSafe Mode Reboot\r\nChecking Computer Name\r\nAuto Logon Credential\r\nRunOnce Registry Persistence\r\nSafe Boot Command Execution\r\nSetting Ransom Wallpaper\r\nRansom Note Printing\r\nRun-Once Mutex\r\nWiping Recycle Bins\r\nShadow Copies Deletion Through WMI\r\nTerminating Services through Service Control Manager\r\nTerminating Processes\r\nFile Encryption\r\nMultithreading: Parent Thread\r\nMultithreading: Parent Thread Communication\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 1 of 80\n\nFile Owner Termination\r\nCheck If File Is Already Encrypted\r\nChecking Large File\r\nThread Shared Structure\r\nMultithreading: Child Threads Encryption\r\nI. State 0: Reading File\r\nII. State 1. Encrypt and Write File\r\nBlackMatter Custom ChaCha20\r\nIII. State 2. Write File Footer\r\nIV. State 3. Clean Up\r\nChild Thread Communication\r\nExchange Mailbox Traversal\r\nLogical Drives Traversal\r\nNetwork Shares Traversal\r\nNetwork Communication\r\nWeird Threading Stuff\r\nReferences\r\nOverview\r\nThis is my analysis for the BlackMatter Ransomware version 2.0.\r\nIn this analysis, I only cover BlackMatter’s ransomware functionalities and leave out details about the anti-analysis and obfuscation stuff. 
The main reason for this is that I’m just really lazy.\r\nBlackMatter uses a hybrid-cryptography scheme of RSA-1024 and a modified ChaCha20 to encrypt files and protect its ChaCha20 matrix.\r\nLike Darkside, its configuration is encrypted and aPLib-compressed in memory.\r\nWhen servers’ URLs are provided in the configuration, the malware encrypts information about the victim’s machine and encryption stats using a hard-coded AES key and sends them to the remote servers.\r\nSimilar to REvil, BlackMatter’s child threads use a shared structure to divide the work into multiple states while encrypting a file.\r\nBy basing its multithreading architecture on REvil’s, BlackMatter’s encryption is relatively fast.\r\nFigure 1: BlackMatter leak site.\r\nIOCS\r\nThis sample is a 32-bit Windows executable.\r\nMD5: 50c4970003a84cab1bf2634631fe39d7\r\nSHA256: 520bd9ed608c668810971dbd51184c6a29819674280b018dc4027bc38fc42e57\r\nSample:\r\nhttps://bazaar.abuse.ch/sample/520bd9ed608c668810971dbd51184c6a29819674280b018dc4027bc38fc42e57/\r\nFigure 2: BlackMatter victim portal.\r\nRansom Note\r\nThe content of the ransom note is encrypted in BlackMatter’s configuration, and it’s dynamically decrypted and written to the ransom note file in every directory.\r\nThe ransom note filename is in the form \u003cencrypted extension\u003e.README.txt.\r\nFigure 3: BlackMatter ransom note.\r\nStatic Code Analysis\r\nAnti-Analysis: Dynamic API Resolving\r\nSince BlackMatter is a combination of LockBit, Darkside, and REvil, it’s not surprising that the ransomware obfuscates its API calls from static analysis.\r\nThe obfuscation is pretty cool, but I won’t analyze it here.
I highly suggest fellow analysts check out how it works if they have time!\r\nFigure 3: Dynamic API resolve.\r\nCheck out my IDAPython scripts dll_exports.py and revil_api_resolve.py if you want to automate resolving these APIs in IDA Pro and speed up your analysis.\r\nThese scripts are inspired by the REvil scripts from this OALabs’ YouTube video.\r\nJan G. has a really good blog post explaining BlackMatter’s API hashing and obfuscation through trampoline pointers. If you’re interested in the technical analysis of this, feel free to check their work out.\r\nAnti-Analysis: String Encryption\r\nAs with other major ransomware out there, most strings in BlackMatter are encrypted and resolved at run-time.\r\nThe strings that are not encrypted are stored on the stack as stack strings. For each encrypted one, the encrypted bytes/DWORDs are pushed on the stack and decrypted by XOR-ing with a constant.\r\nThis implementation is really similar to that of Conti ransomware, and there is probably a good way to automate resolving these with an IDAPython script.\r\nSince I’m lazy during my analysis, I just use x32dbg to execute and resolve these stack strings dynamically.\r\nFigure 5: Stack string decryption.\r\nAnti-Analysis: String Comparison\r\nIn ransomware specifically, string comparison is crucial for tasks such as checking the names of processes and services to terminate, files and folders to avoid encrypting, searching for names of DLLs and Windows APIs, etc.\r\nAs a result, it helps tremendously if analysts can look at the strings being compared to quickly identify certain functionalities of the ransomware.\r\nBlackMatter obfuscates this with a one-way hash function and only compares the strings’ hashes instead of the strings themselves.
The hash of a string is just the summation of each byte rotated right by 13 with an initial seed.\r\nFigure 6: String hashing algorithm.\r\nBecause the summation is lossy, it is impossible to work backward from the hash to recover the string, so resolving these hashes requires heuristic analysis, a cracking dictionary, and brute-forcing.\r\nI use and contribute to this tool by @sisoma2 to look up the hashes that BlackMatter uses! His tool has a great dictionary to crack the hashes, so make sure to use it to aid your analysis!\r\nBelow is the list of hashes used by BlackMatter v2 and their strings.\r\n0xd3801b00 -\u003e hlp\r\n0x5366e694 -\u003e perflogs\r\n0xe7681bc0 -\u003e rom\r\n0xdd481cc0 -\u003e msi\r\n0xd9c81940 -\u003e key\r\n0xef3a37b3 -\u003e default\r\n0xd57818c0 -\u003e ico\r\n0x67b00e00 -\u003e 386\r\n0xcd2e9b7a -\u003e theme\r\n0x6b66f975 -\u003e intel\r\n0xdd081c00 -\u003e mpa\r\n0xdd101900 -\u003e mdb\r\n0xe9981a00 -\u003e shs\r\n0x267078f5 -\u003e $windows.~bt\r\n0xcd101900 -\u003e edb\r\n0xc6ce6958 -\u003e appdata\r\n0xeb869d00 -\u003e http\r\n0x85aa57e4 -\u003e ntuser.dat.log\r\n0x4a6bb7db -\u003e msstyles\r\n0x4cca7837 -\u003e nomedia\r\n0x49164931 -\u003e accdb\r\n0xc9101840 -\u003e cab\r\n0xe1c018c0 -\u003e ocx\r\n0xdb301900 -\u003e ldf\r\n0x12018c0 -\u003e c$\r\n0xfcc8ab56 -\u003e bootsect.bak\r\n0xdf981b00 -\u003e nls\r\n0xe99018c0 -\u003e scr\r\n0xa6f2d1a7 -\u003e application data\r\n0x4c4b25d4 -\u003e tor browser\r\n0xe7801d00 -\u003e rtp\r\n0xdd201bc0 -\u003e mod\r\n0xf00cae96 -\u003e bootfont.bin\r\n0x846bec00 -\u003e iconcache.db\r\n0xd4aaebb2 -\u003e admin$\r\n0xc7a01840 -\u003e bat\r\n0xc8cef7d1 -\u003e thumbs.db\r\n0xdd301900 -\u003e mdf\r\n0xf1c01c00 -\u003e wpx\r\n0xe1a63bc0 -\u003e boot\r\n0xcbb01c80 -\u003e drv\r\n0xc5481b80 -\u003e ani\r\n0xcbe2aa35 
-\u003e ntuser.ini\r\n0x2e75e394 -\u003e programdata\r\n0x4ae29631 -\u003e diagcfg\r\n0xba22623b -\u003e all users\r\n0x4aba94f1 -\u003e diagcab\r\n0xd5c01900 -\u003e idx\r\n0xdd801cc0 -\u003e msp\r\n0xdd181cc0 -\u003e msc\r\n0xeb9f5c34 -\u003e https\r\n0x3907099b -\u003e boot.ini\r\n0x64e29771 -\u003e diagpkg\r\n0x86ccaa15 -\u003e autorun.inf\r\n0xb7e02438 -\u003e svchost.exe\r\n0xe3301c80 -\u003e prf\r\n0xe9601c00 -\u003e spl\r\n0xc5b01900 -\u003e adv\r\n0x452f4997 -\u003e -safe\r\n0xe1881cc0 -\u003e ps1\r\n0xaf16c593 -\u003e themepack\r\n0xe3101900 -\u003e pdb\r\n0xd59818c0 -\u003e ics\r\n0xdb975937 -\u003e ntldr\r\n0xc23aa6f5 -\u003e ntuser.dat\r\n0x3eb272e6 -\u003e explorer.exe\r\n0xb7ea3892 -\u003e msocache\r\n0xe15ed8c0 -\u003e lock\r\n0xcb601b00 -\u003e dll\r\n0xe3426cd7 -\u003e windows\r\n0xc7701a40 -\u003e bin\r\n0xc9601c00 -\u003e cpl\r\n0x5cde3a7b -\u003e public\r\n0xc99eab80 -\u003e icns\r\n0xdf301900 -\u003e ndf\r\n0xd3081d00 -\u003e hta\r\n0x7f07935 -\u003e windows.old\r\n0x45678b17 -\u003e -wall\r\n0xdda81cc0 -\u003e msu\r\n0xe9981e40 -\u003e sys\r\n0x30a212d -\u003e $recycle.bin\r\n0x45471d17 -\u003e -path\r\n0x52cb0b38 -\u003e google\r\n0xdccab8dd -\u003e mozilla\r\n0xc9201b40 -\u003e cmd\r\n0xa1fccbfe -\u003e deskthemepack\r\n0x26687e35 -\u003e $windows.~ws\r\n0xc9901d40 -\u003e cur\r\n0xae018eae -\u003e system volume information\r\n0xdb581b80 -\u003e lnk\r\n0xcd281e00 -\u003e exe\r\n0x82d2a252 -\u003e desktop.ini\r\n0x8cf281cd -\u003e config.msi\r\n0xfe9e7c10 -\u003e runonce.exe\r\n0x36004e4e -\u003e program files\r\n0xd56018c0 -\u003e icl\r\n0xab086595 -\u003e program files (x86)\r\n0xc9681bc0 -\u003e com\r\nConfiguration\r\nThe configuration of BlackMatter samples is encrypted and compressed in memory, similar to that of Darkside.\r\nDuring my analysis, I execute the sample in x32dbg to decrypt it dynamically and decompress the configuration using aPLib 
in Python.\r\nFigure 7: BlackMatter config extraction.\r\nBelow is the list of configuration fields that BlackMatter supports and their descriptions.\r\nRSA_PUBLIC_KEY (128 bytes): RSA public key used to encrypt the ChaCha20 key.\r\nCOMPANY_VICTIM_ID (16 bytes): Company ID included in the data sent back to the remote server to identify the victim.\r\nAES_KEY (16 bytes): AES key used to encrypt data sent to the remote servers.\r\nENCRYPT_LARGE_FILE_FLAG (1 byte): Enable chunking to encrypt large files.\r\nATTEMPT_LOGON_FLAG (1 byte): Enable attempting to log in using the user credentials given in the configuration.\r\nMOUNT_VOL_AND_ENCRYPT_FLAG (1 byte): Enable encrypting Exchange mailboxes, mounting all volumes, and encrypting them.\r\nNETWORK_ENCRYPT_FLAG (1 byte): Enable retrieving DNS host names and encrypting their network shares.\r\nTERMINATE_PROCESSES_FLAG (1 byte): Enable terminating the processes specified by the PROCESSES_TO_KILL config field.\r\nSTOP_SERVICES_AND_DELETE_FLAG (1 byte): Enable stopping and deleting the services specified by the SERVICES_TO_KILL config field.\r\nCREATE_MUTEX_FLAG (1 byte): Enable creating and checking the RunOnce mutex.\r\nPRINTER_PRINT_RANSOM_NOTE_FLAG (1 byte): Enable printing the ransom note using the local user’s default printer.\r\nSEND_DATA_TO_SERVER_FLAG (1 byte): Enable sending the victim’s info and encryption stats to the remote servers specified by the REMOTE_SERVER_URLS config field.\r\nFOLDER_HASHES_TO_AVOID: Base64-encoded list of 4-byte hashes of folder names to avoid encrypting.\r\nFILE_HASHES_TO_AVOID: Base64-encoded list of 4-byte hashes of filenames to avoid encrypting.\r\nEXTENSION_HASHES_TO_AVOID: Base64-encoded list of 4-byte hashes of extensions to avoid encrypting.\r\nCOMPUTERNAMES_TO_AVOID: Base64-encoded list of computer names to avoid 
encrypting (not used in this sample).\r\nPROCESSES_TO_KILL: Base64-encoded list of processes to kill.\r\nSERVICES_TO_KILL: Base64-encoded list of services to kill.\r\nREMOTE_SERVER_URLS: Base64-encoded list of remote servers to contact.\r\nLOGIN_CREDENTIALS: List of credentials to try logging into the machine (not used in this sample).\r\nRANSOM_NOTE_CONTENT: Base64-encoded and encrypted content of the ransom note.\r\nRANSOM_NOTE_CONTENT_HASH: Checksum of the ransom note content.\r\nHere is the configuration of this v2 sample in JSON form. I generated this using this automatic config extraction tool and fixed up the configuration field names according to my analysis. Huge shoutout to the guys at McAfee Advanced Threat Research for this!\r\n{\r\n \"RSA_PUBLIC_KEY\": \"4FDB27F0D5F8A0741EBE1A8C08E5B98ABECE2C281166A7FFDCF239A8A77FD2A4FC6B8828A5F3F9F5FA4B245CC9\r\n \"COMPANY_VICTIM_ID\": \"24483508BCCFE72E63B26A1233058170\",\r\n \"AES_KEY\": \"196387BAD88422E3F08474FA8F7E796E\",\r\n \"ENCRYPT_LARGE_FILE_FLAG\": \"false\",\r\n \"ATTEMPT_LOGON_FLAG\": \"false\",\r\n \"MOUNT_VOL_AND_ENCRYPT_FLAG\": \"true\",\r\n \"NETWORK_ENCRYPT_FLAG\": \"true\",\r\n \"TERMINATE_PROCESSES_FLAG\": \"true\",\r\n \"STOP_SERVICES_AND_DELETE_FLAG\": \"true\",\r\n \"CREATE_MUTEX_FLAG\": \"true\",\r\n \"SEND_DATA_TO_SERVER_FLAG\": \"true\",\r\n \"PRINTER_PRINT_RANSOM_NOTE_FLAG\": \"true\",\r\n \"PROCESSES_TO_KILL\": [{\r\n \"\": \"encsvc\"\r\n }, {\r\n \"\": \"thebat\"\r\n }, {\r\n \"\": \"mydesktopqos\"\r\n }, {\r\n \"\": \"xfssvccon\"\r\n }, {\r\n \"\": \"firefox\"\r\n }, {\r\n \"\": \"infopath\"\r\n }, {\r\n \"\": \"winword\"\r\n }, {\r\n \"\": \"steam\"\r\n }, {\r\n \"\": \"synctime\"\r\n }, {\r\n \"\": \"notepad\"\r\n }, {\r\n \"\": \"ocomm\"\r\n }, {\r\n \"\": \"onenote\"\r\n }, {\r\n \"\": \"mspub\"\r\n }, {\r\n \"\": \"thunderbird\"\r\n }, {\r\n \"\": \"agntsvc\"\r\n }, {\r\n \"\": \"sql\"\r\n 
}, {\r\n \"\": \"excel\"\r\n }, {\r\n \"\": \"powerpnt\"\r\n }, {\r\n \"\": \"outlook\"\r\n }, {\r\n \"\": \"wordpad\"\r\n }, {\r\n \"\": \"dbeng50\"\r\n }, {\r\n \"\": \"isqlplussvc\"\r\n }, {\r\n \"\": \"sqbcoreservice\"\r\n }, {\r\n \"\": \"oracle\"\r\n }, {\r\n \"\": \"ocautoupds\"\r\n }, {\r\n \"\": \"dbsnmp\"\r\n }, {\r\n \"\": \"msaccess\"\r\n }, {\r\n \"\": \"tbirdconfig\"\r\n }, {\r\n \"\": \"ocssd\"\r\n }, {\r\n \"\": \"mydesktopservice\"\r\n }, {\r\n \"\": \"visio\"\r\n }],\r\n \"SERVICES_TO_KILL\": [{\r\n \"\": \"mepocs\"\r\n }, {\r\n \"\": \"memtas\"\r\n }, {\r\n \"\": \"veeam\"\r\n }, {\r\n \"\": \"svc$\"\r\n }, {\r\n \"\": \"backup\"\r\n }, {\r\n \"\": \"sql\"\r\n }, {\r\n \"\": \"vss\"\r\n }, {\r\n \"\": \"msexchange\"\r\n }],\r\n \"REMOTE_SERVER_URLS\": [{\r\n \"\": \"hxxps://mojobiden[.]com\"\r\n }, {\r\n \"\": \"hxxp://mojobiden[.]com\"\r\n }],\r\n \"RANSOM_NOTE_CONTENT\": [{\r\n \"\": \" ~+\r\n * +\r\n ' BLACK |\r\n () .-.,='``'=. - o -\r\n '=/_ \\\\ |\r\n * | '=._ |\r\n \\\\ `=./`, '\r\n . '=.__.=' `=' *\r\n + Matter +\r\n O * ' .\r\n \u003e\u003e\u003e What happens?\r\n Your network is encrypted, and currently not operational.\r\n We need only money, after payment we will give you a decryptor for the entire network and you will rest\r\n \r\n \u003e\u003e\u003e What guarantees?\r\n We are not a politically motivated group and we do not need anything other than your money.\r\n If you pay, we will provide you the programs for decryption and we will delete your data.\r\n If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this\r\n We always keep our promises.\r\n \r\n \u003e\u003e\u003e How to contact with us?\r\n 1. Download and install TOR Browser (hxxps://www[.]torproject[.]org/).\r\n 2. 
Open hxxp://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/\u003cREDACTED\u003e\r\n \r\n \u003e\u003e\u003e Warning! Recovery recommendations.\r\n We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.\"\r\n }],\r\n \"RANSOM_NOTE_CONTENT_HASH\": \"38E73655\"\r\n}\r\nCommand-line Arguments\r\nBlackMatter can run with or without command-line arguments.\r\nBelow is the list of arguments that can be supplied by the operator.\r\n-path \u003ctarget\u003e: Path to a specific directory to encrypt\r\n\u003ctarget\u003e: Path to a specific directory to encrypt\r\n-safe: Enable safe mode reboot\r\n-wall: Set up the wallpaper and print the ransom note\r\nPre-Encryption Setup\r\nUAC Bypass\r\nDuring setup, BlackMatter checks if it currently runs with administrative privileges.\r\nFirst, it calls SHTestTokenMembership to check if its process’s token is a member of the administrators’ group in the built-in domain.\r\nFigure 8: Checking token membership.\r\nNext, after querying the system’s OS version from the PEB, the ransomware checks if the current OS is Windows 7 or above.\r\nFigure 9: Checking OS version.\r\nFinally, it checks that the current process’s token belongs to the built-in system domain groups used for administration.\r\nFigure 10: Checking token authority.\r\nIf the checks pass and the process has admin privileges, the malware does not attempt a UAC bypass.\r\nFor the UAC bypass, using LdrEnumerateLoadedModules, it registers “dllhost.exe” in System32 as the ImagePathName and CommandLine fields in the ProcessParameters field of the process’s PEB.
This initial setup allows it to host and execute COM objects as “dllhost.exe”.\r\nFigure 11: Setup execution as dllhost.exe.\r\nBlackMatter then calls CoGetObject with the object name below to retrieve the COM interface ICMLuaUtil, which is commonly used for UAC bypass.\r\n Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\r\nThe malware then executes the ShellExec function of the ICMLuaUtil interface to relaunch itself with its original command-line arguments, so the new process runs with elevated privileges.\r\nFigure 12: UAC bypass and relaunch.\r\nFinally, it terminates itself by calling NtTerminateProcess.\r\nGenerate Encrypted Extension\r\nThe encrypted extension is dynamically generated from the victim’s machine GUID, which makes it unique on every system.\r\nFirst, BlackMatter queries the value of the registry key below to get the machine GUID.\r\n HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\r\nNext, the malware puts the machine GUID through 3 rounds of hashing and byte swaps, and Base64-encodes the final hash to generate the encrypted extension.\r\nBecause the ASCII characters ‘+’, ‘/’, and ‘=’ in a Base64 string do not work well in a file extension, BlackMatter replaces ‘+’ with ‘x’, ‘/’ with ‘i’, and ‘=’ with ‘z’.\r\nFigure 13: Generating encrypted file extension.\r\nThe malware reuses this file extension in the ransom note name by prepending it to “.README.txt”.\r\nFigure 14: Generating ransom note filename.\r\nRetrieving Token To Impersonate With Process Injection\r\nBlackMatter attempts to retrieve and duplicate the token of an elevated process running on the system.
The malware later launches threads and has them impersonate the target process using this token.\r\nFirst, it checks if the current process is running as LocalSystem, a special account used by the operating system: it calls NtQueryInformationToken to query the token’s user information and checks if the first sub-authority of the process’s SID is SECURITY_LOCAL_SYSTEM_RID.\r\nFigure 15: Checking for LocalSystem.\r\nIf the process is running as LocalSystem, BlackMatter uses the current user’s token as its elevated token.\r\nIf not, the malware calls NtQuerySystemInformation to query information about the processes on the system. For each process entry, it checks if the process’s name is explorer.exe and retrieves its unique process ID.\r\nFigure 16: Retrieving Explorer’s process ID.\r\nNext, it calls NtOpenProcess with the process ID to get the process’s handle and retrieves the process’s token with NtOpenProcessToken.\r\nFinally, BlackMatter calls NtDuplicateToken to duplicate Explorer’s token.\r\nIf this fails but the current process’s token is a member of the administrators’ group in the built-in domain, BlackMatter pulls some process injection shenanigans to retrieve the token of a svchost.exe process.\r\nFirst, it uses the same trick as in Figure 16 to retrieve the process ID and handle of a svchost.exe process.\r\nFigure 17: Retrieving svchost.exe process ID and handle.\r\nNext, it checks if the svchost.exe process is running as a 64-bit process.\r\nIf it is 64-bit, the malware decrypts two different shellcodes in memory.
The raw shellcodes can be found here.\r\nAfter allocating memory in the svchost.exe process using NtAllocateVirtualMemory, BlackMatter writes the first shellcode into the memory region of the second shellcode before setting up and executing the second shellcode.\r\nFigure 18: Injecting 64-bit shellcodes into Svchost.\r\nAfter being injected, the second shellcode allocates virtual memory in the svchost process using NtAllocateVirtualMemory, writes the first shellcode into it using NtWriteVirtualMemory, and creates a new thread to execute the first shellcode using NtCreateThreadEx.\r\nFigure 19: Second shellcode launching first shellcode as Svchost.\r\nThe first shellcode calls WTSQueryUserToken to obtain the primary access token of the logged-on user and calls NtDuplicateObject to duplicate that token. This token is passed back to the main ransomware thread.\r\nFigure 20: First shellcode retrieving the primary access token of the logged-on user.\r\nIf the svchost process is running as a 32-bit process instead, the malware decrypts the third shellcode and manually creates a remote thread using CreateRemoteThread to launch it.
This shellcode is basically just the 32-bit version of the first shellcode.\r\nFigure 20: Launching the third shellcode.\r\nParsing Login Credentials\r\nIf ATTEMPT_LOGON_FLAG is true and LOGIN_CREDENTIALS are provided in the configuration, the malware parses that credential data before attempting authentication.\r\nThe LOGIN_CREDENTIALS field is a Base64-encoded and encrypted buffer of strings, and each credential string is in the form below.\r\n\u003cusername\u003e@\u003cdomain\u003e:password\r\nSince this v2 sample doesn’t have this field in its configuration, I just base the analysis on its code and others’ reports on BlackMatter v1.\r\nAfter decoding and decrypting the credentials, the malware iterates through each credential’s username and password and calls LogonUserW to log in to the local machine.\r\nIf the logon is successful, BlackMatter allocates heap buffers and stores the valid credential’s username, password, and domain name there for later use.\r\nFigure 22: Parsing credentials.\r\nNext, it calls NtQueryInformationToken to query the authentication token’s group information and checks if the token belongs to the DOMAIN_ADMINS group.\r\nFigure 23: Check if account is in domain admins.\r\nIf the token belongs to the DOMAIN_ADMINS group, the malware calls SHTestTokenMembership to check if the token has the DOMAIN_ALIAS_RID_ADMINS privilege.\r\nIf it does not have enough privilege, BlackMatter frees all the heap buffers storing the credential and does not use it later.\r\nFigure 24: Skip if credential doesn’t have proper privilege.\r\nCryptographic Keys Setup\r\nBlackMatter has multiple key buffers to use depending on the size 
of the file being encrypted.\r\nBelow is the layout of these buffers.\r\nstruct KeyBuffer {\r\n DWORD RSA_encrypted_ChaCha20_matrix_Checksum;\r\n BYTE RSA_encrypted_ChaCha20_matrix[128];\r\n BYTE ChaCha20_Matrix[124];\r\n};\r\nTo populate each of these, BlackMatter first randomly generates the ChaCha20 matrix.\r\nFigure 25: ChaCha20 matrix generation.\r\nFor BlackMatter v2, the matrix is 124 bytes (31 DWORDs) in length. The first 29 DWORDs in the buffer are randomly generated using the cpuid, rdrand, rdseed, and __rdtsc instructions. The 30th DWORD is the first 4 bytes of the RSA public key from the configuration, and the last DWORD contains 3 randomly generated bytes.\r\nThe raw matrix is copied to the last 124 bytes of the RSA_encrypted_ChaCha20_matrix buffer, and BlackMatter puts the encryption skipped size in the first DWORD of this buffer (0 if chunking is not enabled).\r\nThis buffer is then encrypted with the RSA public key from the configuration, and the malware writes the encrypted result to the RSA_encrypted_ChaCha20_matrix field.
It also generates the checksum of this encrypted buffer and writes it to the RSA_encrypted_ChaCha20_matrix_Checksum field.\r\nFigure 26: Key buffer generation.\r\nBlackMatter randomly generates 11 different key buffers that are used depending on the size of the file to be encrypted.\r\nBelow is the list of skipped sizes BlackMatter uses.\r\n0x0\r\n0x200000\r\n0x400000\r\n0x800000\r\n0x1000000\r\n0x2000000\r\n0x4000000\r\n0x8000000\r\n0x10000000\r\n0x20000000\r\n0x40000000\r\nFigure 27: Key buffer generation 2.\r\nSafe Mode Reboot\r\nIf the command-line argument -safe is provided and the process’s token belongs to DOMAIN_ALIAS_RID_ADMINS, BlackMatter attempts to force the system to reboot into safe mode in order to gain more privilege to execute itself.\r\nChecking Computer Name\r\nThe malware gets the computer name with GetComputerNameW and compares its hash with the list of hashes from the COMPUTERNAMES_TO_AVOID field in the configuration. If the hash is in the list, BlackMatter skips this operation.\r\nFigure 28: Checking computer name.\r\nAuto Logon Credential\r\nPrior to activating safe mode, BlackMatter retrieves proper user credentials to modify the Winlogon registry key.\r\nFirst, if ATTEMPT_LOGON_FLAG is true and the username, password, and domain name are properly parsed from the configuration, then the malware just uses those credentials.\r\nIf not, it calls NetUserEnum with a filter for normal accounts. BlackMatter iterates through the user information entries until it finds one with the user ID of 500, which is the ID for normal users.
If the account corresponding to this entry is disabled, the malware enables it manually by setting the flags in the user information entry.\r\nFigure 29: Enumerating for normal user account.\r\nNext, BlackMatter generates a new password for this account. The format of the password string is 3 random uppercase letters, 1 random character of ‘#’ or ‘\u0026’, 3 random digits, 1 random character of ‘#’ or ‘\u0026’, and 4 random lowercase letters.\r\nThe malware updates the user account entry with this new password and calls NetUserSetInfo to update the user account with the updated entry.\r\nFigure 30: Generating new password and updating account.\r\nNext, BlackMatter sets the following registry values.\r\n- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon: \"1\"\r\n- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultUserName: Account username\r\n- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultDomainName: Account domain name\r\n- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultPassword: Account password\r\nThis sets the default credentials to the account that BlackMatter has control over (with the password from the configuration or the newly generated password) and enables automatic admin logon upon reboot.\r\nIt also calls LsaStorePrivateData to store and protect the account’s password locally.\r\nFigure 31: Setting logon credentials and enabling auto admin logon.\r\nRunOnce Registry Persistence\r\nBlackMatter sets a value under the registry key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce to its own executable path to automatically launch itself upon reboot in safe mode.\r\nThe name of this value is randomly generated in the format of 3 random uppercase 
letters, 3 random digits, and 3 random lowercase letters.\r\nFigure 32: Persistence through registry.\r\nSafe Boot Command Execution\r\nPrior to executing commands to enable safe boot, BlackMatter performs the wallpaper setup documented in the Setting Ransom Wallpaper section below, without calling SystemParametersInfoW to change the wallpaper.\r\nIf the enable flag passed as a parameter is true, BlackMatter executes one of these commands with WinExec, based on the OS version, to enable safe mode reboot.\r\n- Below Windows Vista: bootcfg /raw /a /safeboot:network /id 1\r\n- Windows Vista and above: bcdedit /set {current} safeboot network\r\nIf the enable flag passed as a parameter is false, BlackMatter executes one of these commands with WinExec, based on the OS version, to disable safe mode reboot.\r\n- Below Windows Vista: bootcfg /raw /fastdetect /id 1\r\n- Windows Vista and above: bcdedit /deletevalue {current} safeboot\r\nFinally, it calls NtShutdownSystem to reboot the system.\r\nFigure 33: Configuring system to boot into Safe Mode.\r\nSetting Ransom Wallpaper\r\nIf the command-line argument -wall is provided, BlackMatter generates a Bitmap file and sets it as the wallpaper on the victim’s computer.\r\nFirst, using NtQuerySystemInformation, it queries all processes’ information on the system and terminates all Run Once Wrapper Utility processes with the image name runonce.exe using NtTerminateProcess.\r\nFigure 34: Terminating runonce.exe.\r\nNext, the malware calls GetShellWindow (if the OS is Windows Vista or above) or GetDesktopWindow to retrieve a handle to the desktop window.
It continues to do this until it gets a valid handle and the window is currently visible.\r\nFigure 35: Retrieving desktop window.\r\nFinally, BlackMatter sets up the wallpaper to display the ransom instruction.\r\nThe malware sets the following registry values.\r\n- HKLM\\SOFTWARE\\\u003cENCRYPTED_EXTENSION\u003e\\hScreen: Window screen height\r\n- HKLM\\SOFTWARE\\\u003cENCRYPTED_EXTENSION\u003e\\wScreen: Window screen width\r\nFigure 36: Setting window screen registry keys.\r\nNext, it creates a handle to the Times New Roman font and writes the ransom instruction using the font into a Bitmap.\r\nThe content of the ransom instruction is documented below.\r\nBlackMatter Ransomware encrypted all your files!\r\nTo get your data back and keep your privacy safe,\r\nyou must find \u003cRansom note filename\u003e file\r\nand follow the instructions!\r\nFigure 37: Generating ransom wallpaper.\r\nAfter creating the Bitmap in memory, the malware writes it to disk at the path below.\r\n\u003cspecial folder path\u003e/\u003cencrypted extension\u003e.bmp\r\nFigure 38: Writing bitmap content to disk.\r\nUsing the elevated token it has, BlackMatter retrieves the token’s process’s SID and creates the following registry key.\r\n- HKU\\\u003cProcess SID\u003e\\Control Panel\\Desktop\r\nIt sets the following registry values.\r\n- HKU\\\u003cProcess SID\u003e\\Control Panel\\Desktop\\WallPaper: Bitmap file path\r\n- HKU\\\u003cProcess SID\u003e\\Control Panel\\Desktop\\WallpaperStyle: \"10\"\r\nTo set the victim’s machine’s wallpaper to the generated Bitmap, BlackMatter calls 
SystemParametersInfoW to\r\nset SPI_SETDESKWALLPAPER to the Bitmap disk path if the enable flag from the function’s parameter is\r\ntrue.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 37 of 80\n\nFigure 39: Setting ransom wallpaper.\r\nRansom Note Printing\r\nWhen the command-line argument -wall is provided, BlackMatter also prints the ransom note using the system’s\r\ndefault printer.\r\nIf the PRINTER_PRINT_RANSOMNOTE_FLAG in the configuration is 1, the malware retrieves the current\r\ndirectory of the ransomware executable with GetCurrentDirectoryW and drops a ransom note file in there.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 38 of 80\n\nFigure 40: Function to drop ransom note file.\r\nThen, it calls GetDefaultPrinterW to retrieve the system’s default printer and calls ShellExecuteW to execute\r\nthe print command to print the ransom note.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 39 of 80\n\nFigure 41: Function to print ransom note file.\r\nRun-Once Mutex\r\nIf the CREATE_MUTEX_FLAG in the configuration is 1, the malware checks if there is another instance of\r\nitself running by checking if the mutex below already exists using CreateMutex.\r\n- Global\\\u003cMD4 hash of machine GUID\u003e\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 40 of 80\n\nFigure 42: Generating mutex name.\r\nIf there is another instance, the malware returns immediately and does not encrypt anything.\r\nFigure 43: Existing when mutex can’t be opened.\r\nIf there is no other instance running, BlackMatter keeps the mutex opened until it finishes encrypting to prevent\r\nany other instance of itself from running.\r\nWiping Recycle Bins\r\nPrior to file encryption, BlackMatter wipes the recycle bin folder of every drive on the system.\r\nFor each drive, the malware manually iterates through folders in the 
first layer of the drive and stops when it finds\r\nthe first folder with “recycle” in the name.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 41 of 80\n\nFigure 44: Finding Recycle Bin in drives.\r\nAfterward, it uses FindFirstFileEx and FindNextFileW to iterate through the Recycle Bin folder and looks for\r\nall folders that begins with “S-“. Once found, the folders and their contents are recursively deleted using\r\nDeleteFileW.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 42 of 80\n\nFigure 45: Wiping Recycle Bin.\r\nThis function to wipe Recycle Bin is called on every fixed and removable logical drives on the system.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 43 of 80\n\nFigure 46: Wiping all Recycle Bins.\r\nShadow Copies Deletion Through WMI\r\nThe malware calls CoCreateInstance to create an IWbemLocator object using the IID {DC12A687-737F-11CF-884D-00AA004B2E24} and CLSID {CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}.\r\nIt then calls CoCreateInstance to create an IWbemContext object using the CLSID {674B6698-EE92-11D0-\r\nAD71-00C04FD8FDFF}.\r\nIf the system architecture is x64, it calls the IWbemContext::SetValue function to set the value of\r\n“__ProviderArchitecture” to 64.\r\nBlackMatter calls the IWbemLocator::ConnectServer method to connect with the local ROOT\\CIMV2\r\nnamespace and obtain the pointer to an IWbemServices object.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 44 of 80\n\nFigure 47: Connecting to ROOT\\CIMV2 for IWbemServices Object.\r\nNext, it calls IWbemServices::ExecQuery to execute the WQL query below to get the\r\nIEnumWbemClassObject object for querying shadow copies.\r\nSELECT * FROM Win32_ShadowCopy\r\nThe malware calls IEnumWbemClassObject::Next to enumerate through all shadow copies on the system,\r\nIEnumWbemClassObject::Get to get the ID of each shadow 
copies, and IWbemServices::DeleteInstance to\r\ndelete them.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 45 of 80\n\nFigure 48: Deleting shadow copies through WMI.\r\nTerminating Services through Service Control Manager\r\nIf the STOP_SERVICES_AND_DELETE_FLAG field is set to true in the configuration, BlackMatter\r\nterminates and deletes all services whose name’s hash is in the SERVICES_TO_KILL list in the configuration.\r\nFirst, the malware calls OpenSCManagerW to get a service control manager handle for active services.\r\nIt then calls EnumServicesStatusExW to enumerate the name of all Win32 services. If the hash of the service\r\nname is in the list, the malware terminates it by calling ControlService to send the\r\nSERVICE_CONTROL_STOP control code to the service handle.\r\nThen, it calls DeleteService to completely delete the service.\r\nFigure 49: Enumerating and deleting services.\r\nTerminating Processes\r\nIf the TERMINATE_PROCESSES_FLAG field is set to true in the configuration, BlackMatter terminates all\r\nprocesses whose name’s hash is in the PROCESSES_TO_KILL list in the configuration.\r\nThe malware calls NtQuerySystemInformation to query and enumerate through all system’s processes.\r\nIf the hash of the process’s name is in the list, BlackMatter terminates it by calling NtOpenProcess using the\r\nprocess’s ID to retrieve the process handle and NtTerminateProcess to terminate it.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 46 of 80\n\nFigure 50: Terminating target processes.\r\nFile Encryption\r\nLike REvil and Darkside, BlackMatter uses multithreading with I/O completion port to communicate between a\r\nparent thread- (check and send files) and the child threads (encrypt files) to speed up encryption.\r\nMultithreading: Parent Thread\r\nIn BlackMatter multithreading setup, the parent thread is spawned after the child threads.\r\nThis parent thread 
function receives a parameter of a file/directory path. It first checks if this path is a directory or\r\nnot.\r\nIf the path is a directory, the malware escalates the parent thread’s base priority level to\r\nTHREAD_PRIORITY_HIGHEST.\r\nNext, it allocates memory for an array to store sub-directories inside of the target directory to encrypt.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 47 of 80\n\nFigure 51: Parent thread: Processing directory.\r\nThe parent thread proceeds to drop a ransom note in the target directory and begins enumerating through the\r\ndirectory using FindFirstFileExW and FindNextFileW.\r\nIt avoids all files and sub-directories with names ”.” and ”.” and with the attributes\r\nFILE_ATTRIBUTE_REPARSE_POINT and FILE_ATTRIBUTE_SYSTEM.\r\nFigure 52: Parent thread: Processing sub-files and sub-directories.\r\nIf BlackMatter finds a sub-directory, it checks if the hash of the name of the directory is in the\r\nFOLDER_HASHES_TO_AVOID list or if the name is “windows.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 48 of 80\n\nFigure 53: Parent thread: Checking directory names.\r\nBelow is the list of folder names whose hash is in FOLDER_HASHES_TO_AVOID.\r\nsystem volume information\r\nintel\r\n$windows.~ws\r\napplication data\r\n$recycle.bin\r\nmozilla\r\nprogram files (x86)\r\nprogram files\r\n$windows.~bt\r\npublic\r\nmsocache\r\nwindows\r\ndefault\r\nall users\r\ntor browser\r\nprogramdata\r\nboot\r\nconfig.msi\r\ngoogle\r\nperflogs\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 49 of 80\n\nappdata\r\nwindows.old\r\nIf the sub-directory is valid to encrypt, BlackMatter adds it to the back of the directory array.\r\nAfter finish enumerating the target directory, BlackMatter walks through the directory array and enumerates the\r\ndirectories listed in there. 
This allows multilayered traversal through directories without using recursion, which\r\nsignificantly improves performance by eliminating the stack overhead from recursive calls.\r\nFigure 54: Parent Thread: Multilayered directory traversal.\r\nIf it finds a file, the filename is checked against the FILE_HASHES_TO_AVOID list and the file extension is\r\nchecked against the EXTENSION_HASHES_TO_AVOID list.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 50 of 80\n\nFigure 55: Parent Thread: Checking filenames and extensions.\r\nBelow is the list of filenames whose hash is in the FILE_HASHES_TO_AVOID list.\r\ndesktop.ini\r\nautorun.inf\r\nntldr\r\nbootsect.bak\r\nthumbs.db\r\nboot.ini\r\nntuser.dat\r\niconcache.db\r\nbootfont.bin\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 51 of 80\n\nntuser.ini\r\nntuser.dat.log\r\nBelow is the list of extensions whose hash is in the EXTENSION_HASHES_TO_AVOID list.\r\nthemepack\r\nnls\r\ndiagpkg\r\nmsi\r\nlnk\r\nexe\r\ncab\r\nscr\r\nbat\r\ndrv\r\nrtp\r\nmsp\r\nprf\r\nmsc\r\nico\r\nkey\r\nocx\r\ndiagcab\r\ndiagcfg\r\npdb\r\nwpx\r\nhlp\r\nicns\r\nrom\r\ndll\r\nmsstyles\r\nmod\r\nps1\r\nics\r\nhta\r\nbin\r\ncmd\r\nani\r\n386\r\nlock\r\ncur\r\nidx\r\nsys\r\ncom\r\ndeskthemepack\r\nshs\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 52 of 80\n\nldf\r\ntheme\r\nmpa\r\nnomedia\r\nspl\r\ncpl\r\nadv\r\nicl\r\nmsu\r\nIf the file passes these checks, the parent thread will send it to the child threads to be encrypted.\r\nIf the file is a link with .lnk extension, BlackMatter manually resolves the link to get the full path to the file\r\nbefore encrypting it.\r\nFirst, using the LinkCLSID of {00021401-0000-0000-C000-000000000046} and the IShellLinkW RIID of\r\n{000214F9-0000-0000-C000-000000000046}, the malware retrieves an IShellLinkW interface.\r\nUsing the QueryInterface function of the IShellLinkW interface with 
the IPersistFile RIID {0000010b-0000-\r\n0000-C000-000000000046}, the malware retrieves the IPersistFile interface.\r\nIt calls the IPersistFile-\u003eLoad function to load the link file to read.\r\nAfter loading, BlackMatter calls IShellLinkW-\u003eGetPath to retrieves the full file path from the link.\r\nFigure 56: Resolving full path from link.\r\nMultithreading: Parent Thread Communication\r\nFile Owner Termination\r\nBefore sending a file to child threads to be encrypted, the parent thread terminates all processes/services that are\r\ncurrently accessing the file using the Windows Restart Manager.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 53 of 80\n\nBlackMatter first calls RmStartSession to start a new Restart Manager session, RmRegisterResources to\r\nregister the target file with the Restart Manager as a resource, and RmGetList to get a list of all applications and\r\nservices that are currently using it.\r\nFigure 57: Parent thread: Registering file with Restart Manager.\r\nIt iterates through the list of processes and services and terminates all whose application type is not RmCritical\r\nand RmExplorer\r\nFigure 58: Parent thread: Iterating and terminating file owners.\r\nTo terminate a service, BlackMatter calls OpenSCManagerW to establishes a connection to the service control\r\nmanager, OpenServiceW to obtain a handle to the target service, ControlService to send the control stop code to\r\nthe service to stop it, and DeleteService to delete it.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 54 of 80\n\nFigure 59: Service deletion.\r\nTo terminate a process, BlackMatter calls NtOpenProcess to obtain a handle to the target process and\r\nNtTerminateProcess to terminate it.\r\nFigure 60: Process termination.\r\nCheck If File Is Already Encrypted\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 55 of 80\n\nAt the end of the 
encryption, the RSA_encrypted_ChaCha20_matrix_Checksum and\r\nRSA_encrypted_ChaCha20_matrix fields in the KeyBuffer structure from Cryptographic Keys Setup are\r\nappended to the file footer.\r\nWhen BlackMatter needs to check if a file is encrypted, it extracts the memory buffer where the\r\nRSA_encrypted_ChaCha20_matrix field is supposed to be, generates its checksum, and compares it to the value\r\nat where the RSA_encrypted_ChaCha20_matrix_Checksum field is supposed to be.\r\nFigure 61: Check if file is already encrypted.\r\nChecking Large File\r\nA feature to process large files is added to BlackMatter v2.0.\r\nWhen the ENCRYPT_LARGE_FILE_FLAG is true in the configuration, the malware checks if the file is a\r\nlarge file through its extension.\r\nIf the file’s extension is in the list below, then the file is classified as large.\r\nmdf\r\nndf\r\nedb\r\nmdb\r\naccdb\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 56 of 80\n\nThe lengths of these are quite short and predictable, so I just bruteforce them with a Python script.\r\nFigure 62: Check if file is large.\r\nThread Shared Structure\r\nPrior to populating the shared structure between parent and child threads, the malware appends the encrypted\r\nextension to the file path and calls MoveFileExW to move the original file’s content to this new filename.\r\nIn the case where the new filename already exists, the malware manually adds -[number] to the filename before\r\nthe extension where number is incremented from 0 until the filename does not exist in the folder.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 57 of 80\n\nFigure 63: Create file with encrypted extension.\r\nThe shared structure is used by threads to communicate with each other.\r\nBelow is my rough recreation of this structure based on the offset of the fields.\r\nstruct BlackmatterFileStruct\r\n{\r\n LONGLONG errorCode;\r\n DWORD originalfilePointerLow;\r\n 
DWORD originalfilePointerHigh;\r\n int padding;\r\n DWORD filePointerLow;\r\n DWORD filePointerHigh;\r\n DWORD skippedBytesLow;\r\n DWORD skippedBytesHigh;\r\n HANDLE fileHandle;\r\n DWORD threadCurrentState;\r\n BYTE rawChaCha20Matrix[124];\r\n DWORD fileSize;\r\n BYTE padding2[368];\r\n BYTE fileFooter[132];\r\n DWORD *bytesToRead;\r\n BYTE *bufferToReadData;\r\n};\r\nFirst, the parent thread checks the file size to populate the bytesToRead field. If the file size is 0x100000 bytes or\r\nmore, the bytesToRead value is maxed out at 0x100000. This means file data is read and encrypted in 0x100000-\r\nbyte chunks.\r\nFigure 64: Setting encrypting size.\r\nBlackMatter then populates the rawChaCha20Matrix and fileFooter field with the buffers generated in\r\nCryptographic Keys Setup.\r\nEach of these buffers is dedicated to a specific skipped size between chunks.\r\nBelow is the conversion between the file size the skipped size between chunks.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 58 of 80\n\nFile Type File Size Skipped Size\r\nSmall Any size 0 byte\r\nLarge Less than 0x8000000 bytes 0x200000 bytes\r\nLarge Between 0x8000000 and 0x20000000 - 1 bytes 0x400000 bytes\r\nLarge Between 0x20000000 and 0x80000000 - 1 bytes 0x800000 bytes\r\nLarge Between 0x80000000 and 0x200000000 - 1 bytes 0x1000000 bytes\r\nLarge Between 0x200000000 and 0x800000000 - 1 bytes 0x2000000 bytes\r\nLarge Between 0x800000000 and 0x2000000000 - 1 bytes 0x4000000 bytes\r\nLarge Between 0x2000000000 and 0x8000000000 - 1 bytes 0x8000000 bytes\r\nLarge Between 0x8000000000 and 0x20000000000 - 1 bytes 0x10000000 bytes\r\nLarge Between 0x20000000000 and 0x80000000000 - 1 bytes 0x20000000 bytes\r\nLarge Equal or greater than 0x80000000000 0x40000000 bytes\r\nFrom looking up the size of the file on the table above, BlackMatter chooses the appropriate ChaCha20 matrix\r\nused to encrypt 
files.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 59 of 80\n\nFigure 65: Populating Encryption Fields In Shared Structure.\r\nFinally, the parent thread registers the target file handle with the global I/O completion port using\r\nCreateIoCompletionPort, sets the fileHandle field in the structure to the file handle and the\r\nthreadCurrentState field to the initial state, and sends the shared structure to child threads using\r\nPostQueuedCompletionStatus to begin encryption.\r\nFigure 66: Sending shared structure to child threads.\r\nMultithreading: Child Threads Encryption\r\nChild threads communicate with each other and the main thread using GetQueuedCompletionStatus and\r\nPostQueuedCompletionStatus.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 60 of 80\n\nEach thread constantly polls for an I/O completion packet from the global I/O completion port. The packet\r\nreceived from GetQueuedCompletionStatus contains an file’s BlackmatterFileStruct structure to be processed.\r\nFigure 67: Sending shared structure to child threads.\r\nThe encryption process is divided into four states. The file’s current state is recorded in the threadCurrentState\r\nof the shared structure.\r\nI. State 0: Reading File\r\nThe first state reads a number of bytes specified by the bytesToRead field into the buffer at the\r\nbufferToReadData field using ReadFile.\r\nIf ReadFile throws the error ERROR_IO_PENDING, the malware enters an infinite loop of sleeping for 100ms\r\nand calling ReadFile until it succeeds.\r\nIf ReadFile throws the error ERROR_HANDLE_EOF, the malware sets the encryption state to 2, else the\r\nencryption state is set to 1.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 61 of 80\n\nFigure 68: State 0: Reading file.\r\nII. State 1. 
Encrypt and Write File\r\nThe second state encrypts the buffer at the bufferToReadData field using its modified ChaCha20\r\nimplementation.\r\nAfter the encryption, the malware calls WriteFile to write the encrypted data back into the file.\r\nIf ReadFile throws the error ERROR_IO_PENDING, the malware enters an infinite loop of sleeping for 100ms\r\nand calling WriteFile until it succeeds.\r\nIf the skipped size is not zero, BlackMatter moves the file pointer ahead to the next chunk by adding that skipped\r\nsize to the current pointer.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 62 of 80\n\nFigure 69: State 1: Encrypting and writing file.\r\nIf the skipped size is zero, the malware stops encrypting after the first 0x100000 bytes and moves to state 2.\r\nBlackMatter Custom ChaCha20\r\nI want to discuss a bit about the customized ChaCha20 implementation of BlackMatter, instead of just glancing\r\nover it and calling it “customized”.\r\nFull credit of this section goes to Michael Gillespie for figuring out this crypto implementation and helping me\r\nunderstand it!\r\nIt seems like the implementation of BlackMatter v2 is the modified version of CryptoPP’s ChaCha20\r\nimplementation that can be found here.\r\nUnlike a lot of ChaCha implementation, this one utilizes the __m128i type to store the states in xmm regiters.\r\nDespite allocating 124 bytes for the “matrix”, BlackMater only uses the first 64 bytes and turns it into a 128-byte\r\nstate by mirroring the first 64 bytes with the last 64 bytes.\r\nAfter performing 20 rounds of flipping and rotating using that state, the malware generates a 128-byte stream to\r\nencrypt the data coming in.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 63 of 80\n\nFigure 69: Custom ChaCha20 implementation.\r\nThis state is executed only when the file encryption is 
complete.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 64 of 80\n\nFigure 70: State 2: Write file footer.\r\nThe malware calls WriteFile to write the 132-byte buffer from the fileFooter field in the shared structure to the\r\nend of the file.\r\nThis buffer contains the RSA_encrypted_ChaCha20_matrix_Checksum and the\r\nRSA_encrypted_ChaCha20_matrix fields in the structure from Cryptographic Keys Setup, which are used to\r\ncheck if a file is encrypted and to decrypt it.\r\nAfter this state, the malware moves to state 3.\r\nIV. State 3. Clean Up\r\nThis is the last state in the file encryption process.\r\nIn this state, BlackMatter calls NtClose to close the file handle, calls RtlFreeHeap to free the shared structure\r\nbuffer from memory, and increments the global TOTAL_NUM_FILE_ENCRYPTED value.\r\nhttps://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/\r\nPage 65 of 80\n\nFigure 71: State 3: Clean up.\r\nChild Thread Communication\r\nIn BlackMatter’s multithreading setup, each child thread only handles one state in the encryption process.\r\nAfter each state (beside the final state), the malware calls PostQueuedCompletionStatus to post the shared\r\nstructure to the global I/O completion port with the updated encryption state. 
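The four states above, together with the 0x100000-byte chunk and the skip-size table from Thread Shared Structure, determine exactly which bytes of a file BlackMatter overwrites. The Python below is an added example, not code from the original post or from the malware itself: it models that read, write, jump walk so that you can see how much of a large database file is actually touched and which offsets survive intact. Two details the post does not pin down are marked as assumptions in the comments: that the jump is counted from the end of the chunk just written, and that a short final read before EOF is still encrypted.

```python
# Added example, not BlackMatter code: model the chunk-and-skip read/write
# walk described in States 0 and 1 to see which byte ranges of a file are
# actually overwritten. Sizes come from the post; two details the post does
# not pin down are marked as assumptions below.

CHUNK = 0x100000  # bytesToRead is capped at 0x100000 (1 MiB) per chunk

# Skip-size table for files classified as large (see Thread Shared
# Structure): (exclusive upper bound on file size, skip size).
LARGE_SKIP_TABLE = [
    (0x8000000, 0x200000),
    (0x20000000, 0x400000),
    (0x80000000, 0x800000),
    (0x200000000, 0x1000000),
    (0x800000000, 0x2000000),
    (0x2000000000, 0x4000000),
    (0x8000000000, 0x8000000),
    (0x20000000000, 0x10000000),
    (0x80000000000, 0x20000000),
]
LAST_SKIP = 0x40000000  # files of 0x80000000000 bytes or more

# Extensions that make a file 'large' when ENCRYPT_LARGE_FILE_FLAG is set.
LARGE_EXTENSIONS = {'mdf', 'ndf', 'edb', 'mdb', 'accdb'}


def is_large(filename, encrypt_large_flag=True):
    # Classification is by extension only, and only if the flag is on.
    if not encrypt_large_flag or '.' not in filename:
        return False
    return filename.rsplit('.', 1)[1].lower() in LARGE_EXTENSIONS


def skip_size(file_size, large):
    # Small files always use a skip of 0.
    if not large:
        return 0
    for upper_bound, skip in LARGE_SKIP_TABLE:
        if file_size < upper_bound:
            return skip
    return LAST_SKIP


def encrypted_ranges(file_size, large):
    # Half-open (start, end) byte ranges the encryptor rewrites.
    # Skip 0: one chunk, then straight to State 2 (footer).
    # Skip > 0: chunk, jump, chunk, ... until the read hits EOF.
    # Assumption 1: the jump is counted from the end of the chunk just
    # written, i.e. the next chunk starts at end + skip.
    # Assumption 2: a short final read (less than CHUNK bytes left) is
    # still encrypted; the post does not say either way.
    skip = skip_size(file_size, large)
    ranges = []
    pos = 0
    while pos < file_size:
        end = min(pos + CHUNK, file_size)
        ranges.append((pos, end))
        if skip == 0:
            break
        pos = end + skip
    return ranges


def encrypted_fraction(file_size, large):
    # Share of the file that is actually overwritten.
    if file_size == 0:
        return 0.0
    touched = sum(end - start for start, end in encrypted_ranges(file_size, large))
    return touched / file_size


if __name__ == '__main__':
    # Constructed sample sizes: a 3 MiB docx and a 200 GiB SQL Server mdf.
    for name, size in (('report.docx', 3 * 0x100000), ('sales.mdf', 200 * 2**30)):
        large = is_large(name)
        print(name, hex(skip_size(size, large)), len(encrypted_ranges(size, large)),
              round(100 * encrypted_fraction(size, large), 2))
```

For the constructed 200 GiB mdf the table gives a skip of 0x8000000 bytes (128 MiB) per 1 MiB chunk, so under 1% of the file is rewritten; for any small file only the first 1 MiB is touched regardless of size. That is what makes the scheme fast, and it is worth knowing when triaging what may still be recoverable from a hit file.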
Whichever child thread dequeues the re-posted packet next processes the new state before posting it forward again, so the four states of a single file are typically handled by different threads.\r\nFigure 72: Child thread communication.\r\n
Exchange Mailbox Traversal\r\nIf the MOUNT_VOL_AND_ENCRYPT_FLAG in the configuration is set to true, BlackMatter encrypts the mailbox directory of a local Exchange installation.\r\nFirst, it calls GetEnvironmentVariableW to retrieve the Exchange installation path.\r\nFigure 73: Retrieving Exchange installation path.\r\nAfter retrieving the path, the malware checks that it is under the Program Files directory (a 64-bit Exchange installation) and appends /Mailbox to the path.\r\nFigure 74: Building full Exchange mailbox path.\r\nFinally, BlackMatter spawns threads to encrypt this path using the encryption scheme described above.\r\nFigure 75: Traversing and encrypting Exchange mailbox path.\r\n
Logical Drives Traversal\r\nIf the MOUNT_VOL_AND_ENCRYPT_FLAG in the configuration is set to true, BlackMatter mounts and encrypts all logical drives.\r\nFirst, the malware enumerates all volumes on the computer using FindFirstVolumeW and FindNextVolumeW. It calls GetVolumePathNamesForVolumeNameW to retrieve the path of each volume and processes the drive at that path.\r\nFigure 76: Volume enumeration.\r\nIt only processes and encrypts drives of type DRIVE_FIXED or DRIVE_REMOVABLE.\r\nIf the current OS is Windows 7 or above, the malware calls DeviceIoControl to get the partition information of the target drive.\r\nIf the drive’s partition style is PARTITION_STYLE_GPT, BlackMatter performs some checks on the partition type data and then calls SetVolumeMountPointW to mount it.\r\nIf the partition style is PARTITION_STYLE_MBR, BlackMatter calls SetVolumeMountPointW to mount it directly.\r\nMounting volumes this way is what lets it reach partitions that have no drive letter and would be invisible to a plain drive-letter walk.\r\nFigure 77: Mounting drives.\r\nIf the current OS is earlier than Windows 7, the malware appends /bootmgr to the end of the drive path and calls SetVolumeMountPointW to mount it.\r\nFigure 78: Mounting bootmgr.\r\nNext, BlackMatter calls GetLogicalDriveStringsW to get the list of all logical drives on the system.\r\nFor each of these drives that is DRIVE_REMOTE, DRIVE_FIXED or DRIVE_REMOVABLE, the malware spawns threads to encrypt the path using the encryption scheme described above.\r\nIf the drive type is DRIVE_REMOTE, the parent thread first impersonates the token obtained earlier before touching the path.\r\nFigure 79: Traversing and encrypting logical drives.\r\n
Network Shares Traversal\r\nIf the NETWORK_ENCRYPT_FLAG in the configuration is set to true, BlackMatter encrypts all reachable network shares.\r\nFirst, it retrieves the list of all DNS hostnames on the network through the domain controllers.\r\nBlackMatter calls DsGetDcNameW to obtain the domain controller information and DsGetDcOpenW to open a new domain controller enumeration.\r\nFigure 80: Open domain controller enumeration operation.\r\nBy calling DsGetDcNextW, the malware enumerates all domain controllers on the network and adds each to an array.\r\nFigure 81: Enumerating domain controllers.\r\nNext, for each domain controller, BlackMatter calls ADsOpenObject(“LDAP://rootDSE”, 0, 0, 1u, “{FD8256D0-FD15-11CE-ABC4-02608C9E7553}”, \u0026IADs_object) to retrieve the IADs COM interface (the flag value 1 is ADS_SECURE_AUTHENTICATION, so the bind uses the current logon credentials).\r\nUsing the Get function of the IADs interface, it reads the default naming context of the domain.\r\nFigure 82: Get domain default naming context.\r\nWith the default naming context, BlackMatter builds the string “LDAP://CN=Computers,[default naming context]” and calls ADsOpenObject to retrieve an IADsContainer interface.\r\nUsing that interface, it calls ADsBuildEnumerator to create an enumerator for the container and then ADsEnumerateNext to walk every computer object and collect its DNS hostname.\r\nOnly the default Computers container is enumerated, so machines that have been moved to other OUs are not discovered this way.\r\nFigure 83: Enumerating DNS hostnames.\r\nWith the list of DNS hostnames, the malware calls NetShareEnum on each host to enumerate its shares.\r\nOnly shares flagged STYPE_SPECIAL (the administrative shares such as C$, D$, ADMIN$ and IPC$) are kept; any other share is skipped and not added to the list of shares to encrypt.\r\nFigure 84: Checking network share type.\r\nIf the share is special, the malware performs an additional check and skips it if the share name is “admin$” or “$c”.\r\nFigure 85: Checking network name.\r\nFinally, BlackMatter fixes up the network paths and spawns threads to encrypt them using the encryption scheme described above.\r\nFigure 86: Traversing and encrypting network share.\r\n
Network Communication\r\nIf the SEND_DATA_TO_SERVER_FLAG in the configuration is set to true, BlackMatter sends data to the remote servers twice: once before encryption and once after it.\r\nBefore encryption, the malware sends information about the victim’s machine to the servers.\r\nIt extracts information about the host and the disks on the system and builds the string using the format below.\r\n{\r\n \"bot_version\":\"%s\",\r\n \"bot_id\":\"%s\",\r\n \"bot_company\":\"%.8x%.8x%.8x%.8x%\",\r\n \"host_hostname\":\"%s\",\r\n \"host_user\":\"%s\",\r\n \"host_os\":\"%s\",\r\n \"host_domain\":\"%s\",\r\n \"host_arch\":\"%s\",\r\n \"host_lang\":\"%s\",\r\n \"disks_info\":[\r\n {\r\n \"disk_name\":\"%s\", // for each disk\r\n \"disk_size\":\"%u\",\r\n \"free_size\":\"%u\"\r\n }\r\n ]\r\n}\r\nBelow is an example of the payload generated on my VM.\r\n{\r\n \"bot_version\":\"2.0\",\r\n \"bot_id\":\"e6175d544e3816664c0c6297cf8bcb18\",\r\n \"bot_company\":\"00000000000000000000000000000000\",\r\n \"host_hostname\":\"MSEDGEWIN10\",\r\n \"host_user\":\"IEUser\",\r\n \"host_os\":\"Windows 10 Enterprise Evaluation\",\r\n \"host_domain\":\"WORKGROUP\",\r\n \"host_arch\":\"x64\",\r\n \"host_lang\":\"en-US\",\r\n \"disks_info\":[\r\n {\r\n \"disk_name\":\"C\",\r\n \"disk_size\":\"40957\",\r\n \"free_size\":\"17290\"\r\n },\r\n {\r\n \"disk_name\":\"Z\",\r\n \"disk_size\":\"487290\",\r\n \"free_size\":\"304117\"\r\n }\r\n ]\r\n}\r\nFigure 87: Host format string.\r\nThis buffer is encrypted and sent to the remote servers listed in the REMOTE_SERVER_URLS field of the configuration.\r\nAfter file encryption, the malware sends encryption statistics to the servers.\r\nThe statistics are built into a string using the format below.\r\n{\r\n \"bot_version\":\"%s\",\r\n \"bot_id\":\"%s\",\r\n \"bot_company\":\"%.8x%.8x%.8x%.8x%\",\r\n \"stat_all_files\":\"%u\",\r\n \"stat_not_encrypted\":\"%u\",\r\n \"stat_size\":\"%s\",\r\n \"execution_time\":\"%u\",\r\n \"start_time\":\"%u\",\r\n \"stop_time\":\"%u\"\r\n}\r\nFigure 88: Encryption stats format string.\r\nBefore sending this data to the remote servers, BlackMatter encrypts it with the AES key from the configuration and Base64-encodes the result.\r\nFigure 89: Data encryption and encoding.\r\nNext, it randomly generates the HTTP object names and POST request data.\r\nBlackMatter uses the following user agent.\r\nAppleWebKit/587.38 (KHTML, like Gecko)\r\nThis truncated user agent, with no Mozilla/5.0 prefix, is a usable network indicator on its own.\r\nIt also decrypts and uses these POST request headers.\r\nAccept: */*\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate, br\r\nContent-Type: text/plain\r\nFinally, the malware uses the usual WinINet calls: InternetOpenW to obtain an internet handle, InternetConnectW to obtain a connection handle to the target server, HttpOpenRequestW to open a POST request, and HttpSendRequestW to send the encrypted data.\r\nFigure 90: Sending data to remote servers.\r\n
Weird Threading Stuff\r\nI want to dedicate a section to this because it annoys the hell out of me.\r\nIt seems like BlackMatter loves to use this one trick of spawning a single thread to execute a single WinAPI call.\r\nFigure 91: Single threading with extra steps.\r\nI must admit that this does work, and I can definitely see the reason behind this. The malware wants to make API calls while impersonating a different process, using the token it gets in Retrieving Token To Impersonate With Process Injection, to be stealthier.\r\nSo why am I annoyed? It’s just really extra.\r\nThis whole part of the code can be reduced to a single GetUserNameW call, which is why it is so inefficient.\r\nMoreover, they have a ransomware that encrypts a system in less than a minute. Trying to be stealthy when calling things like GetUserNameW and GetDriveTypeW might just be overkill.\r\nOr maybe this method is fine and I’m just grumpy because this ransomware takes so damn long to fully analyze lmao.\r\n
References\r\nhttps://github.com/weidai11/cryptopp/blob/bc7d1bafa1e8ac732396374f0bca94ab9f396f1c/chacha_simd.cpp#L569\r\nhttps://github.com/sisoma2/malware_analysis/tree/master/blackmatter\r\nhttps://github.com/advanced-threat-research/DarkSide-Config-Extract\r\nhttps://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf\r\nhttps://www.installsetupconfig.com/win32programming/networkmanagementapis16_41.html\r\nhttps://www.youtube.com/watch?v=R4xJou6JsIE\r\nhttps://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html\r\nSource: https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/"
	],
	"report_names": [
		"BlackMatterRansomware"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434391,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb9c51bff67279640afc7f0cbb80742308abb787.pdf",
		"text": "https://archive.orkl.eu/fb9c51bff67279640afc7f0cbb80742308abb787.txt",
		"img": "https://archive.orkl.eu/fb9c51bff67279640afc7f0cbb80742308abb787.jpg"
	}
}