Skip to content

CERT-W/Volatility-notpetyakeys

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
notpetya.py
notpetya.py
 
 

Repository files navigation

Volatility-notpetyakeys

This Volatility plugin is used to search for AES key withing a memory snapshot of an infected host on which NotPetya is running.

INSTALL

Put the notpetya.py file in the volatility/plugins/malware/ directory. Plugin should appear under notpetyakeys when running vol.py --info.

Dependencies

This plugin depends on yara.

Usage

vol.py -f mem --profile=<profile> notpetyakeys

Output

Output is every AES key used by NotPetya (on per fixed drive). It is not possible for now to identify which key is associated to which device.

Decryption

openssl aes-128-cbc -d -K <key> -nosalt -iv 0 -in <encrypted_file> -out <clear_file>

Misc

(c) Wavestone 2017

Thanks to @gentilkiwi and @th3m4ks

About

No description, website, or topics provided.

Resources

Readme

License

GPL-2.0 license
Activity

Stars

11 stars

Watchers

2 watching

Forks

7 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages