
ESETFilecoderQCleaner.exe


safety


Tell me, please, can I use the /a option to define the decryption key for several encrypted files?

Quote

[2017.09.16 17:05:41.495] - Usage:
[2017.09.16 17:05:41.495] - ESETFilecoderQCleaner.exe [options] <filename(s) or directory name(s)>
[2017.09.16 17:05:41.495] -
[2017.09.16 17:05:41.495] - Options:
[2017.09.16 17:05:41.495] -   /s - Silent mode.
[2017.09.16 17:05:41.495] -   /f - Forced clean.
[2017.09.16 17:05:41.495] -   /d - Debug mode.
[2017.09.16 17:05:41.495] -   /n - Only list files for cleaning (don't clean).
[2017.09.16 17:05:41.495] -   /h or /? - Show usage.
[2017.09.16 17:05:41.510] -
[2017.09.16 17:05:41.510] -   /a - detect key for encrypting; put some encoded files (best doc(x) or xls(x) files) in one directory; start with *'s keys
[2017.09.16 17:05:41.510] -   /b - use external keyfile "decoder.keys"
[2017.09.16 17:05:41.510] -   /k [num] - use key

How do I use this option correctly, and what information can I get with it?

If possible, please show a specific example.


On 16.09.2017 at 11:39 PM, Marcos said:

Please contact samples[at]eset.com and provide:

- examples of encrypted Office documents
- payment info
- ELC logs

Dear Marcos,

I know that Virlab can calculate the key for several encrypted (office) documents. :) And I once asked for help with the decryption of files after Xorist / Filecoder.Q.

I'm wondering if it's possible to calculate the decryption key yourself with the FilecoderQCleaner utility using the "/a" option?


In the log we see that the decoder is running in key detection mode, but it does not explicitly find the key, and therefore decryption of the files that are added to the test folder is impossible.

 

[2017.09.21 15:01:55.705] - INFO: Init: CleanerMode(DetectKeys)
[2017.09.21 15:01:55.707] - INFO: Init: Generating test vectors...
[2017.09.21 15:01:55.997] - INFO: Looking for infected files...
[2017.09.21 15:01:55.997] - --------------------------------------------------------------------------------
[2017.09.21 15:01:55.997] -
[2017.09.21 15:01:56.037] - --------------------------------------------------------------------------------
[2017.09.21 15:01:56.040] - INFO: 6 infected files found.
[2017.09.21 15:01:56.043] - INFO: 0 file(s) cleaned.
[2017.09.21 15:02:03.992] - End
