How To Extract Cryptocurrency Addresses & Indicators Of Compromise From Binaries Using RansomCoin Tool

by 1337pwn Staff

In this tutorial, we will illustrate how to use a digital forensic tool called RansomCoin to extract cryptocurrency addresses and additional indicators of compromise (IoCs) from binaries.

The tool is designed to be quick and easy to deploy, with low false positives for cryptocurrency addresses. Expect a small number of false positives for emails, URLs, domains, and onion addresses, so treat hits in those four categories as leads to be confirmed rather than as confirmed indicators.

The tool can test for the following (the label in parentheses is the type tag written to the CSV output, which is what the grep commands later in this tutorial filter on):

  • Bitcoin addresses (BTC)
  • Bitcoin Cash addresses (BCH)
  • Monero addresses (XMR)
  • Bitcoin private keys
  • Ethereum addresses (ETH)
  • Ripple addresses (XRP)
  • Litecoin addresses (LTC)
  • Dogecoin addresses (DOGE)
  • NEO addresses (NEO)
  • Dash addresses (DASH)
  • Domains (Address)
  • Email addresses (Email)
  • Onion addresses (Address)
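
The following Python script is an added example written for this tutorial; it is not code from the RansomCoin tool or from the page author. It shows the approach behind the "low false positives for cryptocurrency addresses" claim: regexes find candidates in the printable strings of a binary (both narrow ASCII and the UTF-16LE wide strings common in Windows binaries), and a Bitcoin candidate is kept only if its Base58Check checksum (first four bytes of a double SHA-256) verifies, a check that pattern-only categories such as email and onion addresses cannot offer. The regexes, function names, labels and the sample "binary" are all constructed for the example; the one real address used is the public Bitcoin genesis-block address. The ETH pattern is regex-only here because EIP-55 checksums need Keccak-256, which is not in hashlib.

```python
# Added example; not code from RansomCoin or the page. It shows why a scanner can
# keep cryptocurrency false positives low: Bitcoin candidates are found by regex
# and then kept only if their Base58Check checksum verifies, while email, ETH and
# onion hits are pattern-only. All names, regexes and sample data are constructed.
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate patterns applied to each extracted string (labels are this example's own).
PATTERNS = {
    "BTC": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),   # legacy P2PKH / P2SH
    "ETH": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),                  # regex only; EIP-55 needs Keccak
    "Email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "Onion": re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b"),  # v3 (56) or v2 (16)
}


def strings(data: bytes, min_len: int = 4):
    """Yield printable runs from a blob: narrow ASCII and UTF-16LE (Windows wide strings)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16le")


def b58check_decode(s: str):
    """Return version+hash160 (21 bytes) if s is valid 25-byte Base58Check, else None."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + body  # each leading '1' is a zero byte
    if len(raw) != 25:  # version(1) + hash160(20) + checksum(4)
        return None
    payload, checksum = raw[:21], raw[21:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def is_btc_address(s: str) -> bool:
    """True only for a checksum-valid mainnet P2PKH (0x00) or P2SH (0x05) address."""
    payload = b58check_decode(s)
    return payload is not None and payload[0] in (0x00, 0x05)


def scan(data: bytes):
    """Return sorted, de-duplicated (label, value) pairs; BTC hits must pass the checksum."""
    found = set()
    for s in strings(data):
        for label, rx in PATTERNS.items():
            for cand in rx.findall(s):
                if label == "BTC" and not is_btc_address(cand):
                    continue  # looks like an address, but the checksum fails: dropped
                found.add((label, cand))
    return sorted(found)


# Constructed sample "binary": header junk, a ransom note as a narrow string, the
# contact address as a UTF-16LE wide string, plus onion- and ETH-shaped strings.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # real, public genesis-block address
BOGUS = "1A1zP1eP5QGefi2DMPXfTL5SLmv7DivfNa"    # same shape, one character changed
ONION = "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion"  # made up
ETH = "0x" + "ab" * 20  # made up, never checksummed here
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"Send 0.5 BTC to " + GENESIS.encode() + b" or " + BOGUS.encode() + b"\x00\x00"
    + "contact decrypt@example.com".encode("utf-16le") + b"\x00\x00"
    + b"portal: " + ONION.encode() + b"\x00"
    + ETH.encode() + b"\x00"
)

if __name__ == "__main__":
    for label, value in scan(SAMPLE):
        print(f"{label},{value}")
```

Running the script prints four rows: the genesis address, the ETH-shaped string, the email and the onion name. The look-alike address is matched by the regex but dropped by the checksum, which is exactly the kind of false positive a pure string or regex scan would report. To use it on a real sample, replace SAMPLE with the bytes read from the file (open(path, "rb").read()) and keep the sample on an isolated analysis host.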

1. Installing RansomCoin Forensic Tool

To install the RansomCoin forensic tool, clone its public repository by entering the following command into a terminal window:

root@1337pwn:~# git clone https://github.com/Concinnity-Risks/RansomCoinPublic.git

2. Go To The “Tools” Folder Of “RansomCoinPublic” Directory

Change into the “Tools” directory of “RansomCoinPublic” by entering the following command in the terminal:

root@1337pwn:~# cd RansomCoinPublic/Tools

3. Python 3 Requirement

Before running the RansomCoin tool, make sure Python 3 is installed.

Open a terminal window and install the build tools and libraries that the Python requirements need in order to compile, including poppler (used to extract text from PDF samples) and tlsh (fuzzy hashing):

root@1337pwn:~# sudo apt-get install build-essential libpoppler-cpp-dev pkg-config python-dev python3-tlsh

This apt command works from any directory. On recent Debian and Ubuntu releases the python-dev package no longer exists; use python3-dev in its place.

4. Install All The Requirements

From the “Tools” directory (that is where requirements.txt lives), run the following command to install all the requirements:

root@1337pwn:~# python3 -m pip install -r requirements.txt

If you receive an error stating “No module named pip”, install pip for Python 3 and then rerun the command above:

root@1337pwn:~# sudo apt-get install python3-pip

5. Running The Coinlector Tool From “RansomCoinPublic” Directory

The Coinlector tool in the “RansomCoinPublic” Tools directory auto-extracts Indicators of Compromise from ransomware binaries. It takes no arguments and processes the files in the directory it is run from, so copy the samples you want to analyze into “Tools” first. Coinlector only reads the files (it extracts strings and matches them), so the samples are never executed, but live ransomware should still be handled on an isolated analysis VM rather than a production workstation.

Run the Coinlector Python script by entering the following command in the terminal:

root@1337pwn:~# python3 coinlector.py

When the script finishes, the results are saved to a file called Ransomware.csv in the same directory (RansomCoinPublic/Tools).

6. Listing The Contents Of “Tools” Directory

To list the contents of the “Tools” directory, enter the following command into the terminal (testransomware, testransomwarepdf.pdf and empty_test_file are sample inputs shipped with the repository, useful for a trial run before you add your own samples):

root@1337pwn:~# ls
chasingcoin.py    eventcoin.py   tempuscoin.py    unittestmalware.ml
coinlector.py     Ransomware.csv    testransomware
empty_test_file   requirements.txt  testransomwarepdf.pdf

7. Viewing The Results Of Ransomware.csv File

To view the results of the Ransomware.csv file, enter the subsequent command into the terminal:

root@1337pwn:~# less Ransomware.csv

To view only the email addresses, the domain and onion addresses (both tagged Address), or the URLs, grep the file directly; grep matches the type label that Coinlector wrote into each row, so the filter is case-sensitive:

root@1337pwn:~# grep Email Ransomware.csv
root@1337pwn:~# grep Address Ransomware.csv
root@1337pwn:~# grep URL Ransomware.csv

To list only Bitcoin (BTC) addresses, enter the following command in the terminal:

root@1337pwn:~# grep BTC Ransomware.csv

To list only Ripple (XRP) addresses, enter the following command in the terminal:

root@1337pwn:~# grep XRP Ransomware.csv

To list only Monero (XMR) addresses, enter the following command in the terminal:

root@1337pwn:~# grep XMR Ransomware.csv

Piping less into grep (less Ransomware.csv | grep BTC) also works, but is redundant: less only pages its output when writing to a terminal, so grep the file directly. Add -c to count matching rows instead of printing them.

8. Tempuscoin Python Script

Tempuscoin starts from the Bitcoin addresses that Coinlector recorded in Ransomware.csv, so run coinlector.py first. It creates a file called TemporalRansoms.csv listing timestamped ransom transactions (sending and receiving Bitcoin addresses), including the amount in Bitcoin and its equivalent value in USD/EUR at the time of the transaction. Because that information comes from public blockchain and exchange-rate data, the script needs outbound internet access, and the addresses you look up are disclosed to whichever third-party service answers the query; consider whether that disclosure matters for your investigation before running it.

Run the Tempuscoin Python script by entering the following command in the terminal:

root@1337pwn:~# python3 tempuscoin.py

To view the results of TemporalRansoms.csv, enter the following command:

root@1337pwn:~# less TemporalRansoms.csv
