I am a cybersecurity student. What is the best approach to decrypting traffic from a piece of malware? I am using x32dbg (I'm new to assembly) and have trouble finding the private key. Are there any other approaches?

This is the malware I am reverse engineering: https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/CryptoLocker_10Sep2013

Minh Tran

Comment from julian (Apr 13 '18 at 16:39): https://reverseengineering.stackexchange.com/questions/2252/what-is-dll-injection-and-how-is-it-used-for-reversing/2255#2255

4 Answers


Basically, if it's really SSL, you need to find the SSL_Read() and SSL_Write() functions in the malware code and hook them so that you can dump their buffers.

But I doubt that this malware uses SSL; I couldn't find any signature of an SSL library in the binary.

perror
Anton Kukoba

Find the APIs it uses and hook them. The other post mentioned SSL_Read() and SSL_Write(). Malware often just uses the WinAPI to do HTTP, which makes it quite simple to use HTTPS.

Check for WinHTTP functions, or the WinInet functions, either as imports, or (typically) via dynamic lookups.

Johann Aydinbas
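An added triage script that performs the check the two answers above describe: look for WinHTTP, WinInet, OpenSSL (SSL_read/SSL_write) and Schannel API and DLL names in a binary, and flag the LoadLibrary/GetProcAddress pair that indicates the APIs are resolved at runtime rather than imported. This is not code from the question, from any of the answers or from the CryptoLocker sample; the API groupings, the `hook_targets` suggestions and the sample bytes are mine, and the sample is a constructed fragment shaped like a PE import name table, not bytes taken from the real binary.

```python
"""Scan raw bytes for HTTP/TLS library references (added example, not from the page)."""
import re
from collections import defaultdict

# Exports grouped by library. WinHTTP/WinInet/Schannel names are the documented
# Windows exports; SSL_* names are OpenSSL exports.
API_FAMILIES = {
    "WinHTTP": ["WinHttpOpen", "WinHttpConnect", "WinHttpOpenRequest",
                "WinHttpSendRequest", "WinHttpReceiveResponse", "WinHttpReadData"],
    "WinInet": ["InternetOpenA", "InternetOpenW", "InternetConnectA", "InternetConnectW",
                "HttpOpenRequestA", "HttpOpenRequestW", "HttpSendRequestA",
                "HttpSendRequestW", "InternetReadFile"],
    "OpenSSL": ["SSL_read", "SSL_write", "SSL_connect", "SSL_new", "SSL_CTX_new"],
    "Schannel": ["AcquireCredentialsHandleA", "AcquireCredentialsHandleW",
                 "InitializeSecurityContextA", "InitializeSecurityContextW",
                 "EncryptMessage", "DecryptMessage"],
}
# DLL names that sit next to those exports (LoadLibrary arguments or import
# descriptor names). Matched case-insensitively.
LIBRARY_NAMES = {
    "WinHTTP": ["winhttp.dll"], "WinInet": ["wininet.dll"],
    "OpenSSL": ["libssl", "ssleay32.dll", "libeay32.dll"],
    "Schannel": ["secur32.dll", "sspicli.dll"],
}
# These present with no static import of the families above suggest the
# malware resolves its network APIs at runtime (dynamic lookups).
DYNAMIC_LOOKUP = ["LoadLibraryA", "LoadLibraryW", "GetProcAddress"]

IDENT = re.compile(rb"[A-Za-z0-9_]")


def _offsets(data: bytes, name: str, ignore_case: bool = False) -> list:
    """Offsets where `name` occurs as a NUL-terminated ASCII or UTF-16LE string.
    The NUL terminator stops 'WinHttpOpen' matching inside 'WinHttpOpenRequest';
    for ASCII hits the preceding byte must not be an identifier character, so
    'SSL_read' does not match inside 'XSSL_read'."""
    found = []
    flags = re.IGNORECASE if ignore_case else 0
    for enc, nul in ((name.encode("ascii"), b"\x00"),
                     (name.encode("utf-16-le"), b"\x00\x00")):
        for m in re.finditer(re.escape(enc) + re.escape(nul), data, flags):
            if nul == b"\x00" and m.start() > 0 and IDENT.fullmatch(data[m.start() - 1:m.start()]):
                continue
            found.append(m.start())
    return found


def scan(data: bytes) -> dict:
    """Return {"families": {family: {name: [offsets]}}, "dynamic_lookup": [names]}."""
    families = defaultdict(dict)
    for family, names in API_FAMILIES.items():
        for name in names:
            offs = _offsets(data, name)
            if offs:
                families[family][name] = offs
    for family, names in LIBRARY_NAMES.items():
        for name in names:
            offs = _offsets(data, name, ignore_case=True)
            if offs:
                families[family][name] = offs
    dynamic = [n for n in DYNAMIC_LOOKUP if _offsets(data, n)]
    return {"families": dict(families), "dynamic_lookup": dynamic}


def hook_targets(report: dict) -> list:
    """Exports worth breaking on (in x32dbg or a hook) to see plaintext buffers,
    chosen per family found. These are the real export names of each library."""
    targets = {
        "WinHTTP": ["WinHttpSendRequest", "WinHttpReadData"],
        "WinInet": ["HttpSendRequestA", "HttpSendRequestW", "InternetReadFile"],
        "OpenSSL": ["SSL_read", "SSL_write"],
        "Schannel": ["EncryptMessage", "DecryptMessage"],
    }
    out = []
    for family in report["families"]:
        out.extend(targets.get(family, []))
    return out


# Constructed sample: a fragment shaped like a PE import name table (2-byte hint,
# name, NUL), one UTF-16 DLL name, and two decoys that must NOT match.
SAMPLE = (
    b"\x00\x00WinHttpOpen\x00"
    b"\x00\x00WinHttpSendRequest\x00"
    b"\x00\x00GetProcAddress\x00"
    b"\x00\x00LoadLibraryA\x00"
    + "winhttp.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\x00\x00WinHttpOpenRequestX\x00"   # no NUL right after the API name: ignored
    + b"XSSL_read\x00"                      # preceded by an identifier char: ignored
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = scan(blob)
    print(report)
    print("break on:", hook_targets(report))
```

Run it on the unpacked image or on a memory dump taken after the sample has unpacked itself; a packed binary hides these strings, which is the usual reason a quick look finds "no signature of an SSL library". If only the `dynamic_lookup` names show up, the network API names are probably built at runtime, and breaking on GetProcAddress and reading its name argument will reveal them. Note also that WinHTTP and WinInet hand TLS to Schannel, so breakpoints on EncryptMessage and DecryptMessage catch plaintext regardless of which of the two wrappers the malware uses.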

Are you looking to decrypt the files encrypted by the ransomware? Or are you trying to decrypt the network communication of the malware?

If it is the first one, you will be able to get the private key by stepping into the code till it reaches (make sure you have a lot of coffee next to you).

For the second one, you can use sslstrip to decrypt the traffic.


Assuming it's using standard methods of performing requests, you could try using a proxy to route your traffic and then snoop inside the SSL. For example, this tool: https://www.charlesproxy.com/

jv_