Created
April 20, 2023 20:47
-
-
Save 0xToxin/dc2b74ac4988d4557262fa7d120df3df to your computer and use it in GitHub Desktop.
BumbleBee WSF initial downloader script deobfuscator. the script will save a "clean"/less obfuscated .js script and output the URL for the next payload fetch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Related Tweet: | |
| https://twitter.com/0xToxin/status/1649131620383825923 | |
| Tested on: | |
| doc_12QICZ_85.wsf - 5b7dfd88fcbbbb7e3d1b4b6606c4fdd10397dd5c00e18cfe83cd9a94ed136246 | |
| Bazzar - https://bazaar.abuse.ch/sample/5b7dfd88fcbbbb7e3d1b4b6606c4fdd10397dd5c00e18cfe83cd9a94ed136246/ | |
| Triage - https://tria.ge/230420-w4g3wabf48 | |
| ''' | |
| import re | |
| WSF_PATH = '' #input initial WSF file | |
| CLN_WSF = '' #input output for clean WSF file (necessery for rest of the script) | |
| RE_PATTERN_CLEANUP = r'^.*[;\{\}\>]$' | |
| RE_CLEANUP_2 = r"^return '\w+'};$" | |
| RE_MAIN_CONCAT = r'^(?:[^+\n]*\+){9}[^+\n]*\+.*$' | |
| wsfContent = open(WSF_PATH, 'r').read() | |
| regMatch = re.findall(RE_PATTERN_CLEANUP,wsfContent,re.MULTILINE) | |
| def customSlice(toSliceString): | |
| slicedStr = toSliceString.split('+') | |
| slicedStr[0] = slicedStr[0].split('=')[-1] | |
| slicedStr[-1] = slicedStr[-1].split(';')[0] | |
| return slicedStr | |
| for x in range(0, len(regMatch)): | |
| if regMatch[x].startswith('function') and x + 11 < len(regMatch) and regMatch[x + 11].startswith('return'): # Remove Junk Functions | |
| regMatch = regMatch[:x] + regMatch[x + 11:] | |
| elif x + 12 >= len(regMatch): | |
| break | |
| # Will produce a clean .js script (as much as possible) [pre concatenation] | |
| clnWsfFile = open(CLN_WSF, 'w') | |
| for elem in regMatch: | |
| if not re.match(RE_CLEANUP_2, elem): | |
| clnWsfFile.write(f'{elem}\n') | |
| clnWsfFile.close() | |
| # Concatenation Process | |
| clnWsfContent = open(CLN_WSF, 'r').readlines() | |
| mainLine = '' | |
| for line in clnWsfContent: | |
| if re.match(RE_MAIN_CONCAT, line): | |
| mainLine = line | |
| break | |
| if mainLine: | |
| variables = customSlice(mainLine) | |
| else: | |
| print('Well something went wrong , PM me :)') | |
| # now we have all the variables of the main concate line, let's puzzle the inner variables | |
| slicedVars = [] | |
| for var in variables: | |
| for line in clnWsfContent: | |
| if line.startswith(var): | |
| slicedVars.extend(customSlice(line)) | |
| # and now that we have a list of all the variables, we simply bruteforce it through the clean file and output the Fetch URL. | |
| urlFetchString = '' | |
| for var in slicedVars: | |
| for line in clnWsfContent: | |
| if line.startswith(var): | |
| urlFetchString += line.split("'")[1] | |
| print(f'[+] Fetching URL:{urlFetchString}') |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment