BoredHackerBlog/extractor.py

## extractor.py
#Gafgyt/qbot C2 extractor
#https://bazaar.abuse.ch/browse/signature/Gafgyt/
#The file needs to be unpacked (usually packed with upx)
import re
import sys

# regex from https://www.oreilly.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html
ipv4_zero = b"\x00(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):(\d{0,5})\x00"
ipv4_e9 = b"\xe9(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):(\d{0,5})\x00"

#requires unpacked file
elffile = open(sys.argv[1], 'rb').read()

re_out = re.search(ipv4_zero, elffile)
if re_out:
    print(re_out[0][1:-1].decode('ascii'))

re_out = re.search(ipv4_e9, elffile)
if re_out:
    print(re_out[0][1:-1].decode('ascii'))
	#Gafgyt/qbot C2 extractor
	#https://bazaar.abuse.ch/browse/signature/Gafgyt/
	#The file needs to be unpacked (usually packed with upx)
	import re
	import sys

	# regex from https://www.oreilly.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html
	ipv4_zero = b"\x00(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?):(\d{0,5})\x00"
	ipv4_e9 = b"\xe9(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?):(\d{0,5})\x00"

	#requires unpacked file
	elffile = open(sys.argv[1], 'rb').read()

	re_out = re.search(ipv4_zero, elffile)
	if re_out:
	print(re_out[0][1:-1].decode('ascii'))

	re_out = re.search(ipv4_e9, elffile)
	if re_out:
	print(re_out[0][1:-1].decode('ascii'))