CreateRemoteThread/sha2017-abusemail-decoder.py

## sha2017-abusemail-decoder.py
#!/usr/bin/env python

import base64
import sys
import time
import subprocess
import threading

from Crypto import Random
from Crypto.Cipher import AES

BS = 16
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
unpad = lambda s : s[0:-ord(s[-1])]
magic = "SHA2017"

class AESCipher:
    def __init__( self, key ):
        self.key = key

    def encrypt( self, raw ):
        raw = pad(raw)
        iv = Random.new().read( AES.block_size )
        cipher = AES.new( self.key, AES.MODE_CBC, iv )
        return base64.b64encode( iv + cipher.encrypt( raw ) )

    def decrypt( self, enc_orig ):
        try:
          enc = base64.b64decode(enc_orig)
        except:
          # print enc_orig
          enc = base64.b64decode(enc_orig[:-1])
        iv = enc[:16]
        if len(iv) != 16:
          return ""
        cipher = AES.new(self.key, AES.MODE_CBC, iv )
        return unpad(cipher.decrypt( enc[16:] ))

key = "K8djhaIU8H2d1jNb"
cipher = AESCipher(key)

# out = open("out.bin","wb")

kibbles = {}
maxcnt = 0

data = open(sys.argv[1],"rb")
for l in data.readlines():
  # if len(l[8:]) % 16 != 0:
  #   print l
  try:
    new_d = cipher.decrypt(l[8:].rstrip())
  except:
    pass
    # print l[8:]
  if new_d[0:7] == "getfile":
    if len(new_d.split(":")) == 3:
      cnt = int(new_d.split(":")[1])
      datachunk = new_d.split(":")[2]
      if cnt in kibbles.keys() and base64.urlsafe_b64decode(datachunk) != kibbles[cnt]:
        print "MISMATCH %d" % int(cnt)
      else:
        print "WRITING OUT %d" % int(cnt)
        kibbles[cnt] = base64.urlsafe_b64decode(datachunk)
        if cnt > maxcnt:
          maxcnt = cnt
      # out.write(base64.urlsafe_b64decode(datachunk))
    else:
      print new_d
  else:
    print new_d

out = open("out.bin","wb")
for i in range(0,maxcnt + 1):
  out.write(kibbles[i])
out.close()
	#!/usr/bin/env python

	import base64
	import sys
	import time
	import subprocess
	import threading

	from Crypto import Random
	from Crypto.Cipher import AES

	BS = 16
	pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
	unpad = lambda s : s[0:-ord(s[-1])]
	magic = "SHA2017"

	class AESCipher:
	def __init__( self, key ):
	self.key = key

	def encrypt( self, raw ):
	raw = pad(raw)
	iv = Random.new().read( AES.block_size )
	cipher = AES.new( self.key, AES.MODE_CBC, iv )
	return base64.b64encode( iv + cipher.encrypt( raw ) )

	def decrypt( self, enc_orig ):
	try:
	enc = base64.b64decode(enc_orig)
	except:
	# print enc_orig
	enc = base64.b64decode(enc_orig[:-1])
	iv = enc[:16]
	if len(iv) != 16:
	return ""
	cipher = AES.new(self.key, AES.MODE_CBC, iv )
	return unpad(cipher.decrypt( enc[16:] ))

	key = "K8djhaIU8H2d1jNb"
	cipher = AESCipher(key)

	# out = open("out.bin","wb")

	kibbles = {}
	maxcnt = 0

	data = open(sys.argv[1],"rb")
	for l in data.readlines():
	# if len(l[8:]) % 16 != 0:
	# print l
	try:
	new_d = cipher.decrypt(l[8:].rstrip())
	except:
	pass
	# print l[8:]
	if new_d[0:7] == "getfile":
	if len(new_d.split(":")) == 3:
	cnt = int(new_d.split(":")[1])
	datachunk = new_d.split(":")[2]
	if cnt in kibbles.keys() and base64.urlsafe_b64decode(datachunk) != kibbles[cnt]:
	print "MISMATCH %d" % int(cnt)
	else:
	print "WRITING OUT %d" % int(cnt)
	kibbles[cnt] = base64.urlsafe_b64decode(datachunk)
	if cnt > maxcnt:
	maxcnt = cnt
	# out.write(base64.urlsafe_b64decode(datachunk))
	else:
	print new_d
	else:
	print new_d

	out = open("out.bin","wb")
	for i in range(0,maxcnt + 1):
	out.write(kibbles[i])
	out.close()