SaFiSec/emotet_c2_parser.py

## emotet_c2_parser.py
import socket
import struct

def dump_c2_list(c2_list):
    for i in range(0xFFFFFF):

        ip = Dword(c2_list + (i*8))
        if ip == 0:
            break;

        ip = struct.pack('>L', ip)
        ip = socket.inet_ntoa(str(ip))

        port = Word(c2_list + 4 + (i*8))

        print('{}:{}'.format(ip, port))

if __name__ == '__main__':
    c2_ref = FindBinary(0, SEARCH_DOWN, "83 3C C5")
    c2_list = Dword(c2_ref + 3)
    dump_c2_list(c2_list)
	import socket
	import struct

	def dump_c2_list(c2_list):
	for i in range(0xFFFFFF):

	ip = Dword(c2_list + (i*8))
	if ip == 0:
	break;

	ip = struct.pack('>L', ip)
	ip = socket.inet_ntoa(str(ip))

	port = Word(c2_list + 4 + (i*8))

	print('{}:{}'.format(ip, port))

	if __name__ == '__main__':
	c2_ref = FindBinary(0, SEARCH_DOWN, "83 3C C5")
	c2_list = Dword(c2_ref + 3)
	dump_c2_list(c2_list)