Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
A little code to decode Athena HTTP POST request and c&c response
'''
Athena HTTP - Decode HTTP POST request
Gianni 'guelfoweb' Amato
'''
import urllib
import base64
import itertools
from string import maketrans
# Request to C&C
a = "%62%33%5A%6A%61%58%42%33%61%6E%46%6B%61%33%68%6C%63%6E%6C%73%63%32%5A%36%62%58%52%6E%59%57%35%31%61%47%49%36%61%57%39%32%59%33%42%33%61%6E%52%68%5A%32%35%6F%64%57%4A%6B%63%58%68%72%5A%58%4A%35%62%48%4E%6D%65%6D%30%3D"
b = "xHR5vGU6veVwZWF0xHVpZDiwODI2MTU3MDy4NjFzMTEnZTBgYWNgYWQ4MDZgNjE3MjY5NeZ8veFrOjE2xGJuX2rpmGndZDiwxGJuX2ZpmGVkOjB8Yerxl2V5vkiwxGJ1v3g6ZeFqv2V8"
c = "%64%6A%71%78%64%6B%72%78%65%6C%72%79%65%6C%73%79%66%6D%73%7A%67%6D%74%61"
# Response from C&C
r = "ZGpxeGRrcnhlbHJ5ZWxzeWZtc3pnbXRhZgaqaWRHVsdgmUZkUFRua2ZBPT0KZgzSlGMbaHBlRDB5ZgaOaeJXMWzcmVE5SVzlvFpYY2agM2QkTG5qlGFHOXZMmU52Ydz3PQi="
# [a] decoding...
'''
a: hex (26 char) -> b64 -> text -> split(:) => a1, a2
key = {'a2[x]': 'a1[x]'}
'''
a = urllib.unquote(a).decode('utf8')
a = base64.b64decode(a)
a1 = a.split(':')[0]
a2 = a.split(':')[1]
key = maketrans(a2, a1)
# [b] decoding...
'''
b: b(key) -> b64 -> text
'''
b = b.translate(key)
b = base64.b64decode(b)
# [c] decoding...
'''
c: hex -> str -> b64
'''
c = urllib.unquote(c).decode('utf8')
c = base64.b64encode(c)
# [r] decoding...
'''
r: str(b64)-c(b64)
r: r(key) -> b64 -> split('\n') -> r1, r2
'''
r = r.replace(c, '')
r = r.translate(key)
r = base64.b64decode(r)
r1 = r.split('\n')[0]
r1 = base64.b64decode(r1)
r2 = r.split('\n')[1]
r2 = base64.b64decode(r2)
print '[Sent]\n', b
print '\n[Received]\n', r1, r2
'''
[Sent]
|type:repeat|uid:082615708861a111e0dacdad806d6172696f|ram:16|bk_killed:0|bk_files:0|bk_keys:0|busy:false|
[Received]
|interval=90| |taskid=2|command=!view www.yahoo.com|
'''
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment