guelfoweb/athena_http_decode.py

## athena_http_decode.py
'''
Athena HTTP - Decode HTTP POST request
Gianni 'guelfoweb' Amato
'''

import urllib
import base64
import itertools
from string import maketrans

# Request to C&C
a = "%62%33%5A%6A%61%58%42%33%61%6E%46%6B%61%33%68%6C%63%6E%6C%73%63%32%5A%36%62%58%52%6E%59%57%35%31%61%47%49%36%61%57%39%32%59%33%42%33%61%6E%52%68%5A%32%35%6F%64%57%4A%6B%63%58%68%72%5A%58%4A%35%62%48%4E%6D%65%6D%30%3D"
b = "xHR5vGU6veVwZWF0xHVpZDiwODI2MTU3MDy4NjFzMTEnZTBgYWNgYWQ4MDZgNjE3MjY5NeZ8veFrOjE2xGJuX2rpmGndZDiwxGJuX2ZpmGVkOjB8Yerxl2V5vkiwxGJ1v3g6ZeFqv2V8"
c = "%64%6A%71%78%64%6B%72%78%65%6C%72%79%65%6C%73%79%66%6D%73%7A%67%6D%74%61"

# Response from C&C
r = "ZGpxeGRrcnhlbHJ5ZWxzeWZtc3pnbXRhZgaqaWRHVsdgmUZkUFRua2ZBPT0KZgzSlGMbaHBlRDB5ZgaOaeJXMWzcmVE5SVzlvFpYY2agM2QkTG5qlGFHOXZMmU52Ydz3PQi="

# [a] decoding...
'''
a: hex (26 char) -> b64 -> text -> split(:) => a1, a2
key = {'a2[x]': 'a1[x]'}
'''
a = urllib.unquote(a).decode('utf8')
a = base64.b64decode(a)
a1 = a.split(':')[0]
a2 = a.split(':')[1]
key = maketrans(a2, a1)

# [b] decoding...
'''
b: b(key) -> b64 -> text
'''
b = b.translate(key)
b = base64.b64decode(b)

# [c] decoding...
'''
c: hex -> str -> b64
'''
c = urllib.unquote(c).decode('utf8')
c = base64.b64encode(c)

# [r] decoding...
'''
r: str(b64)-c(b64)
r: r(key) -> b64 -> split('\n') -> r1, r2
'''
r = r.replace(c, '')
r = r.translate(key)
r = base64.b64decode(r)
r1 = r.split('\n')[0]
r1 = base64.b64decode(r1)
r2 = r.split('\n')[1]
r2 = base64.b64decode(r2)

print '[Sent]\n', b
print '\n[Received]\n', r1, r2

'''
[Sent]
|type:repeat|uid:082615708861a111e0dacdad806d6172696f|ram:16|bk_killed:0|bk_files:0|bk_keys:0|busy:false|

[Received]
|interval=90| |taskid=2|command=!view www.yahoo.com|
'''
	'''
	Athena HTTP - Decode HTTP POST request
	Gianni 'guelfoweb' Amato
	'''

	import urllib
	import base64
	import itertools
	from string import maketrans

	# Request to C&C
	a = "%62%33%5A%6A%61%58%42%33%61%6E%46%6B%61%33%68%6C%63%6E%6C%73%63%32%5A%36%62%58%52%6E%59%57%35%31%61%47%49%36%61%57%39%32%59%33%42%33%61%6E%52%68%5A%32%35%6F%64%57%4A%6B%63%58%68%72%5A%58%4A%35%62%48%4E%6D%65%6D%30%3D"
	b = "xHR5vGU6veVwZWF0xHVpZDiwODI2MTU3MDy4NjFzMTEnZTBgYWNgYWQ4MDZgNjE3MjY5NeZ8veFrOjE2xGJuX2rpmGndZDiwxGJuX2ZpmGVkOjB8Yerxl2V5vkiwxGJ1v3g6ZeFqv2V8"
	c = "%64%6A%71%78%64%6B%72%78%65%6C%72%79%65%6C%73%79%66%6D%73%7A%67%6D%74%61"

	# Response from C&C
	r = "ZGpxeGRrcnhlbHJ5ZWxzeWZtc3pnbXRhZgaqaWRHVsdgmUZkUFRua2ZBPT0KZgzSlGMbaHBlRDB5ZgaOaeJXMWzcmVE5SVzlvFpYY2agM2QkTG5qlGFHOXZMmU52Ydz3PQi="

	# [a] decoding...
	'''
	a: hex (26 char) -> b64 -> text -> split(:) => a1, a2
	key = {'a2[x]': 'a1[x]'}
	'''
	a = urllib.unquote(a).decode('utf8')
	a = base64.b64decode(a)
	a1 = a.split(':')[0]
	a2 = a.split(':')[1]
	key = maketrans(a2, a1)

	# [b] decoding...
	'''
	b: b(key) -> b64 -> text
	'''
	b = b.translate(key)
	b = base64.b64decode(b)

	# [c] decoding...
	'''
	c: hex -> str -> b64
	'''
	c = urllib.unquote(c).decode('utf8')
	c = base64.b64encode(c)

	# [r] decoding...
	'''
	r: str(b64)-c(b64)
	r: r(key) -> b64 -> split('\n') -> r1, r2
	'''
	r = r.replace(c, '')
	r = r.translate(key)
	r = base64.b64decode(r)
	r1 = r.split('\n')[0]
	r1 = base64.b64decode(r1)
	r2 = r.split('\n')[1]
	r2 = base64.b64decode(r2)

	print '[Sent]\n', b
	print '\n[Received]\n', r1, r2

	'''
	[Sent]
	\|type:repeat\|uid:082615708861a111e0dacdad806d6172696f\|ram:16\|bk_killed:0\|bk_files:0\|bk_keys:0\|busy:false\|

	[Received]
	\|interval=90\| \|taskid=2\|command=!view www.yahoo.com\|
	'''