#!/usr/local/bin/env python
####################################################
##
## All credit to @_qaz_qaz for this awesome post
## https://secrary.com/ReversingMalware/Upatre/
##
## Original script:
## https://gist.github.com/secrary/98c563688fa6cea1fd517170f97988ab
##
## Author: @herrcore
##
## lznt1 decompression from here:
## https://github.com/google/rekall/blob/e57446eb8ecbcf5019c1a978f469955a5078c829/rekall-core/rekall/plugins/filesystems/lznt1.py
##
####################################################
import argparse
import base64
import os
import re

import lznt1
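def find_b64_data(pe_data):
    """Return the first base64 payload string embedded in *pe_data*.

    The payload is located by a marker: a NUL byte, a run of base64
    characters, and the sequence "ARbMTE1MTE" (per the original author's
    note, the start of 'MZ\\x80\\x00\\x01\\x00\\x00\\x00' after XOR with
    "L" and base64 encoding).  The NUL-delimited token that begins at the
    marker is returned without its leading NUL.

    Args:
        pe_data: contents of the carrier file (a str in this Python 2
            script; the regex and split below operate on str).

    Returns:
        The base64 string, or '' when no marker is present.
    """
    # XOR "L" and base64 encode 'MZ\x80\x00\x01\x00\x00\x00'
    marker = r"\x00[A-Za-z0-9+\/]*ARbMTE1MTE"
    match = re.search(marker, pe_data)
    if match is None:
        # The no-match path used to leave the result unbound and raise
        # UnboundLocalError; main() compares the result against ''.
        return ''
    # Element 0 of the split is the empty string before the leading NUL,
    # element 1 is the payload text up to the next NUL (or end of data).
    return pe_data[match.start():].split('\x00')[1]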
def decrypt_data(data):
    """Decode, de-XOR and decompress a payload found by find_b64_data.

    Steps, in order: base64-decode *data*, XOR every byte with the single
    key byte "L", then hand the result to lznt1.decompress_data.

    Args:
        data: base64 text (a str).

    Returns:
        Whatever lznt1.decompress_data returns for the decoded buffer.
    """
    key = ord("L")
    raw = base64.b64decode(data)
    # Iterating a Python 2 str yields one-character strings, which is what
    # ord() expects here; under Python 3 iterating bytes would yield ints.
    unxored = ''.join(chr(ord(byte) ^ key) for byte in raw)
    return lznt1.decompress_data(unxored)
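def main():
    """Command-line entry point: extract the embedded PE from an Upatre sample.

    Reads the file named on the command line, locates the base64 payload,
    decrypts/decompresses it and writes the result beside the input as
    "extracted_<basename>".  Prints an error line instead when no payload
    marker is found.
    """
    parser = argparse.ArgumentParser(description="Extract PE from Upatre")
    parser.add_argument("file_name", help="PE file to extract binary from.")
    args = parser.parse_args()
    with open(args.file_name, "rb") as fp:
        pe_data = fp.read()
    # Prefix only the basename: prefixing the whole argument produced an
    # unusable path (e.g. "extracted_/some/dir/sample") when the input was
    # given with a directory component.  For a bare filename the result is
    # unchanged.
    in_dir, in_name = os.path.split(args.file_name)
    out_file = os.path.join(in_dir, "extracted_" + in_name)
    print("\nExtracting PE from: %s ..." % args.file_name)
    base64_string = find_b64_data(pe_data)
    if base64_string == '':
        print("\tERROR: Could not extract.")
    else:
        out_data = decrypt_data(base64_string)
        print("\tWriting extracted PE to: %s" % out_file)
        with open(out_file, "wb") as fp:
            # write() returns nothing useful; don't reuse pe_data for it.
            fp.write(out_data)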
# Run the extractor only when executed as a script, so the helpers above
# can also be imported from another module without side effects.
if __name__ == '__main__':
    main()