myrtus0x0/hancitor_conf.py

## hancitor_conf.py
import malduck
import binascii
import sys
import hashlib
from loguru import logger
import collections
import math
import json
import pefile


def estimate_shannon_entropy(data):
    m = len(data)
    bases = collections.Counter([tmp_base for tmp_base in data])

    shannon_entropy_value = 0
    for base in bases:
        n_i = bases[base]
        p_i = n_i / float(m)
        entropy_i = p_i * (math.log(p_i, 2))
        shannon_entropy_value += entropy_i

    return shannon_entropy_value * -1

def parse_config(raw_config_blob):
    conf = {}
    split_conf = raw_config_blob.split(b"\x00")
    cleaned_conf = [x for x in split_conf if x]
    logger.info(cleaned_conf)
    conf["id"] = cleaned_conf[0].decode("utf-8")
    conf["c2s"] = cleaned_conf[1].split(b"|")
    conf["c2s"] = [x.decode("utf-8") for x in conf["c2s"] if x]
    return conf

def main():
    with open(sys.argv[1], "rb") as f:
        sample_contents = f.read()

    raw_rc4_key = None
    crypted_data = None

    pe_rep = pefile.PE(data=sample_contents)
    for section in pe_rep.sections:
        if b".data" in section.Name:
            raw_rc4_key = section.get_data()[16:24]
            crypted_data = section.get_data()[24:24+8192]

    if raw_rc4_key is None or crypted_data is None:
        logger.error("unable to find .data section")
        return
    logger.info("key: %s" % binascii.hexlify(raw_rc4_key))
    flags = 0x280011
    key_length = int((flags >> 16)/8)


    raw_hash = hashlib.sha1(raw_rc4_key).digest()[:key_length]

    logger.info("len of encrypted data: %s, decrypting with %s" % (len(crypted_data), binascii.hexlify(raw_hash)))
    decrypted = malduck.rc4.decrypt(raw_hash, crypted_data)
    entropy = estimate_shannon_entropy(decrypted)
    logger.info("decrypted data entropy: %s" % entropy)
    if entropy < 1:
        conf = parse_config(decrypted)
        dumped_json = json.dumps(conf, indent=4, sort_keys=True)
        with open(conf["id"] + "_decrypted.json", "w") as f:
            f.write(dumped_json)


if __name__ == "__main__":
    main()
	import malduck
	import binascii
	import sys
	import hashlib
	from loguru import logger
	import collections
	import math
	import json
	import pefile


	def estimate_shannon_entropy(data):
	m = len(data)
	bases = collections.Counter([tmp_base for tmp_base in data])

	shannon_entropy_value = 0
	for base in bases:
	n_i = bases[base]
	p_i = n_i / float(m)
	entropy_i = p_i * (math.log(p_i, 2))
	shannon_entropy_value += entropy_i

	return shannon_entropy_value * -1

	def parse_config(raw_config_blob):
	conf = {}
	split_conf = raw_config_blob.split(b"\x00")
	cleaned_conf = [x for x in split_conf if x]
	logger.info(cleaned_conf)
	conf["id"] = cleaned_conf[0].decode("utf-8")
	conf["c2s"] = cleaned_conf[1].split(b"\|")
	conf["c2s"] = [x.decode("utf-8") for x in conf["c2s"] if x]
	return conf

	def main():
	with open(sys.argv[1], "rb") as f:
	sample_contents = f.read()

	raw_rc4_key = None
	crypted_data = None

	pe_rep = pefile.PE(data=sample_contents)
	for section in pe_rep.sections:
	if b".data" in section.Name:
	raw_rc4_key = section.get_data()[16:24]
	crypted_data = section.get_data()[24:24+8192]

	if raw_rc4_key is None or crypted_data is None:
	logger.error("unable to find .data section")
	return
	logger.info("key: %s" % binascii.hexlify(raw_rc4_key))
	flags = 0x280011
	key_length = int((flags >> 16)/8)


	raw_hash = hashlib.sha1(raw_rc4_key).digest()[:key_length]

	logger.info("len of encrypted data: %s, decrypting with %s" % (len(crypted_data), binascii.hexlify(raw_hash)))
	decrypted = malduck.rc4.decrypt(raw_hash, crypted_data)
	entropy = estimate_shannon_entropy(decrypted)
	logger.info("decrypted data entropy: %s" % entropy)
	if entropy < 1:
	conf = parse_config(decrypted)
	dumped_json = json.dumps(conf, indent=4, sort_keys=True)
	with open(conf["id"] + "_decrypted.json", "w") as f:
	f.write(dumped_json)


	if __name__ == "__main__":
	main()