import malduck | |
import binascii | |
import sys | |
import hashlib | |
from loguru import logger | |
import collections | |
import math | |
import json | |
import pefile | |
def estimate_shannon_entropy(data):
    """Return the Shannon entropy of *data* in bits per symbol.

    Every distinct element of *data* (each byte value for ``bytes`` input) is
    one symbol; the result is ``-sum(p * log2(p))`` over the relative symbol
    frequencies. Empty input yields 0.

    Args:
        data: any iterable of hashable symbols, typically ``bytes``.
    Returns:
        A float (0 for empty input).
    """
    total = len(data)
    frequencies = collections.Counter(data)
    # Symbols are visited in first-occurrence order; p = n_i / N per symbol.
    weighted = sum(
        (count / float(total)) * math.log(count / float(total), 2)
        for count in frequencies.values()
    )
    return -weighted
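def parse_config(raw_config_blob):
    """Parse a decrypted config blob into a dict.

    The blob is a run of NUL-separated fields; empty fields are dropped. The
    first field is the id, the second a ``|``-separated list of C2 addresses
    (empty entries dropped). Both are decoded as UTF-8.

    Args:
        raw_config_blob: the decrypted config ``bytes``.
    Returns:
        ``{"id": str, "c2s": list[str]}``.
    Raises:
        ValueError: if fewer than two non-empty fields are present, or a
            field is not valid UTF-8 (``UnicodeDecodeError`` is a
            ``ValueError``) — both typically mean the decryption did not
            yield a real config.
    """
    split_conf = raw_config_blob.split(b"\x00")
    cleaned_conf = [x for x in split_conf if x]
    logger.info(cleaned_conf)
    # Guard the positional accesses below so a truncated/garbage blob gives a
    # descriptive error instead of an IndexError.
    if len(cleaned_conf) < 2:
        raise ValueError(
            "malformed config blob: expected at least 2 NUL-separated fields, got %d"
            % len(cleaned_conf)
        )
    conf = {
        "id": cleaned_conf[0].decode("utf-8"),
        "c2s": [x.decode("utf-8") for x in cleaned_conf[1].split(b"|") if x],
    }
    return conf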
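def main():
    """Extract, decrypt and dump the embedded config of the PE sample given as argv[1].

    Locates the ``.data`` section, carves an 8-byte RC4 key seed at offset 16
    and up to 8192 bytes of ciphertext at offset 24, derives the RC4 key as
    the leading bytes of SHA-1(seed) (key length taken from the upper 16 bits
    of ``flags``), decrypts, and — when the plaintext entropy is below 1 —
    parses it with :func:`parse_config` and writes the result as JSON to
    ``<id>_decrypted.json`` in the current directory.
    """
    if len(sys.argv) < 2:
        logger.error("usage: %s <sample>" % sys.argv[0])
        return
    with open(sys.argv[1], "rb") as f:
        sample_contents = f.read()

    raw_rc4_key = None
    crypted_data = None
    pe_rep = pefile.PE(data=sample_contents)
    for section in pe_rep.sections:
        if b".data" in section.Name:
            # Read the section once; both the seed and the ciphertext are carved from it.
            section_data = section.get_data()
            raw_rc4_key = section_data[16:24]
            crypted_data = section_data[24:24 + 8192]

    if raw_rc4_key is None or crypted_data is None:
        logger.error("unable to find .data section")
        return
    # A .data section shorter than the carve offsets yields empty slices rather
    # than None; refuse to derive a key from a truncated seed.
    if len(raw_rc4_key) < 8 or not crypted_data:
        logger.error(".data section too short to hold key seed and ciphertext")
        return

    logger.info("key: %s" % binascii.hexlify(raw_rc4_key))

    # Upper 16 bits of flags = key length in bits (0x28 = 40 bits -> 5 bytes);
    # the RC4 key is that many leading bytes of SHA-1 over the seed.
    flags = 0x280011
    key_length = (flags >> 16) // 8
    raw_hash = hashlib.sha1(raw_rc4_key).digest()[:key_length]
    logger.info(
        "len of encrypted data: %s, decrypting with %s"
        % (len(crypted_data), binascii.hexlify(raw_hash))
    )

    decrypted = malduck.rc4.decrypt(raw_hash, crypted_data)
    entropy = estimate_shannon_entropy(decrypted)
    logger.info("decrypted data entropy: %s" % entropy)

    # Low entropy (< 1 bit/byte) is the heuristic for "this decrypted to a real config".
    if entropy < 1:
        conf = parse_config(decrypted)
        dumped_json = json.dumps(conf, indent=4, sort_keys=True)
        # The id comes straight out of the sample's decrypted blob and is used
        # as a filename: restrict it to alphanumerics, '-' and '_' so it cannot
        # carry path separators or traversal sequences into the output path.
        safe_id = "".join(
            c if c.isalnum() or c in "-_" else "_" for c in conf["id"]
        ) or "unknown"
        out_path = safe_id + "_decrypted.json"
        with open(out_path, "w") as f:
            f.write(dumped_json)
        logger.info("wrote %s" % out_path)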
# Script entry point: run only when executed directly, not on import.
if __name__ == "__main__":
    main()