Created
June 4, 2021 14:44
-
-
Save nurpabuccu/ac3fe35720d13890c0cc5317acf12a82 to your computer and use it in GitHub Desktop.
Cerberus payload base64+rc4 decrypt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This script can be used for malware samples that used Base64+RC4. | |
| # python3 rc4_decrypt.py <key> <base64-ciphertext> | |
| import codecs | |
| import base64 | |
| import sys | |
| key = sys.argv[1] | |
| c = base64.b64decode(sys.argv[2]) | |
| def KSA(key): | |
| S = list(range(256)) | |
| j = 0 | |
| for i in range(256): | |
| j = (j + S[i] + key[i % len(key)]) % 256 | |
| S[i], S[j] = S[j], S[i] # swap values | |
| return S | |
| def PRGA(S): | |
| i = 0 | |
| j = 0 | |
| while True: | |
| i = (i + 1) % 256 | |
| j = (j + S[i]) % 256 | |
| S[i], S[j] = S[j], S[i] | |
| K = S[(S[i] + S[j]) % 256] | |
| yield K | |
| def encrypt_logic(key, text): | |
| key = [ord(c) for c in key] | |
| keystream = PRGA(KSA(key)) | |
| res = [] | |
| for c in text: | |
| val = ("%02x" % (c ^ next(keystream))) # XOR and taking hex | |
| res.append(val) | |
| return ''.join(res) | |
| def encrypt(key, plaintext): | |
| plaintext = [ord(c) for c in plaintext] | |
| return encrypt_logic(key, plaintext) | |
| def decrypt(key, ciphertext): | |
| ciphertext = codecs.decode(ciphertext, 'hex_codec') | |
| res = encrypt_logic(key, ciphertext) | |
| return codecs.decode(res, 'hex_codec').decode('utf-8') | |
| decrypted = decrypt(key, c) | |
| print(decrypted) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment