Code to decrypt embedded driver in Daxin malware sample

daxin_decrypt_embedded.py

#!/usr/bin/env python3

#
#   Algorithm used by Daxin to decrypt embedded driver
#   Uses slightly modified RC4 (see comment in rc4() below)
#
#   Constants fitting for sample
#   b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427
#

import hashlib
import struct

def gen_key(const1,const2):
    # hardcoded into function, might also change per sample
    key_data = b"\x7C\x4E\xD0\x68\x20\x4b\x42\xEB\x08\x4A\xFE\xA9\xEB\x50\x30\xa3"
    d1 = struct.pack("<I",const1)
    d2 = struct.pack("<I",const2)

    key_data = d1 + key_data + d2

    key = hashlib.md5(key_data).digest()
    out = bytearray(struct.pack("<I",const1^const2) + key[4:])
    h = const1 ^ const2
    for i in range(16):
        if (i & 1):
            k = ((h << 11) & 0xFFFFFFFF) ^ ((h >> 5) & 0xFFFFFFFF)
            k ^= out[i]
            k ^= 0xFFFFFFFF # not
        else:
            k = ((h >> 3) & 0xFFFFFFFF) ^ ((h << 7) & 0xFFFFFFFF)
            k ^= out[i]

        h ^= k

    out = struct.pack("<I",h) + out[4:]
    return out

def rc4(data, key):
    x = 0
    box = bytearray(range(256))
    for i in range(256):
        x = (x + box[i] + key[i % len(key)]) % 256
        box[i], box[x] = box[x], box[i]

    y = x       # original RC4 sets both 0
    x = 0
    out = bytearray()
    for char in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(char ^ box[(box[x] + box[y]) % 256])
    return out


data = open("driver","rb").read()
key = gen_key(0x4373F262,0x21B33EE9)
plain = rc4(data,key)
open("out","wb").write(plain)