usualsuspect/decrypt.py

## decrypt.py
#!/usr/bin/env python3
#
# String decryption for unknown malware
#
# Author: @jaydinbas (2023-05-02)
#
# Reference sample:
#
# https://www.virustotal.com/gui/file/88c10674bb6a53791bfe08497948699bf57ea9980a878a3a5fc1afb160d1d234
#

import struct

def rol64(q,n):
    return ((q >> n) | (q << (64-n)))

def decrypt(s,k):
    s = bytearray(s)

    for i in range(len(s)):
        s[i] ^= (rol64(k,(i % 8)*8) & 0xFF)

    return s

data = b'Y7Oy\x9b\xfcF\xa0]*Yh\xc3\xb2\x0b\xa0'
data += b'R(Ny\xc2\xbf\x06\xb4UmXf\xcc\xfc\x1a\xb1'
data += struct.pack("<I",0x7B5E2748)
data += struct.pack("<B",0xA1)
k = (0x0C169D3A1 << 32) | 0x93B4331

# prints
# bytearray(b'http://alibababackupcloud.com/spyder\x00')
print(decrypt(data,k))
	#!/usr/bin/env python3
	#
	# String decryption for unknown malware
	#
	# Author: @jaydinbas (2023-05-02)
	#
	# Reference sample:
	#
	# https://www.virustotal.com/gui/file/88c10674bb6a53791bfe08497948699bf57ea9980a878a3a5fc1afb160d1d234
	#

	import struct

	def rol64(q,n):
	return ((q >> n) \| (q << (64-n)))

	def decrypt(s,k):
	s = bytearray(s)

	for i in range(len(s)):
	s[i] ^= (rol64(k,(i % 8)*8) & 0xFF)

	return s

	data = b'Y7Oy\x9b\xfcF\xa0]*Yh\xc3\xb2\x0b\xa0'
	data += b'R(Ny\xc2\xbf\x06\xb4UmXf\xcc\xfc\x1a\xb1'
	data += struct.pack("<I",0x7B5E2748)
	data += struct.pack("<B",0xA1)
	k = (0x0C169D3A1 << 32) \| 0x93B4331

	# prints
	# bytearray(b'http://alibababackupcloud.com/spyder\x00')
	print(decrypt(data,k))