Skip to content

Instantly share code, notes, and snippets.

@usualsuspect
Created May 2, 2023 11:21
Show Gist options
  • Save usualsuspect/8765e594c9f768ada6fb7f15eb3a0ffa to your computer and use it in GitHub Desktop.
Save usualsuspect/8765e594c9f768ada6fb7f15eb3a0ffa to your computer and use it in GitHub Desktop.
String decryption for unknown malware
#!/usr/bin/env python3
#
# String decryption for unknown malware
#
# Author: @jaydinbas (2023-05-02)
#
# Reference sample:
#
# https://www.virustotal.com/gui/file/88c10674bb6a53791bfe08497948699bf57ea9980a878a3a5fc1afb160d1d234
#
import struct
def rol64(q,n):
return ((q >> n) | (q << (64-n)))
def decrypt(s,k):
s = bytearray(s)
for i in range(len(s)):
s[i] ^= (rol64(k,(i % 8)*8) & 0xFF)
return s
data = b'Y7Oy\x9b\xfcF\xa0]*Yh\xc3\xb2\x0b\xa0'
data += b'R(Ny\xc2\xbf\x06\xb4UmXf\xcc\xfc\x1a\xb1'
data += struct.pack("<I",0x7B5E2748)
data += struct.pack("<B",0xA1)
k = (0x0C169D3A1 << 32) | 0x93B4331
# prints
# bytearray(b'http://alibababackupcloud.com/spyder\x00')
print(decrypt(data,k))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment