Skip to content

Instantly share code, notes, and snippets.

@usualsuspect
Created September 9, 2022 21:30
Show Gist options
  • Save usualsuspect/f12cae4c9d4ab06f037aa0d54dbaab76 to your computer and use it in GitHub Desktop.
Save usualsuspect/f12cae4c9d4ab06f037aa0d54dbaab76 to your computer and use it in GitHub Desktop.
KONNI blob decrypter
#!/usr/bin/env python3
#
# Author: @jaydinbas
#
# Decrypt string blobs and files used by KONNI malware
#
# Reference sample: 158f5228225d9337083c323b45a63e70297ed9c8ecb8517dc1d8cb64f29acf5d
# via https://twitter.com/ShadowChasing1/status/1568064494982823937
#
# Malware uses manual implementation of AES256 in CTR mode. Payloads have 16 byte
# prefix containing initial counter value
#
# AES256 key is SHA256(<service name>) where service name depends on the sample.
# Reference file uses "authtokenmgt" as service name.
#
import sys
from Cryptodome.Cipher import AES
import hashlib
if len(sys.argv) != 3:
print("usage: %s <service name> <encrypted data file>" % sys.argv[0])
sys.exit(0)
data = open(sys.argv[2],"rb").read()
initial_counter = data[:16]
data = data[16:]
phrase = sys.argv[1].encode("utf16")[2:] #skip BOM
key = hashlib.sha256(phrase).digest()
cipher = AES.new(key=key,initial_value=initial_counter,mode=AES.MODE_CTR,nonce=b'')
plain = cipher.decrypt(data)
try:
plain = plain.decode("utf16")
print(plain)
except:
print(repr(plain))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment