FirehaK

Blackremote config deobfuscator

Nov 6th, 2019
  1. #!/usr/bin/env python
  2. from distutils.util import strtobool
  3. import json
  4.  
# Delimiter between config fields. The blob both starts and ends with it, so
# the first and last elements of CONFIG.split(SEPARATOR) are empty strings and
# the first real field is at index 1.
SEPARATOR = '|%*%|'

# XOR key for deobfuscate(). Placeholder: replace it with the key taken from
# the client sample, otherwise every decoded field is garbage.
KEY = 'INSERT_KEY_FROM_CLIENT'

# Obfuscated config string as carried by the sample. Most fields are
# hex-encoded XOR ciphertext; a few (e.g. index 18, 20, 23) are not hex and
# are used by the script as they are.
CONFIG = '|%*%|6470625D49771B045543190975|%*%|1D060229|%*%|6270745E|%*%|183C210D092A0404544202|%*%|060809|%*%|1528201F1F|%*%|1D060229|%*%|1D060229|%*%|1528201F1F|%*%|1528201F1F|%*%|1528201F1F|%*%|1528201F1F|%*%|1528201F1F|%*%|1528201F1F|%*%|1528201F1F|%*%|1528201F1F|%*%|28083582|%*%|oSILlzCwXBSrQ1Vb72t6|%*%|76600545|%*%|EbIXtKRzHJklNNL94gD|%*%|31052217|%*%|13285204|%*%|Kumasi12345|%*%|'
  9.  
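def deobfuscate(key, msg):
    """Decode one hex-encoded config field with a repeating XOR key.

    ``msg`` is a run of two-digit hex bytes.  Byte number ``i`` (counting
    from 1) is XORed with ``key[i % len(key)]`` -- note the 1-based start,
    so the first output byte uses ``key[1]`` and ``key[0]`` is reached only
    when the index wraps.  This offset is what the original routine does and
    must be kept, or the output will not match the client's.

    Args:
        key: XOR key string; must be non-empty.
        msg: hex-encoded field.  An even length is expected; the byte count
            is ``round(len(msg) / 2)`` exactly as in the original, so an odd
            trailing nibble is decoded as a single hex digit (the rounding of
            a half differs between Python 2 and 3 -- keep inputs even).

    Returns:
        The decoded field as a str, one character per input byte.

    Raises:
        ValueError: if ``key`` is empty (previously a bare ZeroDivisionError
            from the modulo) or ``msg`` contains non-hex characters
            (propagated from ``int``).
    """
    if not key:
        raise ValueError('deobfuscate: key must be non-empty')

    key_len = len(key)
    # int() only for range(); the value itself is the original pair count.
    pair_count = int(round(len(msg) / 2))

    decoded = []
    for i in range(1, pair_count + 1):
        byte = int(msg[2 * i - 2:2 * i], 16)
        decoded.append(chr(byte ^ ord(key[i % key_len])))
    return ''.join(decoded)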
  25.  
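def _flag(value):
    """Convert a decoded 'True'/'False' field to a bool.

    strtobool() already accepts the usual spellings (y/yes/t/true/on/1 and
    their negatives); this wrapper only sharpens the error, because a decoded
    field that is not a truth value almost always means KEY is wrong -- XOR
    with the wrong key yields arbitrary bytes rather than a clean failure.

    Note: distutils, and with it strtobool, was removed in Python 3.12; run
    this under an older interpreter or replace the import with a local lookup.

    Raises:
        ValueError: if ``value`` is not a recognised truth value.
    """
    try:
        return bool(strtobool(value))
    except ValueError:
        raise ValueError(
            'field {0!r} is not a truth value - is KEY correct?'.format(value))


if __name__ == '__main__':
    # Fail early with a useful message instead of decoding garbage and then
    # dying inside strtobool().
    if KEY == 'INSERT_KEY_FROM_CLIENT':
        raise SystemExit('Set KEY to the XOR key taken from the client before running.')

    config = {}
    options = CONFIG.split(SEPARATOR)

    # Indexes up to 22 are read below; stop cleanly on a shorter config
    # (truncated paste or a different builder layout) instead of IndexError.
    if len(options) < 23:
        raise SystemExit(
            'unexpected config field count {0}, expected at least 23'.format(len(options)))

    # Everything below is attacker-controlled data from the sample. It is only
    # printed (json.dumps escapes control characters); never pass these values
    # to a shell, registry call or file API.
    config['C2'] = deobfuscate(KEY, options[1])
    config['Port'] = deobfuscate(KEY, options[3])
    config['Registry subkey'] = deobfuscate(KEY, options[5])
    config['Exe name 1'] = deobfuscate(KEY, options[7])
    config['Exe name 2'] = deobfuscate(KEY, options[8])
    config['Detect VMs'] = _flag(deobfuscate(KEY, options[9]))
    config['Detect Sandboxie'] = _flag(deobfuscate(KEY, options[10]))
    config['Detect traffic capture'] = _flag(deobfuscate(KEY, options[11]))

    # is "virus" or "sample" in the file name
    config['Detect researcher'] = _flag(deobfuscate(KEY, options[12]))
    # Stored in the clear (not hex), so no decoding step.
    config['Mutex'] = options[18]

    # TODO: fix encoding issues for registry path values
    config['Registry Path'] = 'HKCU\\{0}\\{1}'.format(
        deobfuscate(KEY, options[21]),
        deobfuscate(KEY, options[22])
    )

    # some unknown, some just need descriptive names
    # (17, 19 and 20 are used raw, like the mutex; the rest are XOR-encoded)
    labels_tbd = {
        'Option 2': deobfuscate(KEY, options[2]),
        'Option 4': deobfuscate(KEY, options[4]),
        'Option 6': _flag(deobfuscate(KEY, options[6])),
        'Option 13': _flag(deobfuscate(KEY, options[13])),
        'Option 14': _flag(deobfuscate(KEY, options[14])),
        'Option 15': _flag(deobfuscate(KEY, options[15])),
        'Option 16': _flag(deobfuscate(KEY, options[16])),
        'Option 17': 'Application.StartupPath\\{0}'.format(options[17]),
        'Option 19': '%APPDATA%\\{0}'.format(options[19]),
        'Option 20': 'Application.StartupPath\\{0}\\{1}'.format(options[17], options[20]),
    }
    config['Labels TBD'] = labels_tbd

    print('The real config does NOT use JSON! It is formatted for convenience!\n')
    print('Encoded config: {0}\n'.format(CONFIG))

    print('Decoded/Labeled config:\n{0}'.format(
        json.dumps(config, ensure_ascii=False, indent=2, sort_keys=True))
    )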