- #!/usr/bin/env python
- from distutils.util import strtobool
- import json
# Field delimiter inside the encoded blob.  Because CONFIG both starts and
# ends with it, CONFIG.split(SEPARATOR) yields an empty field 0 and an empty
# last field; __main__ indexes the fields 1..22 by position.
SEPARATOR = '|%*%|'

# XOR key consumed by deobfuscate().  This value is a placeholder: the real
# key has to be recovered from the client and substituted here, otherwise the
# hex fields decode to garbage and the bool conversions in __main__ will most
# likely raise.
KEY = 'INSERT_KEY_FROM_CLIENT'

# Encoded configuration blob, one entry per field (index noted on the right).
# Hex-looking fields are XOR-obfuscated and go through deobfuscate(); fields
# 17, 18, 19 and 20 are used verbatim by __main__ (18 is the mutex name).
_CONFIG_FIELDS = [
    '',                              # 0  (leading delimiter)
    '6470625D49771B045543190975',    # 1
    '1D060229',                      # 2
    '6270745E',                      # 3
    '183C210D092A0404544202',        # 4
    '060809',                        # 5
    '1528201F1F',                    # 6
    '1D060229',                      # 7
    '1D060229',                      # 8
    '1528201F1F',                    # 9
    '1528201F1F',                    # 10
    '1528201F1F',                    # 11
    '1528201F1F',                    # 12
    '1528201F1F',                    # 13
    '1528201F1F',                    # 14
    '1528201F1F',                    # 15
    '1528201F1F',                    # 16
    '28083582',                      # 17
    'oSILlzCwXBSrQ1Vb72t6',          # 18
    '76600545',                      # 19
    'EbIXtKRzHJklNNL94gD',           # 20
    '31052217',                      # 21
    '13285204',                      # 22
    'Kumasi12345',                   # 23
    '',                              # 24 (trailing delimiter)
]
CONFIG = SEPARATOR.join(_CONFIG_FIELDS)
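def deobfuscate(key, msg):
    """Decode one hex-encoded, XOR-obfuscated configuration field.

    ``msg`` is consumed two hex digits at a time.  Byte *i* (0-based) is XORed
    with ``key[(i + 1) % len(key)]`` -- the key stream deliberately starts at
    the SECOND key character, which is what the original loop's
    ``num2 % len(key)`` with ``num2`` starting at 1 produced.  Preserve that
    offset if the scheme is re-implemented elsewhere.

    Args:
        key: XOR key string.  Must be non-empty whenever ``msg`` holds at
            least one full hex pair.
        msg: Hex string.  Hex digits may be upper- or lower-case.  A trailing
            unpaired hex digit is ignored; the original used
            ``round(len(msg) / 2)``, whose half-to-even rounding treated odd
            lengths inconsistently (a lone nibble was sometimes decoded as a
            byte and sometimes dropped).

    Returns:
        The decoded text, one character per hex pair; ``''`` for an empty or
        single-character ``msg``.

    Raises:
        ValueError: if a pair is not valid hexadecimal.
        ZeroDivisionError: if ``key`` is empty and ``msg`` has at least one
            pair (unchanged from the original behaviour).
    """
    pair_count = len(msg) // 2
    decoded = []
    for i in range(pair_count):
        # Key character is looked up before the hex pair is parsed so that an
        # empty key still fails the same way the original did.
        key_char = key[(i + 1) % len(key)]
        byte = int(msg[2 * i:2 * i + 2], 16)
        decoded.append(chr(byte ^ ord(key_char)))
    return ''.join(decoded)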
if __name__ == '__main__':
    # Field 0 is empty because CONFIG starts with SEPARATOR; the labels below
    # are analyst annotations keyed by field position.
    options = CONFIG.split(SEPARATOR)

    def field(index):
        # Hex-encoded field -> XOR-decoded text.
        return deobfuscate(KEY, options[index])

    def flag(index):
        # strtobool() accepts y/yes/t/true/on/1 and n/no/f/false/off/0
        # (case-insensitive) and raises ValueError for anything else, so a
        # wrong KEY will normally surface here first.  It comes from
        # distutils, which is deprecated (PEP 632) and removed in Python 3.12.
        return bool(strtobool(field(index)))

    text_fields = [
        ('C2', 1),
        ('Port', 3),
        ('Registry subkey', 5),
        ('Exe name 1', 7),
        ('Exe name 2', 8),
    ]
    flag_fields = [
        ('Detect VMs', 9),
        ('Detect Sandboxie', 10),
        ('Detect traffic capture', 11),
        # is "virus" or "sample" in the file name
        ('Detect researcher', 12),
    ]

    config = {}
    for label, index in text_fields:
        config[label] = field(index)
    for label, index in flag_fields:
        config[label] = flag(index)
    # The mutex name is stored in clear text, not hex.
    config['Mutex'] = options[18]
    # TODO: fix encoding issues for registry path values
    config['Registry Path'] = 'HKCU\\{0}\\{1}'.format(field(21), field(22))
    # some unknown, some just need descriptive names
    config['Labels TBD'] = {
        'Option 2': field(2),
        'Option 4': field(4),
        'Option 6': flag(6),
        'Option 13': flag(13),
        'Option 14': flag(14),
        'Option 15': flag(15),
        'Option 16': flag(16),
        'Option 17': 'Application.StartupPath\\{0}'.format(options[17]),
        'Option 19': '%APPDATA%\\{0}'.format(options[19]),
        'Option 20': 'Application.StartupPath\\{0}\\{1}'.format(options[17], options[20]),
    }

    print('The real config does NOT use JSON! It is formatted for convenience!\n')
    print('Encoded config: {0}\n'.format(CONFIG))
    print('Decoded/Labeled config:\n{0}'.format(
        json.dumps(config, ensure_ascii=False, indent=2, sort_keys=True)
    ))