def get_config(self): ''' This is the main entry :return: ''' key1 = '15af8sd4s1c5s511' key2 = '4e3f5a4c592b243f' crypted_config = self.file_info.file_from_zip('config.txt') first_round = crypto.decrypt_aes(key1, binascii.unhexlify(crypted_config)) clear_config = crypto.decrypt_aes(key2, binascii.unhexlify(first_round[:-16])) fields = clear_config.decode('utf-8').split("<separator>") config_dict = {'Domain': fields[0], 'Password': fields[1], 'Port1': fields[2], 'Port2': fields[3] } if len(fields) > 4: config_dict['InstallName'] = fields[4] config_dict['JarName'] = fields[5] # Set the config to the class for use self.config = config_dict
def get_config(self): ''' This is the main entry :return: ''' # Getting resource is tough so instead we grab the base64 string from the raw file_data = self.file_info.file_data re_pattern = b'[a-zA-Z0-9+/]{60,}={0,2}' conf_string = re.findall(re_pattern, file_data)[0] # b64decode conf_string = b64decode(conf_string) # Derive Key key_hash = hashlib.md5( 'Specify a Password'.encode('utf-8')).hexdigest() aes_key = key_hash[:30] + key_hash + '00' # Decrypt decrypted = crypto.decrypt_aes(binascii.unhexlify(aes_key), conf_string) string_list = decrypted.decode('utf-8').split('|') config_dict = {} config_dict["Domain"] = string_list[0] config_dict["Port"] = string_list[1] config_dict["BackUp Domain"] = string_list[2] config_dict["Install Name"] = string_list[3] config_dict["Startup Name"] = string_list[4] config_dict["Campaign ID"] = string_list[5] # Set the config to the class for use self.config = config_dict
def get_config(self): ''' This is the main entry :return: ''' file_info = self.file_info file_list = file_info.zip_namelist() # Look for Dropper if 'sky.drive' in file_list and 'mega.download' in file_list and 'drop.box' in file_list: self.extract_from_droppper() # Look for implant elif 'server/resources/config.json' in file_list and 'server/resources/Key1.json' in file_list and 'server/resources/Key2.json' in file_list: rsa_serialized_key = file_info.file_from_zip('server/resources/Key1.json') encrypted_aes_key = file_info.file_from_zip('server/resources/Key2.json') aes_encrypted_config = file_info.file_from_zip('server/resources/config.json') # Another round of extraction rsa_key_string = Jbifrost.extract_rsa_key(rsa_serialized_key) aes_key = crypto.decrypt_rsa(rsa_key_string, encrypted_aes_key) implant_config = crypto.decrypt_aes(aes_key[-16:], aes_encrypted_config) implant_config = implant_config.decode('utf-8').rstrip('\x0e') self.config = implant_config elif 'lp/sq/d.png' in file_info: self.extract_from_droppper() else: print '\n[+] Failed to find jBiFrost malware...'
def extract_from_droppper(self): file_info = self.file_info try: # Read Files encrypted_aes_key = file_info.file_from_zip('mega.download') rsa_serialized_key = file_info.file_from_zip('sky.drive') aes_encrypted_config = file_info.file_from_zip('drop.box') # Deserailize and retrieve the RSA Key rsa_key_string = self.extract_rsa_key(rsa_serialized_key) # Decrypt the AES Key using the RSA Key aes_key = crypto.decrypt_rsa(rsa_key_string, encrypted_aes_key) except: # Read in serialized RSA KeyRep file. aes_encrypted_config = file_info.file_from_zip('lp/sq/d.png') aes_key = 'lks03oeldkfirowl' # Use the AES Key to decrpyt the config aes_decrypted_xml = crypto.decrypt_aes(aes_key[-16:], aes_encrypted_config) parsed_xml = self.parse_xml(aes_decrypted_xml) # Extract the implant using the xml properties rsa_serialized_key_path = parsed_xml['PRIVATE_PASSWORD'].lstrip('/') aes_path = parsed_xml['PASSWORD_CRYPTED'].lstrip('/') implant_path = parsed_xml['SERVER_PATH'].lstrip('/') rsa_serialized_key = file_info.file_from_zip(rsa_serialized_key_path) encrypted_aes_key = file_info.file_from_zip(aes_path) aes_encrypted_jar = file_info.file_from_zip(implant_path) # Another round of extraction rsa_key_string = Jbifrost.extract_rsa_key(rsa_serialized_key) aes_key = crypto.decrypt_rsa(rsa_key_string, encrypted_aes_key) implant_jar = crypto.decrypt_aes(aes_key[-16:], aes_encrypted_jar) # Update for new file new_info = fileparser.FileParser(rawdata=implant_jar) self.file_info = new_info # Run config again self.get_config()
def get_config(self): ''' This is the main entry :return: ''' config_dict = {} # Getting resource is tough so instead we grab the base64 string from the raw file_data = self.file_info.file_data re_pattern = b'[a-zA-Z0-9+/]{60,}={0,2}' conf_string = re.findall(re_pattern, file_data)[0] password = "******" # b64decode conf_string = b64decode(conf_string) # Derive Key key_hash = hashlib.md5(password.encode('utf-8')).hexdigest() aes_key = key_hash[:30] + key_hash + '00' # Decrypt decrypted = crypto.decrypt_aes(binascii.unhexlify(aes_key), conf_string) string_list = decrypted.decode('utf-8').split('*') config_dict = {} config_dict["Domain"] = string_list[1] config_dict["Port"] = string_list[2] config_dict["Password"] = string_list[3] config_dict["Install Name"] = string_list[4] config_dict["Startup Name"] = string_list[5] config_dict["Campaign ID"] = string_list[6] config_dict["Backup Domain"] = string_list[7] self.config = config_dict
def get_config(self): ''' This is the main entry :return: ''' file_info = self.file_info file_list = file_info.zip_namelist() internal_jar = None key_file = None config_data = None config_dict = {} for name in file_list: if name == 'key.dat': key_file = file_info.file_from_zip(name) if name == 'enc.dat': internal_jar = file_info.file_from_zip(name) if name == 'config.dat': config_data = file_info.file_from_zip(name) # If there is a wrapper around the jrat if internal_jar: drop_conf = key_file new_key = drop_conf[:16] drop_conf_fields = key_file[16:].split(b',') config_dict['dropper'] = [] for field in drop_conf_fields: try: decoded_field = b64decode(field).decode('utf-8') config_dict['dropper'].append(unhexlify(decoded_field)) except: pass new_jar_data = crypto.decrypt_aes(new_key, internal_jar) new_jar = fileparser.FileParser(rawdata=new_jar_data) # replace the keyfile and jar file with the new dropper for name in new_jar.zip_namelist(): if name == 'key.dat': key_file = new_jar.file_from_zip(name) if name == 'config.dat': config_data = new_jar.file_from_zip(name) # With the Key and Config Decrypt if len(key_file) == 16: # AES decrypted = crypto.decrypt_aes(key_file, config_data) if len(key_file) in [24, 32]: decrypted = crypto.decrypt_des3(key_file, config_data) # Process the decrypted Config decrypted = decrypted.decode('utf-8') # Clean it up a little for c in ['\x01', '\x03', '\x04', '\x06', '\x08']: decrypted = decrypted.replace(c, '') fields = decrypted.split('SPLIT') for field in fields: if '=' not in field: continue key, value = field.split('=') if key == 'ip': config_dict['Domain'] = value if key == 'addresses': dom_list = value.split(',') dom_count = 0 for dom in dom_list: if dom == '': continue config_dict['Domain {0}'.format(dom_count)] = value.split( ':')[0] config_dict['Port {0}'.format(dom_count)] = value.split( ':')[1] dom_count += 1 if key == 'port': config_dict['Port'] = value if key == 'os': config_dict['OS'] = value if key == 'mport': config_dict['MPort'] = value if key == 'perms': config_dict['Perms'] = value if key == 'error': config_dict['Error'] = value if key == 'reconsec': config_dict['RetryInterval'] = value if key == 'ti': config_dict['TI'] = value if key == 'pass': config_dict['Password'] = value if key == 'id': config_dict['CampaignID'] = value if key == 'mutex': config_dict['Mutex'] = value if key == 'toms': config_dict['TimeOut'] = value if key == 'per': config_dict['Persistance'] = value if key == 'name': config_dict['InstallName'] = value if key == 'tiemout': config_dict['TimeOutFlag'] = value if key == 'debugmsg': config_dict['DebugMsg'] = value config_dict["EncryptionKey"] = key_file # Set the config to the class for use self.config = config_dict