def get_config(self):
'''
This is the main entry
:return:
'''
file_data = self.file_info.file_data
pe = pefile.PE(data=file_data, fast_load=False)
data = self.yara_scan(file_data, '$opcodes03')
try:
key_va = struct.unpack('i', data[0][19:23])[0]
except:
data = self.yara_scan(file_data, '$opcodes05')
key_va = struct.unpack('<i', data[0][23:27])[0]
key_hex = self.pe_data(pe, key_va, 16)
data_2 = self.yara_scan(file_data, '$opcodes04')
config_list = []
for section in data_2:
length = struct.unpack('i', section[9:13])[0]
data_va = struct.unpack('i', section[17:21])[0]
sec_data = self.pe_data(pe, data_va, length)
dec = decrypt_arc4(key_hex, sec_data)
if b'\x00' in dec:
dec = dec[:dec.index(b'\x00')]
config_list.append(dec)
config_dict = self.parse_config(config_list)
#Check for new version
if config_dict == {}:
print("New Version Check")
data_2 = self.yara_scan(file_data, '$opcodes06')
config_list = []
for section in data_2:
length = struct.unpack('i', section[12:16])[0]
data_va = struct.unpack('i', section[20:24])[0]
sec_data = self.pe_data(pe, data_va, length)
dec = decrypt_arc4(key_hex, sec_data)
if b'\x00' in dec:
dec = dec[:dec.index(b'\x00')]
config_list.append(dec)
config_dict = self.parse_config(config_list)
self.config = config_dict
def ver_80(conf):
conf_dict = {}
conf_dict['Domain'] = decrypt_arc4('UniQue OussamiO', unhexlify(conf[1]))
conf_dict['Campaign'] = conf[2]
conf_dict['Enable Startup'] = conf[3]
conf_dict['StartupName'] = conf[4]
conf_dict['FolderName'] = conf[5]
if conf[6] == "D":
conf_dict['Path'] = 'App Data Folder'
elif conf[6] == "W":
conf_dict['Path'] = 'Windows Folder'
if conf[6] == "s":
conf_dict['Path'] = 'System Folder'
conf_dict['Enable Error Message'] = conf[7]
conf_dict['Error Message'] = conf[8]
conf_dict['Disable Firewall'] = conf[9]
#conf_dict[''] = conf[10]
#conf_dict[''] = conf[11]
conf_dict['USB Spread'] = conf[12]
conf_dict['MSN Spread'] = conf[13]
conf_dict['P2P Spread'] = conf[14]
conf_dict['Melt'] = conf[15]
conf_dict['Get Default User Name'] = conf[16]
conf_dict['Connection Delay'] = conf[17]
conf_dict['Set Hidden'] = conf[18]
conf_dict['Protect Process'] = conf[19]
#conf_dict[''] = conf[20]
return conf_dict
def config_cleaner(self, raw_dict):
clean_dict = {}
for k,v in raw_dict.items():
if k == 'ip':
clean_dict['Domain'] = decrypt_arc4('oussamio', unhexlify(v))
if k == 'fire':
clean_dict['Firewall Bypass'] = v
if k == 'foder':
clean_dict['InstallPath'] = v
if k == 'mlt':
clean_dict['Melt'] = v
if k == 'msns':
clean_dict['MSN Spread'] = v
if k == 'name':
clean_dict['Reg Key'] = v
if k == 'path':
clean_dict['Reg value'] = v
if k == 'port':
clean_dict['Port'] = v
if k == 'ppp':
clean_dict['P2PSpread'] = v
if k == 'reg':
clean_dict['Registry Startup'] = v
if k == 'usb':
clean_dict['USB Spread'] = v
if k == 'usbn':
clean_dict['USB Name'] = v
if k == 'victimo':
clean_dict['Campaign'] = v
return clean_dict
def ver_801(conf):
conf_dict = {}
conf_dict['Domain'] = decrypt_arc4('UniQue OussamiO', conf[1])
conf_dict['Campaign'] = conf[2]
conf_dict['Enable Startup'] = conf[3]
conf_dict['StartupName'] = conf[4]
conf_dict['FolderName'] = conf[5]
if conf[6] == 'D':
conf_dict['Path'] = 'App Data Folder'
elif conf[6] == 'W':
conf_dict['Path'] = 'Windows Folder'
if conf[6] == 's':
conf_dict['Path'] = 'System Folder'
conf_dict['Enable Error Message'] = conf[7]
conf_dict['Error Message'] = conf[8]
conf_dict['Disable Firewall'] = conf[9]
conf_dict['USB Spread'] = conf[12]
conf_dict['MSN Spread'] = conf[13]
conf_dict['P2P Spread'] = conf[14]
conf_dict['Melt'] = conf[15]
conf_dict['Get Default User Name'] = conf[16]
conf_dict['Connection Delay'] = conf[17]
conf_dict['Set Hidden'] = conf[18]
conf_dict['Protect Process'] = conf[19]
conf_dict['Name To Spread'] = conf[20]
conf_dict['Enable Active X'] = conf[21]
conf_dict['Active X Key'] = conf[22]
conf_dict['Enable Mutex'] = conf[23]
conf_dict['Mutex'] = conf[24]
conf_dict['Persistant Server'] = conf[25]
conf_dict['Offline Keylogger'] = conf[26]
conf_dict['Disable Task Manager'] = conf[27]
conf_dict['Disable RegEdit'] = conf[28]
return conf_dict
def get_config(self):
'''
This is the main entry
:return:
'''
key = "awenubisskqi"
# Get the file from the zip
zip_xml = self.file_info.file_from_zip('config.xml')
# No Easy way to detect version so just try it
try:
xml_string = crypto.decrypt_des_ecb(key[:-4], zip_xml)
except ValueError:
xml_string = crypto.decrypt_arc4(key, zip_xml)
# Convert to XML
xml = ET.fromstring(xml_string)
# Read the XML to a config dict
config_dict = {}
for child in xml:
if child.text.startswith("Adwind RAT"):
config_dict['Version'] = child.text
else:
config_dict[child.attrib['key']] = child.text
# Parse the config
config_dict = self.parse_config(config_dict)
# Set the config to the class for use
self.config = config_dict
def version_b(enckey, coded_jar):
config_dict = {}
for key in enckey:
decoded_data = crypto.decrypt_arc4(key, coded_jar)
decoded_jar = ZipFile(BytesIO(decoded_data))
raw_config = decoded_jar.read('config.xml').decode('utf-8')
for line in raw_config.split('\n'):
if line.startswith('<entry key'):
config_dict[re.findall('key="(.*?)"', line)[0]] = re.findall('>(.*?)</entry', line)[0]
config_dict['ConfigKey'] = key
return config_dict
def get_config(self):
'''
This is the main entry
:return:
'''
# Use file data to get version number
version_string = "Unknown"
ascii_strings = self.file_info.ascii_strings()
for s in ascii_strings:
if re.search(b'^[12]\.\d+\d{0,1}.*[FPL].*', s):
version_string = s
res_data = self.file_info.pe_resource_by_name("SETTINGS")
key_length_byte = res_data[0]
key_length = key_length_byte
key = res_data[1:key_length + 1]
encrypted_config = res_data[key_length + 1:]
decrypted_config = decrypt_arc4(key, encrypted_config)
config_string = decrypted_config.decode('utf-8')
# Parse the config
if '@@' in config_string:
config_list = config_string.split("@@")
else:
config_list = config_string.split('\x1e')
domain_string = config_list[0].split("|")
domain_list = []
for domain in domain_string:
parts = domain.split(":")
if len(parts) == 3:
dom = {"c2:": parts[0], "port": parts[1], "password": parts[2]}
domain_list.append(dom)
raw_config = {
"version": version_string.decode('utf-8'),
"domains": domain_list,
"mutex": config_list[14],
"Campaign": config_list[1],
"Connection Interval": config_list[2],
"Connection Delay": ord(config_list[3]),
"screenshot Windows": config_list[23],
"Keylog file": config_list[17].replace("\x00", ""),
"Install Name": config_list[10].replace("\x00", "")
}
self.config = raw_config
def version_a(enckey, coded_jar):
config_dict = {}
for key in enckey:
decoded_data = crypto.decrypt_arc4(key, coded_jar)
try:
decoded_jar = ZipFile(BytesIO(decoded_data))
raw_config = decoded_jar.read('org/jsocket/resources/config.json')
config = json.loads(raw_config)
for k, v in config.iteritems():
config_dict[k] = v
config_dict['ConfigKey'] = key
return config_dict
except:
pass
def parse_v5(file_info, dc_version):
config = {}
# Get the config section
config_data = file_info.pe_resource_by_name("DCDATA")
# Decrypt the config using the key
crypted_config = bytes.fromhex(config_data.decode())
clear_config = crypto.decrypt_arc4(dc_version, crypted_config)
# Parse the config entries to get a json object
config_list = clear_config.split(b'\r\n')
for entries in config_list[1:-1]:
key, value = entries.split(b'=')
key = key.strip().decode('utf-8')
value = value.rstrip()[1:-1]
clean_value = string_printable(value.decode('utf-8'))
config[key] = clean_value
config['Version'] = dc_version
# return the json
return config
def get_config(self):
'''
This is the main entry
:return:
'''
raw_config = {}
file_data = self.file_info.file_data
# Get Resource
res_data = self.file_info.pe_resource_id(
b'X\x00T\x00R\x00E\x00M\x00E\x00')
# Return no resource
if not res_data:
print(" [-] No Config Resource Found")
return # Check what we do for a negative result
key = 'C\x00O\x00N\x00'
decrypted_config = crypto.decrypt_arc4(key, res_data)
# 1.3.x - Not implemented yet.
if len(decrypted_config) == 0xe10:
config_data = None
# 2.9.x - Not a stable extract.
elif len(decrypted_config) == 0x1390 or len(
decrypted_config) == 0x1392:
config_data = self.v29(decrypted_config)
# 3.1 & 3.2
elif len(decrypted_config) == 0x5Cc:
config_data = self.v32(decrypted_config)
# 3.5
elif len(decrypted_config) == 0x7f0:
config_data = self.v35(decrypted_config)
else:
config_data = None