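    def get_bot_information(self, file_data):
        """Extract Cobalt Strike beacon C2 URIs from a PE's ``.data`` section.

        The ``.data`` section is XOR-decoded byte by byte with
        ``cobaltbeacon._xor``, the decoded bytes are scanned for printable
        strings, and every string matching the ``host,/path`` beacon layout
        is split into (host, path) pairs from the end of the string.

        Args:
            file_data: Raw bytes of the PE file.

        Returns:
            dict with key ``'c2s'``: a list of ``{"c2_uri": "http://host/path"}``
            entries, empty when nothing matched.

        Raises:
            pefile.PEFormatError: if ``file_data`` is not a parseable PE.
        """
        # Beacon C2s are stored as "<host>,<path>" runs.  NOTE(review): the
        # "09" inside the path character class looks like it was meant to be
        # "0-9"; kept as-is because search() only needs one path character.
        beacon_c2 = re.compile(
            r'[a-zA-Z0-9\.]{4,255},\/[a-zA-Z09\-\.\_\~\:\/\?\#\[\]@\!\$\&\'\(\)\*\+\,\;\=]{1,}')
        results = {'c2s': []}

        pe = pefile.PE(data=file_data)
        dotdata = ''
        for section in pe.sections:
            if section.Name == '.data\x00\x00\x00':
                dotdata = section.get_data()

        # Single-byte XOR decode of the section contents.
        frame = bytearray()
        for byte in dotdata:
            frame.append(cobaltbeacon._xor(ord(byte)))

        for string in data_strings(str(frame), 1):
            if not beacon_c2.search(string):
                continue
            parts = string.split(',')
            remaining = len(parts)
            # Walk the comma-separated fields from the end in (host, path)
            # pairs.  Stop at remaining > 1 rather than > 0: with an odd field
            # count the original loop read parts[-1] as the host, pairing the
            # first path with the last field of the string.
            while remaining > 1:
                path = parts[remaining - 1]
                host = parts[remaining - 2]
                if is_ip_or_domain(host):
                    results['c2s'].append({"c2_uri": "http://{0}{1}".format(host, path)})
                remaining -= 2

        return results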
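    def get_bot_information(self, file_data):
        """Extract C2 details from a sample whose config is ``abccba``-delimited.

        Two strategies are tried in order:

        1. Split the raw file on the ``abccba`` delimiter and, when enough
           fields are present, map the positional fields to their names and
           return them.
        2. Otherwise scan the printable strings for a ``.php`` gate path and
           an IP/domain, combining the last of each into ``c2_uri``.

        Args:
            file_data: Raw bytes of the sample.

        Returns:
            dict of extracted fields (the named config values, or ``c2_uri``);
            empty when neither strategy found anything.
        """
        results = {}

        # Positional names of the delimited config fields, starting at field 1
        # (field 0 is whatever precedes the first delimiter).
        field_names = (
            "Domain", "Port", "Campaign Name", "Copy StartUp", "StartUp Name",
            "Add To Registry", "Registry Key", "Melt + Inject SVCHost",
            "Anti Kill Process", "USB Spread", "Kill AVG 2012-2013",
            "Kill Process Hacker", "Kill Process Explorer", "Kill NO-IP",
            "Block Virus Total", "Block Virus Scan", "HideProcess",
        )
        # The original split the undefined name ``data``, assigned into the
        # ``dict`` builtin, and guarded only ``len(config) > 5`` while reading
        # up to index 17; its string-scan fallback below was unreachable.
        config = file_data.split("abccba")
        if len(config) > len(field_names):
            for index, name in enumerate(field_names, start=1):
                results[name] = config[index]
            return results

        gate = None
        server = None
        for s in data_strings(file_data):
            if ".php" in s:
                # Gate paths are normalised to start with a slash.
                if not s.startswith("/"):
                    s = "/" + s
                gate = s
            if is_ip_or_domain(s):
                server = s
        if server is not None and gate is not None:
            results["c2_uri"] = "%s%s" % (server, gate)
        return results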
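 def get_bot_information(self, file_data):
     """Extract the C2 URI from a sample that stores host and path as
     consecutive strings after the ``C:\\swi.txt`` marker.

     Scanning starts once the marker string is seen.  The first IP/domain
     after it is taken as the host and the very next string as the path; a
     next string that is itself an ``http://`` URL is treated as a false
     start and the search is reset.

     Args:
         file_data: Raw bytes of the sample.

     Returns:
         dict with ``'c2_uri'`` set to ``http://<host><path>`` when both were
         found, otherwise an empty dict.
     """
     results = {}
     ip = None
     path = None
     next_is_path = False
     start_checking = False
     for s in data_strings(file_data, 1):
         if s == "C:\\swi.txt":
             start_checking = True
         # Nothing to do before the marker, or once a path has been fixed.
         if not start_checking or path is not None:
             continue
         if next_is_path:
             # The string after the host should be the URI path; a full URL
             # here means we latched onto the wrong host, so start over.
             if s.startswith("http://"):
                 ip = None
                 next_is_path = False
                 continue
             path = s
             next_is_path = False
         elif is_ip_or_domain(s) and ip is None:
             ip = s
             next_is_path = True
     if ip is not None and path is not None:
         results['c2_uri'] = "http://{0}{1}".format(ip, path)
     return results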
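    def get_bot_information(self, file_data):
        """Extract Revenge RAT C2 host(s) and port(s) from the wide strings.

        The config stores hosts and ports as comma-terminated lists; each such
        string is split and its fields classified as IP/domain or numeric
        port.  Known noise hostnames are dropped, and when several ports are
        present the small flag-like values (<= 10) are discarded.

        Args:
            file_data: Raw bytes of the sample.

        Returns:
            dict with ``'c2_uri'`` (``tcp://host:port``) when exactly one host
            and one port were found, or ``'c2s'`` — a list of
            ``{"c2_uri": ...}`` entries pairing hosts with ports in order —
            when there are several; empty when either list is empty.
        """
        results = {}
        wide_strings = [i for i in data_strings_wide(file_data, 1)]

        potential_domains = []
        potential_ports = []
        for s in wide_strings:
            if not s.endswith(','):
                continue
            fields = s[:-1].strip().split(',')
            # Hosts and ports share the comma-terminated layout; the original
            # heuristics only differed in the minimum string length.
            if len(s) > 4:
                potential_domains.extend(f for f in fields if is_ip_or_domain(f))
            if len(s) > 2:
                # Store ports as ints so the "> 10" filter below compares
                # numbers; the original kept strings, which made the filter a
                # no-op on Python 2 and a TypeError on Python 3.
                potential_ports.extend(int(f) for f in fields if Revenge._is_number(f))

        # Hostnames the binary embeds that are not C2s.
        extra_domains = ("winlogon.com", "Microsoft.com")
        potential_domains = [d for d in potential_domains if d not in extra_domains]

        if len(potential_ports) > 1:
            potential_ports = [p for p in potential_ports if p > 10]

        # todo have less shitty extraction method
        if not potential_domains or not potential_ports:
            return results

        if len(potential_domains) == 1 and len(potential_ports) == 1:
            domain, port = potential_domains[0], potential_ports[0]
            if domain.endswith(":" + str(port)):
                results['c2_uri'] = "tcp://{0}".format(domain)
            else:
                results['c2_uri'] = "tcp://{0}:{1}".format(domain, port)
        else:
            # zip() stops at the shorter list; the original indexed ports by
            # the domain index and raised IndexError when ports were fewer.
            results['c2s'] = [
                {"c2_uri": "tcp://{0}:{1}".format(domain, port)}
                for domain, port in zip(potential_domains, potential_ports)
            ]
        return results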
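    def get_bot_information(self, file_data):
        """Extract the C2 host and port from an njRAT Gold sample.

        ``Njratgold._getcfg`` yields the base64-encoded host and port; each
        is decoded independently, and a value that fails to decode is replaced
        by the sentinel ``"ERR"`` so it cannot pass the IP/domain or numeric
        checks below.

        Args:
            file_data: Raw bytes of the sample.

        Returns:
            dict with ``'c2_uri'`` set to ``tcp://host:port``, or ``tcp://host``
            when the port did not decode to a number; empty when the host is
            not an IP or domain.
        """
        results = {}
        host, port = Njratgold._getcfg(file_data)

        def decode_or_err(value):
            # b64decode raises TypeError (Python 2) or binascii.Error, a
            # ValueError subclass (Python 3), on bad input; anything else is a
            # bug and should propagate instead of being masked by a bare except.
            try:
                return base64.b64decode(value)
            except (TypeError, ValueError):
                return "ERR"

        h = decode_or_err(host)
        p = decode_or_err(port)
        if is_ip_or_domain(h) and Njratgold._is_number(p):
            results['c2_uri'] = "tcp://{0}:{1}".format(h, p)
        elif is_ip_or_domain(h):
            results['c2_uri'] = "tcp://{0}".format(h)

        return results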
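 def get_bot_information(self, file_data):
     """Extract a ``host, port`` pair stored as consecutive wide strings.

     The first wide string that is an IP/domain and is followed by an
     integer string is taken as the host; that following string is the port.

     Args:
         file_data: Raw bytes of the sample.

     Returns:
         dict with ``'c2_uri'`` set to ``tcp://host:port``, otherwise an
         empty dict.
     """
     results = {}
     wide_strings = [i for i in data_strings_wide(file_data)]
     for ip, port_str in zip(wide_strings, wide_strings[1:]):
         if not is_ip_or_domain(ip):
             continue
         # The original indexed x + 1 without a bound and called int()
         # unguarded, so a host in the last slot or a non-numeric neighbour
         # raised IndexError / ValueError instead of being skipped.
         try:
             port = int(port_str)
         except ValueError:
             continue
         results['c2_uri'] = "tcp://{0}:{1}".format(ip, port)
         break
     return results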
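 def get_bot_information(self, file_data):
     """Extract a ``host, port`` pair stored as consecutive wide strings.

     The first wide string that is an IP/domain and is followed by an
     integer string is taken as the host; that following string is the port.

     Args:
         file_data: Raw bytes of the sample.

     Returns:
         dict with ``'c2_uri'`` set to ``tcp://host:port``, otherwise an
         empty dict.
     """
     results = {}
     wide_strings = [i for i in data_strings_wide(file_data)]
     for ip, port_str in zip(wide_strings, wide_strings[1:]):
         if not is_ip_or_domain(ip):
             continue
         # The original indexed x + 1 without a bound and called int()
         # unguarded, so a host in the last slot or a non-numeric neighbour
         # raised IndexError / ValueError instead of being skipped.
         try:
             port = int(port_str)
         except ValueError:
             continue
         results['c2_uri'] = "tcp://{0}:{1}".format(ip, port)
         break
     return results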
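 def get_bot_information(self, file_data):
     """Extract the C2 host from an njRAT Gold sample's config blob.

     The config returned by ``Njratgold._getcfg`` is searched with the
     module-level ``myc2rex`` pattern; group 1 is base64-decoded and the
     ``~n`` obfuscation token replaced with ``s.``.

     Args:
         file_data: Raw bytes of the sample.

     Returns:
         dict with ``'c2_uri'`` set to ``tcp://<host>`` when the decoded value
         is an IP or domain, otherwise an empty dict.
     """
     results = {}
     config = Njratgold._getcfg(file_data)
     c2 = myc2rex.search(config)
     if c2 is None:
         # No match, nothing to decode.  The original relied on a bare
         # except catching the AttributeError from None.group() and then
         # fed the sentinel "nope" through is_ip_or_domain.
         return results
     try:
         d = base64.b64decode(c2.group(1)).replace("~n", "s.")
     except (TypeError, ValueError):
         # Bad base64: TypeError on Python 2, binascii.Error (a ValueError)
         # on Python 3.
         return results
     if is_ip_or_domain(d):
         results['c2_uri'] = "tcp://{0}".format(d)
     return results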
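    def get_bot_information(self, file_data):
        """Extract the C2 host stored near the ``_ENABLE_PROFILING`` marker.

        The first IP/domain among the eleven wide strings following the
        marker is returned.

        Args:
            file_data: Raw bytes of the sample.

        Returns:
            dict with ``'c2_uri'`` set to the host string, or empty when the
            marker is absent or no host follows it.
        """
        results = {}
        wide_strings = [i for i in data_strings_wide(file_data, 1)]
        for i, s in enumerate(wide_strings):
            if s != "_ENABLE_PROFILING":
                continue
            # Slicing clamps the window to the end of the list; the original
            # read wide_strings[i + j] for j in 1..11 and raised IndexError
            # when the marker sat within the last eleven strings.
            for candidate in wide_strings[i + 1:i + 12]:
                if is_ip_or_domain(candidate):
                    results['c2_uri'] = candidate
                    return results

        return results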
 def get_bot_information(self, file_data):
     """Build a C2 URI from the last ``.php`` gate path and the last
     IP/domain seen among the sample's printable strings.

     Args:
         file_data: Raw bytes of the sample.

     Returns:
         dict with ``'c2_uri'`` = ``<server><gate>`` when both a gate and a
         server were found, otherwise an empty dict.
     """
     results = {}
     gate_path = None
     c2_host = None
     for candidate in data_strings(file_data):
         if ".php" in candidate:
             # Gate paths are normalised to start with a slash.
             if candidate[0] != "/":
                 candidate = "/" + candidate
             gate_path = candidate
         # Note: the host test sees the slash-normalised value from above.
         if is_ip_or_domain(candidate):
             c2_host = candidate
     if gate_path is None or c2_host is None:
         return results
     results["c2_uri"] = "%s%s" % (c2_host, gate_path)
     return results
    def get_bot_information(self, file_data):
        """Combine the last IP/domain and the last ``.php?`` query path found
        in the sample's printable strings into a C2 URI.

        Args:
            file_data: Raw bytes of the sample.

        Returns:
            dict with ``'c2_uri'`` = ``<domain><uri_path>`` when both parts
            were seen, otherwise an empty dict.
        """
        results = {}
        last_host = None
        last_path = None
        for candidate in data_strings(file_data):
            if is_ip_or_domain(candidate):
                last_host = candidate
            if ".php?" in candidate:
                last_path = candidate

        if None not in (last_host, last_path):
            results["c2_uri"] = "{0}{1}".format(last_host, last_path)

        return results
 def get_bot_information(self, file_data):
     """Build a C2 URI from the last ``.php`` gate path and the last
     IP/domain seen among the sample's printable strings.

     Args:
         file_data: Raw bytes of the sample.

     Returns:
         dict with ``'c2_uri'`` = ``<server><gate>`` when both a gate and a
         server were found, otherwise an empty dict.
     """
     results = {}
     gate_path = None
     c2_host = None
     for candidate in data_strings(file_data):
         if ".php" in candidate:
             # Gate paths are normalised to start with a slash.
             if candidate[0] != "/":
                 candidate = "/" + candidate
             gate_path = candidate
         # Note: the host test sees the slash-normalised value from above.
         if is_ip_or_domain(candidate):
             c2_host = candidate
     if gate_path is None or c2_host is None:
         return results
     results["c2_uri"] = "%s%s" % (c2_host, gate_path)
     return results
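 def get_bot_information(self, file_data):
     """Extract a base64-encoded C2 host from the sample's wide strings.

     Every wide string that looks like base64 (10+ alphabet characters plus
     optional padding) is decoded as ASCII; the last one that decodes to an
     IP/domain wins.

     Args:
         file_data: Raw bytes of the sample.

     Returns:
         dict with ``'c2_uri'`` set to ``tcp://<host>``, or empty when no
         candidate decoded to a host.
     """
     base64_regex = re.compile(r'[A-Za-z0-9/]{10,}[\=]{0,2}')
     results = {}
     wide_strings = [i for i in data_strings_wide(file_data, 1)]
     candidates = [d for d in wide_strings if base64_regex.match(d)]
     for encoded in candidates:
         # Non-base64 input raises TypeError (Python 2) or binascii.Error
         # (a ValueError, Python 3); a decoded blob that is not ASCII raises
         # UnicodeDecodeError (also a ValueError).  Anything else is a bug
         # and should surface instead of being swallowed by a bare except.
         try:
             decoded = base64.b64decode(encoded).decode('ascii')
         except (TypeError, ValueError):
             continue
         if is_ip_or_domain(decoded):
             results['c2_uri'] = "tcp://{0}".format(decoded)
     return results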
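 def get_bot_information(self, file_data):
     """Extract a C2 host from the wide strings of a PE's ``.text`` section.

     Args:
         file_data: Raw bytes of the PE file.

     Returns:
         dict with ``'c2_uri'`` set to ``tcp://<host>`` for the last IP/domain
         found after dropping known placeholder hosts, or empty when none.

     Raises:
         pefile.PEFormatError: if ``file_data`` is not a parseable PE.
     """
     results = {}
     pe = pefile.PE(data=file_data)
     dottext = ''
     for section in pe.sections:
         if section.Name == '.text\x00\x00\x00':
             dottext = section.get_data()
     wide_strings = [i for i in data_strings_wide(dottext, 1)]
     # Hosts the binary embeds that are not C2s.
     extra_hosts = ('1.1.1.1',)
     # Filter with a comprehension: the original called list.remove() while
     # iterating the same list, which skips the element after each removal.
     potential_domains = [d for d in wide_strings
                          if is_ip_or_domain(d) and d not in extra_hosts]
     # There is a single c2_uri slot, so several hosts collapse to the last.
     for d in potential_domains:
         results['c2_uri'] = "tcp://{0}".format(d)
     return results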
 def get_bot_information(self, file_data):
     """Extract the C2 URL, gate and version from the sample's strings.

     The last ``http://`` string whose host part is an IP/domain is the
     server, the last string containing ``run.php`` is the gate, and a bare
     ``d.d.d`` string is reported as the version.

     Args:
         file_data: Raw bytes of the sample.

     Returns:
         dict with ``'version'`` when a ``d.d.d`` string was seen and
         ``'c2_uri'`` = ``<server><gate>`` when both parts were found.
     """
     results = {}
     gate_path = None
     server_url = None
     scheme = "http://"
     for candidate in data_strings(file_data):
         if "run.php" in candidate:
             gate_path = candidate
         if candidate.startswith(scheme) and len(candidate) > len(scheme):
             # Host is everything between the scheme and the first slash.
             host = candidate[len(scheme):].split('/', 1)[0]
             if is_ip_or_domain(host):
                 server_url = candidate
         if match(r'^\d\.\d\.\d$', candidate) is not None:
             results["version"] = candidate
     if None not in (server_url, gate_path):
         results["c2_uri"] = "%s%s" % (server_url, gate_path)
     return results
 def get_bot_information(self, file_data):
     """Extract the C2 URL, gate and version from the sample's strings.

     The last ``http://`` string whose host part is an IP/domain is the
     server, the last string containing ``run.php`` is the gate, and a bare
     ``d.d.d`` string is reported as the version.

     Args:
         file_data: Raw bytes of the sample.

     Returns:
         dict with ``'version'`` when a ``d.d.d`` string was seen and
         ``'c2_uri'`` = ``<server><gate>`` when both parts were found.
     """
     results = {}
     gate_path = None
     server_url = None
     scheme = "http://"
     for candidate in data_strings(file_data):
         if "run.php" in candidate:
             gate_path = candidate
         if candidate.startswith(scheme) and len(candidate) > len(scheme):
             # Host is everything between the scheme and the first slash.
             host = candidate[len(scheme):].split('/', 1)[0]
             if is_ip_or_domain(host):
                 server_url = candidate
         if match(r'^\d\.\d\.\d$', candidate) is not None:
             results["version"] = candidate
     if None not in (server_url, gate_path):
         results["c2_uri"] = "%s%s" % (server_url, gate_path)
     return results
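    def get_bot_information(self, file_data):
        """Extract the njRAT C2 host and port from the sample's wide strings.

        The config block is located by its first string that starts with
        ``0.`` (presumably the version marker) or contains the
        ``netsh firewall add allowedprogram`` command; everything before it is
        discarded.  From the remainder the first IP/domain and the first
        numeric string form the C2.

        Args:
            file_data: Raw bytes of the sample.

        Returns:
            dict with ``'c2_uri'`` set to ``tcp://host:port`` (or ``tcp://host``
            alone when the host string already carries ``:port``), or empty
            when no host or no port was found.
        """
        # todo Pimp this out with https://github.com/kevthehermit/RATDecoders/blob/master/njRat.py
        results = {}
        wide_strings = [i for i in data_strings_wide(file_data, 1)]

        # Skip strings that precede the config block.
        start_index = 0
        for index, s in enumerate(wide_strings):
            if s.startswith("0.") or "netsh firewall add allowedprogram" in s:
                start_index = index
                break
        wide_strings = wide_strings[start_index:]

        # Hostnames the binary embeds that are not C2s.  Filter with a
        # comprehension so every occurrence is dropped; the original
        # list.remove() only took the first.
        extra_domains = ("winlogon.com", "Microsoft.com")
        potential_domains = [d for d in wide_strings
                             if is_ip_or_domain(d) and d not in extra_domains]
        potential_ports = [int(p) for p in wide_strings if njRat._is_number(p)]

        # With several numeric strings the small ones are flags, not ports.
        if len(potential_ports) > 1:
            potential_ports = [p for p in potential_ports if p > 10]

        # todo have less shitty extraction method
        if potential_domains and potential_ports:
            domain, port = potential_domains[0], potential_ports[0]
            if domain.endswith(":" + str(port)):
                results['c2_uri'] = "tcp://{0}".format(domain)
            else:
                results['c2_uri'] = "tcp://{0}:{1}".format(domain, port)

        return results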
    def get_bot_information(self, file_data):
        """Pair every IP/domain with every multi-segment absolute path found
        in the sample's printable strings.

        Args:
            file_data: Raw bytes of the sample.

        Returns:
            dict with ``'c2s'``: ``{"c2_uri": "<domain><path>"}`` entries for
            the cross product of hosts and paths, present only when at least
            one of each was found; otherwise an empty dict.
        """
        results = {}
        hosts = set()
        paths = set()
        for candidate in data_strings(file_data):
            if is_ip_or_domain(candidate):
                hosts.add(candidate)
            # A path must be absolute and contain at least two slashes.
            if candidate[0] == "/" and candidate.count("/") > 1:
                paths.add(candidate)

        if hosts and paths:
            results["c2s"] = [{"c2_uri": "{0}{1}".format(host, path)}
                              for host in hosts for path in paths]

        return results
    def get_bot_information(self, file_data):
        """Pair every IP/domain with every ``.php`` path found in the sample's
        printable strings.

        Args:
            file_data: Raw bytes of the sample.

        Returns:
            dict with ``'c2s'``: ``{"c2_uri": "<domain><path>"}`` entries for
            the cross product of hosts and paths, present only when at least
            one of each was found; otherwise an empty dict.
        """
        results = {}
        hosts = set()
        paths = set()
        for candidate in data_strings(file_data):
            if is_ip_or_domain(candidate):
                hosts.add(candidate)
            if candidate.endswith(".php"):
                paths.add(candidate)

        if hosts and paths:
            results["c2s"] = [{"c2_uri": "{0}{1}".format(host, path)}
                              for host in hosts for path in paths]

        return results
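    def get_bot_information(self, file_data):
        """Extract the C2 host from a sample whose strings are XOR-encrypted
        with a 32-bit key.

        The encrypted region starts right after a run of eight ``0x90`` bytes.
        Its first dword is treated as known plaintext ``0x8be58955``
        (presumably the standard function-prologue bytes 55 89 E5 8B —
        confirm), so the key is recovered as ``ciphertext ^ plaintext`` and
        applied dword by dword.

        Args:
            file_data: Raw bytes of the sample.

        Returns:
            dict with ``'c2_uri'`` set to the last IP/domain found in the
            decrypted region; empty when the marker is missing or the region
            is shorter than one dword.
        """
        results = {}

        marker = b"\x90" * 8
        marker_at = file_data.find(marker)
        if marker_at == -1:
            # Without the marker the original computed -1 + 8 = 7 and
            # silently "decrypted" from offset 7 with a garbage key.
            return results
        data = file_data[marker_at + len(marker):]
        if len(data) < 4:
            return results

        # Known-plaintext recovery of the XOR key from the first dword.
        xor_key = struct.unpack_from("<I", data, 0)[0] ^ 0x8be58955

        # Decrypt every complete dword (offsets 0, 4, ... up to len - 4).
        # The original stopped at ``len(data) > 4``, dropping the final dword
        # when the region length was a multiple of four, and rebuilt the
        # buffer with quadratic ``+=`` / re-slicing.
        chunks = [
            struct.pack("<I", struct.unpack_from("<I", data, offset)[0] ^ xor_key)
            for offset in range(0, len(data) - 3, 4)
        ]
        decrypted = b"".join(chunks)

        for s in data_strings(decrypted):
            if is_ip_or_domain(s):
                results['c2_uri'] = s

        return results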
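    def get_bot_information(self, file_data):
        """Extract the njRAT C2 host and port from the sample's wide strings.

        The config block is located by its first string that starts with
        ``0.`` (presumably the version marker) or contains the
        ``netsh firewall add allowedprogram`` command; everything before it is
        discarded.  From the remainder the first IP/domain and the first
        numeric string form the C2.

        Args:
            file_data: Raw bytes of the sample.

        Returns:
            dict with ``'c2_uri'`` set to ``tcp://host:port`` (or ``tcp://host``
            alone when the host string already carries ``:port``), or empty
            when no host or no port was found.
        """
        # todo Pimp this out with https://github.com/kevthehermit/RATDecoders/blob/master/njRat.py
        results = {}
        wide_strings = [i for i in data_strings_wide(file_data, 1)]

        # Skip strings that precede the config block.
        start_index = 0
        for index, s in enumerate(wide_strings):
            if s.startswith("0.") or "netsh firewall add allowedprogram" in s:
                start_index = index
                break
        wide_strings = wide_strings[start_index:]

        # Hostnames the binary embeds that are not C2s.  Filter with a
        # comprehension so every occurrence is dropped; the original
        # list.remove() only took the first.
        extra_domains = ("winlogon.com", "Microsoft.com")
        potential_domains = [d for d in wide_strings
                             if is_ip_or_domain(d) and d not in extra_domains]
        potential_ports = [int(p) for p in wide_strings if njRat._is_number(p)]

        # With several numeric strings the small ones are flags, not ports.
        if len(potential_ports) > 1:
            potential_ports = [p for p in potential_ports if p > 10]

        # todo have less shitty extraction method
        if potential_domains and potential_ports:
            domain, port = potential_domains[0], potential_ports[0]
            if domain.endswith(":" + str(port)):
                results['c2_uri'] = "tcp://{0}".format(domain)
            else:
                results['c2_uri'] = "tcp://{0}:{1}".format(domain, port)

        return results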
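 def get_bot_information(self, file_data):
     """Collect ``http://`` URLs whose host is an IP/domain; those ending in
     ``.php`` are reported as C2 gates.

     Args:
         file_data: Raw bytes of the sample.

     Returns:
         dict with ``'c2s'`` (``{"c2_uri": <url>}`` for every ``.php`` URL,
         in order of appearance) and ``'all_uris'`` (every qualifying URL,
         de-duplicated) when at least one gate was found; otherwise an empty
         dict.
     """
     results = {}
     scheme = "http://"
     gate_uris = []
     all_uris = []
     for s in data_strings(file_data):
         if not (s.startswith(scheme) and len(s) > len(scheme)):
             continue
         # Host is everything between the scheme and the first slash.
         host = s[len(scheme):].split('/', 1)[0]
         if not is_ip_or_domain(host):
             continue
         all_uris.append(s)
         if s.endswith(".php"):
             gate_uris.append(s)
     # The original also tracked a redundant ``uri`` flag and re-checked
     # ``"c2s" not in results`` on a dict that was still empty.
     if gate_uris:
         results["c2s"] = [{"c2_uri": u} for u in gate_uris]
         # De-duplicate while keeping first-seen order; list(set(...)) gave
         # an order that varied between runs.
         seen = set()
         unique_uris = []
         for u in all_uris:
             if u not in seen:
                 seen.add(u)
                 unique_uris.append(u)
         results["all_uris"] = unique_uris
     return results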
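 def get_bot_information(self, file_data):
     """Collect ``http://`` URLs whose host is an IP/domain; those ending in
     ``.php`` are reported as C2 gates.

     Args:
         file_data: Raw bytes of the sample.

     Returns:
         dict with ``'c2s'`` (``{"c2_uri": <url>}`` for every ``.php`` URL,
         in order of appearance) and ``'all_uris'`` (every qualifying URL,
         de-duplicated) when at least one gate was found; otherwise an empty
         dict.
     """
     results = {}
     scheme = "http://"
     gate_uris = []
     all_uris = []
     for s in data_strings(file_data):
         if not (s.startswith(scheme) and len(s) > len(scheme)):
             continue
         # Host is everything between the scheme and the first slash.
         host = s[len(scheme):].split('/', 1)[0]
         if not is_ip_or_domain(host):
             continue
         all_uris.append(s)
         if s.endswith(".php"):
             gate_uris.append(s)
     # The original also tracked a redundant ``uri`` flag and re-checked
     # ``"c2s" not in results`` on a dict that was still empty.
     if gate_uris:
         results["c2s"] = [{"c2_uri": u} for u in gate_uris]
         # De-duplicate while keeping first-seen order; list(set(...)) gave
         # an order that varied between runs.
         seen = set()
         unique_uris = []
         for u in all_uris:
             if u not in seen:
                 seen.add(u)
                 unique_uris.append(u)
         results["all_uris"] = unique_uris
     return results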
 def get_bot_information(self, file_data):
     """Pair every IP/domain with every ``.php`` gate path found in the
     strings of each PE section.

     Args:
         file_data: Raw bytes of the PE file.

     Returns:
         dict with ``'c2s'``: ``{"c2_uri": "<host><path>"}`` entries for the
         cross product of hosts and paths, present only when at least one of
         each was found; otherwise an empty dict.
     """
     results = {}
     gate_paths = set()
     hosts = set()
     pe = PE(data=file_data)
     for section in pe.sections:
         for candidate in data_strings(pe.get_data(section.VirtualAddress)):
             if ".php" in candidate:
                 # Gate paths are normalised to start with a slash.
                 if candidate[0] != "/":
                     candidate = "/" + candidate
                 gate_paths.add(candidate)
             # Note: the host test sees the slash-normalised value from above.
             if is_ip_or_domain(candidate):
                 hosts.add(candidate)
     if hosts and gate_paths:
         results["c2s"] = [{"c2_uri": "%s%s" % (host, path)}
                           for host in hosts for path in gate_paths]
     return results
 def get_bot_information(self, file_data):
     """Pair every IP/domain with every ``.php`` gate path found in the
     strings of each PE section.

     Args:
         file_data: Raw bytes of the PE file.

     Returns:
         dict with ``'c2s'``: ``{"c2_uri": "<host><path>"}`` entries for the
         cross product of hosts and paths, present only when at least one of
         each was found; otherwise an empty dict.
     """
     results = {}
     gate_paths = set()
     hosts = set()
     pe = PE(data=file_data)
     for section in pe.sections:
         for candidate in data_strings(pe.get_data(section.VirtualAddress)):
             if ".php" in candidate:
                 # Gate paths are normalised to start with a slash.
                 if candidate[0] != "/":
                     candidate = "/" + candidate
                 gate_paths.add(candidate)
             # Note: the host test sees the slash-normalised value from above.
             if is_ip_or_domain(candidate):
                 hosts.add(candidate)
     if hosts and gate_paths:
         results["c2s"] = [{"c2_uri": "%s%s" % (host, path)}
                           for host in hosts for path in gate_paths]
     return results
 def _parse_config(string_list):
     """Map an njRAT sample's wide-string list to ``version``/``Domain``/``Port``.

     Each known build keeps its version marker (``'0.7d'``, ``'0.11G'``,
     ``'VISION'``, ...) at a fixed index of the string list, with the host and
     port at fixed offsets nearby; the branches below test those markers in
     turn and return on the first hit.  A few builds store host/port base64-,
     hex- or custom-encoded and are decoded in place.  When no marker matches,
     a generic scan pairs the first numeric string with the string before it.

     Args:
         string_list: Wide strings extracted from the sample, in file order.

     Returns:
         dict with ``version``, ``Domain`` and ``Port`` (the ``'Eroor'`` branch
         may return a partial dict when one of its decodes failed), or ``None``
         when no branch matched, since the function falls off the end.

     NOTE(review): the fixed-index tests up to ``string_list[83]`` run before
     any ``len()`` check, so a list shorter than that raises IndexError rather
     than returning ``None``.
     """
     config_dict = {}
     if string_list[5] == '0.3.5':
         config_dict["version"] = string_list[5]
         config_dict["Domain"] = string_list[7]
         config_dict["Port"] = string_list[8]
         return config_dict
     if string_list[6] == '0.3.6':
         config_dict["version"] = string_list[6]
         config_dict["Domain"] = string_list[8]
         config_dict["Port"] = string_list[9]
         return config_dict
     if string_list[3] == '0.4.1a':
         config_dict["version"] = string_list[3]
         config_dict["Domain"] = string_list[8]
         config_dict["Port"] = string_list[9]
         return config_dict
     if string_list[2] == '0.5.0E':
         config_dict["version"] = string_list[2]
         config_dict["Domain"] = string_list[7]
         config_dict["Port"] = string_list[8]
         return config_dict
     if string_list[5] == '0.5.0E':
         config_dict["version"] = string_list[5]
         config_dict["Domain"] = string_list[8]
         config_dict["Port"] = string_list[9]
         return config_dict
     if string_list[2] == '0.6.4':
         config_dict["version"] = string_list[2]
         config_dict["Domain"] = string_list[6]
         config_dict["Port"] = string_list[7]
         return config_dict
     if string_list[2] == '0.7.1':
         config_dict["version"] = string_list[2]
         config_dict["Domain"] = string_list[7]
         config_dict["Port"] = string_list[8]
         return config_dict
     if string_list[2] == '0.7d':
         config_dict["version"] = string_list[2]
         config_dict["Domain"] = string_list[6]
         config_dict["Port"] = string_list[7]
         return config_dict
     if string_list[9] == '0.7d':
         config_dict["version"] = string_list[9]
         config_dict["Domain"] = string_list[4]
         config_dict["Port"] = string_list[5]
         return config_dict
     if string_list[10] == '0.7d':
         config_dict["version"] = string_list[10]
         config_dict["Domain"] = string_list[4]
         config_dict["Port"] = string_list[6]
         return config_dict
     if string_list[21] == '0.7d':
         config_dict["version"] = string_list[21]
         config_dict["Domain"] = string_list[15]
         config_dict["Port"] = string_list[17]
         return config_dict
     # Two 0.7d layouts share index 12; the extra netsh string tells them apart.
     if string_list[12] == '0.7d' and string_list[83] == 'netsh firewall delete allowedprogram "':
         config_dict["version"] = string_list[12]
         config_dict["Domain"] = string_list[7]
         config_dict["Port"] = string_list[8]
         return config_dict
     if string_list[12] == '0.7d':
         config_dict["version"] = string_list[12]
         config_dict["Domain"] = string_list[6]
         config_dict["Port"] = string_list[8]
         return config_dict
     if string_list[16] == '0.7d':
         config_dict["version"] = string_list[16]
         config_dict["Domain"] = string_list[20]
         config_dict["Port"] = string_list[21]
         return config_dict
     if string_list[28] == '0.7d':
         config_dict["version"] = string_list[28]
         config_dict["Domain"] = string_list[22]
         config_dict["Port"] = string_list[24]
         return config_dict
     if string_list[29] == '0.7d':
         config_dict["version"] = string_list[29]
         config_dict["Domain"] = string_list[22]
         config_dict["Port"] = string_list[25]
         return config_dict
     # Builds that base64-encode host and port (some also reverse the result).
     if string_list[24] == '0.7d' and string_list[25] == 'TGVHZW5kUmF0':
         config_dict["version"] = string_list[24]
         config_dict["Domain"] = base64.b64decode(string_list[18])
         config_dict["Port"] = base64.b64decode(string_list[19])
         return config_dict
     if string_list[20] == '0.7d' and string_list[19] == 'Q3J5cA==':
         config_dict["version"] = string_list[20]
         config_dict["Domain"] = base64.b64decode(string_list[14])[::-1]
         config_dict["Port"] = base64.b64decode(string_list[16])[::-1]
         return config_dict
     if string_list[20] == '0.7 MultiHost':
         config_dict["version"] = string_list[20]
         config_dict["Domain"] = string_list[14]
         config_dict["Port"] = string_list[16]
         return config_dict
     if string_list[21] == '0.7 MultiHost':
         config_dict["version"] = string_list[21]
         config_dict["Domain"] = string_list[14]
         config_dict["Port"] = string_list[17]
         return config_dict
     # 0.11G stores "host:port" in a single string.
     if string_list[9] == '0.11G':
         config_dict["version"] = string_list[9]
         config_dict["Domain"] = string_list[2].split(":")[0]
         config_dict["Port"] = string_list[2].split(":")[1]
         return config_dict
     if string_list[10] == '0.11G':
         config_dict["version"] = string_list[10]
         config_dict["Domain"] = string_list[2].split(":")[0]
         config_dict["Port"] = string_list[2].split(":")[1]
         return config_dict
     if string_list[10] == 'VISION':
         config_dict["version"] = string_list[10]
         config_dict["Domain"] = string_list[4]
         config_dict["Port"] = string_list[6]
         return config_dict
     if string_list[12] == 'im523':
         config_dict["version"] = string_list[12]
         config_dict["Domain"] = string_list[4]
         config_dict["Port"] = string_list[7]
         return config_dict
     if string_list[11] == 'im523':
         config_dict["version"] = string_list[11]
         config_dict["Domain"] = string_list[4]
         config_dict["Port"] = string_list[6]
         return config_dict
     if string_list[2] == 'Hallaj PRO Rat [Fixed]':
         config_dict["version"] = string_list[2]
         config_dict["Domain"] = string_list[6]
         config_dict["Port"] = string_list[7]
         return config_dict
     if string_list[2] == '#######Hallaj PRO Rat [Fixed v2]##########':
         config_dict["version"] = string_list[2]
         config_dict["Domain"] = string_list[5]
         config_dict["Port"] = string_list[6]
         return config_dict
     # Hex-encoded build: '30 2E 37 64' is the hex of '0.7d'.  str.decode('hex')
     # is Python 2 only.
     if string_list[8] == '30 2E 37 64':
         config_dict["version"] = string_list[8].replace(' ', '').decode('hex')
         config_dict["Domain"] = string_list[3].replace(' ', '').decode('hex')
         config_dict["Port"] = string_list[4].replace(' ', '').decode('hex')
         return config_dict
     if string_list[2] == '0.8d':
         config_dict["version"] = string_list[2]
         config_dict["Domain"] = string_list[7]
         config_dict["Port"] = string_list[8]
         return config_dict
     # "HiDDen" build: identified by two fixed non-ASCII marker strings; host
     # and port use a custom encoding handled by njRat._hiddenperson_decode.
     if string_list[21] == u'\u1f70\u1f6e\u1f77\u1fa4' and string_list[22] == u'\u1fbc\u1f67\u1fbc\u1f67\u1fbc':
         config_dict["version"] = '0.7d-HiDDen'
         config_dict["Domain"] = njRat._hiddenperson_decode(string_list[15])
         config_dict["Port"] = njRat._hiddenperson_decode(string_list[17])
         return config_dict
     # "zwmod" build: marker strings have "zw" interleaved into their characters.
     if string_list[4] == 'zwazwczwtzw' and string_list[47] == 'zwvzwnzw' and string_list[53] == 'nzwezwtzwszwh' and string_list[54] == 'fizwrzwezwwalzwl dzwezwlzwezwte azwllowedprogrzwam "':
         config_dict["version"] = '0.7d-zwmod'
         config_dict["Domain"] = string_list[83]
         config_dict["Port"] = string_list[84]
         return config_dict
     if len(string_list) > 139:
         # 0.7.3: the version string floats, so locate it and read the port
         # and host relative to it (skipping a True/False flag if present).
         for i in range(0, len(string_list), 1):
             if string_list[i] == '0.7.3':
                 config_dict["version"] = string_list[i]
                 config_dict["Port"] = string_list[i-3]
                 if string_list[i-4] == 'False' or string_list[i-4] == 'True':
                     config_dict["Domain"] = string_list[i-5]
                 else:
                     config_dict["Domain"] = string_list[i-4]
         if len(config_dict) > 2:
             return config_dict
         if string_list[149] == '0.9b':
             config_dict["version"] = string_list[149]
             config_dict["Domain"] = string_list[10]
             config_dict["Port"] = string_list[11]
             return config_dict
     if len(string_list) > 94:
         if string_list[91] == '0.7D':
             config_dict["version"] = string_list[91]
             config_dict["Domain"] = string_list[88]
             config_dict["Port"] = string_list[89]
             return config_dict
         if string_list[94] == '0.7d':
             config_dict["version"] = string_list[94]
             config_dict["Domain"] = string_list[91]
             config_dict["Port"] = string_list[92]
             return config_dict
     if len(string_list) > 75:
         if string_list[76] == '0.7NC':
             config_dict["version"] = string_list[76]
             config_dict["Domain"] = string_list[71]
             config_dict["Port"] = string_list[72]
             return config_dict
         if string_list[75] == 'cGFzdHBpbg==':
             config_dict["version"] = base64.b64decode(string_list[75])
             config_dict["Domain"] = string_list[71]
             config_dict["Port"] = string_list[72]
             return config_dict
         if string_list[75] == 'QiBIQVQ=':
             config_dict["version"] = '0.7d-BHAT'
             config_dict["Domain"] = base64.b64decode(string_list[71])[::-1]
             config_dict["Port"] = base64.b64decode(string_list[72])
             return config_dict
     if len(string_list) > 110:
         if string_list[103] == '0.6.4':
             config_dict["version"] = string_list[103]
             config_dict["Domain"] = string_list[107]
             config_dict["Port"] = string_list[108]
             return config_dict
     # "Eroor" builds: host and port are base64 with substituted alphabet
     # characters ("FRANSESCO" or "*" for "M", "Strik" or "!" for "=").  Every
     # string is tried; the last successful decode of each kind wins, and a
     # partially filled dict is returned as-is.
     if string_list[25] == 'Eroor' or (len(string_list) > 511 and string_list[511] == 'Eroor'):
         i=0
         while i < len(string_list):
             if len(string_list[i]) > 20:
                 try:
                     domain = base64.b64decode(str(string_list[i].replace("FRANSESCO","M").replace("Strik","=")))
                     if is_ip_or_domain(domain):
                         config_dict["Domain"] = domain
                         config_dict["version"] = '0.7d-BR'
                 except:
                     pass
                 try:
                     domain = base64.b64decode(str(string_list[i].replace("*","M").replace("!","=")))
                     if is_ip_or_domain(domain):
                         config_dict["Domain"] = domain
                         config_dict["version"] = '0.7d-BR'
                 except:
                     pass
             if len(string_list[i]) > 2 and len(string_list[i]) < 9:
                 try:
                     port = base64.b64decode(str(string_list[i]))
                     if njRat._is_number(port):
                         config_dict["Port"] = port
                 except:
                     pass
             i+=1
         if len(config_dict) > 0:
             return config_dict
     # generic config search
     # First numeric string preceded by an IP/domain.  Note that at i == 0,
     # string_list[i-1] is string_list[-1], the last element.
     for i in range(0, len(string_list)):
         if njRat._is_number(string_list[i]) and is_ip_or_domain(string_list[i-1]):
             config_dict["version"] = 'GENERIC'
             config_dict["Domain"] = string_list[i-1]
             config_dict["Port"] = string_list[i]
             return config_dict
    def _parse_config(string_list: list[str]) -> dict[str, str] | None:
        """Recover the njRat C2 configuration from a list of extracted strings.

        Each branch below corresponds to one known njRat build: the version
        marker is expected at a fixed index in ``string_list`` and the C2
        host/port are read from other fixed indices relative to it. Branches
        are tried in order and the first match wins, so the order of the
        ``elif`` chain is significant (e.g. ``string_list[2] == '0.5.0E'`` is
        tested before ``string_list[5] == '0.5.0E'``).

        Args:
            string_list: Strings extracted from the sample, in file order.
                The content is attacker-controlled, so nothing about its
                length or layout can be trusted.

        Returns:
            A dict with the keys ``"version"``, ``"Domain"`` and ``"Port"``
            when a branch matched (only ``"Port"``/``"Domain"`` may be set in
            the ``'Eroor'`` branch). Values are copied verbatim from
            ``string_list`` except where a branch base64-decodes or
            character-shifts them. If no branch sets anything, execution
            falls past the final ``return`` (implicit ``None``).

        Raises:
            IndexError: Most branches index ``string_list`` at fixed
                positions (up to index 29 in the unguarded tests, and
                ``[83]``/``[84]`` inside the zwmod branch) without a length
                check, so a short string list aborts the parse instead of
                returning nothing.

        NOTE(review): this reads like Python 2 code (``u''`` literals,
        ``str()`` wrapping before ``b64decode``). Under Python 3
        ``base64.b64decode`` returns ``bytes``; whether ``is_ip_or_domain``
        and ``njRat._is_number`` (both defined elsewhere) accept bytes is not
        visible here — confirm before relying on the decoded branches.
        """
        config_dict = {}
        # Length is only consulted by the last branch (``isbig > 139``).
        isbig = len(string_list)
        if string_list[5] == '0.3.5':
            config_dict["version"] = string_list[5]
            config_dict["Domain"] = string_list[7]
            config_dict["Port"] = string_list[8]
        elif string_list[6] == '0.3.6':
            config_dict["version"] = string_list[6]
            config_dict["Domain"] = string_list[8]
            config_dict["Port"] = string_list[9]
        elif string_list[3] == '0.4.1a':
            config_dict["version"] = string_list[3]
            config_dict["Domain"] = string_list[8]
            config_dict["Port"] = string_list[9]
        elif string_list[2] == '0.5.0E':
            config_dict["version"] = string_list[2]
            config_dict["Domain"] = string_list[7]
            config_dict["Port"] = string_list[8]
        elif string_list[5] == '0.5.0E':
            config_dict["version"] = string_list[5]
            config_dict["Domain"] = string_list[8]
            config_dict["Port"] = string_list[9]
        elif string_list[2] == '0.6.4':
            config_dict["version"] = string_list[2]
            config_dict["Domain"] = string_list[6]
            config_dict["Port"] = string_list[7]
        elif string_list[2] == '0.7.1':
            config_dict["version"] = string_list[2]
            config_dict["Domain"] = string_list[7]
            config_dict["Port"] = string_list[8]
        # Several '0.7d' layouts exist; they are distinguished purely by the
        # index at which the marker appears (and, for index 12, by the
        # presence of the netsh string at index 83).
        elif string_list[2] == '0.7d':
            config_dict["version"] = string_list[2]
            config_dict["Domain"] = string_list[6]
            config_dict["Port"] = string_list[7]
        elif string_list[9] == '0.7d':
            config_dict["version"] = string_list[9]
            config_dict["Domain"] = string_list[4]
            config_dict["Port"] = string_list[5]
        elif string_list[10] == '0.7d':
            config_dict["version"] = string_list[10]
            config_dict["Domain"] = string_list[4]
            config_dict["Port"] = string_list[6]
        elif string_list[21] == '0.7d':
            config_dict["version"] = string_list[21]
            config_dict["Domain"] = string_list[15]
            config_dict["Port"] = string_list[17]
        elif string_list[12] == '0.7d' and string_list[
                83] == 'netsh firewall delete allowedprogram "':
            config_dict["version"] = string_list[12]
            config_dict["Domain"] = string_list[7]
            config_dict["Port"] = string_list[8]
        elif string_list[12] == '0.7d':
            config_dict["version"] = string_list[12]
            config_dict["Domain"] = string_list[6]
            config_dict["Port"] = string_list[8]
        elif string_list[28] == '0.7d':
            config_dict["version"] = string_list[28]
            config_dict["Domain"] = string_list[22]
            config_dict["Port"] = string_list[24]
        elif string_list[29] == '0.7d':
            config_dict["version"] = string_list[29]
            config_dict["Domain"] = string_list[22]
            config_dict["Port"] = string_list[25]
        # This variant stores host and port base64-encoded; the decode is not
        # guarded, so a malformed value raises rather than being skipped.
        elif string_list[24] == '0.7d' and string_list[25] == 'TGVHZW5kUmF0':
            config_dict["version"] = string_list[24]
            config_dict["Domain"] = base64.b64decode(string_list[18])
            config_dict["Port"] = base64.b64decode(string_list[19])
        # 0.11G stores "host:port" in a single string at index 2.
        elif string_list[9] == '0.11G':
            config_dict["version"] = string_list[9]
            config_dict["Domain"] = string_list[2].split(":")[0]
            config_dict["Port"] = string_list[2].split(":")[1]
        elif string_list[10] == '0.11G':
            config_dict["version"] = string_list[10]
            config_dict["Domain"] = string_list[2].split(":")[0]
            config_dict["Port"] = string_list[2].split(":")[1]
        elif string_list[10] == 'VISION':
            config_dict["version"] = string_list[10]
            config_dict["Domain"] = string_list[4]
            config_dict["Port"] = string_list[6]
        elif string_list[12] == 'im523':
            config_dict["version"] = string_list[12]
            config_dict["Domain"] = string_list[4]
            config_dict["Port"] = string_list[7]
        elif string_list[11] == 'im523':
            config_dict["version"] = string_list[11]
            config_dict["Domain"] = string_list[4]
            config_dict["Port"] = string_list[6]
        elif string_list[2] == 'Hallaj PRO Rat [Fixed]':
            config_dict["version"] = string_list[2]
            config_dict["Domain"] = string_list[6]
            config_dict["Port"] = string_list[7]
        elif string_list[2] == '#######Hallaj PRO Rat [Fixed v2]##########':
            config_dict["version"] = string_list[2]
            config_dict["Domain"] = string_list[5]
            config_dict["Port"] = string_list[6]
        elif string_list[2] == '0.8d':
            config_dict["version"] = string_list[2]
            config_dict["Domain"] = string_list[7]
            config_dict["Port"] = string_list[8]
        # "HiDDen" variant: recognised by two fixed Unicode marker strings;
        # host and port are stored with every character shifted up by 3.
        elif string_list[21] == u'\u1f70\u1f6e\u1f77\u1fa4' and string_list[
                22] == u'\u1fbc\u1f67\u1fbc\u1f67\u1fbc':
            config_dict["version"] = '0.7d-HiDDen'

            def hiddenperson_decode(cfgstr):
                """Undo the HiDDen obfuscation: shift every code point down by 3."""
                c = ''
                for a in cfgstr:
                    b = ord(a) - 2 - 1
                    c = c + chr(b)
                return c

            config_dict["Domain"] = hiddenperson_decode(string_list[15])
            config_dict["Port"] = hiddenperson_decode(string_list[17])
        # Only the branches from here on are length-guarded. Note that this
        # ``elif`` is taken whenever the list is longer than 95 entries, so
        # the zwmod/'Eroor'/isbig branches below are never reached for such
        # lists even if index 94 is not '0.7d'.
        elif len(string_list) > 95:
            if string_list[94] == '0.7d':
                config_dict["version"] = string_list[94]
                config_dict["Domain"] = string_list[91]
                config_dict["Port"] = string_list[92]
        elif string_list[4] == 'zwazwczwtzw' and string_list[
                47] == 'zwvzwnzw' and string_list[
                    53] == 'nzwezwtzwszwh' and string_list[
                        54] == 'fizwrzwezwwalzwl dzwezwlzwezwte azwllowedprogrzwam "':
            config_dict["version"] = '0.7d-zwmod'
            config_dict["Domain"] = string_list[83]
            config_dict["Port"] = string_list[84]
        # "BR" variant: host is base64 with 'M' and '=' substituted; port is
        # a short base64 string. Every string is tried; the last successful
        # decode wins. The bare ``except`` swallows any error from the decode
        # or the helper calls, so nothing here can abort the scan.
        elif string_list[25] == 'Eroor':
            i = 0
            while i < len(string_list):
                if len(string_list[i]) > 20:
                    try:
                        domain = base64.b64decode(
                            str(string_list[i].replace("FRANSESCO",
                                                       "M").replace(
                                                           "Strik", "=")))
                        if is_ip_or_domain(domain):
                            config_dict["Domain"] = domain
                            config_dict["version"] = '0.7d-BR'
                    except:
                        pass
                if len(string_list[i]) > 2 and len(string_list[i]) < 9:
                    try:
                        port = base64.b64decode(str(string_list[i]))
                        if njRat._is_number(port):
                            config_dict["Port"] = port
                    except:
                        pass
                i += 1
        # Long lists: scan for a '0.7.3' marker and read the config relative
        # to it (the scan does not stop at the first hit, so the last marker
        # wins), then also test the fixed 0.6.4 layout at index 103, which
        # overrides any 0.7.3 result. ``isbig > 139`` makes [103]..[108] safe.
        elif isbig > 139:
            i = 0
            while i < isbig:
                if string_list[i] == '0.7.3':
                    config_dict["version"] = string_list[i]
                    config_dict["Port"] = string_list[i - 3]
                    # A boolean flag may sit between host and port; skip it.
                    if string_list[i -
                                   4] == 'False' or string_list[i -
                                                                4] == 'True':
                        config_dict["Domain"] = string_list[i - 5]
                    else:
                        config_dict["Domain"] = string_list[i - 4]
                i += 1
            if string_list[103] == '0.6.4':
                config_dict["version"] = string_list[103]
                config_dict["Domain"] = string_list[107]
                config_dict["Port"] = string_list[108]
        if len(config_dict) > 0:
            return config_dict