def get_config(self):
'''
This is the main entry
:return:
'''
key1 = '15af8sd4s1c5s511'
key2 = '4e3f5a4c592b243f'
crypted_config = self.file_info.file_from_zip('config.txt')
first_round = crypto.decrypt_aes(key1, binascii.unhexlify(crypted_config))
clear_config = crypto.decrypt_aes(key2, binascii.unhexlify(first_round[:-16]))
fields = clear_config.decode('utf-8').split("<separator>")
config_dict = {'Domain': fields[0],
'Password': fields[1],
'Port1': fields[2],
'Port2': fields[3]
}
if len(fields) > 4:
config_dict['InstallName'] = fields[4]
config_dict['JarName'] = fields[5]
# Set the config to the class for use
self.config = config_dict
def get_config(self):
'''
This is the main entry
:return:
'''
# Getting resource is tough so instead we grab the base64 string from the raw
file_data = self.file_info.file_data
re_pattern = b'[a-zA-Z0-9+/]{60,}={0,2}'
conf_string = re.findall(re_pattern, file_data)[0]
# b64decode
conf_string = b64decode(conf_string)
# Derive Key
key_hash = hashlib.md5(
'Specify a Password'.encode('utf-8')).hexdigest()
aes_key = key_hash[:30] + key_hash + '00'
# Decrypt
decrypted = crypto.decrypt_aes(binascii.unhexlify(aes_key),
conf_string)
string_list = decrypted.decode('utf-8').split('|')
config_dict = {}
config_dict["Domain"] = string_list[0]
config_dict["Port"] = string_list[1]
config_dict["BackUp Domain"] = string_list[2]
config_dict["Install Name"] = string_list[3]
config_dict["Startup Name"] = string_list[4]
config_dict["Campaign ID"] = string_list[5]
# Set the config to the class for use
self.config = config_dict
def get_config(self):
'''
This is the main entry
:return:
'''
file_info = self.file_info
file_list = file_info.zip_namelist()
# Look for Dropper
if 'sky.drive' in file_list and 'mega.download' in file_list and 'drop.box' in file_list:
self.extract_from_droppper()
# Look for implant
elif 'server/resources/config.json' in file_list and 'server/resources/Key1.json' in file_list and 'server/resources/Key2.json' in file_list:
rsa_serialized_key = file_info.file_from_zip('server/resources/Key1.json')
encrypted_aes_key = file_info.file_from_zip('server/resources/Key2.json')
aes_encrypted_config = file_info.file_from_zip('server/resources/config.json')
# Another round of extraction
rsa_key_string = Jbifrost.extract_rsa_key(rsa_serialized_key)
aes_key = crypto.decrypt_rsa(rsa_key_string, encrypted_aes_key)
implant_config = crypto.decrypt_aes(aes_key[-16:], aes_encrypted_config)
implant_config = implant_config.decode('utf-8').rstrip('\x0e')
self.config = implant_config
elif 'lp/sq/d.png' in file_info:
self.extract_from_droppper()
else:
print
'\n[+] Failed to find jBiFrost malware...'
def extract_from_droppper(self):
file_info = self.file_info
try:
# Read Files
encrypted_aes_key = file_info.file_from_zip('mega.download')
rsa_serialized_key = file_info.file_from_zip('sky.drive')
aes_encrypted_config = file_info.file_from_zip('drop.box')
# Deserailize and retrieve the RSA Key
rsa_key_string = self.extract_rsa_key(rsa_serialized_key)
# Decrypt the AES Key using the RSA Key
aes_key = crypto.decrypt_rsa(rsa_key_string, encrypted_aes_key)
except:
# Read in serialized RSA KeyRep file.
aes_encrypted_config = file_info.file_from_zip('lp/sq/d.png')
aes_key = 'lks03oeldkfirowl'
# Use the AES Key to decrpyt the config
aes_decrypted_xml = crypto.decrypt_aes(aes_key[-16:], aes_encrypted_config)
parsed_xml = self.parse_xml(aes_decrypted_xml)
# Extract the implant using the xml properties
rsa_serialized_key_path = parsed_xml['PRIVATE_PASSWORD'].lstrip('/')
aes_path = parsed_xml['PASSWORD_CRYPTED'].lstrip('/')
implant_path = parsed_xml['SERVER_PATH'].lstrip('/')
rsa_serialized_key = file_info.file_from_zip(rsa_serialized_key_path)
encrypted_aes_key = file_info.file_from_zip(aes_path)
aes_encrypted_jar = file_info.file_from_zip(implant_path)
# Another round of extraction
rsa_key_string = Jbifrost.extract_rsa_key(rsa_serialized_key)
aes_key = crypto.decrypt_rsa(rsa_key_string, encrypted_aes_key)
implant_jar = crypto.decrypt_aes(aes_key[-16:], aes_encrypted_jar)
# Update for new file
new_info = fileparser.FileParser(rawdata=implant_jar)
self.file_info = new_info
# Run config again
self.get_config()
def get_config(self):
'''
This is the main entry
:return:
'''
config_dict = {}
# Getting resource is tough so instead we grab the base64 string from the raw
file_data = self.file_info.file_data
re_pattern = b'[a-zA-Z0-9+/]{60,}={0,2}'
conf_string = re.findall(re_pattern, file_data)[0]
password = "******"
# b64decode
conf_string = b64decode(conf_string)
# Derive Key
key_hash = hashlib.md5(password.encode('utf-8')).hexdigest()
aes_key = key_hash[:30] + key_hash + '00'
# Decrypt
decrypted = crypto.decrypt_aes(binascii.unhexlify(aes_key),
conf_string)
string_list = decrypted.decode('utf-8').split('*')
config_dict = {}
config_dict["Domain"] = string_list[1]
config_dict["Port"] = string_list[2]
config_dict["Password"] = string_list[3]
config_dict["Install Name"] = string_list[4]
config_dict["Startup Name"] = string_list[5]
config_dict["Campaign ID"] = string_list[6]
config_dict["Backup Domain"] = string_list[7]
self.config = config_dict
def get_config(self):
'''
This is the main entry
:return:
'''
file_info = self.file_info
file_list = file_info.zip_namelist()
internal_jar = None
key_file = None
config_data = None
config_dict = {}
for name in file_list:
if name == 'key.dat':
key_file = file_info.file_from_zip(name)
if name == 'enc.dat':
internal_jar = file_info.file_from_zip(name)
if name == 'config.dat':
config_data = file_info.file_from_zip(name)
# If there is a wrapper around the jrat
if internal_jar:
drop_conf = key_file
new_key = drop_conf[:16]
drop_conf_fields = key_file[16:].split(b',')
config_dict['dropper'] = []
for field in drop_conf_fields:
try:
decoded_field = b64decode(field).decode('utf-8')
config_dict['dropper'].append(unhexlify(decoded_field))
except:
pass
new_jar_data = crypto.decrypt_aes(new_key, internal_jar)
new_jar = fileparser.FileParser(rawdata=new_jar_data)
# replace the keyfile and jar file with the new dropper
for name in new_jar.zip_namelist():
if name == 'key.dat':
key_file = new_jar.file_from_zip(name)
if name == 'config.dat':
config_data = new_jar.file_from_zip(name)
# With the Key and Config Decrypt
if len(key_file) == 16:
# AES
decrypted = crypto.decrypt_aes(key_file, config_data)
if len(key_file) in [24, 32]:
decrypted = crypto.decrypt_des3(key_file, config_data)
# Process the decrypted Config
decrypted = decrypted.decode('utf-8')
# Clean it up a little
for c in ['\x01', '\x03', '\x04', '\x06', '\x08']:
decrypted = decrypted.replace(c, '')
fields = decrypted.split('SPLIT')
for field in fields:
if '=' not in field:
continue
key, value = field.split('=')
if key == 'ip':
config_dict['Domain'] = value
if key == 'addresses':
dom_list = value.split(',')
dom_count = 0
for dom in dom_list:
if dom == '':
continue
config_dict['Domain {0}'.format(dom_count)] = value.split(
':')[0]
config_dict['Port {0}'.format(dom_count)] = value.split(
':')[1]
dom_count += 1
if key == 'port':
config_dict['Port'] = value
if key == 'os':
config_dict['OS'] = value
if key == 'mport':
config_dict['MPort'] = value
if key == 'perms':
config_dict['Perms'] = value
if key == 'error':
config_dict['Error'] = value
if key == 'reconsec':
config_dict['RetryInterval'] = value
if key == 'ti':
config_dict['TI'] = value
if key == 'pass':
config_dict['Password'] = value
if key == 'id':
config_dict['CampaignID'] = value
if key == 'mutex':
config_dict['Mutex'] = value
if key == 'toms':
config_dict['TimeOut'] = value
if key == 'per':
config_dict['Persistance'] = value
if key == 'name':
config_dict['InstallName'] = value
if key == 'tiemout':
config_dict['TimeOutFlag'] = value
if key == 'debugmsg':
config_dict['DebugMsg'] = value
config_dict["EncryptionKey"] = key_file
# Set the config to the class for use
self.config = config_dict