├── IcedID_Dropper ├── IcedID_Dropper_Decryptor.py └── README.md ├── NetWire ├── IDA_NetWire_Decoder.py ├── IDA_NetWire_Decryptor.py ├── NetWire_Decoded_Strings.txt ├── NetWire_Decryption.gif └── README.md ├── OlympicDestroyer ├── Olympic_Decryptor.py └── README.md └── README.md /IcedID_Dropper/IcedID_Dropper_Decryptor.py: -------------------------------------------------------------------------------- 1 | # Author: JR0driguezB 2 | # Tool to decrypt files downloaded by the IcedID dropper component distributed by Hancitor via command 4 3 | # At least for now (November 2017), it is only downloading IcedID 4 | 5 | import sys 6 | import struct 7 | 8 | def RC4(key,data): 9 | 10 | S = range(256) 11 | j = 0 12 | out = [] 13 | 14 | #KSA Phase 15 | for i in range(256): 16 | j = (j + S[i] + ord( key[i % len(key)] )) % 256 17 | S[i] , S[j] = S[j] , S[i] 18 | 19 | #PRGA Phase 20 | i = j = 0 21 | for char in data: 22 | i = ( i + 1 ) % 256 23 | j = ( j + S[i] ) % 256 24 | S[i] , S[j] = S[j] , S[i] 25 | out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256])) 26 | 27 | decrypted_data = ''.join(out) 28 | 29 | return decrypted_data 30 | 31 | def main(infile,outfile): 32 | 33 | with open(infile, "r") as encrypted_file: 34 | encrypted_data = encrypted_file.read() 35 | 36 | key = "" 37 | 38 | for i in range(10,len(encrypted_data)): 39 | if(encrypted_data[i]) != chr(0x00): 40 | key += encrypted_data[i] 41 | else: 42 | index = i 43 | break 44 | print "[+] RC4 key: {}".format(key) 45 | 46 | decrypted_text = RC4(key,encrypted_data[index+1:]) 47 | 48 | size = struct.unpack(" ".format(sys.argv[0])); 61 | else: 62 | infile = sys.argv[1] 63 | outfile = sys.argv[2] 64 | main(infile,outfile) 65 | -------------------------------------------------------------------------------- /IcedID_Dropper/README.md: -------------------------------------------------------------------------------- 1 | # IcedID Dropper 2 | Tool to decrypt files downloaded by the IcedID dropper component distributed by Hancitor via command 4. 3 | At least for now (November 2017), it is only downloading IcedID. 4 | 5 | + IcedID_Dropper_Decryptor.py 6 | -------------------------------------------------------------------------------- /NetWire/IDA_NetWire_Decoder.py: -------------------------------------------------------------------------------- 1 | 2 | # JR0driguezB 3 | 4 | # Simple script to decode NetWire RAT encoded strings 5 | # Tested with sample fe53a72b7153804b22dc7a805f21db4f 6 | # Unpacked to payload f350f56eafbafa294a6ed87791838ee4 7 | 8 | total_decoding_counter = 0 9 | success_decoding_counter = 0 10 | 11 | not_a_key = "_BqwHaF8TkKDMfOzQASx4VuXdZibUIeylJWhj0m5o2ErLt6vGRN9sY1n3Ppc7g-C" 12 | 13 | # Decoding function -> 0x38E5B60E 14 | 15 | for xRef in XrefsTo(0x38E5B60E, flags=0): 16 | 17 | print "Call to decode string at offset {:02X}".format(xRef.frm) 18 | 19 | PrevInstr = idc.PrevHead(xRef.frm) 20 | if (GetMnem(PrevInstr) == "mov" and GetOperandValue(PrevInstr, 1) != 0): 21 | offset = GetOperandValue(PrevInstr, 1) 22 | success_decoding_counter = success_decoding_counter + 1 23 | 24 | encoded_string = "" 25 | 26 | while GetManyBytes(offset, 1) != "\x00": 27 | encoded_string += GetManyBytes(offset, 1) 28 | offset = offset + 0x01 29 | 30 | print "Encoded string: {}".format(encoded_string) 31 | 32 | decoded_string = "" 33 | 34 | for a in range(len(encoded_string)): 35 | 36 | found = False 37 | 38 | for b in range(len(not_a_key)): 39 | if encoded_string[a] == not_a_key[b]: 40 | decoded_string += not_a_key[(b + 6) % 64] 41 | found = True 42 | if (found == False): 43 | decoded_string += encoded_string[a] 44 | 45 | print "Decoded string: {}".format(decoded_string) 46 | 47 | MakeComm(PrevInstr, decoded_string) 48 | 49 | print "------------------------------" 50 | 51 | 52 | total_decoding_counter = total_decoding_counter + 1 53 | 54 | print "------------------------------" 55 | print "Total decoding calls: {}".format(total_decoding_counter) 56 | print "Successful decoding calls: {}".format(success_decoding_counter) 57 | -------------------------------------------------------------------------------- /NetWire/IDA_NetWire_Decryptor.py: -------------------------------------------------------------------------------- 1 | 2 | # JR0driguezB 3 | 4 | # Simple script to decrypt NetWire RAT encrypted strings 5 | # Tested with sample fe53a72b7153804b22dc7a805f21db4f 6 | # Unpacked to payload f350f56eafbafa294a6ed87791838ee4 7 | 8 | def KSA_Phase(key): 9 | 10 | S = range(256) 11 | j = 0 12 | for i in range(256): 13 | j = (j + S[i] + ord( key[i % len(key)] )) % 256 14 | S[i] , S[j] = S[j] , S[i] 15 | return S 16 | 17 | def PRGA_Phase(data, S): 18 | i = j = 0 19 | out = [] 20 | for char in data: 21 | i = ( i + 1 ) % 256 22 | j = ( j + S[i] ) % 256 23 | S[i] , S[j] = S[j] , S[i] 24 | out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256])) 25 | 26 | decrypted_string = ''.join(out) 27 | 28 | return decrypted_string 29 | 30 | def main(): 31 | 32 | total_decryption_counter = 0 33 | 34 | # The first call to KSA Phase routine initializes the S Box with RC4 key at offset 0x38E6E604 35 | RC4_Key = GetManyBytes(0x38E6E604, 0x10) 36 | S_Box = KSA_Phase(RC4_Key) 37 | 38 | # RC4 PRGA Phase function -> 0x38E668AD 39 | 40 | for xRef in XrefsTo(0x38E668AD, flags=0): 41 | 42 | print "Call to decrypt string at offset {:02X}".format(xRef.frm) 43 | 44 | PrevInstr = idc.PrevHead(xRef.frm) 45 | PrevInstr = idc.PrevHead(PrevInstr) 46 | PrevInstr = idc.PrevHead(PrevInstr) 47 | 48 | if (GetMnem(PrevInstr) == "mov"): 49 | offset = GetOperandValue(PrevInstr, 1) 50 | 51 | PrevInstr = idc.PrevHead(PrevInstr) 52 | size = GetOperandValue(PrevInstr, 1) 53 | 54 | encrypted_string = GetManyBytes(offset, size) 55 | 56 | print "Encrypted string at offset: {:02X}".format(offset) 57 | 58 | S_Box_Init = S_Box[:] 59 | 60 | decrypted_string = PRGA_Phase(encrypted_string, S_Box_Init) 61 | 62 | for String_xRef in XrefsTo(offset, flags=0): 63 | 64 | print "\x09xRef to string at offset {:02X}".format(String_xRef.frm) 65 | MakeComm(String_xRef.frm, decrypted_string) 66 | 67 | print "------------------------------" 68 | 69 | total_decryption_counter = total_decryption_counter + 1 70 | 71 | print "------------------------------" 72 | print "Total decryption calls: {}".format(total_decryption_counter) 73 | 74 | if __name__ == '__main__': 75 | 76 | main() -------------------------------------------------------------------------------- /NetWire/NetWire_Decoded_Strings.txt: -------------------------------------------------------------------------------- 1 | %s\%s.exe 2 | GetExtendedTcpTable 3 | GetExtendedUdpTable 4 | GetProcessImageFileNameA 5 | GetProcessImageFileNameA 6 | CONNECT %s:%d HTTP/1.0 7 | Local Disk 8 | WinHttpOpen 9 | WinHttpGetProxyForUrl 10 | WinHttpGetIEProxyConfigForCurrentUser 11 | SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ 12 | SOFTWARE\Microsoft\Active Setup\Installed Components\%s 13 | StubPath 14 | SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ 15 | SOFTWARE\Microsoft\Active Setup\Installed Components 16 | [Backspace] 17 | [Enter] 18 | [Tab] 19 | [Arrow Left] 20 | [Arrow Up] 21 | [Arrow Right] 22 | [Arrow Down] 23 | [Home] 24 | [Page Up] 25 | [Page Down] 26 | [End] 27 | [Break] 28 | [Delete] 29 | [Insert] 30 | [Print Screen] 31 | [Scroll Lock] 32 | [Caps Lock] 33 | [Esc] 34 | [Ctrl+%c] 35 | [Ctrl+%c] 36 | RegisterRawInputDevices 37 | GetRawInputData 38 | Secur32.dll 39 | LsaGetLogonSessionData 40 | LsaFreeReturnBuffer 41 | LsaEnumerateLogonSessions 42 | SOFTWARE\Mozilla\%s\ 43 | CurrentVersion 44 | SOFTWARE\Mozilla\%s\%s\Main 45 | Install Directory 46 | mozutils.dll 47 | mozglue.dll 48 | mozsqlite3.dll 49 | nss3.dll 50 | %s\nss3.dll 51 | %s\Mozilla\Firefox\profiles.ini 52 | %s\Mozilla\Firefox\%s 53 | %s\Thunderbird\profiles.ini 54 | %s\Thunderbird\%s 55 | %s\Mozilla\SeaMonkey\profiles.ini 56 | %s\Mozilla\SeaMonkey\%s 57 | %s\signons.sqlite 58 | %s\logins.json 59 | NSS_Init 60 | PK11_GetInternalKeySlot 61 | PK11_Authenticate 62 | PL_Base64Decode 63 | SECITEM_ZfreeItem 64 | PK11SDR_Decrypt 65 | PK11_FreeSlot 66 | NSS_Shutdown 67 | sqlite3_open 68 | sqlite3_close 69 | sqlite3_prepare_v2 70 | sqlite3_step 71 | sqlite3_column_text 72 | select * from moz_logins 73 | select * from moz_logins 74 | hostname 75 | encryptedUsername 76 | encryptedPassword 77 | hostname 78 | %s\Opera\Opera\wand.dat 79 | %s\Opera\Opera\profile\wand.dat 80 | %s\.purple\accounts.xml 81 | 82 | 83 | 84 | advapi32.dll 85 | CredEnumerateA 86 | CredFree 87 | WindowsLive:name=* 88 | Email 89 | POP3 User 90 | POP3 Server 91 | POP3 Password 92 | IMAP User 93 | IMAP Server 94 | IMAP Password 95 | HTTP User 96 | HTTP Server 97 | HTTP Password 98 | SMTP User 99 | SMTP Server 100 | SMTP Password 101 | EAS User 102 | EAS Server URL 103 | EAS Password 104 | Email 105 | POP3 User 106 | POP3 Server 107 | POP3 Password 108 | IMAP User 109 | IMAP Server 110 | IMAP Password 111 | HTTP User 112 | HTTP Server 113 | HTTP Password 114 | SMTP User 115 | SMTP Server 116 | SMTP Password 117 | EAS User 118 | EAS Server URL 119 | EAS Password 120 | crypt32.dll 121 | CryptUnprotectData 122 | advapi32.dll 123 | CredEnumerateA 124 | CredFree 125 | crypt32.dll 126 | CryptUnprotectData 127 | index.dat 128 | vaultcli.dll 129 | VaultOpenVault 130 | VaultCloseVault 131 | VaultEnumerateItems 132 | VaultGetItem 133 | VaultGetItem 134 | VaultFree 135 | %s\Google\Chrome\User Data\Default\Login Data 136 | %s\Chromium\User Data\Default\Login Data 137 | %s\Comodo\Dragon\User Data\Default\Login Data 138 | %s\Yandex\YandexBrowser\User Data\Default\Login Data 139 | %s\Opera Software\Opera Stable\Login Data 140 | GetModuleFileNameExA 141 | GetModuleFileNameExA 142 | %s\system32\cmd.exe 143 | advapi32.dll 144 | GetUserNameA 145 | USERNAME 146 | GetNativeSystemInfo 147 | kernel32.dll 148 | SYSTEM\CurrentControlSet\Control\ProductOptions 149 | ProductType 150 | WINNT 151 | LANMANNT 152 | SERVERNT 153 | GlobalMemoryStatusEx 154 | HARDWARE\DESCRIPTION\System\CentralProcessor\0 155 | AllocateAndInitializeSid 156 | CheckTokenMembership 157 | FreeSid -------------------------------------------------------------------------------- /NetWire/NetWire_Decryption.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JR0driguezB/malware_analysis/f50cb29d37095c2111f596ba1ae3f7e6d4d95823/NetWire/NetWire_Decryption.gif -------------------------------------------------------------------------------- /NetWire/README.md: -------------------------------------------------------------------------------- 1 | # NetWire RAT strings decoder and decryptor 2 | Simple IDA script to decode NetWire RAT encoded strings 3 | + IDA_NetWire_Decoder.py 4 | + IDA_NetWire_Decryptor.py 5 | + NetWire_Decoded_Strings.txt 6 | 7 | ![Alt Text](https://github.com/JR0driguezB/malware_analysis/blob/master/NetWire/NetWire_Decryption.gif) 8 | -------------------------------------------------------------------------------- /OlympicDestroyer/Olympic_Decryptor.py: -------------------------------------------------------------------------------- 1 | 2 | # JR0driguezB 3 | 4 | # Script to decrypt Olympic Destroyer resources 5 | 6 | from Crypto.Cipher import AES 7 | import binascii 8 | import sys 9 | 10 | key = binascii.unhexlify("202cb962ac59075b964b07152d234b70202cb962ac59075b964b07152d234b70") 11 | 12 | iv = binascii.unhexlify("00000000000000000000000000000000") 13 | 14 | cipher = AES.new(key, AES.MODE_CBC, iv) 15 | 16 | if __name__ == '__main__': 17 | 18 | if len(sys.argv) < 3: 19 | print("[*] {} ".format(sys.argv[0])); 20 | 21 | else: 22 | 23 | infile = sys.argv[1] 24 | outfile = sys.argv[2] 25 | 26 | with open(infile, "r") as bin_file: 27 | encrypted_file = bin_file.read() 28 | 29 | IsMultipleOf16 = len(encrypted_file) % 16 30 | 31 | if IsMultipleOf16 != 0: 32 | encrypted_file = encrypted_file[:-IsMultipleOf16] 33 | 34 | decrypted_file = cipher.decrypt(encrypted_file) 35 | 36 | with open(outfile, 'w') as exe_file: 37 | exe_file.write(decrypted_file) 38 | -------------------------------------------------------------------------------- /OlympicDestroyer/README.md: -------------------------------------------------------------------------------- 1 | # OlympicDestroyer resource decryptor 2 | Simple tool to decrypt resources of OlympicDestroyer malware. 3 | 4 | + Olympic_Decryptor.py 5 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # malware_analysis 2 | Various snippets created during malware analysis 3 | --------------------------------------------------------------------------------