├── IcedID_Dropper
    ├── IcedID_Dropper_Decryptor.py
    └── README.md
├── NetWire
    ├── IDA_NetWire_Decoder.py
    ├── IDA_NetWire_Decryptor.py
    ├── NetWire_Decoded_Strings.txt
    ├── NetWire_Decryption.gif
    └── README.md
├── OlympicDestroyer
    ├── Olympic_Decryptor.py
    └── README.md
└── README.md


/IcedID_Dropper/IcedID_Dropper_Decryptor.py:
--------------------------------------------------------------------------------
 1 | # Author: JR0driguezB
 2 | # Tool to decrypt files downloaded by the IcedID dropper component distributed by Hancitor via command 4
 3 | # At least for now (November 2017), it is only downloading IcedID
 4 | 
 5 | import sys
 6 | import struct
 7 | 
 8 | def RC4(key,data):
 9 | 
10 |     S = range(256)
11 |     j = 0
12 |     out = []
13 | 
14 |     #KSA Phase
15 |     for i in range(256):
16 |         j = (j + S[i] + ord( key[i % len(key)] )) % 256
17 |         S[i] , S[j] = S[j] , S[i]
18 | 
19 |     #PRGA Phase
20 |     i = j = 0
21 |     for char in data:
22 |         i = ( i + 1 ) % 256
23 |         j = ( j + S[i] ) % 256
24 |         S[i] , S[j] = S[j] , S[i]
25 |         out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))
26 | 
27 |     decrypted_data = ''.join(out)
28 | 
29 |     return decrypted_data
30 | 
31 | def main(infile,outfile):
32 | 
33 |     with open(infile, "r") as encrypted_file:
34 |         encrypted_data = encrypted_file.read()
35 | 
36 |     key = ""
37 | 
38 |     for i in range(10,len(encrypted_data)):
39 |         if(encrypted_data[i]) != chr(0x00):
40 |             key += encrypted_data[i]
41 |         else:
42 |             index = i
43 |             break
44 |     print "[+] RC4 key: {}".format(key)
45 | 
46 |     decrypted_text = RC4(key,encrypted_data[index+1:])
47 | 
48 |     size = struct.unpack("<I",decrypted_text[:4])[0]
49 | 
50 |     print "[+] Size of decrypted file: {0} bytes".format(size)
51 | 
52 |     with open(outfile, 'w') as decrypted_file:
53 |         decrypted_file.write(decrypted_text[4:size+4])
54 | 
55 |     print "[+] Decrypted file: {}".format(outfile)
56 | 
57 | if __name__ == '__main__':
58 | 
59 |     if len(sys.argv) < 3:
60 |         print("[*] {} <infile> <outfile>".format(sys.argv[0]));
61 |     else:
62 |         infile = sys.argv[1]
63 |         outfile = sys.argv[2]
64 |         main(infile,outfile)
65 | 


--------------------------------------------------------------------------------
/IcedID_Dropper/README.md:
--------------------------------------------------------------------------------
1 | # IcedID Dropper
2 | Tool to decrypt files downloaded by the IcedID dropper component distributed by Hancitor via command 4.
3 | At least for now (November 2017), it is only downloading IcedID.
4 | 
5 | + <b>IcedID_Dropper_Decryptor.py</b>
6 | 


--------------------------------------------------------------------------------
/NetWire/IDA_NetWire_Decoder.py:
--------------------------------------------------------------------------------
 1 | 
 2 | # JR0driguezB
 3 | 
 4 | # Simple script to decode NetWire RAT encoded strings
 5 | # Tested with sample fe53a72b7153804b22dc7a805f21db4f
 6 | # Unpacked to payload f350f56eafbafa294a6ed87791838ee4
 7 | 
 8 | total_decoding_counter = 0
 9 | success_decoding_counter = 0
10 | 
11 | not_a_key = "_BqwHaF8TkKDMfOzQASx4VuXdZibUIeylJWhj0m5o2ErLt6vGRN9sY1n3Ppc7g-C"
12 | 
13 | # Decoding function -> 0x38E5B60E
14 | 
15 | for xRef in XrefsTo(0x38E5B60E, flags=0):
16 | 
17 | 	print "Call to decode string at offset {:02X}".format(xRef.frm)
18 | 
19 | 	PrevInstr = idc.PrevHead(xRef.frm)
20 | 	if (GetMnem(PrevInstr) == "mov" and GetOperandValue(PrevInstr, 1) != 0):
21 | 		offset = GetOperandValue(PrevInstr, 1)
22 | 		success_decoding_counter = success_decoding_counter + 1
23 | 
24 | 		encoded_string = ""
25 | 
26 | 		while GetManyBytes(offset, 1) != "\x00":
27 | 			encoded_string += GetManyBytes(offset, 1)
28 | 			offset = offset + 0x01
29 | 
30 | 		print "Encoded string: {}".format(encoded_string)
31 | 
32 | 		decoded_string = ""
33 | 
34 | 		for a in range(len(encoded_string)):
35 | 
36 | 			found = False
37 | 
38 | 			for b in range(len(not_a_key)):
39 | 				if encoded_string[a] == not_a_key[b]:
40 | 					decoded_string += not_a_key[(b + 6) % 64]
41 | 					found = True
42 | 			if (found == False):
43 | 				decoded_string += encoded_string[a]
44 | 
45 | 		print "Decoded string: {}".format(decoded_string)
46 | 
47 | 		MakeComm(PrevInstr, decoded_string)
48 | 
49 | 		print "------------------------------"
50 | 
51 | 
52 | 	total_decoding_counter = total_decoding_counter + 1
53 | 
54 | print "------------------------------"
55 | print "Total decoding calls: {}".format(total_decoding_counter)
56 | print "Successful decoding calls: {}".format(success_decoding_counter)
57 | 


--------------------------------------------------------------------------------
/NetWire/IDA_NetWire_Decryptor.py:
--------------------------------------------------------------------------------
 1 | 
 2 | # JR0driguezB
 3 | 
 4 | # Simple script to decrypt NetWire RAT encrypted strings
 5 | # Tested with sample fe53a72b7153804b22dc7a805f21db4f
 6 | # Unpacked to payload f350f56eafbafa294a6ed87791838ee4
 7 | 
 8 | def KSA_Phase(key):
 9 | 
10 | 	S = range(256)
11 | 	j = 0
12 | 	for i in range(256):
13 | 		j = (j + S[i] + ord( key[i % len(key)] )) % 256
14 | 		S[i] , S[j] = S[j] , S[i]
15 | 	return S
16 | 
17 | def PRGA_Phase(data, S):
18 | 	i = j = 0
19 | 	out = []
20 | 	for char in data:
21 | 	    i = ( i + 1 ) % 256
22 | 	    j = ( j + S[i] ) % 256
23 | 	    S[i] , S[j] = S[j] , S[i]
24 | 	    out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))
25 | 
26 | 	decrypted_string = ''.join(out)
27 | 
28 | 	return decrypted_string
29 | 
30 | def main():
31 | 
32 | 	total_decryption_counter = 0
33 | 
34 | 	# The first call to KSA Phase routine initializes the S Box with RC4 key at offset 0x38E6E604
35 | 	RC4_Key = GetManyBytes(0x38E6E604, 0x10)
36 | 	S_Box = KSA_Phase(RC4_Key)
37 | 
38 | 	# RC4 PRGA Phase function -> 0x38E668AD
39 | 
40 | 	for xRef in XrefsTo(0x38E668AD, flags=0):
41 | 
42 | 		print "Call to decrypt string at offset {:02X}".format(xRef.frm)
43 | 
44 | 		PrevInstr = idc.PrevHead(xRef.frm)
45 | 		PrevInstr = idc.PrevHead(PrevInstr)
46 | 		PrevInstr = idc.PrevHead(PrevInstr)
47 | 
48 | 		if (GetMnem(PrevInstr) == "mov"):
49 | 			offset = GetOperandValue(PrevInstr, 1)
50 | 
51 | 			PrevInstr = idc.PrevHead(PrevInstr)
52 | 			size = GetOperandValue(PrevInstr, 1)
53 | 
54 | 			encrypted_string = GetManyBytes(offset, size)
55 | 
56 | 			print "Encrypted string at offset: {:02X}".format(offset)
57 | 
58 | 			S_Box_Init = S_Box[:]
59 | 
60 | 			decrypted_string = PRGA_Phase(encrypted_string, S_Box_Init)
61 | 
62 | 			for String_xRef in XrefsTo(offset, flags=0):
63 | 
64 | 				print "\x09xRef to string at offset {:02X}".format(String_xRef.frm)
65 | 				MakeComm(String_xRef.frm, decrypted_string)
66 | 
67 | 			print "------------------------------"
68 | 
69 | 		total_decryption_counter = total_decryption_counter + 1
70 | 
71 | 	print "------------------------------"
72 | 	print "Total decryption calls: {}".format(total_decryption_counter)
73 | 
74 | if __name__ == '__main__':
75 | 
76 | 	main()


--------------------------------------------------------------------------------
/NetWire/NetWire_Decoded_Strings.txt:
--------------------------------------------------------------------------------
  1 | %s\%s.exe
  2 | GetExtendedTcpTable
  3 | GetExtendedUdpTable
  4 | GetProcessImageFileNameA
  5 | GetProcessImageFileNameA
  6 | CONNECT %s:%d HTTP/1.0
  7 | Local Disk
  8 | WinHttpOpen
  9 | WinHttpGetProxyForUrl
 10 | WinHttpGetIEProxyConfigForCurrentUser
 11 | SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 12 | SOFTWARE\Microsoft\Active Setup\Installed Components\%s
 13 | StubPath
 14 | SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 15 | SOFTWARE\Microsoft\Active Setup\Installed Components
 16 | [Backspace]
 17 | [Enter]
 18 | [Tab]
 19 | [Arrow Left]
 20 | [Arrow Up]
 21 | [Arrow Right]
 22 | [Arrow Down]
 23 | [Home]
 24 | [Page Up]
 25 | [Page Down]
 26 | [End]
 27 | [Break]
 28 | [Delete]
 29 | [Insert]
 30 | [Print Screen]
 31 | [Scroll Lock]
 32 | [Caps Lock]
 33 | [Esc]
 34 | [Ctrl+%c]
 35 | [Ctrl+%c]
 36 | RegisterRawInputDevices
 37 | GetRawInputData
 38 | Secur32.dll
 39 | LsaGetLogonSessionData
 40 | LsaFreeReturnBuffer
 41 | LsaEnumerateLogonSessions
 42 | SOFTWARE\Mozilla\%s\
 43 | CurrentVersion
 44 | SOFTWARE\Mozilla\%s\%s\Main
 45 | Install Directory
 46 | mozutils.dll
 47 | mozglue.dll
 48 | mozsqlite3.dll
 49 | nss3.dll
 50 | %s\nss3.dll
 51 | %s\Mozilla\Firefox\profiles.ini
 52 | %s\Mozilla\Firefox\%s
 53 | %s\Thunderbird\profiles.ini
 54 | %s\Thunderbird\%s
 55 | %s\Mozilla\SeaMonkey\profiles.ini
 56 | %s\Mozilla\SeaMonkey\%s
 57 | %s\signons.sqlite
 58 | %s\logins.json
 59 | NSS_Init
 60 | PK11_GetInternalKeySlot
 61 | PK11_Authenticate
 62 | PL_Base64Decode
 63 | SECITEM_ZfreeItem
 64 | PK11SDR_Decrypt
 65 | PK11_FreeSlot
 66 | NSS_Shutdown
 67 | sqlite3_open
 68 | sqlite3_close
 69 | sqlite3_prepare_v2
 70 | sqlite3_step
 71 | sqlite3_column_text
 72 | select *  from moz_logins
 73 | select *  from moz_logins
 74 | hostname
 75 | encryptedUsername
 76 | encryptedPassword
 77 | hostname
 78 | %s\Opera\Opera\wand.dat
 79 | %s\Opera\Opera\profile\wand.dat
 80 | %s\.purple\accounts.xml
 81 | <protocol>
 82 | <name>
 83 | <password>
 84 | advapi32.dll
 85 | CredEnumerateA
 86 | CredFree
 87 | WindowsLive:name=*
 88 | Email
 89 | POP3 User
 90 | POP3 Server
 91 | POP3 Password
 92 | IMAP User
 93 | IMAP Server
 94 | IMAP Password
 95 | HTTP User
 96 | HTTP Server
 97 | HTTP Password
 98 | SMTP User
 99 | SMTP Server
100 | SMTP Password
101 | EAS User
102 | EAS Server URL
103 | EAS Password
104 | Email
105 | POP3 User
106 | POP3 Server
107 | POP3 Password
108 | IMAP User
109 | IMAP Server
110 | IMAP Password
111 | HTTP User
112 | HTTP Server
113 | HTTP Password
114 | SMTP User
115 | SMTP Server
116 | SMTP Password
117 | EAS User
118 | EAS Server URL
119 | EAS Password
120 | crypt32.dll
121 | CryptUnprotectData
122 | advapi32.dll
123 | CredEnumerateA
124 | CredFree
125 | crypt32.dll
126 | CryptUnprotectData
127 | index.dat
128 | vaultcli.dll
129 | VaultOpenVault
130 | VaultCloseVault
131 | VaultEnumerateItems
132 | VaultGetItem
133 | VaultGetItem
134 | VaultFree
135 | %s\Google\Chrome\User Data\Default\Login Data
136 | %s\Chromium\User Data\Default\Login Data
137 | %s\Comodo\Dragon\User Data\Default\Login Data
138 | %s\Yandex\YandexBrowser\User Data\Default\Login Data
139 | %s\Opera Software\Opera Stable\Login Data
140 | GetModuleFileNameExA
141 | GetModuleFileNameExA
142 | %s\system32\cmd.exe
143 | advapi32.dll
144 | GetUserNameA
145 | USERNAME
146 | GetNativeSystemInfo
147 | kernel32.dll
148 | SYSTEM\CurrentControlSet\Control\ProductOptions
149 | ProductType
150 | WINNT
151 | LANMANNT
152 | SERVERNT
153 | GlobalMemoryStatusEx
154 | HARDWARE\DESCRIPTION\System\CentralProcessor\0
155 | AllocateAndInitializeSid
156 | CheckTokenMembership
157 | FreeSid


--------------------------------------------------------------------------------
/NetWire/NetWire_Decryption.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JR0driguezB/malware_analysis/f50cb29d37095c2111f596ba1ae3f7e6d4d95823/NetWire/NetWire_Decryption.gif


--------------------------------------------------------------------------------
/NetWire/README.md:
--------------------------------------------------------------------------------
1 | # NetWire RAT strings decoder and decryptor
2 | Simple IDA script to decode NetWire RAT encoded strings
3 | + <b>IDA_NetWire_Decoder.py</b>
4 | + <b>IDA_NetWire_Decryptor.py</b>
5 | + <b>NetWire_Decoded_Strings.txt</b>
6 | 
7 | ![Alt Text](https://github.com/JR0driguezB/malware_analysis/blob/master/NetWire/NetWire_Decryption.gif)
8 | 


--------------------------------------------------------------------------------
/OlympicDestroyer/Olympic_Decryptor.py:
--------------------------------------------------------------------------------
 1 | 
 2 | # JR0driguezB
 3 | 
 4 | # Script to decrypt Olympic Destroyer resources
 5 | 
 6 | from Crypto.Cipher import AES
 7 | import binascii
 8 | import sys
 9 | 
10 | key = binascii.unhexlify("202cb962ac59075b964b07152d234b70202cb962ac59075b964b07152d234b70")
11 | 
12 | iv = binascii.unhexlify("00000000000000000000000000000000")
13 | 
14 | cipher = AES.new(key, AES.MODE_CBC, iv)
15 | 
16 | if __name__ == '__main__':
17 | 
18 | 	if len(sys.argv) < 3:
19 | 		print("[*] {} <encrypted file> <decrypted file>".format(sys.argv[0]));
20 | 
21 | 	else:
22 | 
23 | 		infile = sys.argv[1]
24 | 		outfile = sys.argv[2]
25 | 
26 | 		with open(infile, "r") as bin_file:
27 | 			encrypted_file = bin_file.read()
28 | 
29 | 		IsMultipleOf16 = len(encrypted_file) % 16
30 | 
31 | 		if IsMultipleOf16 != 0:
32 | 			encrypted_file = encrypted_file[:-IsMultipleOf16]
33 | 
34 | 		decrypted_file = cipher.decrypt(encrypted_file)
35 | 
36 | 		with open(outfile, 'w') as exe_file:
37 | 			exe_file.write(decrypted_file)
38 | 


--------------------------------------------------------------------------------
/OlympicDestroyer/README.md:
--------------------------------------------------------------------------------
1 | # OlympicDestroyer resource decryptor
2 | Simple tool to decrypt resources of OlympicDestroyer malware.
3 | 
4 | + <b>Olympic_Decryptor.py</b>
5 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # malware_analysis
2 | Various snippets created during malware analysis
3 | 


--------------------------------------------------------------------------------