Tuesday, April 15, 2014

Python - base64 Decode and XOR with 0xe8 Config File Leading to C2 Server


# Malware found on virus total
# Modified variant of the Project Hook point-of-sale malware
# Fetches an obfuscated file containing additional C&C domains:
# http://www.localhost0x2.net/config/config_01.bin
# File content is XOR'ed using 0xE8, then Base64 encoded.

# Original File Content - config_01.bin
# gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c
# gJycmNLHx4Sdi4ORxYydhZibxoqBkg==

import base64

# Take the base64 given and decode it and add it to a list
base64info = "gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2cgJycmNLHx4Sdi4ORxYydhZibxoqBkg=="
decodedInfo = base64.b64decode(base64info)
infoDecoded = decodedInfo.encode("hex")

# Take the list and make the values of the list a hex number as a string
info = []
counter = 1
for letter in infoDecoded:
    if (counter == 1):
        listItem = '0x' + letter
        counter = 2
    elif (counter == 2):
        listItem = listItem + letter
        counter = 1

# Define the new list of where the hex will go after XORed with the xorKey
newInfo = []

xorKey = 0xe8

for counter in range(0,len(info)):
    # Append to the list and remove from the hex 0x68 so it is represented as 68 in the list
    newInfo.append(hex(int(info[counter], 16) ^ int(xorKey))[2:])

# Print the list joined together as a string and then decode the hex to ascii
print ''.join(e for e in newInfo).decode("hex")

No comments:

Post a Comment

Docker with Juiceshop - Focus on SQL Injection

In preparation for an ethical hacking class that I will be teaching, I wanted to work through a few of the Vulnhub or docker images to refr...