#!/usr/bin/env python
# darkcomet_config.py
# From https://code.google.com/p/alienvault-labs-garage/downloads/detail?name=extract_config_from_binary.py
import pefile
import sys
import random, base64, sys
from binascii import *
# RC4 key applied to every config resource this script extracts.  It is the
# DarkComet 5.x default the script was written against; other builds of the
# RAT are reported to use a different key (e.g. "#KCMDDC51#-890" for later 5.x
# releases), so an "Error during decryption" or garbage output may simply mean
# the sample is a different version.  NOTE(review): confirm the version of the
# sample before trusting an empty/garbled result.
key = "#KCMDDC5#-890"
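def rc4crypt(data, key):
    """Encrypt/decrypt *data* with RC4 under *key* and return the result as a str.

    RC4 is symmetric, so the same call decrypts what it encrypted.  Both
    arguments may be a byte string (bytes/bytearray) or a text str; text is
    taken character by character with ord(), i.e. as a latin-1 style byte
    string, which is exactly how the Python 2 original treated it.  The
    result is a str of chr(0..255) values, matching the original return type
    on both Python 2 and 3.

    RC4 is used here only because it is what the malware uses to hide its
    configuration; it is not a suitable cipher for protecting anything.

    Args:
        data: plaintext or ciphertext to transform.
        key: the RC4 key; must be non-empty.

    Returns:
        *data* XORed with the RC4 keystream, as a str of len(data) characters.

    Raises:
        ValueError: if *key* is empty (RC4 is undefined for an empty key; the
            original died with a ZeroDivisionError in that case).
    """
    # Normalise every element to an int in 0..255 so the routine works on a
    # Python 2 str, a Python 3 bytes object (which iterates as ints), a
    # bytearray and a text str alike.
    key_bytes = [c if isinstance(c, int) else ord(c) for c in key]
    if not key_bytes:
        raise ValueError("RC4 key must not be empty")
    key_len = len(key_bytes)

    # Key-scheduling algorithm.  list(range(...)) is deliberate: on Python 3
    # range() is immutable and the in-place swap below would raise TypeError.
    box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + box[i] + key_bytes[i % key_len]) % 256
        box[i], box[j] = box[j], box[i]

    # Pseudo-random generation algorithm, XORed into the data byte by byte.
    i = j = 0
    out = []
    for c in data:
        c = c if isinstance(c, int) else ord(c)
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        out.append(chr(c ^ box[(box[i] + box[j]) % 256]))
    return ''.join(out)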
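# Names of the RT_RCDATA resources that carry the hex-encoded, RC4-encrypted
# configuration strings; every other resource in the image is ignored.
CONFIG_FIELDS = ("GENCODE", "MUTEX", "NETDATA", "PWD", "SID")


def extract_config(path):
    """Return {field: decrypted value} for the DarkComet sample at *path*.

    Fields that are not present in the sample stay "" (as in the original).
    A field whose resource cannot be decoded is also left "" and the failure
    is reported on stderr with the resource name, instead of being swallowed
    by a bare ``except:`` with no context.

    Raises:
        pefile.PEFormatError: if *path* is not a parseable PE image.
        LookupError: if the image has no resource directory or no RT_RCDATA
            type, i.e. it cannot hold a DarkComet-style config at all.
    """
    # The sample is hostile input: parse only the headers and the resource
    # directory rather than every data directory (imports, relocations, ...),
    # which keeps the parsing surface small and the run fast.
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(
        directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_RESOURCE']])

    if not hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
        raise LookupError("no resource directory in %s" % path)
    rcdata = None
    for type_entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if type_entry.id == pefile.RESOURCE_TYPE['RT_RCDATA']:
            rcdata = type_entry
            break
    if rcdata is None:
        raise LookupError("no RT_RCDATA resources in %s" % path)

    # Map the image once instead of once per resource entry.
    image = pe.get_memory_mapped_image()
    config = dict.fromkeys(CONFIG_FIELDS, "")
    for entry in rcdata.directory.entries:
        name = str(entry.name)
        if name not in config:
            continue
        leaf = entry.directory.entries[0].data.struct
        raw = image[leaf.OffsetToData:leaf.OffsetToData + leaf.Size]
        try:
            config[name] = rc4crypt(unhexlify(raw), key)
        except (TypeError, ValueError) as exc:
            # unhexlify rejects odd-length or non-hex payloads (TypeError on
            # Python 2, binascii.Error/ValueError on Python 3); name the
            # resource so a partial result can be traced to its cause.
            sys.stderr.write("Error during decryption of %s: %s\n" % (name, exc))
    return config


def main(argv):
    """Command-line entry point: ``darkcomet.py <sample>``; returns an exit code."""
    if len(argv) != 1:
        sys.stderr.write("usage: %s <darkcomet_sample>\n" % sys.argv[0])
        return 2
    try:
        config = extract_config(argv[0])
    except (pefile.PEFormatError, LookupError) as exc:
        sys.stderr.write("%s: %s\n" % (argv[0], exc))
        return 1
    print(config)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))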