import zipfile import base64 import hashlib from Crypto.Cipher import AES from Crypto.Protocol.KDF import PBKDF2 import sys # basis from https://www.quickprogrammingtips.com/python/aes-256-encryption-and-decryption-in-python.html def get_private_key(salt): salt = bytes.fromhex(salt) kdf = PBKDF2(password, salt, 16, count=65536) return kdf def decrypt(enc, password): #print("Salt") #print(salt) private_key = get_private_key(salt) #print("Private Key") #print(private_key.hex()) #print("Salt Bytes") #print(bytes.fromhex(salt)) cipher = AES.new(private_key, AES.MODE_CBC, bytes.fromhex(salt)) #print("Encoded Hex") encoded1=b64decode[40:] #print(encoded1) #print("Encoded Bytes") encbytes=bytes.fromhex(encoded1) #print(encbytes) #print("Decoded Config") decodedtext = cipher.decrypt(encbytes) return decodedtext # Read config if len (sys.argv) < 2: print("Error: Expected argument of STRRAT file") print("Usage: python3 decrypt-strrat.py [PATH TO STRRAT]") sys.exit(0) file = sys.argv[1] print (r""" ▄████████ ███ ▄████████ ▄████████ ▄████████ ███ ████████▄ ▄████████ ▄████████ ▄████████ ▄██ ▄ ▄███████▄ ███ ▄████████ ▄████████ ███ ███ ▀█████████▄ ███ ███ ███ ███ ███ ███ ▀█████████▄ ███ ▀███ ███ ███ ███ ███ ███ ███ ███ ██▄ ███ ███ ▀█████████▄ ███ ███ ███ ███ ███ █▀ ▀███▀▀██ ███ ███ ███ ███ ███ ███ ▀███▀▀██ ███ ███ ███ █▀ ███ █▀ ███ ███ ███▄▄▄███ ███ ███ ▀███▀▀██ ███ █▀ ███ ███ ███ ███ ▀ ▄███▄▄▄▄██▀ ▄███▄▄▄▄██▀ ███ ███ ███ ▀ ███ ███ ▄███▄▄▄ ███ ▄███▄▄▄▄██▀ ▀▀▀▀▀▀███ ███ ███ ███ ▀ ▄███▄▄▄ ▄███▄▄▄▄██▀ ▀███████████ ███ ▀▀███▀▀▀▀▀ ▀▀███▀▀▀▀▀ ▀███████████ ███ ███ ███ ▀▀███▀▀▀ ███ ▀▀███▀▀▀▀▀ ▄██ ███ ▀█████████▀ ███ ▀▀███▀▀▀ ▀▀███▀▀▀▀▀ ███ ███ ▀███████████ ▀███████████ ███ ███ ███ ███ ███ ███ █▄ ███ █▄ ▀███████████ ███ ███ ███ ███ ███ █▄ ▀███████████ ▄█ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ▄███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ▄████████▀ ▄████▀ ███ ███ ███ ███ ███ █▀ ▄████▀ ████████▀ ██████████ ████████▀ ███ ███ ▀█████▀ ▄████▀ ▄████▀ ██████████ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ _ _____ _ _____ _ _ | | ____ / ____| | | | __ \ (_(_) | |__ _ _ / __ \| | _ _| |__ ___ _ __| |__) |__ _ _ _ _ _ | '_ \| | | | / / _` | | | | | | '_ \ / _ | '__| _ // _` | | | | | | | |_) | |_| | | | (_| | |___| |_| | |_) | __| | | | \ | (_| | | | |_| | |_.__/ \__, | \ \__,_|\_____\__, |_.__/ \___|_| |_| \_\__,_|_| |\__,_| __/ | \____/ __/ | _/ | |___/ |___/ |__/ """) if zipfile.is_zipfile(file): with zipfile.ZipFile(file, mode="r") as archive: print("Analysing File: "+file) config=archive.read('carLambo/resources/config.txt') b64decode=base64.b64decode(config).hex() #print("B64 Encrypted Config") #print(b64decode) salt=b64decode[8:40] password = "strigoi" decrypted = decrypt(b64decode, password) #print(bytes.decode(decrypted)) configsplit=bytes.decode(decrypted).split("|") print('C2: ' + configsplit[0]) print('Primary Lock/Port: ' + configsplit[1]) print('Plugins Download URL: ' + configsplit[2]) print('Secondary/Fallback C2: ' + configsplit[3]) print('Secondary Lock/Fallback Port: ' + configsplit[4]) print('Startup Folder Persistence: ' + configsplit[5]) print('Secondary Startup Folder Persistence: ' + configsplit[6]) print('Skype Scheduled Task Persistence: ' + configsplit[7]) print('License ID: ' + configsplit[8]) else: print("File not valid strrat malware")