ratdecoders's People

Contributors

antelox, digitalsleuth, doomedraven, gdcrocx, gh-flo-vall, gi7w0rm, jacobsoo, jurg, kevthehermit, sysopfb, wille

ratdecoders's Issues

Crash: DarkComet exe

$ malconf --version
malconf 1.0

$ clamscan f.exe
f.exe: Win.Trojan.DarkKomet-1 FOUND

Output:

[+] Loading File: f.exe
[-] Found: DarkComet
[-] Running Decoder
Traceback (most recent call last):
File "/usr/local/bin/malconf", line 122, in
process_file(args[0], output_file)
File "/usr/local/bin/malconf", line 49, in process_file
module.get_config()
File "/usr/local/lib/python3.8/dist-packages/malwareconfig/decoders/darkcomet.py", line 70, in get_config
raw_config = self.parse_v5(self.file_info, dc_version)
File "/usr/local/lib/python3.8/dist-packages/malwareconfig/decoders/darkcomet.py", line 41, in parse_v5
clear_config = crypto.decrypt_arc4(dc_version, crypted_config)
File "/usr/local/lib/python3.8/dist-packages/malwareconfig/crypto.py", line 22, in decrypt_arc4
cipher = ARC4.new(key)
File "/usr/local/lib/python3.8/dist-packages/Crypto/Cipher/ARC4.py", line 132, in new
return ARC4Cipher(key, *args, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/Crypto/Cipher/ARC4.py", line 60, in init
result = _raw_arc4_lib.ARC4_stream_init(c_uint8_ptr(key),
File "/usr/local/lib/python3.8/dist-packages/Crypto/Util/_raw_api.py", line 144, in c_uint8_ptr
raise TypeError("Object type %s cannot be passed to C code" % type(data))
TypeError: Object type <class 'str'> cannot be passed to C code

Should add the following

LuminosityLink
Nanocore (people still use cracked versions of this out there for some reason)
ImminentMonitor

Remove requirement for PyCrypto

pycrypto is no longer maintained and should not be used anymore. An alternative library is pycryptodome, which provides an alternative that is still maintained and suitable for the purposes of this library.

However, note that some functions, such as XOR, are no longer available in pycryptodome, so those should be replaced by something like bytes([a ^ b for a, b in zip(itertools.cycle(key), data)])

There is currently a security vulnerability in pycrypto, so changing this is essential:

╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ pycrypto                   │ 2.6.1     │ <=2.6.1                  │ 35015    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ Heap-based buffer overflow in the ALGnew function in block_templace.c in     │
│ Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to  │
│ execute arbitrary code as demonstrated by a crafted iv parameter to          │
│ cryptmsg.py.                                                                 │
╘══════════════════════════════════════════════════════════════════════════════╛
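Both issues above come down to the same Python 3 str/bytes split: the DarkComet traceback is ARC4.new() being handed a str key that the C backend refuses, and the pycrypto removal note points out that pycryptodome no longer ships the XOR helper. The following is an added example, not RATDecoders code: it normalises keys to bytes, provides the cycling XOR the issue suggests, and uses a pure-Python RC4 as a stand-in for Crypto.Cipher.ARC4 so it runs without any crypto library (with pycryptodome installed, ARC4.new(to_bytes(key)) is the equivalent one-line fix). The decode_darkcomet_config helper, its hex-encoded layout and the sample plaintext are constructed for illustration.

```python
"""Added example: bytes-safe key handling, cycling XOR and RC4 for RAT config decoders."""
import itertools


def to_bytes(value):
    """Accept str or bytes and always return bytes (DarkComet keys such as
    '#KCMDDC51#-890' are plain ASCII, so latin-1 is a lossless 1:1 mapping)."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode("latin-1")
    raise TypeError("expected str or bytes, got %s" % type(value).__name__)


def xor_cycle(key, data):
    """Drop-in for the removed pycrypto XOR helper: repeat the key across the data.
    A one-byte key (e.g. 0xDB) degrades to a single-byte XOR."""
    key, data = to_bytes(key), to_bytes(data)
    if not key:
        raise ValueError("empty XOR key")
    return bytes(a ^ b for a, b in zip(itertools.cycle(key), data))


def rc4_keystream(key):
    """Standard RC4 key scheduling + PRGA; stand-in for Crypto.Cipher.ARC4."""
    key = to_bytes(key)
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:  # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def decrypt_arc4(key, data):
    """RC4 is symmetric: the same call encrypts and decrypts. Keys may be str or bytes,
    which is exactly the case that crashed decrypt_arc4() in the traceback above."""
    return bytes(b ^ k for b, k in zip(to_bytes(data), rc4_keystream(key)))


def hex_config_is_well_formed(crypted_hex):
    """Reject odd-length or non-hex input before unhexlify can raise 'odd length string'."""
    if len(crypted_hex) % 2:
        return False
    return all(c in "0123456789abcdefABCDEF" for c in crypted_hex)


def decode_darkcomet_config(key, crypted_hex):
    """Constructed mini-decoder (assumption: hex text wrapping RC4 ciphertext, as the
    parse_v5 -> decrypt_arc4 -> unhexify call chain in the issues suggests)."""
    if not hex_config_is_well_formed(crypted_hex):
        raise ValueError("malformed hex config (%d chars)" % len(crypted_hex))
    return decrypt_arc4(key, bytes.fromhex(crypted_hex)).decode("latin-1")


if __name__ == "__main__":
    # Constructed sample: round-trip a DarkComet-style key/value line.
    sample_key = "#KCMDDC51#-890"
    blob = decrypt_arc4(sample_key, b"MUTEX=DC_MUTEX-TEST").hex()
    print(decode_darkcomet_config(sample_key, blob))
```

to_bytes is the only change a decoder needs to stop the TypeError; the rest shows that the XOR and RC4 primitives the decoders rely on are small enough that the project does not have to carry an unmaintained dependency for them.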

Sakula: not writing to file

The Sakula config extractor is printing to stdout instead of writing to a file when a 2nd argument is given.

New JavaDropper File

It seems like there is another file similar to the "c.dat" file. It uses an XOR of 0xDB instead of the 0xDD. The 2 hashes that I have are "1d8d9cfed0f4311541cbc7322664ba12a335e9c0432bc850a06b3e2d22d24cff" and "131a897b3af60f42c6a314e4aa767c101c58d53c1a8b82e083de3635976c4993".

Changes in DarkComet?

I came across a sample on VT (19913fd36da6d714d895e7018fcb32213b48859e) which the decoder doesn't handle. The decoder gets the key (#KCMDDC51#-890), but the entry.name list doesn't match the naming in BASE_CONFIG (A1,A2,B1,B2,C1,C2,D1,D2,DVCLAL,E1,PACKAGEINFO). I did some debugging and an error is thrown ('odd length string') when calling unhexify(data). Ping me offline if you need the file.

include md5 in recursive result file

Used your decoders quite a bit and realized it would be handy to have not only the filename, but also the md5sum of the decoded sample in the resulting file (in case the filename was not the hash).

Would that make sense?

Version G issues

I have been having issues running a few JAR files known to be Version G through the Standalone AlienSpy script.

I keep getting the following error message: KeyError: "There is no item named '0BUV1k{Mh0xAAd2crs\x08j3/jFIWw2KdFHajktc4A/D4lw1/VS19zYvtm4VSGWP/WXBh?rn5pQES6t5J/8Tbs8/xkfbU3ATjDznshqmFbgWMljVXxBq/?cssMrgCA8G/7ZtTD8Cr7Y5O6kkBVaOXsZ9C.7' in the archive"

I think the XOR key for this file may have changed slightly.

Hashes:
67f0db70c76ad3fef62f8be4bdd09434282e87c53f97f6f0f22cc27f576868b1
d0da7e3b0edc05681994218569ec724db6ff6b1b3a826cdd3ced663a1da2581a

Proposing a PR to fix a few small typos

Issue Type

[x] Bug (Typo)

Steps to Replicate and Expected Behaviour

  • Examine README.md and observe staticly, however expect to see statically.
  • Examine malwareconfig/decoders/jbifrost.py and observe decrpyt, however expect to see decrypt.

Notes

Semi-automated issue generated by
https://github.com/timgates42/meticulous/blob/master/docs/NOTE.md

To avoid wasting CI processing resources a branch with the fix has been
prepared but a pull request has not yet been created. A pull request fixing
the issue can be prepared from the link below, feel free to create it or
request @timgates42 create the PR. Alternatively if the fix is undesired please
close the issue with a small comment about the reasoning.

https://github.com/timgates42/RATDecoders/pull/new/bugfix_typos

Thanks.

njRat decoder python error

Hi,

I guess something was changed with pype32, but when you currently run the following code
'for s in m.netMetaDataStreams[dir_type].info'
it does not work because m.netMetaDataStreams is a list and does not accept #US as a value; the whole function actually doesn't work because the list only contains strings, which you cannot use .iteritems() on either.

njrat cli output

Hi,

Was working on extraction of the config of njrat; with extraction to a file it works fine, but with the CLI it does not, due to
TypeError: Object of type bytes is not JSON serializable

This is due to the njrat decoder code used to extract the campaign id:
config_dict["Campaign ID"] = b64decode(string_list[version_index-1])

The b64decode returns a bytes object and not a string, this can be easily fixed by adding ".decode()" after the b64decode.

I could make a PR, but are you still working on this project, since several other PRs are still open, including one for njrat?
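The fix the reporter describes (adding .decode() after b64decode) is correct for the campaign id, but the same bug recurs for any other bytes value a decoder drops into the config dict, and a plain .decode() raises on non-UTF-8 payloads. The following is an added example, not RATDecoders code: a small json_safe() pass that makes a whole config dict serialisable, falling back to a labelled hex form when bytes are not valid UTF-8 so no data is silently lost. The sample string_list and the "HacKed" campaign value are constructed.

```python
"""Added example: make a decoded RAT config JSON-serialisable without losing bytes."""
import base64
import json


def json_safe(value):
    """Recursively convert bytes to str so json.dumps() accepts the config.
    Valid UTF-8 is decoded; anything else is kept as 'hex:' + hex digits."""
    if isinstance(value, bytes):
        try:
            return value.decode("utf-8")
        except UnicodeDecodeError:
            return "hex:" + value.hex()
    if isinstance(value, dict):
        return {str(k): json_safe(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [json_safe(v) for v in value]
    return value


def dumps_raw_fails(config):
    """True when json.dumps() rejects the config as-is (the CLI path in the issue)."""
    try:
        json.dumps(config)
        return False
    except TypeError:
        return True


def build_config(string_list, version_index):
    """Mirrors the line quoted in the issue: b64decode() returns bytes, which is fine
    for the file path but breaks the CLI's JSON output until json_safe() runs."""
    config = {
        "Campaign ID": base64.b64decode(string_list[version_index - 1]),
        "version": string_list[version_index],
    }
    return json_safe(config)


def config_to_json(config):
    """What the CLI should print: json_safe() first, then a deterministic dump."""
    return json.dumps(json_safe(config), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample string table: campaign id sits just before the version string.
    sample_strings = ["x", "SGFjS2Vk", "0.7d"]
    print(config_to_json(build_config(sample_strings, 2)))
```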

string_clean eliminating spaces

In a number of files there's the string_clean function which looks like:

def string_clean(line):
    return ''.join((char for char in line if 32< ord(char) < 127))

Is the 32 < intended? This will have the effect of stripping out space characters (which may be relevant in some cases).
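To make the effect concrete, here is an added example (not RATDecoders code) that puts the function as quoted beside a variant using 32 <= ord(char), and runs both over a constructed config whose campaign name contains a space. The keep-spaces variant also accepts bytes input, which the decoders frequently hand around; that extension is an assumption, not something the project does.

```python
"""Added example: space-stripping behaviour of string_clean versus a space-preserving variant."""


def string_clean_original(line):
    """The function as quoted in the issue: 32 < ord(char) drops the space (0x20)."""
    return ''.join(char for char in line if 32 < ord(char) < 127)


def string_clean_keep_spaces(line):
    """Proposed variant: printable ASCII including space, control bytes still dropped.
    Accepts bytes as well as str (assumed convenience, latin-1 keeps every byte)."""
    if isinstance(line, bytes):
        line = line.decode("latin-1")
    return ''.join(char for char in line if 32 <= ord(char) < 127)


def fields_changed_by_space_stripping(config):
    """Names of config fields whose cleaned value differs between the two cleaners,
    i.e. the fields where the current behaviour loses information."""
    return sorted(
        name for name, raw in config.items()
        if string_clean_original(raw) != string_clean_keep_spaces(raw)
    )


# Constructed sample config with the kind of padding and line endings seen in raw blobs.
SAMPLE_CONFIG = {
    "Campaign ID": "My Campaign\x00\x00",
    "Domain": "c2.example.invalid\r\n",
    "Mutex": "abc123",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_CONFIG.items():
        print(name, repr(string_clean_original(raw)), repr(string_clean_keep_spaces(raw)))
    print("lossy fields:", fields_changed_by_space_stripping(SAMPLE_CONFIG))
```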

Unable to import decoder Infinity

I see the error Unable to import decoder Infinity
VT Sample: 28eae0af73e81ff54e52280a941aad804ac2247d707ec9c7dc447af9fee0c301
Yara rule is ./yaraRules/Infinity.yar
